On Tue, Oct 21, 2014 at 04:41:34PM +0200, Andrew Phillips wrote:
> >In this case, the static method on HttpUrlConnection approach may be more
> >appropriate. Basically we can point to documentation about it and it
> >requires no special knowledge and can be plopped in at bootstrap code.
>
> @Andrew G: would documenting this and/or the module fix address your concerns?
>
> Given where we are, my suggestion is as follows: if we can't resolve
> -1 votes by the end of the day, I'll cancel this release and work
> towards a 1.8.1-rc2.
>
> In this case, I would like to urge all those who are uncomfortable
> with releasing rc1 at this point to improve the current proposed
> fix, since from the discussion it is clear it is currently not a
> state we would like to include in 1.8.1.
>
> If we can resolve the -1s, I would obviously still like to work on
> fixing JCLOUDS-753 as quickly as reasonably possible. Hopefully,
> with the release behind us we will have a little bit more time for that.
Users should expect jclouds to have sane defaults; we should not require code or even configuration to secure jclouds. Our users expect us to make the best decisions on their behalf and I do not believe release noting a potential (although unlikely) security issue represents this.

Apache releases require lazy majority, not unanimity, so a single negative vote should not affect this release given the existing votes. However, my -1 vote represents my best understanding of this issue and I encourage others to vote -1 as well. While I lack the imagination to exploit this issue, a sufficiently motivated attacker might not.

We should give users a fix in code as soon as possible, whether in a delayed 1.8.1 or an accelerated 1.8.2. I can understand the benefits of both approaches but the former seems like less work than an extra release.

--
Andrew Gaul
http://gaul.org/