Hi Justin

On 24 February 2015 at 12:31, Justin Ross <[email protected]> wrote:

> The latter three are approved.
>
> On the first, QPID-6247. You say "only affects a part of Broker
> functionality responsible for writing updates to configuration files".
> This is the primary way users will store their configuration, true? If so,
> that's not isolated.
>
> It's also not small. Which leaves us with importance. Does this deserve
> an exception because it's a particularly severe defect? It looks (to the
> uninformed, me) like a normal priority defect. Is it a regression?

It is true that QPID-6247 is a long-standing defect; however, with changes we have already made in 0.32 the severity is increased.

0.32 brings with it the ability to upload private keys through the UI. By default, these keys are stored - inlined - within the Broker's configuration files and are written to disk. If we don't include QPID-6247 the Broker won't preserve the file permissions on the configuration files through the update, and it could therefore become inadvertently readable by others. This would represent a security issue.

Apologies, we should have identified the interdependency between this existing defect and the new feature earlier in the cycle.

Kind regards, Keith
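
The failure mode described in this message, shown as an added example that is not part of the original email and is not Qpid Broker code: it assumes a configuration update done by writing a new file and renaming it over the old one (a common pattern, not confirmed here as the Broker's), on a POSIX system with a umask of 022. The function names, file name and key value are constructed for illustration.

```python
import os
import stat
import tempfile


def naive_update(path, data):
    """Write-then-rename update: the replacement gets default (umask) permissions."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:  # created as 0666 & ~umask, e.g. 0644
        f.write(data)
    os.replace(tmp, path)      # the original's restrictive mode is lost here


def preserving_update(path, data):
    """Same update, but the replacement is created private and given the original's mode."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory)  # mkstemp creates the file as 0600
    try:
        with os.fdopen(fd, "w") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, mode)    # restore the original mode before it becomes visible
        os.replace(tmp, path)  # atomic swap within the same directory
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def mode_after(update, original_mode=0o600):
    """Build a constructed config with original_mode, apply update, return the resulting mode."""
    old_umask = os.umask(0o022)  # assumed typical default umask
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "config.json")  # hypothetical file name
            with open(path, "w") as f:
                f.write('{"privateKey": "CONSTRUCTED-PLACEHOLDER"}')
            os.chmod(path, original_mode)
            update(path, '{"privateKey": "CONSTRUCTED-PLACEHOLDER", "v": 2}')
            return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print("naive:     ", oct(mode_after(naive_update)))
    print("preserving:", oct(mode_after(preserving_update)))
```

The example restores only the permission bits; owner and group of the replacement file are those of the writing process.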
