Thanks, Keith. It's now approved for 0.32.

On Tue, Feb 24, 2015 at 7:50 AM, Keith W <[email protected]> wrote:
> Hi Justin
>
> On 24 February 2015 at 12:31, Justin Ross <[email protected]> wrote:
>
>> The latter three are approved.
>>
>> On the first, QPID-6247. You say "only affects a part of Broker
>> functionality responsible for writing updates to configuration files".
>> This is the primary way users will store their configuration, true? If
>> so, that's not isolated.
>>
>> It's also not small. Which leaves us with importance. Does this deserve
>> an exception because it's a particularly severe defect? It looks (to the
>> uninformed, me) like a normal priority defect. Is it a regression?
>
> It is true that QPID-6247 is a long-standing defect, however, with
> changes we have already made in 0.32 the severity is increased. 0.32
> brings with it the ability to upload private keys through the UI. By
> default, these keys are stored - inlined - within the Broker's
> configuration files and are written to disk. If we don't include QPID-6247
> the Broker won't preserve the file permissions on the configuration files
> through the update, and it could therefore become inadvertently readable by
> others. This would represent a security issue. Apologies, we should have
> identified the interdependency between this existing defect and the new
> feature earlier in the cycle.
>
> Kind regards, Keith
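
The permission loss Keith describes, shown as an added example that is not part of this thread and not the Broker's code: a config file locked to 0o600 is rewritten once without restoring its mode and once with the mode carried over. It assumes the update is done by writing a new file and renaming it over the old one; the function names, file name and file contents are constructed for illustration.

```python
import os
import stat
import tempfile


def naive_replace(path, data):
    # Assumed defect pattern: write a sibling file, then rename it over the
    # original. The new file gets 0o666 & ~umask, not the original's mode.
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write(data)
    os.replace(tmp, path)


def safe_replace(path, data):
    # Capture the current permission bits before touching anything.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # mkstemp creates the file 0o600, so the key is never exposed mid-write.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
            os.fchmod(f.fileno(), mode)  # restore the original mode
        os.replace(tmp, path)  # atomic swap on POSIX
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def demo():
    # Constructed sample: a config file with an inlined key, locked to 0o600.
    previous_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "config.json")
            with open(path, "w") as f:
                f.write('{"privateKey": "CONSTRUCTED-SAMPLE"}')
            os.chmod(path, 0o600)
            naive_replace(path, '{"privateKey": "CONSTRUCTED-SAMPLE", "rev": 2}')
            naive_mode = stat.S_IMODE(os.stat(path).st_mode)
            os.chmod(path, 0o600)
            safe_replace(path, '{"privateKey": "CONSTRUCTED-SAMPLE", "rev": 3}')
            safe_mode = stat.S_IMODE(os.stat(path).st_mode)
            return naive_mode, safe_mode
    finally:
        os.umask(previous_umask)
```

With a umask of 022, `demo()` returns 0o644 for the naive rewrite (readable by group and others) and 0o600 for the mode-preserving one.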
