On Mon, Jun 2, 2014 at 11:14 AM, Sergio Fernández < sergio.fernan...@salzburgresearch.at> wrote:
> Hi Reto,
>
> On 02/06/14 10:28, Reto Gmür wrote:
>
>> There have been two releases of these components. This one brings clear
>> improvement over the older (it works with Jersey >=2) without afaict
>> bringing any disadvantage. The code with the patch has been in subversion
>> since June 10th of 2013 so it can be assumed that it has been community
>> tested quite a bit. It has not only been used in Stanbol but also in
>> Clerezza.
>
> Well, my comment comes to raise the issue that, according to the feedback
> I read in this mailing list, the security components are not really
> community-driven, but motivated by a concrete use case from another project
> and not really well documented:
>
> http://stanbol.apache.org/development/security.html

We had discussions when the code was originally added. And yes, some problems were reported and fixed. IIRC those problems were all not actually related to the Stanbol security features but to the components not working correctly in a secure environment, i.e. they would also have appeared when integrating the components in any application server with an active Java security manager. Anyone could have vetoed the addition of the code, but nobody did. Also, two releases containing the code were unanimously accepted.

> I don't think that the problems you had with other components are in any way
> specific to the patch incorporated to this release and probably not even
> caused by a bug in these components. But if you create issues then these
> could help improve situations. But even if these problems are real (JIRA
> issues rather than FUD) we cannot only make a release if that release
> solves all the problems the software might have.
>
> Well, for casting a positive vote I'd like to know the modules coverage:
> how many implement that, how many they just ignore it, etc.

Confused. The vote is about two modules that can be used in Stanbol or in other environments.

Other modules do not need any specific interaction with these modules. They do interact indirectly via Java security, e.g. when they open a file this requires a FilePermission.

> Sorry, I did not report proper issues to Jira since just disabling the
> security worked fine in my deployment scenarios.

So you're jumping in on a discussion about releasing modules that you are not even using? And you can't say what exact problem they have, and you've previously +1'd when it was released together with others?

> In the end I think we should clarify if such security granularity is
> actually necessary here. Because my understanding of Stanbol is a set of
> reusable restful components for semantic content management, not a semantic
> cms itself, which is the direction where these security modules pushed it.

Sergio, you can of course start a discussion about removing the security related module. A filibuster on the third release featuring an important, simple and well tested patch doesn't seem a good way to bring this issue in. I agree for the rest of what you say except that these modules would push in the direction of CMS. But we did release many modules and even full releases that aren't restful, but that's even less the place to discuss this.

Thanks.
Reto

> Cheers,
>
> --
> Sergio Fernández
> Senior Researcher
> Knowledge and Media Technologies
> Salzburg Research Forschungsgesellschaft mbH
> Jakob-Haringer-Straße 5/3 | 5020 Salzburg, Austria
> T: +43 662 2288 318 | M: +43 660 2747 925
> sergio.fernan...@salzburgresearch.at
> http://www.salzburgresearch.at