[
https://issues.apache.org/jira/browse/ACCUMULO-2713?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13976998#comment-13976998
]
Alex Moundalexis commented on ACCUMULO-2713:
--------------------------------------------
Simply put, fix it for 1.6.0:
* community hat: it's the correct move
* customer-awaiting-1.6.0 hat: another X days isn't going to matter
It looks extremely poor for a security-minded distribution to cut a release
with a *known* security flaw, moreso given recent vulnerabilities in the media.
That is not the image we want to project to the community, nor code we want to
provide to the same, whether the feature is experimental or new or old.
My non-binding $0.02...
> Instance secret written out with other configuration items to RFiles and
> WALogs when encryption is turned on
> ------------------------------------------------------------------------------------------------------------
>
> Key: ACCUMULO-2713
> URL: https://issues.apache.org/jira/browse/ACCUMULO-2713
> Project: Accumulo
> Issue Type: Bug
> Affects Versions: 1.5.1
> Reporter: Michael Allen
> Priority: Blocker
> Labels: WAL, encryption, rfile
> Fix For: 1.6.0
>
> Attachments: Dont-write-instance-secret-to-RFiles.patch
>
>
> The encryption at rest feature records configuration information in order to
> encrypted RFiles and WALogs so that if the configuration changes, the files
> can be read back. The code that does this recording hovers up all the
> "instance.*" entries, and does not pick out the instance.secret as a special
> one not to write. Thus the instance secret goes into each file in the clear,
> which is non-ideal to say the least.
> Patch forthcoming.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
