Re: [Ganglia-developers] [Ganglia-general] [SECURITY] [IMPORTANT] Security issue in Ganglia Web
Just wondering if anyone has already started looking at doing 3.1.8 with the security fix?

On 15/07/12 18:48, Bernard Li wrote:
> Hi Daniel:
>
> If you want to start a wiki page for that, that's fine. But in my experience these pages get stale pretty quickly ;-)
>
> Cheers,
>
> Bernard
>
> On Sun, Jul 15, 2012 at 11:40 AM, Daniel Pocock dan...@pocock.com.au wrote:
>> On 15/07/12 20:27, Bernard Li wrote:
>>> Hi Daniel:
>>>
>>> On Sun, Jul 15, 2012 at 10:26 AM, Daniel Pocock dan...@pocock.com.au wrote:
>>>> I think we need to be clear about the support lifecycle for older versions - I remember 3.0.x was being supported for a while when 3.1.x was in use - I'm not sure if anyone has taken on 3.1.x support?
>>>
>>> I saw Kostas on IRC and talked to him briefly about the security vulnerability and he mentioned that he will take a look at backporting fixes to 3.1.7 since that is the latest version available on EPEL. I don't think he has volunteered to take over support for the entire branch, but will at least work on releasing updated RPMs for EPEL users. Hopefully he could chime in on this ;-)
>>
>> I don't think there is any obligation on anyone to do this - but perhaps it would be useful to track supported versions (and related distros) on a wiki page so we don't duplicate any effort, e.g.:
>>
>> 3.1.x:
>>   Distros: Debian 6, EPEL
>>   Updates: Kostas?
>>   Note: security fixes only
>>
>> 3.2.x:
>>   Note: unsupported, go to 3.5.x?
>>
>> 3.3.x:
>>   Note: unsupported, go to 3.5.x?
>>
>> 3.4.x:
>>   Note: unsupported, go to 3.5.x?
>>
>> 3.5.x:
>>   Distros: Debian 7?
>>   Updates: ?
>>   Note: we aim to make this the next long-term-support version for Debian 7, EPEL
>>
>> In this example, I've marked 3.[234].x as unsupported because I don't know if any stable distro is carrying any of them - feel free to correct me

--
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
___
Ganglia-developers mailing list
Ganglia-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ganglia-developers
Re: [Ganglia-developers] [Ganglia-general] [SECURITY] [IMPORTANT] Security issue in Ganglia Web
Hi Daniel:

On Thu, Aug 2, 2012 at 1:35 PM, Daniel Pocock dan...@pocock.com.au wrote:
> Just wondering if anyone has already started looking at doing 3.1.8 with the security fix?

That depends. Are we still maintaining the 3.1.x tree? Traditionally we have kept with the current branch and one release branch before. For instance, if current web is at 3.5 then we maintain that and 3.4.

I believe Kostas has already pushed out patches for 3.1.7 to Fedora/EPEL, so in terms of distributed binary packages I guess we should be fine?

We could potentially pull the old versions from SourceForge.net so people don't download the old versions, but they should really be getting the latest and greatest...

Cheers,

Bernard
Re: [Ganglia-developers] [Ganglia-general] [SECURITY] [IMPORTANT] Security issue in Ganglia Web
On 02/08/12 21:21, Bernard Li wrote:
> Hi Daniel:
>
> On Thu, Aug 2, 2012 at 1:35 PM, Daniel Pocock dan...@pocock.com.au wrote:
>> Just wondering if anyone has already started looking at doing 3.1.8 with the security fix?
>
> That depends. Are we still maintaining the 3.1.x tree? Traditionally we have kept with the current branch and one release branch before. For instance, if current web is at 3.5 then we maintain that and 3.4.

I remember that logic - but that doesn't really reflect what the distributions do.

Just backporting/cherry-picking the most essential security fixes to an old branch shouldn't be a big pain though.

> I believe Kostas has already pushed out patches for 3.1.7 to Fedora/EPEL, so in terms of distributed binary packages I guess we should be fine?

Debian 6 also has 3.1.x - when this was mentioned before, I thought Kostas was updating the 3.1 branch and then the Debian and Fedora packages could all be built from the same tarball.

Kostas, could you possibly commit what you did onto the 3.1 branch and then I'll release a tarball?

However, I can't see the 3.1 branch in git... does anyone know where it went or a quick way to revive it?

$ git branch -a
* master
  release/3.3
  release/3.4
  remotes/origin/HEAD -> origin/master
  remotes/origin/master
  remotes/origin/php-support
  remotes/origin/release/3.3
  remotes/origin/release/3.4

> We could potentially pull the old versions from SourceForge.net so people don't download the old versions, but they should really be getting the latest and greatest...

That's not what distributions support - keep in mind, for many people, they only need something basic, they are happy to run apt-get or yum and get the package in 30 seconds, and that convenience is more important than new features - so they are not going to dedicate 30-60 minutes to downloading a tarball and working out what to do with it.
[Ganglia-developers] git repo status
I've just had a look over the git repo.

I notice that

a) the authors.txt mechanism wasn't used when migrating from svn:

   Author: d_pocock d_pocock@93a4e39c-3214-0410-bb16-828d8e3bcd0f

   should be

   Author: Daniel Pocock dan...@pocock.com.au

   and likewise for everybody else of course,

b) we don't have the old branches (at least I can't see them)

$ git branch -a
* master
  release/3.3
  release/3.4
  remotes/origin/HEAD -> origin/master
  remotes/origin/master
  remotes/origin/php-support
  remotes/origin/release/3.3
  remotes/origin/release/3.4

Maybe it's a long shot, but maybe it is possible to extract from SVN again, rebase all the new work on top of it, and push that up to github? Has anyone ever done something like that?

I believe scripts exist for amending the authors.

I've also heard there are techniques for importing branches, but it may be more or less tricky than the rebase approach.
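The author fix-up described in point (a) is normally done at import time with git-svn's authors file ("login = Full Name <email>", one per line); the same map can be applied after the fact by rewriting history. The script below is an added example and not code from this thread or from the Ganglia repository: it builds a throwaway repository whose commits carry the svn-migration identity shown above, then rewrites author and committer fields from a map using git filter-branch (chosen because it ships with git; git filter-repo would be the usual tool today). The repository, the map and the placeholder addresses are constructed for the demo; only the d_pocock login and the 93a4e39c-... UUID come from the message.

```sh
#!/bin/sh
# Added example (not Ganglia project code): apply a git-svn style authors map
# to commits that already carry "login <login@svn-uuid>" identities.
# The repo, commits and map are constructed here; the e-mail addresses
# are placeholders.
set -e
export FILTER_BRANCH_SQUELCH_WARNING=1   # skip filter-branch's 10 s advisory pause

# Build a throwaway repo with two commits in the svn-migration identity format.
make_demo_repo() {
    rm -rf "$1"
    git init -q "$1"
    ( cd "$1" \
      && echo one > f && git add f \
      && git -c user.name=d_pocock \
             -c user.email=d_pocock@93a4e39c-3214-0410-bb16-828d8e3bcd0f \
             commit -q -m "import from svn" \
      && echo two >> f && git add f \
      && git -c user.name=b_li \
             -c user.email=b_li@93a4e39c-3214-0410-bb16-828d8e3bcd0f \
             commit -q -m "second svn commit" )
}

# Rewrite author and committer on every ref of repo $1 using the map file $2.
# filter-branch evaluates --env-filter once per commit with GIT_AUTHOR_* and
# GIT_COMMITTER_* preset; only entries whose login matches are changed, so
# commits made after the migration (already carrying real names) are untouched.
rewrite_authors() {
    repo="$1"
    AUTHORS_MAP="$(cd "$(dirname "$2")" && pwd)/$(basename "$2")"
    export AUTHORS_MAP
    ( cd "$repo" && git filter-branch -f --env-filter '
        while IFS= read -r line; do
            login=${line%% = *}
            rest=${line#* = }
            name=${rest% <*}
            email=${rest##*<}; email=${email%>}
            if [ "$GIT_AUTHOR_NAME" = "$login" ]; then
                export GIT_AUTHOR_NAME="$name" GIT_AUTHOR_EMAIL="$email"
            fi
            if [ "$GIT_COMMITTER_NAME" = "$login" ]; then
                export GIT_COMMITTER_NAME="$name" GIT_COMMITTER_EMAIL="$email"
            fi
        done < "$AUTHORS_MAP"
    ' -- --all >/dev/null 2>&1 )
}

# "Name <email>" of the author of commit $2 in repo $1.
author_of() {
    ( cd "$1" && git log -1 --format='%an <%ae>' "$2" )
}

# Stand-alone run: prints the two rewritten author lines.
demo() {
    work=${TMPDIR:-/tmp}/authors-demo.$$
    mkdir -p "$work"
    make_demo_repo "$work/repo"
    printf '%s\n' \
        'd_pocock = Daniel Pocock <daniel@example.invalid>' \
        'b_li = Bernard Li <bernard@example.invalid>' > "$work/authors.txt"
    rewrite_authors "$work/repo" "$work/authors.txt"
    author_of "$work/repo" HEAD~1
    author_of "$work/repo" HEAD
    rm -rf "$work"
}

demo
```

Because every commit hash changes, this has to happen before anyone bases work on the rewritten history, and a force-push to the shared repository is required; on a real migration the cleaner route is to re-run git svn clone with --authors-file and graft the post-migration commits on top, as the message suggests.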
Re: [Ganglia-developers] [Ganglia-general] [SECURITY] [IMPORTANT] Security issue in Ganglia Web
Hi Daniel:

On Thu, Aug 2, 2012 at 2:35 PM, Daniel Pocock dan...@pocock.com.au wrote:
> That's not what distributions support - keep in mind, for many people, they only need something basic, they are happy to run apt-get or yum and get the package in 30 seconds, and that convenience is more important than new features - so they are not going to dedicate 30-60 minutes to downloading a tarball and working out what to do with it.

Well if we agree that we are EOL'ing 3.1, then it is up to the distributions who are still on the old version to maintain it for security patches. I don't think it's really our responsibility to fix bugs for releases that are old. We have better things to do with our time. Just my $0.02.

Cheers,

Bernard
Re: [Ganglia-developers] [Ganglia-general] [SECURITY] [IMPORTANT] Security issue in Ganglia Web
Perhaps I'm totally off here, but is this saying 3.3.5 is under testing and will eventually be stable?

http://packages.qa.debian.org/g/ganglia.html

If that is the case, shouldn't we work on backporting it into the 3.3.x tree as opposed to the 3.1.x tree?

Regards,

Bernard

On Thu, Aug 2, 2012 at 2:56 PM, Daniel Pocock dan...@pocock.com.au wrote:
> On 02/08/12 21:49, Bernard Li wrote:
>> Hi Daniel:
>>
>> On Thu, Aug 2, 2012 at 2:35 PM, Daniel Pocock dan...@pocock.com.au wrote:
>>> That's not what distributions support - keep in mind, for many people, they only need something basic, they are happy to run apt-get or yum and get the package in 30 seconds, and that convenience is more important than new features - so they are not going to dedicate 30-60 minutes to downloading a tarball and working out what to do with it.
>>
>> Well if we agree that we are EOL'ing 3.1, then it is up to the distributions who are still on the old version to maintain it for security patches. I don't think it's really our responsibility to fix bugs for releases that are old. We have better things to do with our time. Just my $0.02.
>
> Not quite...
>
> Kostas already did the effort for Fedora.
>
> Someone (probably me) has to do the same for Debian.
>
> End result: it is not some invisible person out there from the distribution community - it comes back to us.
>
> If we don't do it, Ganglia would be dropped from the distributions.
>
> Keeping a branch just means that we can avoid duplicating effort on such things - the branch doesn't need to have every security enhancement (e.g. the recent gid stuff), just essential web security fixes. There is nothing else I have seen in the last 6 months that belongs on 3.1.
Re: [Ganglia-developers] [Ganglia-general] [SECURITY] [IMPORTANT] Security issue in Ganglia Web
On 02/08/12 22:08, Bernard Li wrote:
> Perhaps I'm totally off here, but is this saying 3.3.5 is under testing and will eventually be stable?
>
> http://packages.qa.debian.org/g/ganglia.html
>
> If that is the case, shouldn't we work on backporting it into the 3.3.x tree as opposed to the 3.1.x tree?

I was going to get to that...

wheezy (Debian 7) probably won't be released for another few months.

Even after that, people with squeeze (Debian 6) have been promised security updates for 12 months from the official release of wheezy:

http://www.debian.org/security/faq#lifespan

I really tried to get 3.4 and standalone ganglia-web ready for Debian 7, but as I am not a full DD and I can't do all the things myself (like the recent minimised javascript issue), this didn't happen before the freeze process began - so it looks like we will be seeing 3.3.x in some form for up to another 3.5 years from now.

This is why I made a big push to get the new web code into the 3.3 releases though: so at least it will be there in some form for Debian users to admire (and hopefully update).