It's been >72h since the vote was initiated and the result is:
+1 6 (5 binding)
0 0
-1 0
This vote has PASSED
I failed to convince the PMC about the severity of the exploits that I was
hoping to address in the blocker issues. I don't have time nor patience to
pursue those blockers any more. I withdraw my vote (-1) on this release.
On Mon, 1 May 2023 at 02:42, Jan Høydahl wrote:
> > Without polluting
> Without polluting this thread, I'll just say that this assertion is wrong.
> If you can demonstrate how someone with full API access, but no write
> access to disk or ZK, can execute any user code, I'll stand corrected.
Hi Noble/Ishan. I regret using the phrasing "arbitrary plugin code upload"
> it is by design to allow full access, even arbitrary plugin code upload,
by users with config-edit permission and in unprotected Solr instances.
Without polluting this thread, I'll just say that this assertion is wrong.
If you can demonstrate how someone with full API access, but no write
On Sun, Apr 30, 2023, 10:09 AM Jan Høydahl wrote:
> I maintain my +1 vote, as it is by design to allow full access, even
> arbitrary plugin code upload, by
There is no such "design" as you say Jan. Show me a single feature that can
upload and run code without file system or direct zk access
I maintain my +1 vote, as it is by design to allow full access, even arbitrary
plugin code upload, by users with config-edit permission and in unprotected
Solr instances.
I do support discussing new defaults to some of these setting, but that can
happen in the open for a future release, no rush
I'm going to proceed with this release as is, we can follow up with an
additional release as needed. Voting will close 2023-04-30 at 15:00 UTC.
On Sat, Apr 29, 2023 at 10:37 AM Ishan Chattopadhyaya <
ichattopadhy...@gmail.com> wrote:
> https://issues.apache.org/jira/browse/SOLR-16777 is fixed.
https://issues.apache.org/jira/browse/SOLR-16777 is fixed. I've added it to
the release branch.
The other one will require me some more time, maybe another day.
Justin, I believe a re-spin is warranted to accommodate this, but I leave
it to your judgement.
On Sat, 29 Apr 2023 at 12:07, Ishan
In my opinion, these two are blockers.
https://issues.apache.org/jira/browse/SOLR-16776
https://issues.apache.org/jira/browse/SOLR-16777
In case we decide not to respin to accommodate these, these should be
carried over to a 9.2.2 release.
On Sat, 29 Apr, 2023, 7:54 am Ishan Chattopadhyaya, <
(FYI, -1 on a release is not a veto. Just a simple vote.)
On Sat, 29 Apr, 2023, 6:53 am Ishan Chattopadhyaya, <
ichattopadhy...@gmail.com> wrote:
> Sure, carry on with this release.
>
> I vote -1 on this release, and I'll prepare for a follow on release after
> this one is done.
>
> On Sat, 29
Sure, carry on with this release.
I vote -1 on this release, and I'll prepare for a follow on release after
this one is done.
On Sat, 29 Apr, 2023, 2:45 am David Smiley, wrote:
> I'm going to challenge Ishan and say that there is no change coming that
> warrants halting a bugfix/patch release,
I'm going to challenge Ishan and say that there is no change coming that
warrants halting a bugfix/patch release, as the proposed change that Ishan
speaks of is an "improvement" that helps security and is not a
bug/vulnerability being fixed. It would also bring a backwards
compatibility change.
It sounds like the general consensus from the thread regarding the issue
was that while some changes to make that less risky are worthwhile, they
are not blockers for the release. Did that change?
I just hate to hold up the release any longer unless we have a truly
blocking issue since there are
Hi Justin,
I am testing a patch for a security issue discussed privately within the
PMC group. Can you please give me another 24 hours to have it fixed? If
not, then I'll be pushing for a 9.2.2 release later, once that is resolved.
Thank you for your understanding.
Regards,
Ishan
On Fri, 28 Apr
+1 (binding)
SUCCESS! [0:33:17.833968]
On Fri, Apr 28, 2023 at 9:34 AM Arrieta, Alejandro <
aarri...@perrinsoftware.com> wrote:
> +1
> SUCCESS! [0:29:31.135392]
>
> And run Solr operator tests successfully following instructions:
> Local end-to-end cluster test successfully run!
>
> ubuntu
+1
SUCCESS! [0:29:31.135392]
And run Solr operator tests successfully following instructions:
Local end-to-end cluster test successfully run!
ubuntu 23.04 amd64 temurin-openjdk11 on virtualbox 7.
Kind Regards,
Alejandro Arrieta
On Thu, Apr 27, 2023 at 4:23 PM Joel Bernstein wrote:
> +1
+1 (binding)
SUCCESS! [0:43:48.160659]
I tested out the assets as well and looked fine.
Joel Bernstein
http://joelsolr.blogspot.com/
On Thu, Apr 27, 2023 at 1:23 PM Jan Høydahl wrote:
> +1 (binding)
>
> SUCCESS! [0:38:44.920838]
>
> Jan
>
> > 27. apr. 2023 kl. 16:12 skrev Justin Sweeney
+1 (binding)
SUCCESS! [0:38:44.920838]
Jan
> 27. apr. 2023 kl. 16:12 skrev Justin Sweeney :
>
> Hi all, we are back on for the vote:
>
> Please vote for release candidate 1 for Solr 9.2.1
>
> The artifacts can be downloaded from:
>
+1 (binding)
SUCCESS! [0:29:48.563934]
Kevin Risden
On Thu, Apr 27, 2023 at 12:41 PM Houston Putman wrote:
> +1 (binding)
>
> SUCCESS! [0:36:33.732480]
>
> Also ran the Solr Operator integration tests with the RC image (generated
> using the instructions above):
>
> (From the Solr Operator
+1 (binding)
SUCCESS! [0:36:33.732480]
Also ran the Solr Operator integration tests with the RC image (generated
using the instructions above):
(From the Solr Operator repository)
$ make e2e-tests SOLR_IMAGE=solr-rc:9.2.1-1
...
Local end-to-end cluster test successfully
Hi all, we are back on for the vote:
Please vote for release candidate 1 for Solr 9.2.1
The artifacts can be downloaded from:
https://dist.apache.org/repos/dist/dev/solr/solr-9.2.1-RC1-rev-a4c64ab6a2a270ca69c28c706dabb2927ed8a7c2
You can run the smoke tester directly with this command:
python3
Yup, let's wait in that case. I didn't realize it would fail since I had
temporarily added my key locally to be able to execute the additional
steps. This results in the smoketester passing for me. I'll resend a vote
once I'm able to push my key.
On Mon, Apr 24, 2023 at 12:32 PM Houston Putman
Hey Justin,
Should we wait to run this until after your GPG key is in
https://downloads.apache.org/solr/KEYS?
The smoketester fails for me because it can't find your key.
- Houston
On Mon, Apr 24, 2023 at 12:20 PM Justin Sweeney
wrote:
> Please vote for release candidate 1 for Solr 9.2.1
>
>
Please vote for release candidate 1 for Solr 9.2.1
The artifacts can be downloaded from:
https://dist.apache.org/repos/dist/dev/solr/solr-9.2.1-RC1-rev-a4c64ab6a2a270ca69c28c706dabb2927ed8a7c2
You can run the smoke tester directly with this command:
python3 -u
24 matches
Mail list logo
