Re: [iot-pmc] Please review project release and vote (was: Re: Eclipse Kura v3.0.0 Release)

Hi Kai,

We are not introducing API breaking changes in this release. We are using the major release version to indicate a major update in features (move to Java 8, new web UI, Kura Wires, etc.). This is the same approach we took when moving from Kura v1 to v2.

Thanks,
--Dave


On Apr 24, 2017, at 11:56, Kai Kreuzer <kai@xxxxxxxxxxx> wrote:

Hi,

Sorry for not responding earlier.

I might have missed something, but are we ok now to have no "security issues" section in the review information?
I have found the link about how to report security issues on the contribution page of the Kura website, so this part is imho fine.

@David: As it is a major (and thus API breaking) release, is there any information on the API compatibility? I.e. which parts of their code must consumers address to be able to upgrade to 3.0.0?

Regards,
Kai

On 24 Apr 2017, at 17:31, Jens Reimann <jreimann@xxxxxxxxxx> wrote:

Hi PMC,

maybe making the subject a bit "call-for-action"-ish helps.

please have a look at the Kura release and vote.

As I am involved in the project I will abstain.

Thanks

Jens

On Thu, Apr 20, 2017 at 4:57 PM, Woodard, David <david.woodard@xxxxxxxxxxxx> wrote:
Hello,

The review team is waiting for a vote on the release [1]. Can we start the voting please?


Thanks,
--Dave

On Apr 19, 2017, at 02:35, Jens Reimann <jreimann@xxxxxxxxxx> wrote:

Hi David,

good to hear that.

I guess we can start voting.

Jens



On Tue, Apr 18, 2017 at 4:46 PM, Woodard, David <david.woodard@xxxxxxxxxxxx> wrote:
Hi Jens,

No worries. I probably shouldn’t read emails before I’ve had my morning coffee ;)

So, we are okay for now with the security topic? I certainly want to follow the guidelines, as this is an important topic. 

I understand the GPL topic is important. We should be able to get this addressed within the next week. I will update the referenced GitHub Issue once we have new information. This issue will be corrected before we make the 3.0.0 release.

Thanks,
--Dave

On Apr 18, 2017, at 09:41, Jens Reimann <jreimann@xxxxxxxxxx> wrote:

Hello David,

If that formulation sounded disrespectful I apologize. It honestly wasn't meant that way!

Having a brief look at the homepage, clicking through a few links didn't bring up this page with the link to the policy for me. So I think that link should be a bit more prominent, e.g. in the footer or maybe the "community" sub-menu. Finding it right now is rather hard.

We had a public discussion over the last weeks which ended up in the initial version of the document [1]. The PMI already has a field for providing information about fixed security issues or, if there were none, then this field should be filled with a short statement that there were no known issues at this point. It also handles the case on how to provide information without disclosing the actual issue, allowing for a controlled disclosure. I know that this step, of filling out the field, is new. It should ensure that this field is not simply forgotten, but filled in one way or the other intentionally. Tracking security vulnerabilities should still happen in the Eclipse Bugzilla as the Eclipse Security Policy states.

I consider the GPL issue rather important, as this issue (not the GitHub issue entry, but the issue itself) has now been open since before Kura 2.1. And effectively it is not possible to re-compile Kura in the way it is distributed right now. But I guess it shouldn't be a big issue providing the sources in a reproducible way.

I hope this explains a bit what I meant.

Jens

On Tue, Apr 18, 2017 at 2:41 PM, Woodard, David <david.woodard@xxxxxxxxxxxx> wrote:
Hi Jens,

Thanks for the input. Please see below.

* There is no statement about fixed security related issues in the release review information.
See Below.

* The link to the Eclipse security policy is missing
Is the link on this [1] page not sufficient?

* Which raises the question if you have reviewed the Eclipse Security Policy
I believe it is more respectful to turn your statement/accusation into the question: “Have you reviewed the Eclipse Security Policy”? Which would give me the opportunity to respond accordingly. Yes, I have read the security policy, and, to my knowledge, we are adhering to the policy. The reported vulnerability bugs have been addressed. The next step would be to make the bugs public and disclose to the community. I am working on this last part. There are several industrial solutions based on Kura, so we need to be sensitive about how we word such messaging. This messaging will be ready before we make the official release. I didn’t see anything in the policy that stated vulnerabilities must be discussed in the release review information. In fact, I would argue this is the wrong place to track vulnerabilities as we now have a separate system in place.

* The source code for a modified GPL module is still missing [2]
The linked issue is marked with the KURA-3.0.0 tag. All such tagged items will be addressed before the release. Apologies if that wasn’t clear, I believe I usually include that link in the PMC request.


Thanks,
--Dave


On Apr 18, 2017, at 02:55, Jens Reimann <jreimann@xxxxxxxxxx> wrote:

Hi David,

from a quick look there are a few points still missing for me:

* There is no statement about fixed security related issues in the release review information.
* The link to the Eclipse security policy is missing
  * Which raises the question if you have reviewed the Eclipse Security Policy [1]
* The source code for a modified GPL module is still missing [2]

I know the security related points are partly new, but the issue about the missing GPL source code is quite a few releases old now and I think it should be fixed before making another Kura release.

On Mon, Apr 17, 2017 at 5:40 PM, Woodard, David <david.woodard@xxxxxxxxxxxx> wrote:
Hello,

We are in the process of releasing Eclipse Kura v3.0.0. Information on the release can be found here [1]. The IP log for the release has been approved here [2]. The review and release is being tracked with this bug [3]. Please let me know if you have any questions.


Thanks,
David Woodard
Eclipse Kura Project Lead

_______________________________________________
iot-pmc mailing list
iot-pmc@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/iot-pmc




--
Jens Reimann
Senior Software Engineer / EMEA ENG Middleware
Werner-von-Siemens-Ring 14
85630 Grasbrunn
Germany
phone: +49 89 2050 71286
_____________________________________________________________________________

Red Hat GmbH, www.de.redhat.com,
Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill