On 31/03/2014 08:14, Thomas Goirand wrote:
> I don't think waiting again and again for a potential version 3.3 to
> maybe fix the issue in probably some months, is the way to go.

We are expecting to release 3.3.0 either this week or next, for what it's worth. Our fix to this issue has been available in our nightly builds for a while.

> This bug
> has been opened on the 24th of October, we're now the 31st of March.
> That's been already 5 months. And I've warned you about this issue months
> before reporting this publicly. That's half a year with a severe public
> access hole in your package. To me it doesn't look like you are taking
> this problem seriously enough.

I'm sorry you feel that.

We are concerned about security. If this were unambiguously a bug (i.e. with no negative consequences for fixing it) then it would have been fixed in a point release long ago.

But while this is a security issue, it's also the expected behaviour; many of our users will expect to be able to connect remotely. We wanted to come up with a solution that was well documented, gave clear error messages and was as unsurprising as possible to our users.

> In my change, if there's no /etc/rabbitmq/rabbitmq-env.conf *AND* if the
> package isn't upgrading (eg: this is the first install), then the
> postinst script will add RABBITMQ_NODE_IP_ADDRESS=127.0.0.1 in that
> file.

I would prefer it if you didn't do this; there's no documentation of it and the behaviour introduced is different from the one we will be releasing in 3.3.0.

> Attached to this message, you will find a debdiff of my changes. If you
> find it not good enough, you have 2 days to react (as I uploaded to the
> DELAYED/2-day queue), and I can either cancel the upload during this
> period, or sponsor anything better that you may provide. Note that I'd
> be very happy to help in any way possible.

I can't guarantee that we will upload something else in two days though.

Cheers, Simon
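
The postinst behaviour described in the quoted message above, sketched as an added example; it is not the debdiff attached to the original mail, which is not reproduced on this page. It assumes the Debian maintainer-script convention that postinst is invoked as `configure <previously-configured-version>` with an empty second argument on a first install; the function name and the overridable `ENV_CONF` variable are hypothetical.

```shell
#!/bin/sh
# Added example, not the package's own script.
# ENV_CONF and the function name are hypothetical; the path and the
# variable written to it are the ones named in the thread.
ENV_CONF="${ENV_CONF:-/etc/rabbitmq/rabbitmq-env.conf}"

# bind_loopback_on_fresh_install ACTION [PREVIOUS_VERSION]
# Writes the loopback binding and returns 0 only when this is a first
# install AND no env file exists yet; returns 1 (and writes nothing)
# in every other case.
bind_loopback_on_fresh_install() {
    action="$1"
    previous_version="${2:-}"

    # Only act during the configure step of the install.
    [ "$action" = "configure" ] || return 1

    # A non-empty previous version means an upgrade (or a reinstall of a
    # removed-but-not-purged package): leave existing behaviour alone so
    # brokers that are reached remotely keep working.
    [ -z "$previous_version" ] || return 1

    # An existing file means the administrator or a configuration
    # management tool has already made a choice; never overwrite it.
    [ ! -e "$ENV_CONF" ] || return 1

    mkdir -p "$(dirname "$ENV_CONF")"
    printf '%s\n' 'RABBITMQ_NODE_IP_ADDRESS=127.0.0.1' > "$ENV_CONF"
    return 0
}

# In a maintainer script this would be called with the script's own
# arguments, ignoring the "nothing to do" status:
#   bind_loopback_on_fresh_install "$@" || true
```

Because upgrades are skipped, hosts installed before such a change keep listening on all interfaces until an administrator sets the variable themselves.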

