Adding some discussions I had with @jan...@apache.org <jan...@apache.org> over slack:
"Your client should be aware that they are vulnerable to a bunch of CVEs if they stay on 9.1. See https://solr.apache.org/security.html#cve-2023-50292-apache-solr-schema-designer-blindly-trusts-all-configsets-possibly-leading-to-rce-by-unauthenticated-users"

"We may not be allowed to release a 9.1.2 with known vulnerabilities."

"There are dozens of 3rd party dep upgrades since 9.1 as well that should probably be upgraded before such a release, mounting up to a ton of extra work and added risk for very little gain, given that a 9.6 upgrade is likely to be a drop-in upgrade."

And given that 9.6 is under release, I have a strong feeling I should try to convince the client to go with it, rather than a 9.1.2.

In the meantime, while additional discussion happens here, I'll talk with the sponsor, strongly advising that a 9.6 upgrade makes more sense now. I'll keep this thread updated in case we don't need 9.1.2 anymore.

--------------------------
*Alessandro Benedetti*
Director @ Sease Ltd.
*Apache Lucene/Solr Committer*
*Apache Solr PMC Member*

e-mail: a.benede...@sease.io

*Sease* - Information Retrieval Applied
Consulting | Training | Open Source

Website: Sease.io <http://sease.io/>
LinkedIn <https://linkedin.com/company/sease-ltd> | Twitter <https://twitter.com/seaseltd> | Youtube <https://www.youtube.com/channel/UCDx86ZKLYNpI3gzMercM7BQ> | Github <https://github.com/seaseltd>

On Mon, 22 Apr 2024 at 12:07, Alessandro Benedetti <a.benede...@sease.io> wrote:

> Hi all,
> I managed to secure a sponsorship to work on a bug that impacted the Learning To Rank module (re-scoring was ignoring query limits and time allowed, causing outages and crashes).
> The contribution has been merged already in 10, 9.x and 9.1: https://issues.apache.org/jira/browse/SOLR-17018
> I take the occasion to thank everyone involved.
>
> As agreed with the client as a sponsoring condition, the bugfix is expected to come in a 9.1.2 release.
> I anticipated this via Slack roughly 3 months ago when negotiating the sponsorship.
> So, first of all, I would like to discuss if doing a 9.1.2 just including this additional bugfix is still ok. I'm happy to volunteer as Release Manager; it will be my first time, so I may have questions.
> It's an inactive branch, so as soon as the discussion is finished I'll cut the branch.
>
> In the meantime, I am looking around for the steps to do for a release and I found the release wizard Python script, which should be a decent entry point; feel free to point me in any other direction if it's a better start.
>
> Cheers