Adding some discussions I had with @jan...@apache.org <jan...@apache.org> over
slack:

"Your client should be aware that they are vulnerable to a bunch of CVEs if
they stay on 9.1. See
https://solr.apache.org/security.html#cve-2023-50292-apache-solr-schema-designer-blindly-trusts-all-configsets-possibly-leading-to-rce-by-unauthenticated-users
"

"We may not be allowed to release a 9.1.2 with known vulnerabilities."

"There are dozens of 3rd party dep upgrades since 9.1 as well that should
probably be upgraded before such a release, mounting up to a ton of extra
work and added risk for very little gain, given that a 9.6 upgrade is
likely to be a drop-in upgrade."

And given that 9.6 is under release, I have a strong feeling I should try
to convince the client to go with it, rather than a 9.1.2.
In the meantime, while additional discussion happens here, I'll talk with the
sponsor, strongly advising that a 9.6 upgrade makes more sense now.

I'll keep this thread updated in case we don't need 9.1.2 anymore.

--------------------------
*Alessandro Benedetti*
Director @ Sease Ltd.
*Apache Lucene/Solr Committer*
*Apache Solr PMC Member*

e-mail: a.benede...@sease.io


*Sease* - Information Retrieval Applied
Consulting | Training | Open Source

Website: Sease.io <http://sease.io/>
LinkedIn <https://linkedin.com/company/sease-ltd> | Twitter
<https://twitter.com/seaseltd> | Youtube
<https://www.youtube.com/channel/UCDx86ZKLYNpI3gzMercM7BQ> | Github
<https://github.com/seaseltd>


On Mon, 22 Apr 2024 at 12:07, Alessandro Benedetti <a.benede...@sease.io>
wrote:

> Hi all,
> I managed to secure a sponsorship to work on a bug that impacted the
> Learning To Rank module (re-scoring was ignoring query limits and time
> allowed, causing outages and crashes).
> The contribution has been merged already in 10, 9.x and 9.1:
> https://issues.apache.org/jira/browse/SOLR-17018
> I take the occasion to thank everyone involved.
>
> As agreed with the client as a sponsoring condition, the bugfix is
> expected to come in a 9.1.2 release.
> I anticipated this via Slack roughly 3 months ago when negotiating the
> sponsorship.
> So, first of all, I would like to discuss whether doing a 9.1.2 just including
> this additional bugfix is still OK. I'm happy to volunteer as Release
> Manager; it will be my first time, so I may have questions.
> It's an inactive branch so as soon as the discussion is finished I'll cut
> the branch.
>
> In the meantime, I am looking around for the steps to do for a release, and
> I found the release wizard Python script, which should be a decent entry
> point; feel free to point me in any other direction if it's a better start.
>
> Cheers
