This week, we had discussions about the release cycle and whether a six-month cycle may be more appropriate. Work continued on the 4.1.0 release, and Apache CloudStack 4.0.2 was released.
Several major discussions this week, summarized below. Note that this is only a fraction of the activity in the project. For a full overview of project activity, you may want to subscribe to dev@cloudstack.apache.org.
Animesh Chaturvedi started a new thread for a discussion that cropped up in the timeline thread about the four-month vs. six-month release cycle ideas. After much discussion, Animesh summed up the thread, saying:
I still see there is a difference of opinion and not a clear consensus, with 12 out of 21 (approx. 60%) preferring 6 months. But going by the argument of not having given a proper shot to the 4-month cycle, I will say we can keep 4.2 as a 4-month cycle and pull in all effort to make it successful. If it turns out that we can work with a 4-month schedule, that's well and good; otherwise we can bring this topic up again based on the results of running the 4-month cycle.
After clearing out a number of last-minute blockers, it looks like 4.1.0 may be just about ready to roll. Chip Childers posted on Friday that he was waiting on confirmation on CLOUDSTACK-528 and CLOUDSTACK-2194 being fixed. If those are fixed, Chip says he will "proceed with starting the VOTE thread" Monday morning, Eastern time.
Joe Brockmeier announced the 4.0.2 release on 24 April, along with fixes for two security vulnerabilities.
John Kinsella sent out an announcement detailing two security vulnerabilities on 24 April:
Description:

The CloudStack PMC was notified of two issues found in Apache CloudStack:

1) An attacker with knowledge of CloudStack source code could gain unauthorized access to the console of another tenant's VM.

2) Insecure hash values may lead to information disclosure. URLs generated by Apache CloudStack to provide console access to virtual machines contained a hash of a predictable sequence, the hash of which was generated with a weak algorithm. While not easy to leverage, this may allow a malicious user to gain unauthorized console access.

Mitigation:

Updating to Apache CloudStack versions 4.0.2 or higher will mitigate these vulnerabilities.

Credit:

These issues were identified by Wolfram Schlich and Mathijs Schmittmann and reported to the Citrix security team, who in turn notified the Apache CloudStack PMC.
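The second issue in the advisory is a general pattern worth seeing side by side: a URL token that is an unkeyed, weak hash of a predictable value can be recomputed by anyone who knows the scheme, whereas a keyed MAC over an unpredictable, expiring input cannot. The following is an added illustration written for this newsletter, not CloudStack's console-proxy code; the MD5-of-a-counter token, the query-parameter layout and the console.example endpoint are assumptions made for the demo and do not describe how CloudStack actually built its URLs.

```python
"""Weak console-URL token vs. a keyed, expiring one. Added example, not
CloudStack code; the token shapes below are assumptions for illustration."""
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

# --- Weak pattern (assumed shape): token = MD5(per-session counter) ---

def weak_token(sequence: int) -> str:
    """Token derived only from a predictable counter with an unkeyed, weak hash."""
    return hashlib.md5(str(sequence).encode()).hexdigest()


def attacker_guess_weak(target_token: str, max_sequence: int = 100_000) -> Optional[int]:
    """Recover the counter behind a weak token by walking the predictable input
    space. No secret is needed: the attacker simply recomputes the same hash."""
    for seq in range(max_sequence):
        if hmac.compare_digest(weak_token(seq), target_token):
            return seq
    return None


# --- Hardened pattern: HMAC-SHA256 over VM id, expiry and a random nonce ---

SERVER_SECRET = secrets.token_bytes(32)   # demo only; a real service persists and rotates it
CONSOLE_BASE = "https://console.example/vnc"  # hypothetical endpoint


def _mac(secret: bytes, vm_id: str, expires: int, nonce: str) -> str:
    msg = f"{vm_id}|{expires}|{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_console_url(vm_id: str, ttl_seconds: int = 60,
                      secret: bytes = SERVER_SECRET, now: Optional[int] = None) -> str:
    """Mint a short-lived console URL. The nonce makes the signed input
    unpredictable; the server-side key means the signature cannot be
    recomputed from the URL alone."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    nonce = secrets.token_hex(16)
    sig = _mac(secret, vm_id, expires, nonce)
    return f"{CONSOLE_BASE}?vm={vm_id}&exp={expires}&n={nonce}&sig={sig}"


def verify_console_url(url: str, secret: bytes = SERVER_SECRET,
                       now: Optional[int] = None) -> bool:
    """Accept the URL only if it is unexpired and the signature covers every
    authenticated field, so changing vm, exp or n invalidates sig."""
    q = parse_qs(urlparse(url).query)
    try:
        vm_id, expires, nonce, sig = q["vm"][0], int(q["exp"][0]), q["n"][0], q["sig"][0]
    except (KeyError, ValueError):
        return False
    now = int(time.time()) if now is None else now
    if now >= expires:
        return False
    return hmac.compare_digest(_mac(secret, vm_id, expires, nonce), sig)


def tamper(url: str, field: str, new_value: str) -> str:
    """Attacker helper: swap one query parameter and keep the old signature."""
    q = parse_qs(urlparse(url).query)
    q[field] = [new_value]
    query = "&".join(f"{k}={v[0]}" for k, v in q.items())
    return f"{CONSOLE_BASE}?{query}"


if __name__ == "__main__":
    # Weak scheme: the counter is recovered and neighbouring tokens can be minted.
    print("guessed counter:", attacker_guess_weak(weak_token(4242)))
    # Hardened scheme: the valid URL passes; retargeting it to another VM fails.
    url = issue_console_url("vm-tenant-a", now=1_000)
    print("valid:", verify_console_url(url, now=1_010))
    print("retargeted:", verify_console_url(tamper(url, "vm", "vm-tenant-b"), now=1_010))
    print("expired:", verify_console_url(url, now=2_000))
```

The two properties that matter are independent: the key stops an outsider from recomputing the signature even if every other field is known, and the nonce plus expiry stop a captured URL from being replayed or extended. Swapping MD5 for SHA-256 on its own would not have helped the weak scheme, since the input is still enumerable.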
Prasanna Santhanam raised a discussion about adding the ability to send user data as POST to commands.
I'm guessing we'll have to put in additional annotations on our APIs that support POST so that API discovery can print the methods supported (GET/POST). Right now it's only the deployVMCmd (AFAIK). But I expect this will need to be done for others soon.

I've included POST support for every command in marvin, but that's just brute-force. To make it more intelligent I think we should apply it to only APIs that make sense as POST (causing side-effects). But that needs to be exposed by the API endpoint.
A discussion was brought up on dev@ this weekend about enabling notifications for pull requests made via GitHub. David Nalley remarked that in his opinion, "there really isn't an option - if we are going to have a GitHub mirror, we also need to be able to deal with the pull requests there. Ignoring folks that submit pull requests is inappropriate."
Chip questioned the need for a GitHub mirror at all. "Not sure the value, when you consider the confusion it causes WRT the canonical source repo."
Checking in on the upcoming 4.2.0 release, we have added a few bugs over the past week:
Want to keep reading the CloudStack Weekly News? Many hands make light work, but having only one editor means getting the weekly news out every week is a "best effort" activity. A healthy community publication needs several contributors to ensure weekly issues go out on time.
If you have an event, discussion, or other item to contribute to the Weekly News, you can add it directly to the wiki by editing the issue you want your item to appear in. (The next week's issue is created before the current issue is published - so at any time there should be at least one issue ready to edit.)
Alternatively, you can send a note to the marketing@cloudstack.apache.org mailing list with a subject including NEWS: description of topic or email the newsletter editor directly (jzb at apache.org), again with the subject NEWS: description of topic. Please include a link to the discussion in the mailing list archive or Web page with details of the event, etc.