Re: [iot-pmc] Eclipse Kura v3.0.0 Release

Hi Jens,

Thanks for the input. Please see below.

* There is no statement about fixed security-related issues in the release review information.
See below.

* The link to the Eclipse security policy is missing
Is the link on this [1] page not sufficient?

* Which raises the question if you have reviewed the Eclipse Security Policy
I believe it is more respectful to turn your statement/accusation into the question “Have you reviewed the Eclipse Security Policy?”, which would give me the opportunity to respond accordingly. Yes, I have read the security policy, and, to my knowledge, we are adhering to the policy. The reported vulnerability bugs have been addressed. The next step would be to make the bugs public and disclose to the community. I am working on this last part. There are several industrial solutions based on Kura, so we need to be sensitive about how we word such messaging. This messaging will be ready before we make the official release. I didn’t see anything in the policy that stated vulnerabilities must be discussed in the release review information. In fact, I would argue this is the wrong place to track vulnerabilities, as we now have a separate system in place.

* The source code for a modified GPL module is still missing [2]
The linked issue is marked with the KURA-3.0.0 tag. All such tagged items will be addressed before the release. Apologies if that wasn’t clear; I believe I usually include that link in the PMC request.


Thanks,
--Dave


On Apr 18, 2017, at 02:55, Jens Reimann <jreimann@xxxxxxxxxx> wrote:

Hi David,

from a quick look there are a few points still missing for me:

* There is no statement about fixed security-related issues in the release review information.
* The link to the Eclipse security policy is missing
  * Which raises the question if you have reviewed the Eclipse Security Policy [1]
* The source code for a modified GPL module is still missing [2]

I know the security related points are partly new, but the issue about the missing GPL source code is quite a few releases old now and I think it should be fixed before making another Kura release.

On Mon, Apr 17, 2017 at 5:40 PM, Woodard, David <david.woodard@xxxxxxxxxxxx> wrote:
Hello,

We are in the process of releasing Eclipse Kura v3.0.0. Information on the release can be found here [1]. The IP log for the release has been approved here [2]. The review and release is being tracked with this bug [3]. Please let me know if you have any questions.


Thanks,
David Woodard
Eclipse Kura Project Lead

_______________________________________________
iot-pmc mailing list
iot-pmc@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/iot-pmc
--
Jens Reimann
Senior Software Engineer / EMEA ENG Middleware
Werner-von-Siemens-Ring 14
85630 Grasbrunn
Germany
phone: +49 89 2050 71286
_____________________________________________________________________________

Red Hat GmbH, www.de.redhat.com,
Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill