Lack of accounting for extremely disruptive functionality


Lack of accounting for extremely disruptive functionality

Roman Shaposhnik-2
Hi!

There's a thread about an extremely questionable practice
that Apache Ignite engages in. A practice that borders
on unsolicited data collection (and as such may even be
illegal in some jurisdictions without an explicit opt-in):
    https://mail-archives.apache.org/mod_mbox/www-legal-discuss/201706.mbox/%3CCAGJoAUn-hiE89mWObh1Lb2S_vgqQJ%3DDC%3D1P_V1REQ9hUERCFog%40mail.gmail.com%3E

This thread, however, is not focused on the legality (IANAL) of
the practice, nor is it focused on the security implications of it. I'd like
to talk about an absolute lack of any accounting for an extremely
disruptive functionality like this one.

Because you see, when I asked myself the question "how the heck
could something like this possibly end up in a project with
virtually 0 discussion that I remember?" my next thought was -- well,
let me use Git and JIRA to get to the bottom of this. Quite to
my surprise, every single commit that touches the URL in question
has virtually 0 accounting for why it is there. No JIRA IDs, no extended
comments -- nothing.

My understanding is that you guys pride yourselves on being an RTC project.
Can someone please explain to me how all of these got reviewed:
 https://github.com/apache/ignite/commit/952be8b995050b34379006dd6e739da3fe3b49e3
 https://github.com/apache/ignite/commit/33ec73f901ca5dba441c6ca4e118d55165f3d25e
 https://github.com/apache/ignite/commit/551b3d1eab2a0b78d3f259f1bf24f1f6f3ff7b06
 https://github.com/apache/ignite/commit/c4030f926a7339cfcae14e19cec22d9d37cd94dd
 https://github.com/apache/ignite/commit/73c5e43c6c161aa18aa9e8ff2b09e582c7aedce4

Thanks,
Roman.

Re: Lack of accounting for extremely disruptive functionality

dmagda
Hi Roman!

In fact, that particular issue you're referring to was handled directly in JIRA [1] in order to address the reported CVE [2]. Now I see that, as one of the ticket reviewers, I should have initiated a broader discussion on @dev to avoid the point we came to today with the update notifier.

Speaking about the notifier in general, that's not a new piece of code. It was originally donated to Ignite at the time of incubation and we planned to make use of it for the whole community (for instance, knowing such metrics as JDK version, we can not only see what's the most popular Java version Ignite runs on but also decide if there is a reason to support Java 7).

However, due to a lack of resources and shifting priorities and interests inside the community, we haven't completed the upgrade process of the notifier, and none of the data gathered by it is used for any purpose. So, now, the reasonable decision would be to disable the notifier completely and initiate a separate discussion on @dev going over its scope, functionality and future.

Thoughts?

[1] https://issues.apache.org/jira/browse/IGNITE-4537
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6805

> On Jun 5, 2017, at 6:27 PM, Roman Shaposhnik <[hidden email]> wrote: