I think COUCHDB-1413 wouldn't hurt to have for 1.2.0; after all, it's about correct query results. 1.2.1 is also acceptable. If no objections, I'll push the fix to 1.2.x as well.

On Tue, Feb 21, 2012 at 6:32 PM, Jason Smith <[email protected]> wrote:
> My reading of the JIRA ticket (FWIW) is that Paul explained pretty
> convincingly why this is only a minor bug if at all. For this release,
> Paul had a simple fix; although I do not see it in 1.2.x nor JIRA and
> don't recall offhand what it was exactly.
>
> On Tue, Feb 21, 2012 at 10:50 PM, Robert Newson <[email protected]> wrote:
>> heh, actually I don't think we did.
>>
>> On 21 February 2012 22:41, Paul Davis <[email protected]> wrote:
>>> Did we fix the original JSON thing that started this whole brouhaha?
>>>
>>> On Tue, Feb 21, 2012 at 3:57 PM, Noah Slater <[email protected]> wrote:
>>>> Thanks.
>>>>
>>>> On Tue, Feb 21, 2012 at 9:46 PM, Jan Lehnardt <[email protected]> wrote:
>>>>
>>>>> On 21.02.2012, at 22:38, Robert Newson <[email protected]> wrote:
>>>>>
>>>>> > I resolved the ipv6 ticket as 'cannot reproduce' given that two
>>>>> > committers have verified ipv6 replication with 1.2.x. Time for round
>>>>> > 2?
>>>>>
>>>>> +1
>>>>>
>>>>> >
>>>>> > On 21 February 2012 21:11, Noah Slater <[email protected]> wrote:
>>>>> >> Are we blocked on anything else? Are we good to go?
>>>>> >>
>>>>> >> On Tue, Feb 21, 2012 at 7:21 PM, Jan Lehnardt <[email protected]> wrote:
>>>>> >>
>>>>> >>> Thanks guys, committed.
>>>>> >>>
>>>>> >>> Noah, 1.2.0 is unblocked on this one.
>>>>> >>>
>>>>> >>> On Feb 21, 2012, at 20:13 , Paul Davis wrote:
>>>>> >>>
>>>>> >>>> +1 on the patch to require admin for _changes.
>>>>> >>>>
>>>>> >>>> On Tue, Feb 21, 2012 at 3:36 AM, Jan Lehnardt <[email protected]> wrote:
>>>>> >>>>> *nudge*
>>>>> >>>>>
>>>>> >>>>> I don't feel very confident with a single opinion (thanks Robert),
>>>>> >>>>> and would love your input on this one.
>>>>> >>>>>
>>>>> >>>>> Cheers
>>>>> >>>>> Jan
>>>>> >>>>> --
>>>>> >>>>>
>>>>> >>>>> On Feb 16, 2012, at 16:12 , Jan Lehnardt wrote:
>>>>> >>>>>
>>>>> >>>>>> On Feb 14, 2012, at 13:14 , Noah Slater wrote:
>>>>> >>>>>>
>>>>> >>>>>>> Devs,
>>>>> >>>>>>>
>>>>> >>>>>>> Please outline:
>>>>> >>>>>>>
>>>>> >>>>>>> - What remains to be fixed for regression purposes
>>>>> >>>>>>
>>>>> >>>>>> I want to bring up one more thing (sorry :).
>>>>> >>>>>>
>>>>> >>>>>> /_users/_changes is currently end-user readable. While
>>>>> >>>>>> /_users/_changes?include_docs=true will not fetch docs the
>>>>> >>>>>> requesting user doesn't have access to, it still gets all doc
>>>>> >>>>>> ids in the /_users db and thus easily can generate a list of
>>>>> >>>>>> all users.
>>>>> >>>>>>
>>>>> >>>>>> I'd like to propose to make /_user/_changes also admin-only
>>>>> >>>>>> before we ship 1.2.0. Again, I'm happy to revisit and make
>>>>> >>>>>> things configurable down the road.
>>>>> >>>>>>
>>>>> >>>>>> Note that the information that a particular user is registered
>>>>> >>>>>> is leaked (a user can't sign up with a username that is already
>>>>> >>>>>> taken, from that it can be deduced that that particular username
>>>>> >>>>>> is already registered). This is in line with most signup
>>>>> >>>>>> systems. Making /_users/_changes admin-only doesn't prevent all
>>>>> >>>>>> leakage of what users have signed up, but it stops bulk-leakage
>>>>> >>>>>> of *all* users in one swoop.
>>>>> >>>>>>
>>>>> >>>>>> What do you think?
>>>>> >>>>>>
>>>>> >>>>>> Cheers
>>>>> >>>>>> Jan
>>>>> >>>>>> --
>>>>> >>>>>>
>>>>> >>>>>
>>>>> >>>
>>>>> >
>
> --
> Iris Couch

--
Filipe David Manana,

"Reasonable men adapt themselves to the world.
 Unreasonable men adapt the world to themselves.
 That's why all progress depends on unreasonable men."
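
Added example, not part of the thread and not CouchDB code: a simplified Python model of the /_users/_changes behaviour Jan describes in the quoted message, showing that per-document read checks still leave every doc id in the feed and that an admin-only gate stops the bulk listing. The user names, the `admin_only` flag and the use of None for a withheld doc body are assumptions of the model.

```python
# Simplified model of the behaviour discussed in the thread (not CouchDB code).
USER_PREFIX = "org.couchdb.user:"

# Constructed sample contents of a _users database.
USERS_DB = {
    USER_PREFIX + "alice": {"name": "alice", "roles": []},
    USER_PREFIX + "bob": {"name": "bob", "roles": []},
    USER_PREFIX + "carol": {"name": "carol", "roles": ["staff"]},
}


class Forbidden(Exception):
    """Raised when the caller may not read the feed at all."""


def is_admin(ctx):
    return "_admin" in ctx["roles"]


def can_read_doc(ctx, doc_id):
    # Per-document rule: admins read everything, users only their own doc.
    return is_admin(ctx) or doc_id == USER_PREFIX + ctx["name"]


def changes(db, ctx, include_docs=False, admin_only=False):
    """Return feed rows; admin_only models the gate proposed in the thread."""
    if admin_only and not is_admin(ctx):
        raise Forbidden("_changes on _users requires admin")
    rows = []
    for seq, doc_id in enumerate(sorted(db), start=1):
        row = {"seq": seq, "id": doc_id}  # the id is emitted unconditionally
        if include_docs:
            # Assumption: a withheld body is modelled as None.
            row["doc"] = db[doc_id] if can_read_doc(ctx, doc_id) else None
        rows.append(row)
    return rows


def other_user_ids(db, ctx, admin_only=False):
    """Ids of other users' docs that ctx learns from the feed."""
    try:
        rows = changes(db, ctx, include_docs=True, admin_only=admin_only)
    except Forbidden:
        return []
    return [r["id"] for r in rows if r["id"] != USER_PREFIX + ctx["name"]]
```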
