Hi Roman! In fact, that particular issue you're referring to was handled directly in JIRA [1] in order to address the reported CVE [2]. Now I see that, as one of the ticket reviewers, I should have initiated a broader discussion on @dev to avoid the point we came to today with the update notifier.
Speaking about the notifier in general, that's not a new piece of code. It was originally donated to Ignite at the time of incubation and we planned to make use of it for the whole community (for instance, knowing such metrics as JDK version we can not only see what the most popular Java version Ignite runs on is but also decide if there is a reason to support Java 7). However, due to a lack of resources and shifting priorities and interests inside of the community we haven't completed the upgrade process of the notifier and none of the data gathered by it is used for any purpose. So, now, the reasonable decision would be to disable the notifier completely and initiate a separate discussion on @dev going over its scope, functionality and future.

Thoughts?

[1] https://issues.apache.org/jira/browse/IGNITE-4537
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6805

> On Jun 5, 2017, at 6:27 PM, Roman Shaposhnik <r...@apache.org> wrote:
>
> Hi!
>
> there's a thread about an extremely questionable practice
> that Apache Ignite engages in. A practice that borderlines
> on unsolicited data collection (and as such may even be
> illegal in some jurisdictions without an explicit opt-in):
>
> https://mail-archives.apache.org/mod_mbox/www-legal-discuss/201706.mbox/%3CCAGJoAUn-hiE89mWObh1Lb2S_vgqQJ%3DDC%3D1P_V1REQ9hUERCFog%40mail.gmail.com%3E
>
> This thread, however, is not focused on the legality (IANAL) of
> the practice nor is it focused on security implications of it. I'd like
> to talk about an absolute lack of any accounting for an extremely
> disruptive functionality like this one.
>
> Because you see, when I asked myself a question "how the heck
> could something like this possibly end up in a project with
> virtually 0 discussion that I remember?" My next thought was -- well
> let me use Git and JIRA to get to the bottom of this. Quite to
> my surprise every single commit that touches the URL in question
> has virtually 0 accounting for why it is there. No JIRA IDs, no extended
> comments -- nothing.
>
> My understanding is that you guys pride yourselves on being an RTC project.
> Can someone please explain to me how all of these got reviewed:
> https://github.com/apache/ignite/commit/952be8b995050b34379006dd6e739da3fe3b49e3
> https://github.com/apache/ignite/commit/33ec73f901ca5dba441c6ca4e118d55165f3d25e
> https://github.com/apache/ignite/commit/551b3d1eab2a0b78d3f259f1bf24f1f6f3ff7b06
> https://github.com/apache/ignite/commit/c4030f926a7339cfcae14e19cec22d9d37cd94dd
> https://github.com/apache/ignite/commit/73c5e43c6c161aa18aa9e8ff2b09e582c7aedce4
>
> Thanks,
> Roman.