Apache CloudStack Weekly News - 29 April 2013
This week, we had discussions about the release cycle and whether a six-month cycle may be more appropriate. Work continued on the 4.1.0 release, and Apache CloudStack 4.0.2 was released.
Major Discussions
Several major discussions this week, summarized below. Note that this is only a fraction of the activity in the project. For a full overview of project activity, you may want to subscribe to dev@cloudstack.apache.org.
Release Cycle: Four Months, or Six?
Animesh Chaturvedi started a new thread for a discussion that cropped up in the timeline thread about the four-month vs. six-month release cycle ideas. After much discussion, Animesh summed it up, saying:
I still see there is a difference of opinion and not a clear consensus with 12 out
of 21 (approx. 60%) preferring 6 months. But going by the argument of not
having given a proper shot to the 4 month cycle I will say we can keep 4.2 as a 4
month cycle and pull in all effort to make it successful. If it turns out that
we can work with a 4 month schedule that's well and good, otherwise we can bring
this topic up again based on the results of running the 4 month cycle.
4.1.0 Approaches
After clearing out a number of last-minute blockers, it looks like 4.1.0 may be just about ready to roll. Chip Childers posted on Friday that he was waiting on confirmation on CLOUDSTACK-528 and CLOUDSTACK-2194 being fixed. If those are fixed, Chip says he will "proceed with starting the VOTE thread" Monday morning, Eastern time.
Apache CloudStack 4.0.2 Released
Joe Brockmeier announced the 4.0.2 release on 24 April, along with fixes for two security vulnerabilities.
Security Vulnerabilities in CloudStack 4.0.x
John Kinsella sent out an announcement detailing two security vulnerabilities on 24 April:
Description:
The CloudStack PMC was notified of two issues found in Apache CloudStack:
1) An attacker with knowledge of CloudStack source code could gain
unauthorized access to the console of another tenant's VM.
2) Insecure hash values may lead to information disclosure. URLs
generated by Apache CloudStack to provide console access to virtual
machines contained a hash of a predictable sequence, the hash of
which was generated with a weak algorithm. While not easy to leverage,
this may allow a malicious user to gain unauthorized console access.
Mitigation:
Updating to Apache CloudStack versions 4.0.2 or higher will mitigate
these vulnerabilities.
Credit:
These issues were identified by Wolfram Schlich and Mathijs Schmittmann
to the Citrix security team, who in turn notified the Apache
CloudStack PMC.
Exposing APIs that carry POST data
Prasanna Santhanam raised a discussion about adding the ability to send user data as POST to commands.
I'm guessing we'll have to put in additional annotations on our APIs
that support POST so that API discovery can print the methods
supported (GET/POST). Right now it's only the deployVMCmd (AFAIK). But
I expect this will need to be done for others soon.
I've included POST support for every command in marvin but that's
just brute-force. To make it more intelligent I think we should apply
it to only apis that make sense as POST (causing side-effects). But
that needs to be exposed by the api endpoint.
Enabling GitHub Pull Request Notification
A discussion was brought up on dev@ this weekend about enabling notifications for pull requests made via GitHub. David Nalley remarked that in his opinion, "there really isn't an option - if we are going to have a GitHub mirror, we also need to be able to deal with the pull requests there. Ignoring folks that submit pull requests is inappropriate."
Chip questioned the need for a GitHub mirror at all. "Not sure the value, when you consider the confusion it causes WRT the canonical source repo."
CloudStack Planet - Posts from the CloudStack Community
- More Fun with the CloudStack API - Kirk Jantzer writes about playing with the CloudStack API and writing a tool "in an effort to make deployment of a mass amount of servers with as little effort as possible."
- Doing it Twice? Write it Down! - A post by Joe Brockmeier talking about the need for documenting crucial operations for maintaining projects.
- Thanks to the Apache CloudStack community! - Shane Curcuru writes about the Apache CloudStack graduation and its incubation. "The desire to get things 'right' at Apache was clear in everything the CloudStack community did, and the end result looks to be an incredibly strong project that’s quickly gathering developers from a wide variety of vendors and users. Part of this growth is about the great technology; but a lot is due to the helpful and welcoming face that the CloudStack committers put on their project."
- Release Verification Tool for CloudStack - Chip Childers writes about a "simple tool to use for CloudStack release voting verification." The tool is on GitHub, as a Python script that helps with verifying releases.
Upcoming Events
- Storage in Apache CloudStack being held by the CloudStack SF Bay Area Users Group on April 30, 2013 @ Citrix Conference Center, sign up on the Meetup.com Website.
- Build a Cloud Day CloudCon San Francisco being held at the South San Francisco Conference Center on 15 May.
- CloudStack Collaboration Conference 2013 is being held from 23 June to 25 June in Santa Clara, CA at the Santa Clara Convention Center. See the Call for Proposals if you're interested in speaking!
- Open Cloud Day in Zurich, June 11th. Sebastien Goasguen will talk about the Apache Cloud ecosystem.
- Bucharest JUG, May 30th. Sebastien Goasguen will talk about CloudStack and Big Data. Announcement yet to be posted.
- Linux Tag Berlin, May 22-25, Sebastien Goasguen will talk about CloudStack and Big Data. There will also be a CloudStack booth at the expo.
Jira
Checking in on the upcoming 4.2.0 release, we have added a few bugs over the past week:
- Last week we had 5 blocker bugs for 4.2.0. This week, we have 11 blocker bugs for 4.2.0.
- Last week we had 34 critical bugs for 4.2.0. This week, we have 40 critical bugs for 4.2.0.
- Last week we had 263 major bugs for 4.2.0. This week, we have 273 major bugs for 4.2.0.
- Last week we had 35 minor bugs for 4.2.0. This week, we have 37 minor bugs for 4.2.0.
New Committers and PMC Members
No new committers or PMC members announced this week.
Contributing to the Weekly News
Want to keep reading the CloudStack Weekly News? Many hands make light work, but having only one editor means getting the weekly news out every week is a "best effort" activity. A healthy community publication needs several contributors to ensure weekly issues go out on time.
If you have an event, discussion, or other item to contribute to the Weekly News, you can add it directly to the wiki by editing the issue you want your item to appear in. (The next week's issue is created before the current issue is published - so at any time there should be at least one issue ready to edit.)
Alternatively, you can send a note to the marketing@cloudstack.apache.org mailing list with a subject including News: description of topic or email the newsletter editor directly (jzb at apache.org), again with the subject News: description of topic. Please include a link to the discussion in the mailing list archive or Web page with details of the event, etc.