This week, we had discussions about the release cycle and whether a six-month cycle may be more appropriate. Work continued on the 4.1.0 release, and Apache CloudStack 4.0.2 was released.

Major Discussions

Several major discussions this week, summarized below. Note that this is only a fraction of the activity in the project. For a full overview of project activity, you may want to subscribe to dev@cloudstack.apache.org.

Release Cycle: Four Months, or Six?

Animesh Chaturvedi started a new thread for a discussion that cropped up in the timeline thread about the four-month vs. six-month release cycle ideas. After much discussion, Animesh summed it up, saying:

I still see there is a difference of opinion and not a clear consensus, with 12 out of 21 (approx. 60%) preferring 6 months. But going by the argument of not having given a proper shot to the 4-month cycle, I will say we can keep 4.2 as a 4-month cycle and pull in all effort to make it successful. If it turns out that we can work with a 4-month schedule, that's well and good; otherwise we can bring this topic up again based on the results of running the 4-month cycle.

4.1.0 Approaches

After clearing out a number of last-minute blockers, it looks like 4.1.0 may be just about ready to roll. Chip Childers posted on Friday that he was waiting on confirmation on CLOUDSTACK-528 and CLOUDSTACK-2194 being fixed. If those are fixed, Chip says he will "proceed with starting the VOTE thread" Monday morning, Eastern time.

Apache CloudStack 4.0.2 Released

Joe Brockmeier announced the 4.0.2 release on 24 April, along with fixes for two security vulnerabilities.

Security Vulnerabilities in CloudStack 4.0.x

John Kinsella sent out an announcement detailing two security vulnerabilities on 24 April:

Description:

The CloudStack PMC was notified of two issues found in Apache CloudStack:

1) An attacker with knowledge of CloudStack source code could gain unauthorized access to the console of another tenant's VM.

2) Insecure hash values may lead to information disclosure. URLs generated by Apache CloudStack to provide console access to virtual machines contained a hash of a predictable sequence, the hash of which was generated with a weak algorithm. While not easy to leverage, this may allow a malicious user to gain unauthorized console access.

Mitigation:

Updating to Apache CloudStack version 4.0.2 or higher will mitigate these vulnerabilities.

Credit:

These issues were identified by Wolfram Schlich and Mathijs Schmittmann, who reported them to the Citrix security team, who in turn notified the Apache CloudStack PMC.
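The advisory's two points, a console URL whose hash is computed over predictable input with a weak algorithm, and a token that does not tie access to the requesting tenant, are illustrated below. This is an added example, not CloudStack's code; it assumes a counter-style input for the weak form and a server-side key held only by the management server for the hardened form.

```python
# Added illustration (not CloudStack's code): a console-access token derived
# from predictable inputs with a weak hash, beside one built from an
# unpredictable nonce bound to the VM and tenant by an HMAC.
import hashlib
import hmac
import secrets

# Assumed secret held only by the management server (constructed value).
SERVER_KEY = b"example-server-secret-do-not-reuse"


def weak_console_token(vm_id: int, counter: int) -> str:
    """Pattern the advisory warns about (assumed shape): a weak hash over a
    predictable sequence. Anyone who can guess vm_id and counter can
    recompute it, so it grants no real authorization and carries no tenant."""
    return hashlib.md5(f"{vm_id}:{counter}".encode()).hexdigest()


def _tag(vm_id: int, tenant: str, nonce: str) -> str:
    msg = f"{vm_id}:{tenant}:{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_console_token(vm_id: int, tenant: str) -> str:
    """Hardened form: a 128-bit random nonce plus an HMAC-SHA256 tag that
    binds the nonce to this VM and this tenant under the server key."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_tag(vm_id, tenant, nonce)}"


def verify_console_token(token: str, vm_id: int, tenant: str) -> bool:
    """Recompute the tag for the VM/tenant the caller is asking for and
    compare in constant time; a token minted for another VM or another
    tenant, or a malformed token, is rejected."""
    try:
        nonce, tag = token.split(".", 1)
    except ValueError:
        return False
    return hmac.compare_digest(tag, _tag(vm_id, tenant, nonce))
```

Binding the tenant into the tag is what prevents a valid token for one tenant's VM from opening another tenant's console; the nonce is what stops the URL from being reconstructed from guessable inputs.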

Exposing APIs that carry POST data

Prasanna Santhanam raised a discussion about adding the ability to send user data as POST to commands.

I'm guessing we'll have to put in additional annotations on our APIs that support POST so that API discovery can print the methods supported (GET/POST). Right now it's only the deployVMCmd (AFAIK). But I expect this will need to be done for others soon.

I've included POST support for every command in marvin, but that's just brute-force. To make it more intelligent, I think we should apply it to only APIs that make sense as POST (causing side-effects). But that needs to be exposed by the API endpoint.

Enabling GitHub Pull Request Notification

A discussion was brought up on dev@ this weekend about enabling notifications for pull requests made via GitHub. David Nalley remarked that in his opinion, "there really isn't an option - if we are going to have a GitHub mirror, we also need to be able to deal with the pull requests there. Ignoring folks that submit pull requests is inappropriate."

Chip questioned the need for a GitHub mirror at all. "Not sure the value, when you consider the confusion it causes WRT the canonical source repo."

CloudStack Planet - Posts from the CloudStack Community

  • More Fun with the CloudStack API - Kirk Jantzer writes about playing with the CloudStack API and writing a tool "in an effort to make deployment of a mass amount of servers with as little effort as possible."
  • Thanks to the Apache CloudStack community! - Shane Curcuru writes about the Apache CloudStack graduation and its incubation. "The desire to get things 'right' at Apache was clear in everything the CloudStack community did, and the end result looks to be an incredibly strong project that’s quickly gathering developers from a wide variety of vendors and users. Part of this growth is about the great technology; but a lot is due to the helpful and welcoming face that the CloudStack committers put on their project."

Upcoming Events

Jira

Checking in on the upcoming 4.2.0 release, we have added a few bugs over the past week:

New Committers and PMC Members

No new committers or PMC members announced this week.

Contributing to the Weekly News

Want to keep reading the CloudStack Weekly News? Many hands make light work, but having only one editor means getting the weekly news out every week is a "best effort" activity. A healthy community publication needs several contributors to ensure weekly issues go out on time.

If you have an event, discussion, or other item to contribute to the Weekly News, you can add it directly to the wiki by editing the issue you want your item to appear in. (The next week's issue is created before the current issue is published - so at any time there should be at least one issue ready to edit.)

Alternatively, you can send a note to the marketing@cloudstack.apache.org mailing list with a subject including News: description of topic or email the newsletter editor directly (jzb at apache.org), again with the subject News: description of topic. Please include a link to the discussion in the mailing list archive or Web page with details of the event, etc.