Comment 10 for bug 1507841

Craig Vyvial (cp16net) wrote :

Looks like most of the datastores in trove outside of mysql and derivatives do not have user control settings. This means that mongo, redis, cassandra, couchbase, couchdb, db2 and postgresql may have similar issues.

If redis had root-enable with password then this would be a workaround for the time being.
If we defaulted creating a password for redis instances then redis clustering would break.

I chatted with a team member of trove to see how we handle situations like this with datastores that we call experimental. I plan on bringing this up at the next meeting as well to get more thoughts about it.
The 2 sides right now are:
1. Experimental datastores are experimental and expect issues similar to this security bug with them because they are not tested thoroughly in CI. (then we would have no embargo on this bug or others for the experimental datastores)
2. Experimental datastores code has been shipped and should be handled the same as any other security bug found in a stable datastore. (embargo the security bug)

If there is someone here that leans one way or another on this let me know.

The reason I added this as a private security issue is because I know there are people that have trove deployed with redis and mongo datastores even though they are considered experimental in the code currently.