Hotfix release proposed: 2.0.1

We’d like to put out a hotfix release of OpenLMIS. The update would include only three changes:

  • (fix) Patch a vulnerability in a third-party library
  • (fix) Fix a build problem
  • (enhancement) Display the version and build number on the login page

Sorry for the short notice - we’d like to push these fixes to master soon, possibly even today. As these are very small, isolated updates, we don’t anticipate any problems. Please reply back with any questions or concerns.

Rich

Thank you for the notice, Rich.

Can you provide more info regarding where/how the 3rd party library is used?

I didn’t realize the feedback on the version location from yesterday was time critical. That being said, I like the model of having it on the login page, but may want to have another option that the UI can call/include once the user has logged in.

In the future, it might be good to let the product committee know when you’d need feedback by, and perhaps working these into a sprint cycle of our biweekly calls?

Warm regards,

Brian Taliesin

Systems Analyst, Digital Health Solutions

From: openlmis_product_committee@googlegroups.com [mailto:openlmis_product_committee@googlegroups.com] On Behalf Of Rich Magnuson

Sent: Friday, March 18, 2016 9:26 AM

To: openlmis_product_committee@googlegroups.com; OpenLMIS Dev openlmis-dev@googlegroups.com

Subject: Hotfix release proposed: 2.0.1

We’d like to put out a hotfix release of OpenLMIS. The update would include only three changes:

  • (fix) Patch a vulnerability in a third-party library
  • (fix) Fix a build problem
  • (enhancement) Display the version and build number on the login page

Sorry for the short notice - we’d like to push these fixes to master soon, possibly even today. As these are very small, isolated updates, we don’t anticipate any problems. Please reply back with any questions or concerns.

Rich

You received this message because you are subscribed to the Google Groups “OpenLMIS Product Committee” group.

To unsubscribe from this group and stop receiving emails from it, send an email to openlmis_product_committee+unsubscribe@googlegroups.com.

To post to this group, send email to openlmis_product_committee@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/openlmis_product_committee/BY2PR02MB028C5FCC52E0584343C0E78938C0%40BY2PR02MB028.namprd02.prod.outlook.com.

For more options, visit https://groups.google.com/d/optout.

Hi Brian,

I appreciate your comments - we didn’t mean to rush anything through. We mainly wanted to get the two fixes in, as they don’t affect functionality and the build fix is important for daily feature work. The version number display we felt would help with any questions that might arise when looking at, for example, the demo server.

On the security stuff, it is an Apache library called commons-collections – the vulnerability is described here: https://commons.apache.org/proper/commons-collections/security-reports.html. It is a general dependency in OpenLMIS, though I can’t list out now exactly which modules/processes leverage it without some research. We were alerted to it by a few good citizens on GitHub.

Your feedback cycle suggestion seems good to me – I’ll leave it for the committees to work out. WRT to version number display, would everyone be okay with the login page display as proposed, and Product can define any updates or changes? Now that the infrastructure is in place, it shouldn’t be difficult to adjust. That said, if there is strong reservation, we can hold off.

Thanks - Rich

From: Taliesin, Brian [mailto:btaliesin@path.org]

Sent: Friday, March 18, 2016 9:32 AM

To: Rich Magnuson rich.magnuson@villagereach.org; openlmis_product_committee@googlegroups.com; OpenLMIS Dev openlmis-dev@googlegroups.com

Subject: RE: Hotfix release proposed: 2.0.1

Thank you for the notice, Rich.

Can you provide more info regarding where/how the 3rd party library is used?

I didn’t realize the feedback on the version location from yesterday was time critical. That being said, I like the model of having it on the login page, but may want to have another option that the UI can call/include once the user has logged in.

In the future, it might be good to let the product committee know when you’d need feedback by, and perhaps working these into a sprint cycle of our biweekly calls?

Warm regards,

Brian Taliesin

Systems Analyst, Digital Health Solutions

Thank you for the link, Rich, and it is always good to keep up to date on patches such as these.

My assumption is that this vulnerability may exist across the existing OpenLMIS implementations unless they have applied a similar patch?

I have no reservations to the update to the login page display. It is directionally correct for the product and will help with ongoing support as you describe.

Warm regards,

Brian Taliesin

Systems Analyst, PATH Digital Health Solutions

From: Rich Magnuson [mailto:rich.magnuson@villagereach.org]

Sent: Friday, March 18, 2016 9:57 AM

To: Taliesin, Brian btaliesin@path.org; openlmis_product_committee@googlegroups.com; OpenLMIS Dev openlmis-dev@googlegroups.com

Subject: RE: Hotfix release proposed: 2.0.1

Hi Brian,

I appreciate your comments - we didn’t mean to rush anything through. We mainly wanted to get the two fixes in, as they don’t affect functionality and the build fix is important for daily feature work. The version number display we felt would help with any questions that might arise when looking at, for example, the demo server.

On the security stuff, it is an Apache library called commons-collections – the vulnerability is described here: https://commons.apache.org/proper/commons-collections/security-reports.html. It is a general dependency in OpenLMIS, though I can’t list out now exactly which modules/processes leverage it without some research. We were alerted to it by a few good citizens on GitHub.

Your feedback cycle suggestion seems good to me – I’ll leave it for the committees to work out. WRT to version number display, would everyone be okay with the login page display as proposed, and Product can define any updates or changes? Now that the infrastructure is in place, it shouldn’t be difficult to adjust. That said, if there is strong reservation, we can hold off.

Thanks - Rich

Hi Brian,

I think our schedules are already well aligned. The global teams sprint ends today, and starts on next Monday which matches well with our Tuesday product committee call (the sprint will always start the day before a product committee call). Brian, what further alignment would you like to see?

Regarding the content of this hotfix, I’ve been fairly involved so I’m comfortable with the release. Two updates don’t affect functionality and the third can be built on in later releases to match what you (Brian) describe. However, let’s start the conversation on how we coordinate releases.

Cheers,

Kevin Cussen | kevin.cussen@villagereach.org

Manager, Information Systems

VillageReach Starting at the Last Mile

2900 Eastlake Ave. E, Suite 230, Seattle, WA 98102, USA

CELL: 1.206.604.4209 FAX: 1.206.860.6972

SKYPE: kevin.cussen.vr

www.villagereach.org

Thanks Brian. Good point about older releases. Looks like it is an issue in the “1.x” line on GitHub. I’ll open a ticket. It looks like this was already patched on eLMIS.

Everyone: I’ve started a checklist of tasks for completing an OpenLMIS release. Feel free to update, add comments, etc.

Thanks - Rich

From: Taliesin, Brian [mailto:btaliesin@path.org]

Sent: Friday, March 18, 2016 10:20 AM

To: Rich Magnuson rich.magnuson@villagereach.org; openlmis_product_committee@googlegroups.com; OpenLMIS Dev openlmis-dev@googlegroups.com

Subject: RE: Hotfix release proposed: 2.0.1

Thank you for the link, Rich, and it is always good to keep up to date on patches such as these.

My assumption is that this vulnerability may exist across the existing OpenLMIS implementations unless they have applied a similar patch?

I have no reservations to the update to the login page display. It is directionally correct for the product and will help with ongoing support as you describe.

Warm regards,

Brian Taliesin

Systems Analyst, PATH Digital Health Solutions

Yes, eLMIS was patched. Thanks

On Fri, Mar 18, 2016 at 1:29 PM, Rich Magnuson rich.magnuson@villagereach.org wrote:

Thanks Brian. Good point about older releases. Looks like it is an issue in the “1.x” line on GitHub. I’ll open a ticket. It looks like this was already patched on eLMIS.

Everyone: I’ve started a checklist of tasks for completing an OpenLMIS release. Feel free to update, add comments, etc.

Thanks - Rich

Thanks,

Ashraf