[pbs-devel] [PATCH proxmox 04/12] auth-api: move to hmac signing for csrf tokens

Stefan Sterz s.sterz at proxmox.com
Fri Feb 23 11:52:44 CET 2024


On Fri Feb 23, 2024 at 11:48 AM CET, Thomas Lamprecht wrote:
> Am 23/02/2024 um 10:26 schrieb Stefan Sterz:
> > the alternative is not having a fallback at all and breaking all open
> > session once on upgrade. but basically we should be able to remove this
> > check even between minor versions since we don't support version
> > skipping to my knowledge. sessions are only valid for two hours and
> > usually we don't release those versions *that* quickly 😉
>
> Not sure if I understood you correctly, but one can update from any
> previous minor version to the newer one,independent of how many versions
> there are in-between. Just like one can update from the latest previous
> major version to the next major version and the latest of it's minor
> version.
>
> So no, this check cannot be removed between minor version.
> E.g., if this would get rolled out for PBS 3, then PBS 4 would be the
> first version where it would be 100% fine to remove it without any
> realistic user impact. As while could update from 3.1 to 3.4 and then
> to 4.x in a matter of two hours easily, our official upgrade how-to
> then documents that a reboot of the host and a (force) refresh the
> web UI is required, which then makes it 100% fine.
>
> If we wouldn't require reboots and refreshes then, users could update
> ancient installations over a few major releases in a row, and we could
> basically never drop such backward-compatibility code.

ahye, sorry for that than. in that case yeah, this fallback could only
be removed with the next major version. sorry for the misinformation.




More information about the pbs-devel mailing list