zookeeper-dev mailing list archives

From Andor Molnar <an...@apache.org>
Subject Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
Date Thu, 03 Oct 2019 18:34:56 GMT
Looks like we only need some refactoring on the testing side:

testRaceBetweenSyncFlushAndZKShutdown() uses SimpleZooKeeperServer
class which is based on Netty and needs to be refactored to use NIO
instead.

Otherwise looks like a quite straightforward change.

+1 for removing from the codebase and releasing 3.4.15 without Netty.

Andor



-----Original Message-----
From: Patrick Hunt <phunt@apache.org>
Reply-To: dev@zookeeper.apache.org
To: DevZooKeeper <dev@zookeeper.apache.org>
Subject: Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
Date: Thu, 3 Oct 2019 07:36:24 -0700

On Wed, Oct 2, 2019 at 9:59 PM Brian Nixon <brian.nixon.cs@gmail.com> wrote:

> NIO is still the default server factory so I'm guessing many users of 3.4
> simply aren't configuring Netty. And our recommendation for users who want
> Netty could be to upgrade to a 3.5 release as that should be better in
> every way for them.
>
> Is there a principle determining the difference between leaving the code
> available in 3.4 with a warning attached and removing the code entirely so
> that they would have to independently modify and package in order to use
> the feature?
>

Primarily/historically what I mentioned - we don't introduce major
features/changes (esp non-b/w compat) in fix releases.

Patrick


> On Wed, Oct 2, 2019 at 8:48 AM Patrick Hunt <phunt@apache.org> wrote:
>
> > On Wed, Oct 2, 2019 at 1:49 AM Andor Molnar <andor@apache.org> wrote:
> >
> > > Hi Pat,
> > >
> > > Would you please clarify what you mean by “dropping netty support from
> > > 3.4”?
> > >
> >
> > My simplistic thought was just that. Ship new versions of 3.4 that remove
> > support for netty. That could mean turning it off by default (not sure how
> > much work that would be) or just purging the netty code from the codebase
> > entirely. (3.4). It would be an exception to our "don't break b/w compat
> > in fix releases" policy, but this is an extreme case imo. We have no
> > intention of supporting netty in 3.4 going forward as evidenced by the fact
> > that the netty version is locked to netty 3 (long out of support by netty
> > as they are no longer backporting fixes) and we have no intention of
> > updating to the new version of netty on 3.4. Maybe this CVE doesn't affect
> > us, but at some point it will. Users have the option to move to a stable,
> > b/w compat, 3.5 release. Not optimal I agree.
> >
> > > Does that mean we won’t submit security patches from now on, but keep the
> > > Netty classes (NettyServerCnxnFactory and ClientCnxnSocketNetty) available
> > > OR remove these classes from the codebase?
> > >
> > > The latter means we’ll drop client SSL feature too.
> > >
> >
> > Say there is a new CVE on netty and it's not backported to netty3, what
> > would we do in that case. I guess we could wait/kick the can down the road
> > till we really hit that. For the moment just say that it doesn't affect us
> > as you researched and add to 3.4 exceptions.
> >
> > This is just my suggestion/option rather than a recommendation, open to
> > other ideas. ;-)
> >
> > Patrick
> >
> > > Andor
> > >
> > > > On 2019. Oct 2., at 2:27, Michael Han <hanm@apache.org> wrote:
> > > >
> > > > > > How about officially dropping netty support from 3.4 and asking
> > > > > > people to move to the new version
> > > > +1. This sounds like a good opportunity to deprecate the 3.4 branch.
> > > >
> > > > On Tue, Oct 1, 2019 at 8:00 AM Enrico Olivelli <eolivelli@gmail.com> wrote:
> > > > > On Tue 1 Oct 2019 at 16:15 Patrick Hunt <phunt@apache.org> wrote:
> > > > >
> > > > > > Another option/solution: How about officially dropping netty support
> > > > > > from 3.4 and asking people to move to the new version (3.5 stable or
> > > > > > later)?
> > > > >
> > > > > Sounds good
> > > > >
> > > > > Enrico
> > > > >
> > > > > > Patrick
> > > > > >
> > > > > > On Tue, Oct 1, 2019 at 4:22 AM Andor Molnar <andor@apache.org> wrote:
> > > > > > > I agree that 3.4 should not be refactored in any way even for a
> > > > > > > security fix.
> > > > > > >
> > > > > > > What's wrong with the "alpha story"?
> > > > > > >
> > > > > > > I think releasing in an early stage with "-alpha", "-beta" modifiers
> > > > > > > is not a bad thing alone, as long as it doesn't take years to get to
> > > > > > > the stable release.
> > > > > > >
> > > > > > > Andor
> > > > > > >
> > > > > > > On Tue, 1 Oct 2019, Enrico Olivelli wrote:
> > > > > > >
> > > > > > > > Date: Tue, 1 Oct 2019 10:54:24 +0200
> > > > > > > > From: Enrico Olivelli <eolivelli@gmail.com>
> > > > > > > > Reply-To: dev@zookeeper.apache.org
> > > > > > > > To: dev@zookeeper.apache.org
> > > > > > > > Subject: Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
> > > > > > > >
> > > > > > > > On Tue 1 Oct 2019, 10:38 Andor Molnar <andor@apache.org> wrote:
> > > > > > > > > Backporting Netty 4 would be a huge, cumbersome task, I hope we
> > > > > > > > > don’t have to do it.
> > > > > > > > >
> > > > > > > >
> > > > > > > > Yes, 3.4 is mature and stable and closed for refactors.
> > > > > > > >
> > > > > > > > > However I had a quick look at the details of this CVE and it seems
> > > > > > > > > to me that it only affects the HTTP codec:
> > > > > > > > >
> > > > > > > > > https://github.com/netty/netty/commit/39cafcb05c99f2aa9fce7e6597664c9ed6a63a95
> > > > > > > > >
> > > > > > > > > Can’t we just say 3.4.14 is not affected?
> > > > > > > > > We’re not running an HTTP server inside ZooKeeper.
> > > > > > > > >
> > > > > > > > > Otherwise we might be able to release 3.6.0-alpha1 now, put a date
> > > > > > > > > for 3.4 EOL and highlight on the webpage that this
> > > > > > > >
> > > > > > > > Please do not start an 'alpha' story like for 3.5....
> > > > > > > >
> > > > > > > > CVE probably won’t be resolved on that branch, please upgrade to 3.5.
> > > > > > > >
> > > > > > > > +1
> > > > > > > >
> > > > > > > > Enrico
> > > > > > > >
> > > > > > > > > As a third option we could ask Norman to kindly fix 3.10.6.Final as
> > > > > > > > > well… or submit a PR ourselves, it doesn’t seem to me a big deal.
> > > > > > > >
> > > > > > > > Not so useful
> > > > > > > >
> > > > > > > > > What do you think?
> > > > > > > > >
> > > > > > > > > Andor
> > > > > > > > >
> > > > > > > > > > On 2019. Oct 1., at 2:00, Patrick Hunt <phunt@apache.org> wrote:
> > > > > > > > > > I pushed patches for 3.5 and trunk and the tests passed on my mac.
> > > > > > > > > > However 3.4 is using netty 3.10.6.Final and as such it's not a simple
> > > > > > > > > > upgrade. (there are no fixes against 3.10 for this CVE, at least not
> > > > > > > > > > so far) Not sure what we want to do about this... someone would need
> > > > > > > > > > to backport the netty 4.1 changes into 3.4 afaict.
> > > > > > > > > >
> > > > > > > > > > Patrick
> > > > > > > > > >
> > > > > > > > > > On Mon, Sep 30, 2019 at 1:08 PM Patrick Hunt <phunt@apache.org> wrote:
> > > > > > > > > > > I'll work on it today.
> > > > > > > > > > >
> > > > > > > > > > > Patrick
> > > > > > > > > > >
> > > > > > > > > > > On Mon, Sep 30, 2019 at 11:59 AM Enrico Olivelli <eolivelli@gmail.com> wrote:
> > > > > > > > > > >
> > > > > > > > > > > > Okay
> > > > > > > > > > > >
> > > > > > > > > > > > I am cancelling the release.
> > > > > > > > > > > >
> > > > > > > > > > > > I have a problem with my box, I can't work on netty upgrade.
> > > > > > > > > > > >
> > > > > > > > > > > > Any volunteer?
> > > > > > > > > > > >
> > > > > > > > > > > > Enrico
> > > > > > > > > > > >
> > > > > > > > > > > > On Mon 30 Sep 2019, 20:32 Andor Molnar <andor@apache.org> wrote:
> > > > > > > > > > > > > The good news is: we need to release 3.4.15 too. :)
> > > > > > > > > > > > >
> > > > > > > > > > > > > Andor
> > > > > > > > > > > > >
> > > > > > > > > > > > > > On 2019. Sep 30., at 20:26, Patrick Hunt <phunt@apache.org> wrote:
> > > > > > > > > > > > > > created: https://issues.apache.org/jira/browse/ZOOKEEPER-3563
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > On Mon, Sep 30, 2019 at 11:20 AM Patrick Hunt <phunt@apache.org> wrote:
> > > > > > > > > > > > > > > -1 - when I run dependency check on the release candidate artifact
> > > > > > > > > > > > > > > it's failing with:
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > [ERROR] netty-transport-4.1.29.Final.jar: CVE-2019-16869
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > I ran this on trunk and it's passing, as such it must be an issue
> > > > > > > > > > > > > > > with the 3.5.6 netty version specifically. It's listed as a high, we
> > > > > > > > > > > > > > > should patch this as well before releasing.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Patrick
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > On Sun, Sep 29, 2019 at 7:29 AM Enrico Olivelli <eolivelli@gmail.com> wrote:
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > This is a bugfix release candidate for 3.5.6.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > It fixes 28 issues, including upgrade of third party libraries,
> > > > > > > > > > > > > > > > TTL Node APIs for C API, support for PKCS12 Keystores, and better
> > > > > > > > > > > > > > > > procedure for the upgrade of servers from 3.4 to 3.5.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > The full release notes are available at:
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12345243
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > *** Please download, test and vote by October 2nd 2019, 23:59 UTC+0. ***
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Source files:
> > > > > > > > > > > > > > > > https://people.apache.org/~eolivelli/zookeeper-3.5.6-candidate-2
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Maven staging repo:
> > > > > > > > > > > > > > > > https://repository.apache.org/content/repositories/orgapachezookeeper-1042/
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > The release candidate tag in git to be voted upon: release-3.5.6-rc2
> > > > > > > > > > > > > > > > https://github.com/apache/zookeeper/tree/release-3.5.6-rc2
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> > > > > > > > > > > > > > > > https://www.apache.org/dist/zookeeper/KEYS
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Should we release this candidate?
> > > > > > > > > > > > > > > > Enrico Olivelli

