zookeeper-dev mailing list archives

From Patrick Hunt <ph...@apache.org>
Subject Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
Date Thu, 03 Oct 2019 18:37:05 GMT
If we do go that route we should create a jira and discuss on a dedicated
thread on the dev and user lists so that folks know about it ahead of
time....

Patrick

On Thu, Oct 3, 2019 at 11:35 AM Andor Molnar <andor@apache.org> wrote:

> Looks like we only need some refactoring on the testing side:
>
> testRaceBetweenSyncFlushAndZKShutdown() uses SimpleZooKeeperServer
> class which is based on Netty and needs to be refactored to use NIO
> instead.
>
> Otherwise looks like a quite straightforward change.
>
> +1 for removing from the codebase and release 3.4.15 without Netty.
>
> Andor
>
>
>
> -----Original Message-----
> From: Patrick Hunt <phunt@apache.org>
> Reply-To: dev@zookeeper.apache.org
> To: DevZooKeeper <dev@zookeeper.apache.org>
> Subject: Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
> Date: Thu, 3 Oct 2019 07:36:24 -0700
>
> On Wed, Oct 2, 2019 at 9:59 PM Brian Nixon <brian.nixon.cs@gmail.com> wrote:
>
> > NIO is still the default server factory so I'm guessing many users of 3.4
> > simply aren't configuring Netty. And our recommendation for users who want
> > Netty could be to upgrade to a 3.5 release as that should be better in
> > every way for them.
> >
> > Is there a principle determining the difference between leaving the code
> > available in 3.4 with a warning attached and removing the code entirely so
> > that they would have to independently modify and package in order to use
> > the feature?
> >
> >
>
> Primarily/historically what I mentioned - we don't introduce major
> features/changes (esp non-b/w compat) in fix releases.
>
> Patrick
>
>
> > > On Wed, Oct 2, 2019 at 8:48 AM Patrick Hunt <phunt@apache.org> wrote:
> > >
> > > > On Wed, Oct 2, 2019 at 1:49 AM Andor Molnar <andor@apache.org> wrote:
> > > >
> > > > > Hi Pat,
> > > > >
> > > > > Would you please clarify what do you mean “dropping netty support from
> > > > > 3.4”?
> > > > >
> > > >
> > > > My simplistic thought was just that. Ship new versions of 3.4 that remove
> > > > support for netty. That could mean turning it off by default (not sure how
> > > > much work that would be) or just purging the netty code from the codebase
> > > > entirely. (3.4). It would be an exception to our "don't break b/w compat
> > > > in fix releases" policy, but this is an extreme case imo. We have no
> > > > intention of supporting netty in 3.4 going forward as evidenced by the fact
> > > > that the netty version is locked to netty 3 (long out of support by netty
> > > > as they are no longer backporting fixes) and we have no intention of
> > > > updating to the new version of netty on 3.4. Maybe this CVE doesn't affect
> > > > us, but at some point it will. Users have the option to move to a stable,
> > > > b/w compat, 3.5. release. Not optimal I agree.
> > >
> > >
> > > > > Does that mean we won’t submit security patches from now on, but keep the
> > > > > Netty classes (NettyServerCnxnFactory and ClientCnxnSocketNetty) available
> > > > > OR remove these classes from the codebase?
> > > > >
> > > > > The latter means we’ll drop client SSL feature too.
> > > > >
> > > >
> > > > Say there is a new CVE on netty and it's not backported to netty3, what
> > > > would we do in that case. I guess we could wait/kick the can down the road
> > > > till we really hit that. For the moment just say that it doesn't affect us
> > > > as you researched and add to 3.4 exceptions.
> > >
> > > This is just my suggestion/option rather than a recommendation,
> > > open to
> > > other ideas. ;-)
> > >
> > > Patrick
> > >
> > >
> > > > Andor
> > > >
> > > >
> > > >
> > > > > > On 2019. Oct 2., at 2:27, Michael Han <hanm@apache.org> wrote:
> > > > > >
> > > > > > > > How about officially dropping netty support from 3.4 and asking
> > > > > > > > people to move to the new version
> > > > > > +1. This sounds a good opportunity to deprecate 3.4 branch.
> > > > > >
> > > > > > On Tue, Oct 1, 2019 at 8:00 AM Enrico Olivelli <eolivelli@gmail.com> wrote:
> > > > > > > On Tue, 1 Oct 2019 at 16:15, Patrick Hunt <phunt@apache.org> wrote:
> > > > > > >
> > > > > > > > Another option/solution: How about officially dropping netty support
> > > > > > > > from 3.4 and asking people to move to the new version (3.5 stable or
> > > > > > > > later)?
> > > > > > >
> > > > > > > Sounds good
> > > > > > >
> > > > > > > Enrico
> > > > > > >
> > > > > > >
> > > > > > > > Patrick
> > > > > > > >
> > > > > > > > On Tue, Oct 1, 2019 at 4:22 AM Andor Molnar <andor@apache.org> wrote:
> > > > > > > > > I agree with 3.4 should not be refactored in any way even for a
> > > > > > > > > security fix.
> > > > > > > > >
> > > > > > > > > What's wrong with the "alpha story"?
> > > > > > > > >
> > > > > > > > > I think releasing in an early stage with "-alpha", "-beta" modifiers
> > > > > > > > > is not a bad thing alone, as long as it doesn't take years to get to
> > > > > > > > > the stable release.
> > > > > > > >
> > > > > > > > Andor
> > > > > > > >
> > > > > > > >
> > > > > > > > On Tue, 1 Oct 2019, Enrico Olivelli wrote:
> > > > > > > >
> > > > > > > > > > Date: Tue, 1 Oct 2019 10:54:24 +0200
> > > > > > > > > > From: Enrico Olivelli <eolivelli@gmail.com>
> > > > > > > > > > Reply-To: dev@zookeeper.apache.org
> > > > > > > > > > To: dev@zookeeper.apache.org
> > > > > > > > > > Subject: Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
> > > > > > > > > >
> > > > > > > > > > On Tue, 1 Oct 2019, 10:38 Andor Molnar <andor@apache.org> wrote:
> > > > > > > > > > > Backporting Netty 4 would be a huge, cumbersome task, I hope we
> > > > > > > > > > > don’t have to do it.
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Yes, 3.4 is mature and stable and closed for refactors.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > > > However I had a quick look at the details of this CVE and it
> > > > > > > > > > > seems to me that it only affects the HTTP codec:
> > > > > > > > > > >
> > > > > > > > > > > https://github.com/netty/netty/commit/39cafcb05c99f2aa9fce7e6597664c9ed6a63a95
> > > > > > > > > > >
> > > > > > > > > > > Can’t we just say 3.4.14 is not affected?
> > > > > > > > > > > We’re not running HTTP server inside ZooKeeper.
> > > > > > > > > > >
> > > > > > > > > > > Otherwise we might be able to release 3.6.0-alpha1 now, put a
> > > > > > > > > > > date for 3.4 EOL and highlight on the webpage that this
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Please do not start an 'alpha' story like for 3.5....
> > > > > > > > > >
> > > > > > > > > > CVE probably won’t be resolved on that branch, please upgrade to 3.5.
> > > > > > > > >
> > > > > > > > > +1
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Enrico
> > > > > > > > >
> > > > > > > > > > > As a third option we could ask Norman to kindly fix 3.10.6.Final
> > > > > > > > > > > as well… or submit a PR ourselves, it doesn’t seem to me a big
> > > > > > > > > > > deal.
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > > Not so useful
> > > > > > > > >
> > > > > > > > > > What do you think?
> > > > > > > > > >
> > > > > > > > > > Andor
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > > > On 2019. Oct 1., at 2:00, Patrick Hunt <phunt@apache.org> wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > I pushed patches for 3.5 and trunk and the tests passed on my
> > > > > > > > > > > > mac. However 3.4 is using netty 3.10.6.Final and as such it's
> > > > > > > > > > > > not a simple upgrade. (there are no fixes against 3.10 for this
> > > > > > > > > > > > CVE, at least not so far) Not sure what we want to do about
> > > > > > > > > > > > this... someone would need to backport the netty 4.1 changes
> > > > > > > > > > > > into 3.4 afaict.
> > > > > > > > > > >
> > > > > > > > > > > Patrick
> > > > > > > > > > >
> > > > > > > > > > > > On Mon, Sep 30, 2019 at 1:08 PM Patrick Hunt <phunt@apache.org> wrote:
> > > > > > > > > > > > > I'll work on it today.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Patrick
> > > > > > > > > > > > >
> > > > > > > > > > > > > On Mon, Sep 30, 2019 at 11:59 AM Enrico Olivelli <eolivelli@gmail.com> wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > Okay
> > > > > > > > > > > > >
> > > > > > > > > > > > > I am cancelling the release.
> > > > > > > > > > > > >
> > > > > > > > > > > > > > I have a problem with my box, I can't work on netty upgrade.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Any volunteer?
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Enrico
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > On Mon, 30 Sep 2019, 20:32 Andor Molnar <andor@apache.org> wrote:
> > > > > > > > > > > > > > > The good news is: we need to release 3.4.15 too. :)
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Andor
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > On 2019. Sep 30., at 20:26, Patrick Hunt <phunt@apache.org> wrote:
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > created: https://issues.apache.org/jira/browse/ZOOKEEPER-3563
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > On Mon, Sep 30, 2019 at 11:20 AM Patrick Hunt <phunt@apache.org> wrote:
> > > > > > > > > > > > > > > > > -1 - when I run dependency check on the release candidate
> > > > > > > > > > > > > > > > > artifact it's failing with:
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > [ERROR] netty-transport-4.1.29.Final.jar: CVE-2019-16869
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > I ran this on trunk and it's passing, as such it must be an
> > > > > > > > > > > > > > > > > issue with the 3.5.6 netty version specifically. It's listed
> > > > > > > > > > > > > > > > > as a high, we should patch this as well before releasing.
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > Patrick
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > On Sun, Sep 29, 2019 at 7:29 AM Enrico Olivelli <eolivelli@gmail.com> wrote:
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > This is a bugfix release candidate for 3.5.6.
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > It fixes 28 issues, including upgrade of third party
> > > > > > > > > > > > > > > > > > libraries, TTL Node APIs for C API, support for PKCS12
> > > > > > > > > > > > > > > > > > Keystores, and better procedure for the upgrade of servers
> > > > > > > > > > > > > > > > > > from 3.4 to 3.5.
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > The full release notes is available at:
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12345243
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > *** Please download, test and vote by October 2nd 2019, 23:59 UTC+0. ***
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > Source files:
> > > > > > > > > > > > > > > > > > https://people.apache.org/~eolivelli/zookeeper-3.5.6-candidate-2
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > Maven staging repo:
> > > > > > > > > > > > > > > > > > https://repository.apache.org/content/repositories/orgapachezookeeper-1042/
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > The release candidate tag in git to be voted upon: release-3.5.6-rc2
> > > > > > > > > > > > > > > > > > https://github.com/apache/zookeeper/tree/release-3.5.6-rc2
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> > > > > > > > > > > > > > > > > > https://www.apache.org/dist/zookeeper/KEYS
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > Should we release this candidate?
> > > > > > > > > > > > > > > > > > Enrico Olivelli
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > >
> > > >
>
>
