zookeeper-dev mailing list archives

From Andor Molnar <an...@apache.org>
Subject Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
Date Tue, 01 Oct 2019 11:22:42 GMT
I agree that 3.4 should not be refactored in any way, even for a security 
fix.

What's wrong with the "alpha story"?

I think releasing in an early stage with "-alpha", "-beta" modifiers is 
not a bad thing alone, as long as it doesn't take years to get to the 
stable release.

Andor


On Tue, 1 Oct 2019, Enrico Olivelli wrote:

> Date: Tue, 1 Oct 2019 10:54:24 +0200
> From: Enrico Olivelli <eolivelli@gmail.com>
> Reply-To: dev@zookeeper.apache.org
> To: dev@zookeeper.apache.org
> Subject: Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
> 
> On Tue, 1 Oct 2019, 10:38 Andor Molnar <andor@apache.org> wrote:
>
>> Backporting Netty 4 would be a huge, cumbersome task, I hope we don’t have
>> to do it.
>>
>
> Yes, 3.4 is mature and stable and closed for refactors.
>
>
>> However I had a quick look at the details of this CVE and it seems to me
>> that it only affects the HTTP codec:
>>
>> https://github.com/netty/netty/commit/39cafcb05c99f2aa9fce7e6597664c9ed6a63a95
>>
>> Can’t we just say 3.4.14 is not affected?
>> We’re not running HTTP server inside ZooKeeper.
>>
>> Otherwise we might be able to release 3.6.0-alpha1 now, put a date for 3.4
>> EOL and highlight on the webpage that this
>>
>
> Please do not start an 'alpha' story like for 3.5....
>
>> CVE probably won’t be resolved on that branch, please upgrade to 3.5.
>>
>
> +1
>
>
> Enrico
>
>>
>> As a third option we could ask Norman to kindly fix 3.10.6.Final as well…
>> or submit a PR ourselves, it doesn’t seem to me a big deal.
>>
>
> Not so useful
>
>>
>> What do you think?
>>
>> Andor
>>
>>
>>
>>
>>> On 2019. Oct 1., at 2:00, Patrick Hunt <phunt@apache.org> wrote:
>>>
>>> I pushed patches for 3.5 and trunk and the tests passed on my mac. However
>>> 3.4 is using netty 3.10.6.Final and as such it's not a simple upgrade.
>>> (there are no fixes against 3.10 for this CVE, at least not so far) Not
>>> sure what we want to do about this... someone would need to backport the
>>> netty 4.1 changes into 3.4 afaict.
>>>
>>> Patrick
>>>
>>> On Mon, Sep 30, 2019 at 1:08 PM Patrick Hunt <phunt@apache.org> wrote:
>>>
>>>> I'll work on it today.
>>>>
>>>> Patrick
>>>>
>>>> On Mon, Sep 30, 2019 at 11:59 AM Enrico Olivelli <eolivelli@gmail.com>
>>>> wrote:
>>>>
>>>>> Okay
>>>>>
>>>>> I am cancelling the release.
>>>>>
>>>>> I have a problem with my box, I can't work on netty upgrade.
>>>>>
>>>>> Any volunteer?
>>>>>
>>>>> Enrico
>>>>>
>>>>> On Mon, 30 Sep 2019, 20:32 Andor Molnar <andor@apache.org> wrote:
>>>>>
>>>>>> The good news is: we need to release 3.4.15 too. :)
>>>>>>
>>>>>> Andor
>>>>>>
>>>>>>
>>>>>>
>>>>>>> On 2019. Sep 30., at 20:26, Patrick Hunt <phunt@apache.org> wrote:
>>>>>>>
>>>>>>> created: https://issues.apache.org/jira/browse/ZOOKEEPER-3563
>>>>>>>
>>>>>>> On Mon, Sep 30, 2019 at 11:20 AM Patrick Hunt <phunt@apache.org> wrote:
>>>>>>>
>>>>>>>> -1 - when I run dependency check on the release candidate artifact it's
>>>>>>>> failing with:
>>>>>>>>
>>>>>>>> [ERROR] netty-transport-4.1.29.Final.jar: CVE-2019-16869
>>>>>>>>
>>>>>>>> I ran this on trunk and it's passing, as such it must be an issue with
>>>>>>>> the 3.5.6 netty version specifically. It's listed as a high, we should
>>>>>>>> patch this as well before releasing.
>>>>>>>>
>>>>>>>> Patrick
>>>>>>>>
>>>>>>>>
>>>>>>>> On Sun, Sep 29, 2019 at 7:29 AM Enrico Olivelli <eolivelli@gmail.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> This is a bugfix release candidate for 3.5.6.
>>>>>>>>>
>>>>>>>>> It fixes 28 issues, including upgrade of third party libraries,
>>>>>>>>> TTL Node APIs for C API, support for PKCS12 Keystores, and better
>>>>>>>>> procedure
>>>>>>>>> for the upgrade of servers from 3.4 to 3.5.
>>>>>>>>>
>>>>>>>>> The full release notes are available at:
>>>>>>>>>
>>>>>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12345243
>>>>>>>>>
>>>>>>>>> *** Please download, test and vote by October 2nd 2019, 23:59 UTC+0. ***
>>>>>>>>>
>>>>>>>>> Source files:
>>>>>>>>> https://people.apache.org/~eolivelli/zookeeper-3.5.6-candidate-2
>>>>>>>>>
>>>>>>>>> Maven staging repo:
>>>>>>>>> https://repository.apache.org/content/repositories/orgapachezookeeper-1042/
>>>>>>>>>
>>>>>>>>> The release candidate tag in git to be voted upon: release-3.5.6-rc2
>>>>>>>>> https://github.com/apache/zookeeper/tree/release-3.5.6-rc2
>>>>>>>>>
>>>>>>>>> ZooKeeper's KEYS file containing PGP keys we use to sign the release:
>>>>>>>>> https://www.apache.org/dist/zookeeper/KEYS
>>>>>>>>>
>>>>>>>>> Should we release this candidate?
>>>>>>>>> Enrico Olivelli
>>>>>>>>>
>>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>
>>
>