NIO is still the default server factory so I'm guessing many users of 3.4
simply aren't configuring Netty. And our recommendation for users who want
Netty could be to upgrade to a 3.5 release as that should be better in
every way for them.

Is there a principle determining the difference between leaving the code
available in 3.4 with a warning attached and removing the code entirely so
that they would have to independently modify and package in order to use
the feature?


On Wed, Oct 2, 2019 at 8:48 AM Patrick Hunt <ph...@apache.org> wrote:

> On Wed, Oct 2, 2019 at 1:49 AM Andor Molnar <an...@apache.org> wrote:
>
> > Hi Pat,
> >
> > Would you please clarify what you mean by “dropping netty support from 3.4”?
> >
> >
> My simplistic thought was just that. Ship new versions of 3.4 that remove
> support for netty. That could mean turning it off by default (not sure how
> much work that would be) or just purging the netty code from the codebase
> entirely. (3.4). It would be an exception to our "don't break b/w compat
> in fix releases" policy, but this is an extreme case imo. We have no
> intention of supporting netty in 3.4 going forward as evidenced by the fact
> that the netty version is locked to netty 3 (long out of support by netty
> as they are no longer backporting fixes) and we have no intention of
> updating to the new version of netty on 3.4. Maybe this CVE doesn't affect
> us, but at some point it will. Users have the option to move to a stable,
> b/w compat, 3.5 release. Not optimal I agree.
>
>
> > Does that mean we won’t submit security patches from now on, but keep the
> > Netty classes (NettyServerCnxnFactory and ClientCnxnSocketNetty) available
> > OR remove these classes from the codebase?
> >
> > The latter means we’ll drop client SSL feature too.
> >
> >
> Say there is a new CVE on netty and it's not backported to netty3, what
> would we do in that case? I guess we could wait/kick the can down the road
> till we really hit that. For the moment just say that it doesn't affect us
> as you researched and add to 3.4 exceptions.
>
> This is just my suggestion/option rather than a recommendation, open to
> other ideas. ;-)
>
> Patrick
>
>
> > Andor
> >
> >
> >
> > > On 2019. Oct 2., at 2:27, Michael Han <h...@apache.org> wrote:
> > >
> > >>> How about officially dropping netty support from 3.4 and asking people to move to the new version
> > > +1. This sounds like a good opportunity to deprecate the 3.4 branch.
> > >
> > > On Tue, Oct 1, 2019 at 8:00 AM Enrico Olivelli <eolive...@gmail.com> wrote:
> > >
> > >> On Tue, 1 Oct 2019 at 16:15 Patrick Hunt <ph...@apache.org> wrote:
> > >>
> > >>> Another option/solution: How about officially dropping netty support from 3.4 and asking people to move to the new version (3.5 stable or later)?
> > >>>
> > >>
> > >> Sounds good
> > >>
> > >> Enrico
> > >>
> > >>
> > >>>
> > >>> Patrick
> > >>>
> > >>> On Tue, Oct 1, 2019 at 4:22 AM Andor Molnar <an...@apache.org> wrote:
> > >>>
> > >>>> I agree that 3.4 should not be refactored in any way, even for a security fix.
> > >>>>
> > >>>> What's wrong with the "alpha story"?
> > >>>>
> > >>>> I think releasing in an early stage with "-alpha", "-beta" modifiers is not a bad thing alone, as long as it doesn't take years to get to the stable release.
> > >>>>
> > >>>> Andor
> > >>>>
> > >>>>
> > >>>> On Tue, 1 Oct 2019, Enrico Olivelli wrote:
> > >>>>
> > >>>>> Date: Tue, 1 Oct 2019 10:54:24 +0200
> > >>>>> From: Enrico Olivelli <eolive...@gmail.com>
> > >>>>> Reply-To: dev@zookeeper.apache.org
> > >>>>> To: dev@zookeeper.apache.org
> > >>>>> Subject: Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
> > >>>>>
> > >>>>> On Tue, 1 Oct 2019, 10:38 Andor Molnar <an...@apache.org> wrote:
> > >>>>>
> > >>>>>> Backporting Netty 4 would be a huge, cumbersome task; I hope we don’t have to do it.
> > >>>>>>
> > >>>>>
> > >>>>> Yes, 3.4 is mature and stable and closed for refactors.
> > >>>>>
> > >>>>>
> > >>>>>> However, I had a quick look at the details of this CVE and it seems to me that it only affects the HTTP codec:
> > >>>>>>
> > >>>>>> https://github.com/netty/netty/commit/39cafcb05c99f2aa9fce7e6597664c9ed6a63a95
> > >>>>>>
> > >>>>>> Can’t we just say 3.4.14 is not affected?
> > >>>>>> We’re not running an HTTP server inside ZooKeeper.
> > >>>>>>
> > >>>>>> Otherwise we might be able to release 3.6.0-alpha1 now, put a date for 3.4 EOL and highlight on the webpage that this
> > >>>>>>
> > >>>>>
> > >>>>> Please do not start an 'alpha' story like for 3.5....
> > >>>>>
> > >>>>>> CVE probably won’t be resolved on that branch, please upgrade to 3.5.
> > >>>>>>
> > >>>>>
> > >>>>> +1
> > >>>>>
> > >>>>>
> > >>>>> Enrico
> > >>>>>
> > >>>>>>
> > >>>>>> As a third option we could ask Norman to kindly fix 3.10.6.Final as well… or submit a PR ourselves; it doesn’t seem to me a big deal.
> > >>>>>>
> > >>>>>
> > >>>>> Not so useful
> > >>>>>
> > >>>>>>
> > >>>>>> What do you think?
> > >>>>>>
> > >>>>>> Andor
> > >>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>>> On 2019. Oct 1., at 2:00, Patrick Hunt <ph...@apache.org> wrote:
> > >>>>>>>
> > >>>>>>> I pushed patches for 3.5 and trunk and the tests passed on my mac. However, 3.4 is using netty 3.10.6.Final and as such it's not a simple upgrade (there are no fixes against 3.10 for this CVE, at least not so far). Not sure what we want to do about this... someone would need to backport the netty 4.1 changes into 3.4 afaict.
> > >>>>>>>
> > >>>>>>> Patrick
> > >>>>>>>
> > >>>>>>> On Mon, Sep 30, 2019 at 1:08 PM Patrick Hunt <ph...@apache.org> wrote:
> > >>>>>>>
> > >>>>>>>> I'll work on it today.
> > >>>>>>>>
> > >>>>>>>> Patrick
> > >>>>>>>>
> > >>>>>>>> On Mon, Sep 30, 2019 at 11:59 AM Enrico Olivelli <eolive...@gmail.com> wrote:
> > >>>>>>>>
> > >>>>>>>>> Okay
> > >>>>>>>>>
> > >>>>>>>>> I am cancelling the release.
> > >>>>>>>>>
> > >>>>>>>>> I have a problem with my box, I can't work on netty upgrade.
> > >>>>>>>>>
> > >>>>>>>>> Any volunteer?
> > >>>>>>>>>
> > >>>>>>>>> Enrico
> > >>>>>>>>>
> > >>>>>>>>> On Mon, 30 Sep 2019, 20:32 Andor Molnar <an...@apache.org> wrote:
> > >>>>>>>>>
> > >>>>>>>>>> The good news is: we need to release 3.4.15 too. :)
> > >>>>>>>>>>
> > >>>>>>>>>> Andor
> > >>>>>>>>>>
> > >>>>>>>>>>
> > >>>>>>>>>>
> > >>>>>>>>>>> On 2019. Sep 30., at 20:26, Patrick Hunt <ph...@apache.org> wrote:
> > >>>>>>>>>>>
> > >>>>>>>>>>> created: https://issues.apache.org/jira/browse/ZOOKEEPER-3563
> > >>>>>>>>>>>
> > >>>>>>>>>>> On Mon, Sep 30, 2019 at 11:20 AM Patrick Hunt <ph...@apache.org> wrote:
> > >>>>>>>>>>>
> > >>>>>>>>>>>> -1 - when I run dependency check on the release candidate artifact it's failing with:
> > >>>>>>>>>>>>
> > >>>>>>>>>>>> [ERROR] netty-transport-4.1.29.Final.jar: CVE-2019-16869
> > >>>>>>>>>>>>
> > >>>>>>>>>>>> I ran this on trunk and it's passing, as such it must be an issue with the 3.5.6 netty version specifically. It's listed as a high, we should patch this as well before releasing.
> > >>>>>>>>>>>>
> > >>>>>>>>>>>> Patrick
> > >>>>>>>>>>>>
> > >>>>>>>>>>>>
> > >>>>>>>>>>>> On Sun, Sep 29, 2019 at 7:29 AM Enrico Olivelli <eolive...@gmail.com> wrote:
> > >>>>>>>>>>>>
> > >>>>>>>>>>>>> This is a bugfix release candidate for 3.5.6.
> > >>>>>>>>>>>>>
> > >>>>>>>>>>>>> It fixes 28 issues, including upgrades of third-party libraries, TTL Node APIs for the C API, support for PKCS12 keystores, and a better procedure for the upgrade of servers from 3.4 to 3.5.
> > >>>>>>>>>>>>>
> > >>>>>>>>>>>>> The full release notes are available at:
> > >>>>>>>>>>>>>
> > >>>>>>>>>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12345243
> > >>>>>>>>>>>>>
> > >>>>>>>>>>>>> *** Please download, test and vote by October 2nd 2019, 23:59 UTC+0. ***
> > >>>>>>>>>>>>>
> > >>>>>>>>>>>>> Source files:
> > >>>>>>>>>>>>>
> > >>>>>>>>>>>>> https://people.apache.org/~eolivelli/zookeeper-3.5.6-candidate-2
> > >>>>>>>>>>>>>
> > >>>>>>>>>>>>> Maven staging repo:
> > >>>>>>>>>>>>>
> > >>>>>>>>>>>>> https://repository.apache.org/content/repositories/orgapachezookeeper-1042/
> > >>>>>>>>>>>>>
> > >>>>>>>>>>>>> The release candidate tag in git to be voted upon: release-3.5.6-rc2
> > >>>>>>>>>>>>> https://github.com/apache/zookeeper/tree/release-3.5.6-rc2
> > >>>>>>>>>>>>>
> > >>>>>>>>>>>>> ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> > >>>>>>>>>>>>> https://www.apache.org/dist/zookeeper/KEYS
> > >>>>>>>>>>>>>
> > >>>>>>>>>>>>> Should we release this candidate?
> > >>>>>>>>>>>>> Enrico Olivelli
> > >>>>>>>>>>>>>
> > >>>>>>>>>>>>
> > >>>>>>>>>>
> > >>>>>>>>>>
> > >>>>>>>>>
> > >>>>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>
> > >>>
> > >>
> >
> >
>
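The triage question raised in the thread, whether a netty CVE that touches only the HTTP codec is reachable from code that never uses that codec, can be checked mechanically rather than by recollection. The script below is an added example, not ZooKeeper or netty code: it opens a jar, and for every `.class` entry searches the raw bytes for the internal (slash-separated) package prefixes of the netty HTTP codec, which works because a class file stores every referenced class name as a modified-UTF-8 string in its constant pool. The package names `org/jboss/netty/handler/codec/http` (netty 3.x) and `io/netty/handler/codec/http` (netty 4.x) are real; the sample jar, its class names and their contents are constructed test data, and the "only the HTTP codec is affected" premise is taken from the thread, not verified here.

```python
"""Does an artifact's own bytecode reference a library package at all?

Added example for the netty HTTP-codec discussion; not ZooKeeper code.
A class file records every class it references as a modified-UTF-8
string in its constant pool, so a byte search for the internal package
prefix in each .class entry of a jar is a cheap first reachability check.
"""
import io
import zipfile

# Internal (slash-separated) names of the netty HTTP codec packages:
# netty 3.x lives under org.jboss.netty, netty 4.x under io.netty.
HTTP_CODEC_PREFIXES = (
    b"org/jboss/netty/handler/codec/http",
    b"io/netty/handler/codec/http",
)


def classes_referencing(jar_bytes, prefixes=HTTP_CODEC_PREFIXES):
    """Return {class_entry_name: [matched prefixes]} for every .class entry
    in the jar whose bytes contain any of the given package prefixes."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for entry in zf.namelist():
            if not entry.endswith(".class"):
                continue
            data = zf.read(entry)
            matched = [p.decode() for p in prefixes if p in data]
            if matched:
                hits[entry] = matched
    return hits


def fake_class(refs):
    """Constructed stand-in for a compiled class: the class-file magic number
    followed by CONSTANT_Utf8-style entries (tag 1, length, bytes) for the
    class names it would reference. Test data only, not a real class."""
    body = b"".join(b"\x01" + len(r).to_bytes(2, "big") + r for r in refs)
    return b"\xca\xfe\xba\xbe" + body


def build_sample_jar():
    """Constructed sample artifact: one class that touches the HTTP codec,
    one that uses only netty's channel/bootstrap layer (hypothetical names)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("org/example/HttpAdmin.class",
                    fake_class([b"org/jboss/netty/handler/codec/http/HttpRequest"]))
        zf.writestr("org/example/NettyServerCnxnFactory.class",
                    fake_class([b"org/jboss/netty/channel/Channel",
                                b"org/jboss/netty/bootstrap/ServerBootstrap"]))
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    result = classes_referencing(build_sample_jar())
    if result:
        print("classes referencing the netty HTTP codec:")
        for name, pkgs in sorted(result.items()):
            print(f"  {name}: {', '.join(pkgs)}")
    else:
        print("no class references the netty HTTP codec")
```

On a real artifact, pass the bytes of the project jar (not the netty jar itself, which naturally references its own codec) and an empty result supports the "not affected" argument; a non-empty one names the classes to look at. The byte search is deliberately conservative: it also matches string constants and cannot see HTTP handlers that netty installs internally on behalf of a caller, so treat a clean result as evidence for the triage, not as proof, and confirm with `jdeps` or a full constant-pool parse before recording an exception.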
