Official discussion thread. Proposing release 3.2.1 based on git hash b48db8d7f3ad20e7df7a1452793ac49686f8e119
This has the urgent log4j change, and fixes bug DAFFODIL-2608 which was a critical bug in 3.2.0.

On Wed, Dec 15, 2021 at 9:33 AM Interrante, John A (GE Research, US) <[email protected]> wrote:
>
> I agree too. Let's do the normal release workflow, only calling the release
> 3.2.1 instead of 3.3.0 because of how little time has passed since we
> released 3.2.0. In that period of time (9 days), we've merged 10 pull
> requests:
>
> Update sbt to 1.5.7
> #706 merged 9 minutes ago
>
> Update os-lib to 0.8.0
> #704 merged yesterday
>
> Update log4j-api, log4j-core to 2.16.0
> #705 merged yesterday
>
> Update log4j-api, log4j-core to 2.15.0
> #702 merged 5 days ago
>
> Update sbt to 1.5.6
> #703 merged 5 days ago
>
> Rename version.h to daffodil_version.h
> #701 merged 6 days ago
>
> Add test to illustrate checksum/layer bug
> #700 merged 6 days ago
>
> Use same version for both log4j-api and log4j-core
> #697 merged 9 days ago
>
> Ensure we use UTF-8 when outputting and comparing SAX output
> #696 merged 8 days ago
>
> setup for 3.3.0-SNAPSHOT development
> #695 merged 9 days ago
>
> All of these are relatively tiny safe changes except for the UTF-8 change
> (https://github.com/apache/daffodil/pull/696/files), and even that change
> shouldn't raise the risk of regressions very much (you can look at its
> changes yourself).
>
> John
>
> -----Original Message-----
> From: Steve Lawrence <[email protected]>
> Sent: Wednesday, December 15, 2021 8:21 AM
> To: [email protected]
> Subject: EXT: Re: Need to create daffodil 3.2.1 ?
>
> WARNING: This email originated from outside of GE. Please validate the
> sender's email address before clicking on links or attachments as they may
> not be safe.
>
> I feel the changes to the main branch since v3.2.0 are small enough that the
> risk of regressions is pretty low. So I'd lean towards keeping things simple
> and base the 3.2.1 release off of the main branch without a fork.
>
> On 12/15/21 8:02 AM, Mike Beckerle wrote:
> > I think we're going to need to create a Daffodil 3.2.1 release.
> >
> > We have this current critical bug
> > https://issues.apache.org/jira/browse/DAFFODIL-2608 which is a flaw in
> > unparsing associated with a primary 3.2.0 feature. I'll take the blame
> > for inadequate testing there. I hope to work on this today.
> >
> > There is also an urgent CVE about Log4J. The cybersecurity community,
> > which uses Daffodil quite a bit, is insisting on updates to software
> > using Log4J within 15 days. The update for this is already in the
> > 3.3.0-SNAPSHOT branch.
> >
> > There have been a number of other changes made on the 3.3.0-SNAPSHOT
> > branch since the official 3.2.0 release.
> >
> > Are there any thoughts on whether we should just release
> > 3.3.0-SNAPSHOT branch as 3.2.1, or whether we should fork from 3.2.0
> > and apply the minimum amount of fixes?
> >
