Sounds good to me!

On 12/15/21 12:56 PM, Mike Beckerle wrote:
Official discussion thread. Proposing release 3.2.1 based on git hash
b48db8d7f3ad20e7df7a1452793ac49686f8e119

This has the urgent log4j change, and fixes bug DAFFODIL-2608 which
was a critical bug in 3.2.0.

On Wed, Dec 15, 2021 at 9:33 AM Interrante, John A (GE Research, US)
<[email protected]> wrote:

I agree too.  Let's do the normal release workflow, only calling the release 
3.2.1 instead of 3.3.0 because of how little time has passed since we released 
3.2.0.  In that period of time (9 days), we've merged 10 pull requests:

Update sbt to 1.5.7
#706 merged 9 minutes ago

Update os-lib to 0.8.0
#704 merged yesterday

Update log4j-api, log4j-core to 2.16.0
#705 merged yesterday

Update log4j-api, log4j-core to 2.15.0
#702 merged 5 days ago

Update sbt to 1.5.6
#703 merged 5 days ago

Rename version.h to daffodil_version.h
#701 merged 6 days ago

Add test to illustrate checksum/layer bug
#700 merged 6 days ago

Use same version for both log4j-api and log4j-core
#697 merged 9 days ago

Ensure we use UTF-8 when outputting and comparing SAX output
#696 merged 8 days ago

setup for 3.3.0-SNAPSHOT development
#695 merged 9 days ago

All of these are relatively tiny safe changes except for the UTF-8 change 
(https://github.com/apache/daffodil/pull/696/files), and even that change 
shouldn't raise the risk of regressions very much (you can look at its changes 
yourself).

John

-----Original Message-----
From: Steve Lawrence <[email protected]>
Sent: Wednesday, December 15, 2021 8:21 AM
To: [email protected]
Subject: EXT: Re: Need to create daffodil 3.2.1 ?

I feel the changes to the main branch since v3.2.0 are small enough that the 
risk of regressions is pretty low. So I'd lean towards keeping things simple 
and base the 3.2.1 release off of the main branch without a fork.

On 12/15/21 8:02 AM, Mike Beckerle wrote:
I think we're going to need to create a Daffodil 3.2.1 release.

We have this current critical bug
https://issues.apache.org/jira/browse/DAFFODIL-2608 which is a flaw in
unparsing associated with a primary 3.2.0 feature. I'll take the blame
for inadequate testing there. I hope to work on this today.

There is also an urgent CVE about Log4J. The cybersecurity community,
which uses Daffodil quite a bit, is insisting on updates to software
using Log4J within 15 days.  The update for this is already in the
3.3.0-SNAPSHOT branch.

There have been a number of other changes made on the 3.3.0-SNAPSHOT
branch since the official 3.2.0 release.

Are there any thoughts on whether we should just release
3.3.0-SNAPSHOT branch as 3.2.1, or whether we should fork from 3.2.0
and apply the minimum amount of fixes?


