Changing my vote to -1 binding, which ends this VOTE under the abbreviated consensus plan that's part of the vote.
Half the reason for this release was the Log4J dependency CVE. I don't want to explain to people "which CVE" is fixed and which isn't and why the DoS is less of a concern, etc. I will create rc2 with newer Log4J and we'll start a new VOTE.

This VOTE thread: https://lists.apache.org/thread/dxhyfnv67d1dk0ychqy15km3mcs6rov1

-MikeB

On Mon, Dec 20, 2021 at 10:40 AM Steve Lawrence <slawre...@apache.org> wrote:
>
> I just downloaded the OWASP dependency check command line tool [1] (note
> that there is an sbt plugin, but I couldn't get it to work).
>
> I first ran it against the 3.2.0 release and it found only the expected,
> and now fixed, JDOM and Log4J CVEs.
>
> I then ran it against 3.2.1-rc1 and it found nothing. This was a bit
> surprising since I expected the latest Log4J CVE, but maybe this CVE is
> just too new. It did happen over the weekend, so maybe it isn't in the
> database where the tool downloads from yet?
>
> So I think there are no known CVEs aside from the newest Log4J one.
>
> As to if we are done with Log4j CVEs, I don't know. It wouldn't surprise
> me if more CVEs come out with the extra scrutiny it's getting, but we
> don't know of any more at the moment.
>
> If we did do an rc2, all the binaries should be exactly the same except
> for the Log4J jar, so the verification process should be pretty easy.
> Another compressed vote seems reasonable, especially since we already
> have 3 +1's for this release, maybe even extra compressed considering
> the very small change and no binary differences in Daffodil.
>
> [1] https://owasp.org/www-project-dependency-check/
>
> On 12/20/21 9:38 AM, Mike Beckerle wrote:
> > I could go either way on this.
> >
> > My questions, which are perhaps not ones we can easily get answers to...
> >
> > * Do we actually know there are no CVEs against other things we depend on?
> >
> > * Has this Log4J flurry now concluded, or is that software now "under
> > scrutiny" such that there are now going to be a bunch more CVEs and
> > fixes?
> >
> > On Mon, Dec 20, 2021 at 7:27 AM Steve Lawrence <slawre...@apache.org> wrote:
> >>
> >> It looks like another CVE was found that affects Log4J 2.16.0. This seems
> >> less severe than the previous CVEs--it's only a DoS, and I think
> >> Daffodil CLI isn't affected. But I *think* API users of Daffodil could
> >> potentially be affected if they have custom Log4J configs with a special
> >> Pattern Layout.
> >>
> >> Dependabot already has a PR open for Log4J 2.17.0 with a fix. Do we want
> >> to cancel this rc1 vote, merge the patch, and create an rc2?
> >>
> >> (Dependabot also opened a PR to update jackson-core, which has a bug fix
> >> for json parsing of quotes which might be worth merging as well?)
> >>
> >> On 12/16/21 4:02 PM, Mike Beckerle wrote:
> >>> Hi all,
> >>>
> >>> I'd like to call a vote to release Apache Daffodil 3.2.1 and to do so
> >>> with an abbreviated approval cycle (to be used only for urgent patch
> >>> releases).
> >>>
> >>> Your vote covers the release as usual, but also due to the urgency of
> >>> this patch release, you are also voting on these 4 deltas from our more
> >>> usual release process:
> >>>
> >>> * You agree the patch release is urgent and this abbreviated approval
> >>> cycle is warranted and appropriate.
> >>>
> >>> * The DISCUSS email thread will be superseded by this VOTE thread.
> >>>
> >>> * Shortened 48 hours of work-day time for lazy consensus on the VOTE
> >>>
> >>> * A minimum of three +1 and zero -1 binding votes are needed
> >>>
> >>> For a summary of the changes in this release, see the release notes page:
> >>>
> >>> https://daffodil.apache.org/releases/3.2.1/
> >>>
> >>> All distribution packages, including signatures, digests, etc. can be
> >>> found at:
> >>>
> >>> https://dist.apache.org/repos/dist/dev/daffodil/3.2.1-rc1/
> >>>
> >>> Staging artifacts can be found at:
> >>>
> >>> https://repository.apache.org/content/repositories/orgapachedaffodil-1026/
> >>>
> >>> This release has been signed with PGP key 274B8F1413A680AF, corresponding
> >>> to mbecke...@apache.org, which is included in the KEYS file here:
> >>>
> >>> https://downloads.apache.org/daffodil/KEYS
> >>>
> >>> The release candidate has been tagged in git with v3.2.1-rc1.
> >>>
> >>> For reference, here is a list of all closed JIRAs tagged with 3.2.1:
> >>>
> >>> https://s.apache.org/daffodil-issues-3.2.1
> >>>
> >>> Please review and vote.
> >>>
> >>> Per the abbreviated process, the vote will be open for 48 hours.
> >>> (Until Monday 20 December 2021 17:00 EST.US).
> >>>
> >>> [ ] +1 approve the release, and this abbreviated release process
> >>> [ ] +0 no opinion
> >>> [ ] -1 disapprove of the release, or of this abbreviated release
> >>> process (and reason why)
> >>>
> >>
>
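The rc1-versus-rc2 check Steve describes in the thread (every binary identical except the Log4J jar) can be automated for a release vote. The following is an added example, not code from this thread or from the Daffodil project: it hashes every entry in two release zip archives and reports any added, removed or modified entry whose file name does not start with the allowed dependency prefix. The two archives and their contents are constructed stand-ins, not the real 3.2.1 distributions.

```python
import hashlib
import io
import zipfile


def _build_zip(entries: dict) -> bytes:
    """Build an in-memory zip from {entry_name: content} (for constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins for an rc1 and a follow-up rc2 that differ only in Log4J.
RC1 = _build_zip({
    "daffodil-3.2.1/bin/daffodil": b"#!/bin/sh\nexec java -jar ...\n",
    "daffodil-3.2.1/lib/daffodil-core_2.12-3.2.1.jar": b"core-bytes",
    "daffodil-3.2.1/lib/log4j-api-2.16.0.jar": b"log4j-api-2.16.0",
    "daffodil-3.2.1/lib/log4j-core-2.16.0.jar": b"log4j-core-2.16.0",
})
RC2 = _build_zip({
    "daffodil-3.2.1/bin/daffodil": b"#!/bin/sh\nexec java -jar ...\n",
    "daffodil-3.2.1/lib/daffodil-core_2.12-3.2.1.jar": b"core-bytes",
    "daffodil-3.2.1/lib/log4j-api-2.17.0.jar": b"log4j-api-2.17.0",
    "daffodil-3.2.1/lib/log4j-core-2.17.0.jar": b"log4j-core-2.17.0",
})


def digest_entries(archive: bytes) -> dict:
    """Map each file entry in a zip archive to the SHA-256 of its content."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {info.filename: hashlib.sha256(zf.read(info)).hexdigest()
                for info in zf.infolist() if not info.is_dir()}


def unexpected_changes(old: bytes, new: bytes, allowed_prefix: str) -> list:
    """Entries added, removed or modified between the archives whose base name
    does not start with allowed_prefix (e.g. 'log4j-'); empty means only the
    expected dependency changed."""
    a, b = digest_entries(old), digest_entries(new)
    changed = [name for name in set(a) | set(b) if a.get(name) != b.get(name)]
    return sorted(name for name in changed
                  if not name.rsplit("/", 1)[-1].startswith(allowed_prefix))


def only_dependency_changed(old: bytes, new: bytes, allowed_prefix: str = "log4j-") -> bool:
    return not unexpected_changes(old, new, allowed_prefix)
```

Run it against the rc1 and rc2 archives downloaded from dist.apache.org after checking their signatures; the check fails as soon as anything other than the Log4J jars differs.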