Max, without a doubt we should not release 2.11.1 with a known CVE.

On Sun, 19 Dec 2021 at 21:24, Maxim Muzafarov <mmu...@apache.org> wrote:

> Ivan,
>
> I suppose the next 2.11.2 version should be released. Currently, from
> my point of view, it's a bit strange releasing 2.11.1 with a known
> CVE. It doesn't take too much time to prepare a new RC.
>
>
> Folks,
>
> I've merged to the master branch the issue [1] which upgrades
> dependency to 2.17.0 and here are two suggestions:
> 1. Cherry-pick the issue [1] to the 2.11.1 and 2.12 branches.
> 2. Prepare a new RC and send it for a vote with a little clarification
> - do not keep the vote for 3 days and accept an RC when the +3 binding
> votes and no vetoes will be received from the community the same way as
> the log4j community does [2].
>
> WDYT?
>
> [1] https://issues.apache.org/jira/browse/IGNITE-16153
> [2] https://lists.apache.org/thread/w7kob4v6f3wm63g5j48wvcbj7l9y343q
>
> On Sat, 18 Dec 2021 at 19:31, Ivan Daschinsky <ivanda...@gmail.com> wrote:
> >
> > Haha, it becomes funny :) What if another vulnerability will be discovered
> > a few days later?
> >
> > On Sat, 18 Dec 2021 at 18:04, Maxim Muzafarov <mmu...@apache.org> wrote:
> >
> > > Folks,
> > >
> > >
> > > I've found that LOG4J2 2.17.0 version is released [1]. According to
> > > the description and risk mitigation [2] it is recommended the version
> > > update. Since the release has not happened yet I think it is possible
> > > to update the dependency in the 2.11.1 release too.
> > >
> > >
> > > WDYT?
> > >
> > >
> > > [1] https://issues.apache.org/jira/browse/LOG4J2-3230
> > > [2] https://logging.apache.org/log4j/2.x/security.html
> > >
> > > On Fri, 17 Dec 2021 at 14:20, Petr Ivanov <mr.wei...@gmail.com> wrote:
> > > >
> > > > I've dropped GitBox in favour of GitHub — the build [1] has started.
> > > >
> > > >
> > > > [1] https://ci.ignite.apache.org/buildConfiguration/Releases_ApacheIgniteMain_ReleaseBuild/6329862
> > > >
> > > > > On 17 Dec 2021, at 13:24, Maxim Muzafarov <mmu...@apache.org> wrote:
> > > > >
> > > > > Petr,
> > > > >
> > > > > Thank you.
> > > > >
> > > > > Yes, I've added changes related to the new release build actions
> > > > > (IGNITE-15678, IGNITE-15677). The ignite-2.12 branch seems to be
> > > > > working fine, however, at the ignite-2.11.1 the error with "too many
> > > > > requests" appears from time to time. Here is an example of such a
> > > > > build [1].
> > > > >
> > > > >
> > > > > [1] https://ci.ignite.apache.org/viewLog.html?buildId=6329858&buildTypeId=Releases_ApacheIgniteMain_ReleaseBuild
> > > > >
> > > > > On Fri, 17 Dec 2021 at 13:20, Petr Ivanov <mr.wei...@gmail.com> wrote:
> > > > >>
> > > > >> Concerning Too many requests error, I see the following problem:
> > > > >>
> > > > >>
> > > > >> Your request has been rate limited, as we have detected excessive usage from your IP or net block:
> > > > >> 15.575 SECONDS OF TIME SPENT OVER 120 SECONDS, MAX ALLOWED IS 15.
> > > > >> Rate-limits are automatic and reset every two minutes.
> > > > >> If you feel this is in error, please contact the Apache Infrastructure Team at: us...@infra.apache.org.
> > > > >>
> > > > >>
> > > > >> Can someone check with them about it, please?
> > > > >>
> > > > >>> On 17 Dec 2021, at 13:14, Petr Ivanov <mr.wei...@gmail.com> wrote:
> > > > >>>
> > > > >>> Permissions updated.
> > > > >>>
> > > > >>>
> > > > >>>> On 17 Dec 2021, at 13:09, Petr Ivanov <mr.wei...@gmail.com> wrote:
> > > > >>>>
> > > > >>>> Could you please add links to builds that are malfunctioning?
> > > > >>>> As much as I see here [1] and here [2] — the release build changed
> > > > >>>> to comply with 2.12 changes that are not merged to 2.11.1
> > > > >>>>
> > > > >>>>
> > > > >>>> [1] https://ci.ignite.apache.org/buildConfiguration/Releases_ApacheIgniteMain_ReleaseBuild/6329822
> > > > >>>> [2] https://ci.ignite.apache.org/buildConfiguration/Releases_ApacheIgniteMain_ReleaseBuild/6329824
> > > > >>>>
> > > > >>>>> On 17 Dec 2021, at 12:11, Maxim Muzafarov <mmu...@apache.org> wrote:
> > > > >>>>>
> > > > >>>>> Hello Petr,
> > > > >>>>>
> > > > >>>>> Can you please assist with configuring the Release Teamcity suite that
> > > > >>>>> has been changed for 2.x a month ago? These changes haven't been
> > > > >>>>> discussed on the dev-list, so I'm not familiar with them.
> > > > >>>>>
> > > > >>>>> I've faced several issues:
> > > > >>>>> - the default role for Apache Ignite 2.x (Release) suite is `Agent
> > > > >>>>> manager`, however, it seems the right value is `Project developer and
> > > > >>>>> queue manager`. I've looked through the documentation pages and
> > > > >>>>> didn't get an idea of how it can be changed.
> > > > >>>>> - there was an issue with the Releases_ApacheIgniteMain_GitBoxIgnite
> > > > >>>>> that throws `429 too many requests` exception each time a new list of
> > > > >>>>> branches is fetched. I've changed the poll interval to 180 sec
> > > > >>>>> (default value 60 sec), however, this change doesn't look good from my
> > > > >>>>> side. What should I do here?
> > > > >>>>>
> > > > >>>>> On Thu, 16 Dec 2021 at 22:09, Вячеслав Коптилин
> > > > >>>>> <slava.kopti...@gmail.com> wrote:
> > > > >>>>>>
> > > > >>>>>> Hi Maxim,
> > > > >>>>>>
> > > > >>>>>> Thanks a lot!
> > > > >>>>>>
> > > > >>>>>>> Check the following links below.
> > > > >>>>>> Looks good to me.
> > > > >>>>>>
> > > > >>>>>>
> > > > >>>>>> On Thu, 16 Dec 2021 at 20:19, Maxim Muzafarov <mmu...@apache.org> wrote:
> > > > >>>>>>
> > > > >>>>>>> Folks,
> > > > >>>>>>>
> > > > >>>>>>>
> > > > >>>>>>> I'm OK with this. Let's go through the fastest way we have.
> > > > >>>>>>>
> > > > >>>>>>>
> > > > >>>>>>> Check the following links below. I'll prepare the vote shortly.
> > > > >>>>>>>
> > > > >>>>>>> Compare branches 2.11 and 2.11.1:
> > > > >>>>>>> https://github.com/apache/ignite/compare/ignite-2.11...ignite-2.11.1
> > > > >>>>>>>
> > > > >>>>>>> The release branch:
> > > > >>>>>>> https://github.com/apache/ignite/tree/ignite-2.11.1
> > > > >>>>>>>
> > > > >>>>>>> JIRA 2.11.1 version:
> > > > >>>>>>> https://issues.apache.org/jira/issues/?jql=project%20%3D%20IGNITE%20AND%20fixVersion%20%3D%202.11.1
> > > > >>>>>>>
> > > > >>>>>>> Release notes:
> > > > >>>>>>> https://github.com/apache/ignite/blob/ignite-2.11.1/RELEASE_NOTES.txt
> > > > >>>>>>>
> > > > >>>>>>> On Thu, 16 Dec 2021 at 19:30, Ilya Kasnacheev <ilya.kasnach...@gmail.com> wrote:
> > > > >>>>>>>>
> > > > >>>>>>>> Hello!
> > > > >>>>>>>>
> > > > >>>>>>>> I also agree with Stephen. If we wanted to do a stabilization release we
> > > > >>>>>>>> should unbind it from this urgent fix.
> > > > >>>>>>>>
> > > > >>>>>>>> I wonder why 2.12 is not with us already, given that it was scheduled to go
> > > > >>>>>>>> out in August.
> > > > >>>>>>>>
> > > > >>>>>>>> Regards,
> > > > >>>>>>>> --
> > > > >>>>>>>> Ilya Kasnacheev
> > > > >>>>>>>>
> > > > >>>>>>>>
> > > > >>>>>>>> On Thu, 16 Dec 2021 at 19:25, Вячеслав Коптилин <slava.kopti...@gmail.com> wrote:
> > > > >>>>>>>>
> > > > >>>>>>>>> Hello,
> > > > >>>>>>>>>
> > > > >>>>>>>>>> Given that 2.12 is so close, my preference would be to limit the scope of
> > > > >>>>>>>>>> 2.11.1 to just the log4j update.
> > > > >>>>>>>>> I agree with Stephen. Apache Ignite 2.11.1 is an emergency release. Using
> > > > >>>>>>>>> log4j 2.16 instead of 2.14 is a quite small change that only requires a
> > > > >>>>>>>>> "sanity" check and can be quickly released. A wider release scope requires
> > > > >>>>>>>>> full testing, IMHO.
> > > > >>>>>>>>>
> > > > >>>>>>>>> Thanks,
> > > > >>>>>>>>> S.
> > > > >>>>>>>>>
> > > > >>>>>>>>>
> > > > >>>>>>>>> On Thu, 16 Dec 2021 at 16:03, Maxim Muzafarov <mmu...@apache.org> wrote:
> > > > >>>>>>>>>
> > > > >>>>>>>>>> I think it is completely possible to move vote/release dates
> > > > >>>>>>>>>> significantly forward with keeping the scope. I will take a look at
> > > > >>>>>>>>>> the list of fixed bugs more narrowly and exclude some of them that
> > > > >>>>>>>>>> require additional verification.
> > > > >>>>>>>>>>
> > > > >>>>>>>>>> On Thu, 16 Dec 2021 at 15:55, Stephen Darlington
> > > > >>>>>>>>>> <stephen.darling...@gridgain.com> wrote:
> > > > >>>>>>>>>>>
> > > > >>>>>>>>>>> Given that 2.12 is so close, my preference would be to limit the scope
> > > > >>>>>>>>>>> of 2.11.1 to just the log4j update. Would that help bring the vote/release
> > > > >>>>>>>>>>> date forward?
> > > > >>>>>>>>>>>
> > > > >>>>>>>>>>>> On 16 Dec 2021, at 12:44, Maxim Muzafarov <mmu...@apache.org> wrote:
> > > > >>>>>>>>>>>>
> > > > >>>>>>>>>>>> Dear Ignite Community!
> > > > >>>>>>>>>>>>
> > > > >>>>>>>>>>>> I suggest preparing the Apache Ignite 2.11.1 release and I want to
> > > > >>>>>>>>>>>> propose myself to be the release manager of the minor release.
> > > > >>>>>>>>>>>>
> > > > >>>>>>>>>>>>
> > > > >>>>>>>>>>>> * RELEASE TIMELINE *
> > > > >>>>>>>>>>>>
> > > > >>>>>>>>>>>> Scope Freeze: December 16, 2021
> > > > >>>>>>>>>>>> Code Freeze: December 16, 2021
> > > > >>>>>>>>>>>> Voting Date: December 21, 2021
> > > > >>>>>>>>>>>> Release Date: December 24, 2021
> > > > >>>>>>>>>>>>
> > > > >>>>>>>>>>>>
> > > > >>>>>>>>>>>> * RELEASE SCOPE *
> > > > >>>>>>>>>>>>
> > > > >>>>>>>>>>>> LOG4J dependency update
> > > > >>>>>>>>>>>> https://issues.apache.org/jira/browse/IGNITE-16101
> > > > >>>>>>>>>>>> https://issues.apache.org/jira/browse/IGNITE-16127
> > > > >>>>>>>>>>>>
> > > > >>>>>>>>>>>> B+Tree Corrupted exception when using a key extracted from a BinaryObject
> > > > >>>>>>>>>>>> https://issues.apache.org/jira/browse/IGNITE-12911
> > > > >>>>>>>>>>>>
> > > > >>>>>>>>>>>> Regression: Ignite node crash(CorruptedTreeException: B+Tree is corrupted)
> > > > >>>>>>>>>>>> https://issues.apache.org/jira/browse/IGNITE-15943
> > > > >>>>>>>>>>>>
> > > > >>>>>>>>>>>> .NET: ClientFailoverSocket sets logger too late, resulting in null
> > > > >>>>>>>>>>>> loggers downstream
> > > > >>>>>>>>>>>> https://issues.apache.org/jira/browse/IGNITE-14776
> > > > >>>>>>>>>>>>
> > > > >>>>>>>>>>>> The iterator of the ClientCacheQueryCursor can be closed during serialization.
> > > > >>>>>>>>>>>> https://issues.apache.org/jira/browse/IGNITE-15346
> > > > >>>>>>>>>>>>
> > > > >>>>>>>>>>>> Possible owners desync when a node is restarted while rebalancing with
> > > > >>>>>>>>>>>> enabled persistence
> > > > >>>>>>>>>>>> https://issues.apache.org/jira/browse/IGNITE-15315
> > > > >>>>>>>>>>>>
> > > > >>>>>>>>>>>> Thin client: Tx can fail if there are concurrent tx rollbacks by timeout
> > > > >>>>>>>>>>>> https://issues.apache.org/jira/browse/IGNITE-15732
> > > > >>>>>>>>>>>>
> > > > >>>>>>>>>>>> AssertionError: Unexpected rebalance on rebalanced cluster
> > > > >>>>>>>>>>>> https://issues.apache.org/jira/browse/IGNITE-15033
> > > > >>>>>>>>>>>>
> > > > >>>>>>>>>>>> JmxMetricExporterSpi throws assertion error on a filtered metric unregister
> > > > >>>>>>>>>>>> https://issues.apache.org/jira/browse/IGNITE-15252
> > > > >>>>>>>>>>>>
> > > > >>>>>>>>>>>> ClassNotFoundException on an attempt to invoke service method from
> > > > >>>>>>>>>>>> Java ThinClient after a cluster failover
> > > > >>>>>>>>>>>> https://issues.apache.org/jira/browse/IGNITE-15256
> > > > >>>>>>>>>>>>
> > > > >>>>>>>>>>>> NullPointerException on an attempt to create a Java ThinClient with
> > > > >>>>>>>>>>>> BinaryConfiguration
> > > > >>>>>>>>>>>> https://issues.apache.org/jira/browse/IGNITE-15138
> > > > >>>>>>>>>>>>
> > > > >>>>>>>>>>>> Java thin client: Type name is not cached on client-side for
> > > > >>>>>>>>>>>> OptimizerMarshaller types
> > > > >>>>>>>>>>>> https://issues.apache.org/jira/browse/IGNITE-15924
> > > > >>>>>>>>>>>>
> > > > >>>>>>>>>>>> select count * returns multiple rows
> > > > >>>>>>>>>>>> https://issues.apache.org/jira/browse/IGNITE-14120
> > > > >>>>>>>>>>>>
> > > > >>>>>>>>>>>> Fix StackOverflowError in case if an exception is suppressed with itself
> > > > >>>>>>>>>>>> https://issues.apache.org/jira/browse/IGNITE-15716
> > > > >>>>>>>>>>>>
> > > > >>>>>>>>>>>>
> > > > >>>>>>>>>>>> WDYT?
> > > > >>>>>>>>>>>
> > > > >>>>>>>>>>>
> > > > >>>>>>>>>>
> > > > >>>>>>>>>
> > > > >>>>>>>
> > > > >>>>
> > > > >>>
> > > > >>
> > > >
> > >
> >
> >
> > --
> > Sincerely yours, Ivan Daschinskiy
>


-- 
Sincerely yours, Ivan Daschinskiy
