I agree with both of your points Remko.

On Mon, Dec 13, 2021 at 2:40 AM Remko Popma <remko.po...@gmail.com> wrote:

> I am also okay with removing Message Lookups from 2.x.
> A release with that change should be called 2.16.0 though, not 2.15.1 or
> 2.15.2.
>
> Also it makes sense to *only* have that security change (removing Message
> Lookups) in such a 2.16.0 release and not add other features.
> This will reduce the testing burden for people looking to upgrade.
>
> On Mon, Dec 13, 2021 at 8:12 Ralph Goers <ralph.go...@dslextreme.com> wrote:
>
> > Volkan,
> >
> > While ASF rules say a -1 vote is not a veto, for all practical purposes the
> > release manager is going to consider it a blocker.
> >
> > A release that removes JNDI will prevent people from inadvertently using
> > the JNDI Lookup, JMS, or JndiContextSelector without understanding the
> > security risk of using them. Message Lookups are a different problem. We
> > are not disabling JNDI so people can re-enable message lookups. That would
> > be crazy. We are disabling JNDI because, despite all the fixes we have
> > made, I still don’t trust it.
> >
> > We have all agreed Message Lookups need to be killed in master. If we are
> > all in agreement to kill them now in 2.x I’m fine with that, but the two
> > are separate issues.
> >
> > If you are OK with the release then your vote should be anything but -1.
> > If you really feel it needs a -1 then we need to see if we are all ok
> > completely removing the option to re-enable message lookups. I would
> > completely understand if that is what you want and I would support that,
> > so please don’t feel pressured to give in.
> >
> > Ralph
> >
> > > On Dec 12, 2021, at 2:08 PM, Volkan Yazıcı <vol...@yazi.ci> wrote:
> > >
> > > You don't need my vote. As far as I count, you already have more than 3.
> > >
> > > I can imagine Ralph and the rest have worked sleeplessly for days. Hence
> > > if they think disabling JNDI buys us a benefit, so be it.
> > >
> > > If not millions, tens of thousands of people tried to upgrade Log4j to
> > > 2.15.0 recently. A release where JNDI lookup is disabled will only
> > > address people who still (astonishingly!) want to use "message lookups"
> > > – correct me if I'm wrong. Hence, I think in its current form, 2.15.1
> > > will bring more confusion than benefit to the general audience. I think
> > > the fix to the vulnerability is to disable message lookups, not patches
> > > to the JNDI lookup. I want to believe that users get this fact right and
> > > have already disabled it. We need to be really careful with our next
> > > release. We can't expect people to upgrade once a week. Putting aside
> > > the damage it does to the reputation of the project.
> > >
> > > On Sun, Dec 12, 2021 at 9:47 PM Remko Popma <remko.po...@gmail.com> wrote:
> > >
> > >> First, is this really a blocker for 2.15.1?
> > >> I think it is prudent to do urgent releases soon.
> > >> This JNDI change (LOG4J2-3208
> > >> <https://issues.apache.org/jira/browse/LOG4J2-3208>) feels urgent enough
> > >> to warrant another shortened vote window.
> > >> A larger change like removing message lookups should not be rushed out
> > >> like this, it needs review time.
> > >>
> > >> Second, do we really want to do this? Are we not overreacting?
> > >> Would it not be better to remove lookups in message parameters only?
> > >> (In implementation terms, resolve all lookups *before* interpolating the
> > >> message parameters?)
> > >>
> > >> Also, let me state the obvious, lookups *in configuration* are
> > >> tremendously useful and should not be removed.
> > >> This may be obvious to some of us, but I just want to make sure there is
> > >> no confusion about that (because I personally was confused about this at
> > >> some point). :-)
> > >>
> > >> Finally, if we decide to do this, should a change like this be in a
> > >> point/bugfix release (2.15.1) or should it be a separate minor release
> > >> like 2.16.0?
> > >>
> > >> On Mon, Dec 13, 2021 at 5:10 AM Remko Popma <remko.po...@gmail.com> wrote:
> > >>
> > >>> Shall we discuss this first please?
> > >>>
> > >>> On Mon, Dec 13, 2021 at 5:10 AM Matt Sicker <boa...@gmail.com> wrote:
> > >>>
> > >>>> If you can handle that change, I can roll a new release candidate.
> > >>>>
> > >>>> Matt Sicker
> > >>>>
> > >>>>> On Dec 12, 2021, at 14:07, Volkan Yazıcı <vol...@yazi.ci> wrote:
> > >>>>>
> > >>>>> I know. I want them to be removed, not disabled.
> > >>>>>
> > >>>>>> On Sun, Dec 12, 2021 at 9:01 PM Matt Sicker <boa...@gmail.com> wrote:
> > >>>>>>
> > >>>>>> Those were already disabled in 2.15.0.
> > >>>>>>
> > >>>>>> Matt Sicker
> > >>>>>>
> > >>>>>>> On Dec 12, 2021, at 13:41, Volkan Yazıcı <vol...@yazi.ci> wrote:
> > >>>>>>>
> > >>>>>>> I very well recognize your heroic effort on tackling this issue and
> > >>>>>>> I am very thankful for that.
> > >>>>>>> I vote -1, because I want message (not configuration!) lookups to
> > >>>>>>> be removed.
> > >>>>>>>
> > >>>>>>> Message lookups create a vast attack surface. Anything they offer
> > >>>>>>> can simply be implemented by the user.
> > >>>>>>>
> > >>>>>>>> On Sun, Dec 12, 2021 at 4:48 AM Matt Sicker <boa...@gmail.com> wrote:
> > >>>>>>>>
> > >>>>>>>> This is a vote to release Log4j 2.15.1, the next version of the
> > >>>>>>>> Log4j 2 project.
> > >>>>>>>>
> > >>>>>>>> Please download, test, and cast your votes on the log4j developers
> > >>>>>>>> list.
> > >>>>>>>> [] +1, release the artifacts
> > >>>>>>>> [] -1, don't release because...
> > >>>>>>>>
> > >>>>>>>> The vote will remain open for 72 hours (or more if required). All
> > >>>>>>>> votes are welcome and we encourage everyone to test the release,
> > >>>>>>>> but only Logging PMC votes are “officially” counted. As always, at
> > >>>>>>>> least 3 +1 votes and more positive than negative votes are required.
> > >>>>>>>>
> > >>>>>>>> Changes in this release include:
> > >>>>>>>>
> > >>>>>>>> Fixed Bugs
> > >>>>>>>>
> > >>>>>>>> * LOG4J2-3208: Disable JNDI by default. Require log4j2.enableJndi
> > >>>>>>>> to be set to true to allow JNDI.
> > >>>>>>>>
> > >>>>>>>> Tag:
> > >>>>>>>> a) for a new copy do "git clone
> > >>>>>>>> https://github.com/apache/logging-log4j2.git" and then "git checkout
> > >>>>>>>> tags/log4j-2.15.1-rc1" or just "git clone -b log4j-2.15.1-rc1
> > >>>>>>>> https://github.com/apache/logging-log4j2.git"
> > >>>>>>>> b) for an existing working copy do “git pull” and then “git checkout
> > >>>>>>>> tags/log4j-2.15.1-rc1”
> > >>>>>>>>
> > >>>>>>>> Web Site: https://logging.staged.apache.org/log4j/2.x/index.html
> > >>>>>>>>
> > >>>>>>>> Maven Artifacts:
> > >>>>>>>> https://repository.apache.org/content/repositories/orgapachelogging-1067/
> > >>>>>>>>
> > >>>>>>>> Distribution archives:
> > >>>>>>>> https://dist.apache.org/repos/dist/dev/logging/log4j/
> > >>>>>>>>
> > >>>>>>>> You may download all the Maven artifacts by executing:
> > >>>>>>>> wget -e robots=off --cut-dirs=7 -nH -r -p -np --no-check-certificate
> > >>>>>>>> https://repository.apache.org/content/repositories/orgapachelogging-1067/org/apache/logging/log4j/

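Remko's implementation suggestion in the quoted thread (resolve all lookups *before* interpolating the message parameters) modelled in a small Python formatter; this is an added example, not Log4j code. The `${source:key}` syntax is kept, but the lookup registry, the `[${app:name}] %m` pattern and the log inputs are constructed for the example.

```python
import re

# Constructed stand-in for configuration lookups such as Log4j's ${env:...}.
# Values are made up; only the resolution order matters here.
LOOKUPS = {"app": {"name": "orders-svc", "region": "eu-west-1"}}

LOOKUP_RE = re.compile(r"\$\{(\w+):([\w.]+)\}")


def resolve_lookups(text: str) -> str:
    """Expand every ${source:key} found in text; unknown lookups stay literal."""
    def repl(match: re.Match) -> str:
        source, key = match.group(1), match.group(2)
        return LOOKUPS.get(source, {}).get(key, match.group(0))
    return LOOKUP_RE.sub(repl, text)


def interpolate_params(message: str, params) -> str:
    """Fill the '{}' placeholders of a parameterized message, left to right."""
    for value in params:
        message = message.replace("{}", str(value), 1)
    return message


def format_unsafe(pattern: str, message: str, params) -> str:
    """Problematic order: build the whole line first, then run lookups over it,
    so text that arrived as a parameter (often user input) is interpreted."""
    line = pattern.replace("%m", interpolate_params(message, params))
    return resolve_lookups(line)


def format_safe(pattern: str, message: str, params) -> str:
    """Suggested order: run lookups over the developer-written pattern and
    message format only, then splice the parameters in as literal text."""
    line = resolve_lookups(pattern.replace("%m", message))
    return interpolate_params(line, params)


if __name__ == "__main__":
    # Constructed inputs: the parameter value is attacker-shaped text.
    pattern, message, params = "[${app:name}] login by %m", "{}", ["${app:region}"]
    print("unsafe:", format_unsafe(pattern, message, params))  # parameter expanded
    print("safe:  ", format_safe(pattern, message, params))    # parameter kept literal
```

Lookups written by the developer in the pattern or the message format string still resolve in `format_safe`; only values supplied as parameters are left untouched.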