Yes, we need fix for security bug - STORM-3251. -Kishor
On Thu, Oct 11, 2018 at 12:26 PM Derek Dagit <[email protected]> wrote: > I agree with Aaron, we should fix STORM-3251 first. > -1 > > On Thu, Oct 11, 2018 at 11:22 AM Aaron Gresch <[email protected]> wrote: > > > -1 (non-binding?) https://issues.apache.org/jira/browse/STORM-3251 > > > > Just found a security-related issue related to a change I recently made > > (original change causing the bug: > > > > > https://github.com/apache/storm/commit/06a64949c8c5b764a33a10beb6088cdd8f182aa0 > > ). > > > > > > On Wed, Oct 10, 2018 at 6:46 PM Jungtaek Lim <[email protected]> wrote: > > > > > Thanks all for the quick turnaround! Here's my +1 (binding). > > > > > > > source > > > > > > - verify file (signature, MD5, SHA) > > > -- source, tar.gz : OK > > > -- source, zip : OK > > > > > > - extract file > > > -- source, tar.gz : OK > > > -- source, zip : OK > > > > > > - diff-ing extracted files between tar.gz and zip : OK > > > > > > - build source with JDK 8 (-Pall-tests && -Pexternals) > > > -- source, tar.gz : OK > > > > > > - build source dist > > > -- source, tar.gz : OK > > > > > > - build binary dist > > > -- source, tar.gz : OK > > > > > > > binary > > > > > > - verify file (signature, MD5, SHA) > > > -- binary, tar.gz : OK > > > -- binary, zip : OK > > > > > > - extract file > > > -- binary, tar.gz : OK > > > -- binary, zip : OK > > > > > > - diff-ing extracted files between tar.gz and zip : OK > > > > > > - launch daemons : OK > > > > > > - run RollingTopWords (local) : OK > > > > > > - run RollingTopWords (remote) : OK > > > - activate / deactivate / rebalance / kill : OK > > > - logviewer (worker dir, daemon dir) :OK > > > - change log level : OK > > > - thread dump, heap dump, restart worker : OK > > > - log search :OK > > > > > > Note that "profiling worker" and "topology log search" works now which > > were > > > failing in RC1. > > > > > > Thanks, > > > Jungtaek Lim (HeartSaVioR) > > > > > > 2018년 10월 11일 (목) 오전 3:02, Stig Rohde Døssing <[email protected] > >님이 > > > 작성: > > > > > > > +1 > > > > > > > > Built and ran unit tests from the tag. > > > > Ran ExclamationTopology locally using the Storm tar, verified that UI > > > looks > > > > as expected, that logviewer works, and that there were no errors in > the > > > > logs. > > > > Verified the signature and SHA512 for the source and binary tars. > > > > > > > > We should consider deleting the md5 files, Apache's release policy > > > > recommends against including them in a release > > > > https://www.apache.org/dev/release-distribution#sigs-and-sums. > > > > > > > > > > > > Den ons. 10. okt. 2018 kl. 17.02 skrev Bobby Evans <[email protected] > >: > > > > > > > > > +1 > > > > > > > > > > built and ran all of the unit tests from the tag. > > > > > Ran some small perf tests on a single node cluster. Things look > > really > > > > > good there. > > > > > > > > > > > > > > > On a side note our CI pipeline has been running and passing builds > > very > > > > > close to this release too. (we are following master currently) and > > it > > > is > > > > > looking good. > > > > > > > > > > Thanks, > > > > > > > > > > Bobby > > > > > > > > > > On Tue, Oct 9, 2018 at 4:02 PM Kishorkumar Patil > > > <[email protected] > > > > > > > > > > wrote: > > > > > > > > > > > +1 to release this package. > > > > > > > > > > > > I ran basic tests, and fucntionality tested manually some of the > UI > > > > > > features and profiling issues reported as part of the blockers. I > > did > > > > not > > > > > > notice any silent failures either - or any failures/exception in > > the > > > > > logs. > > > > > > > > > > > > Regards > > > > > > -Kishor > > > > > > > > > > > > > > > > > > On Tue, Oct 9, 2018 at 4:05 PM P. Taylor Goetz < > [email protected] > > > > > > > > wrote: > > > > > > > > > > > > > This is a call to vote on releasing Apache Storm 2.0.0 (rc2) > > > > > > > > > > > > > > Full list of changes in this release: > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > https://dist.apache.org/repos/dist/dev/storm/apache-storm-2.0.0-rc2/RELEASE_NOTES.html > > > > > > > > > > > > > > The tag/commit to be voted upon is v2.0.0: > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > https://git-wip-us.apache.org/repos/asf?p=storm.git;a=tree;h=f8d04910dc3fd14534c186232ecf7882d8916f67;hb=f8d04910dc3fd14534c186232ecf7882d8916f67 > > > > > > > > > > > > > > The source archive being voted upon can be found here: > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > https://dist.apache.org/repos/dist/dev/storm/apache-storm-2.0.0-rc2/apache-storm-2.0.0-src.tar.gz > > > > > > > > > > > > > > Other release files, signatures and digests can be found here: > > > > > > > > > > > > > > > > > https://dist.apache.org/repos/dist/dev/storm/apache-storm-2.0.0-rc2/ > > > > > > > > > > > > > > The release artifacts are signed with the following key: > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > https://git-wip-us.apache.org/repos/asf?p=storm.git;a=blob_plain;f=KEYS;hb=22b832708295fa2c15c4f3c70ac0d2bc6fded4bd > > > > > > > > > > > > > > The Nexus staging repository for this release is: > > > > > > > > > > > > > > > > > > > https://repository.apache.org/content/repositories/orgapachestorm-1071 > > > > > > > > > > > > > > Please vote on releasing this package as Apache Storm 2.0.0. > > > > > > > > > > > > > > When voting, please list the actions taken to verify the > release. > > > > > > > > > > > > > > This vote will be open for at least 72 hours. > > > > > > > > > > > > > > [ ] +1 Release this package as Apache Storm 2.0.0 > > > > > > > [ ] 0 No opinion > > > > > > > [ ] -1 Do not release this package because... > > > > > > > > > > > > > > Thanks to everyone who contributed to this release. > > > > > > > > > > > > > > -Taylor > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > Derek >
