I agree that 3.4 should not be refactored in any way, even for a security fix.

What's wrong with the "alpha story"?

I think releasing in an early stage with "-alpha", "-beta" modifiers is not a bad thing alone, as long as it doesn't take years to get to the stable release.

Andor


On Tue, 1 Oct 2019, Enrico Olivelli wrote:

Date: Tue, 1 Oct 2019 10:54:24 +0200
From: Enrico Olivelli <[email protected]>
Reply-To: [email protected]
To: [email protected]
Subject: Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2

On Tue, 1 Oct 2019, 10:38 Andor Molnar <[email protected]> wrote:

Backporting Netty 4 would be a huge, cumbersome task, I hope we don’t have
to do it.


Yes, 3.4 is mature and stable and closed for refactors.


However I had a quick look at the details of this CVE and it seems to me
that it only affects the HTTP codec:

https://github.com/netty/netty/commit/39cafcb05c99f2aa9fce7e6597664c9ed6a63a95

Can’t we just say 3.4.14 is not affected?
We’re not running HTTP server inside ZooKeeper.

Otherwise we might be able to release 3.6.0-alpha1 now, put a date for 3.4
EOL and highlight on the webpage that this


Please do not start an 'alpha' story like for 3.5....

CVE probably won’t be resolved on that branch, please upgrade to 3.5.


+1


Enrico


As a third option we could ask Norman to kindly fix 3.10.6.Final as well…
or submit a PR ourselves, it doesn’t seem to me a big deal.


Not so useful


What do you think?

Andor




On 2019. Oct 1., at 2:00, Patrick Hunt <[email protected]> wrote:

I pushed patches for 3.5 and trunk and the tests passed on my mac.
However 3.4 is using netty 3.10.6.Final and as such it's not a simple
upgrade. (There are no fixes against 3.10 for this CVE, at least not so
far.) Not sure what we want to do about this... someone would need to
backport the netty 4.1 changes into 3.4 afaict.

Patrick

On Mon, Sep 30, 2019 at 1:08 PM Patrick Hunt <[email protected]> wrote:

I'll work on it today.

Patrick

On Mon, Sep 30, 2019 at 11:59 AM Enrico Olivelli <[email protected]>
wrote:

Okay

I am cancelling the release.

I have a problem with my box, I can't work on netty upgrade.

Any volunteer?

Enrico

On Mon, 30 Sep 2019, 20:32 Andor Molnar <[email protected]> wrote:

The good news is: we need to release 3.4.15 too. :)

Andor



On 2019. Sep 30., at 20:26, Patrick Hunt <[email protected]> wrote:

created: https://issues.apache.org/jira/browse/ZOOKEEPER-3563

On Mon, Sep 30, 2019 at 11:20 AM Patrick Hunt <[email protected]>
wrote:

-1 - when I run dependency check on the release candidate artifact it's
failing with:

[ERROR] netty-transport-4.1.29.Final.jar: CVE-2019-16869

I ran this on trunk and it's passing, as such it must be an issue with
the 3.5.6 netty version specifically. It's listed as a high, we should
patch this as well before releasing.

Patrick


On Sun, Sep 29, 2019 at 7:29 AM Enrico Olivelli <[email protected]> wrote:

This is a bugfix release candidate for 3.5.6.

It fixes 28 issues, including upgrade of third party libraries,
TTL Node APIs for C API, support for PKCS12 Keystores, and better
procedure for the upgrade of servers from 3.4 to 3.5.

The full release notes are available at:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12345243

*** Please download, test and vote by October 2nd 2019, 23:59 UTC+0. ***

Source files:
https://people.apache.org/~eolivelli/zookeeper-3.5.6-candidate-2

Maven staging repo:
https://repository.apache.org/content/repositories/orgapachezookeeper-1042/

The release candidate tag in git to be voted upon:
release-3.5.6-rc2
https://github.com/apache/zookeeper/tree/release-3.5.6-rc2

ZooKeeper's KEYS file containing PGP keys we use to sign the release:
https://www.apache.org/dist/zookeeper/KEYS

Should we release this candidate?
Enrico Olivelli