On Tue, 1 Oct 2019 at 16:15 Patrick Hunt <ph...@apache.org> wrote:

> Another option/solution: How about officially dropping netty support from
> 3.4 and asking people to move to the new version (3.5 stable or later)?
>

Sounds good

Enrico

>
> Patrick
>
> On Tue, Oct 1, 2019 at 4:22 AM Andor Molnar <an...@apache.org> wrote:
>
> > I agree that 3.4 should not be refactored in any way even for a security
> > fix.
> >
> > What's wrong with the "alpha story"?
> >
> > I think releasing in an early stage with "-alpha", "-beta" modifiers is
> > not a bad thing alone, as long as it doesn't take years to get to the
> > stable release.
> >
> > Andor
> >
> >
> > On Tue, 1 Oct 2019, Enrico Olivelli wrote:
> >
> > > Date: Tue, 1 Oct 2019 10:54:24 +0200
> > > From: Enrico Olivelli <eolive...@gmail.com>
> > > Reply-To: dev@zookeeper.apache.org
> > > To: dev@zookeeper.apache.org
> > > Subject: Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
> > >
> > > On Tue, 1 Oct 2019, 10:38 Andor Molnar <an...@apache.org> wrote:
> > >
> > >> Backporting Netty 4 would be a huge, cumbersome task, I hope we don't
> > >> have to do it.
> > >>
> > >
> > > Yes, 3.4 is mature and stable and closed for refactors.
> > >
> > >
> > >> However I had a quick look at the details of this CVE and it seems to
> > >> me that it only affects the HTTP codec:
> > >>
> > >> https://github.com/netty/netty/commit/39cafcb05c99f2aa9fce7e6597664c9ed6a63a95
> > >>
> > >> Can't we just say 3.4.14 is not affected?
> > >> We're not running HTTP server inside ZooKeeper.
> > >>
> > >> Otherwise we might be able to release 3.6.0-alpha1 now, put a date for
> > >> 3.4 EOL and highlight on the webpage that this
> > >>
> > >
> > > Please do not start an 'alpha' story like for 3.5....
> > >
> > >> CVE probably won't be resolved on that branch, please upgrade to 3.5.
> > >>
> > >
> > > +1
> > >
> > >
> > > Enrico
> > >
> > >>
> > >> As a third option we could ask Norman to kindly fix 3.10.6.Final as
> > >> well... or submit a PR ourselves, it doesn't seem to me a big deal.
> > >>
> > >
> > > Not so useful
> > >
> > >>
> > >> What do you think?
> > >>
> > >> Andor
> > >>
> > >>
> > >>> On 2019. Oct 1., at 2:00, Patrick Hunt <ph...@apache.org> wrote:
> > >>>
> > >>> I pushed patches for 3.5 and trunk and the tests passed on my mac.
> > >>> However 3.4 is using netty 3.10.6.Final and as such it's not a simple
> > >>> upgrade. (there are no fixes against 3.10 for this CVE, at least not
> > >>> so far) Not sure what we want to do about this... someone would need
> > >>> to backport the netty 4.1 changes into 3.4 afaict.
> > >>>
> > >>> Patrick
> > >>>
> > >>> On Mon, Sep 30, 2019 at 1:08 PM Patrick Hunt <ph...@apache.org> wrote:
> > >>>
> > >>>> I'll work on it today.
> > >>>>
> > >>>> Patrick
> > >>>>
> > >>>> On Mon, Sep 30, 2019 at 11:59 AM Enrico Olivelli <eolive...@gmail.com>
> > >>>> wrote:
> > >>>>
> > >>>>> Okay
> > >>>>>
> > >>>>> I am cancelling the release.
> > >>>>>
> > >>>>> I have a problem with my box, I can't work on netty upgrade.
> > >>>>>
> > >>>>> Any volunteer?
> > >>>>>
> > >>>>> Enrico
> > >>>>>
> > >>>>> On Mon, 30 Sep 2019, 20:32 Andor Molnar <an...@apache.org> wrote:
> > >>>>>
> > >>>>>> The good news is: we need to release 3.4.15 too. :)
> > >>>>>>
> > >>>>>> Andor
> > >>>>>>
> > >>>>>>
> > >>>>>>> On 2019. Sep 30., at 20:26, Patrick Hunt <ph...@apache.org> wrote:
> > >>>>>>>
> > >>>>>>> created: https://issues.apache.org/jira/browse/ZOOKEEPER-3563
> > >>>>>>>
> > >>>>>>> On Mon, Sep 30, 2019 at 11:20 AM Patrick Hunt <ph...@apache.org>
> > >>>>>>> wrote:
> > >>>>>>>
> > >>>>>>>> -1 - when I run dependency check on the release candidate
> > >>>>>>>> artifact it's failing with:
> > >>>>>>>>
> > >>>>>>>> [ERROR] netty-transport-4.1.29.Final.jar: CVE-2019-16869
> > >>>>>>>>
> > >>>>>>>> I ran this on trunk and it's passing, as such it must be an
> > >>>>>>>> issue with the 3.5.6 netty version specifically. It's listed as
> > >>>>>>>> a high, we should patch this as well before releasing.
> > >>>>>>>>
> > >>>>>>>> Patrick
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>> On Sun, Sep 29, 2019 at 7:29 AM Enrico Olivelli
> > >>>>>>>> <eolive...@gmail.com> wrote:
> > >>>>>>>>
> > >>>>>>>>> This is a bugfix release candidate for 3.5.6.
> > >>>>>>>>>
> > >>>>>>>>> It fixes 28 issues, including upgrade of third party libraries,
> > >>>>>>>>> TTL Node APIs for C API, support for PKCS12 Keystores, and
> > >>>>>>>>> better procedure for the upgrade of servers from 3.4 to 3.5.
> > >>>>>>>>>
> > >>>>>>>>> The full release notes are available at:
> > >>>>>>>>>
> > >>>>>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12345243
> > >>>>>>>>>
> > >>>>>>>>> *** Please download, test and vote by October 2nd 2019, 23:59
> > >>>>>>>>> UTC+0. ***
> > >>>>>>>>>
> > >>>>>>>>> Source files:
> > >>>>>>>>> https://people.apache.org/~eolivelli/zookeeper-3.5.6-candidate-2
> > >>>>>>>>>
> > >>>>>>>>> Maven staging repo:
> > >>>>>>>>>
> > >>>>>>>>> https://repository.apache.org/content/repositories/orgapachezookeeper-1042/
> > >>>>>>>>>
> > >>>>>>>>> The release candidate tag in git to be voted upon:
> > >>>>>>>>> release-3.5.6-rc2
> > >>>>>>>>> https://github.com/apache/zookeeper/tree/release-3.5.6-rc2
> > >>>>>>>>>
> > >>>>>>>>> ZooKeeper's KEYS file containing PGP keys we use to sign the
> > >>>>>>>>> release:
> > >>>>>>>>> https://www.apache.org/dist/zookeeper/KEYS
> > >>>>>>>>>
> > >>>>>>>>> Should we release this candidate?
> > >>>>>>>>> Enrico Olivelli
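The triage the thread is doing by hand (a dependency check flags a netty jar for CVE-2019-16869, one branch has a fixed 4.1.x line to move to, the other sits on a 3.10.x line with no fix, and the question is whether the affected HTTP codec is even on the code path) is shown below as an added example. This is editor-written illustration code, not code from the thread, from the ZooKeeper project or from OWASP dependency-check. The CVE id, the flagged `netty-transport-4.1.29.Final.jar` and the `3.10.6.Final` version come from the thread; the advisory table, the `4.1.42.Final` fix boundary, the `netty-3.10.6.Final.jar` file name and the remaining classpath entries are assumptions constructed for the example and must be confirmed against the published advisory before being relied on.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed advisory table for illustration. CVE-2019-16869 and the flagged
# netty-transport-4.1.29.Final.jar come from the thread; the fix boundary
# (4.1.42.Final) and the absence of a 3.x fix are assumptions made for this
# example and must be confirmed against the published advisory before use.
ADVISORIES: Dict[str, dict] = {
    "CVE-2019-16869": {
        "artifact_prefix": "netty",      # matches netty-transport, netty-codec-http, netty (3.x) ...
        "fixed_in": {4: (4, 1, 42)},     # assumption: 4.x line fixed from 4.1.42.Final
        "no_fix_majors": {3},            # per the thread: no fix exists for the 3.10 line
        "note": "only the HTTP codec is affected per the netty commit cited in the thread; "
                "check whether the HTTP codec is actually on the code path before accepting the risk",
    }
}

# Two input shapes a practitioner meets: a bare jar file name and a `mvn dependency:list` line.
JAR_RE = re.compile(r"^(?P<artifact>[A-Za-z][A-Za-z0-9_-]*?)-(?P<version>\d[\w.]*)\.jar$")
GAV_RE = re.compile(r"(?P<group>[\w.]+):(?P<artifact>[\w-]+):jar:(?P<version>\d[\w.]*)(?::\w+)?")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.1.29.Final' into (4, 1, 29); the trailing qualifier is dropped."""
    parts: List[int] = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def identify(entry: str) -> Optional[Tuple[str, str]]:
    """Return (artifact, version) for a jar name or a Maven coordinate line, else None."""
    m = JAR_RE.match(entry) or GAV_RE.search(entry)
    if not m:
        return None
    return m.group("artifact"), m.group("version")


def assess(artifact: str, version: str, advisories=ADVISORIES) -> List[Tuple[str, str]]:
    """Return (cve, status) pairs for every advisory that covers this artifact/version."""
    ver = parse_version(version)
    results: List[Tuple[str, str]] = []
    for cve, adv in advisories.items():
        if not artifact.startswith(adv["artifact_prefix"]) or not ver:
            continue
        major = ver[0]
        if major in adv["no_fix_majors"]:
            results.append((cve, "affected (no fixed release in this major line)"))
        elif major in adv["fixed_in"]:
            fixed = adv["fixed_in"][major]
            if ver < fixed:  # tuple comparison: (4, 1, 29) < (4, 1, 42)
                results.append((cve, "affected (upgrade to %s or later)" % ".".join(map(str, fixed))))
            else:
                results.append((cve, "fixed"))
    return results


def scan_classpath(entries, advisories=ADVISORIES) -> List[Tuple[str, str, str]]:
    """Return (entry, cve, status) for each classpath entry that an advisory covers."""
    findings: List[Tuple[str, str, str]] = []
    for entry in entries:
        ident = identify(entry)
        if ident is None:
            continue
        for cve, status in assess(*ident, advisories=advisories):
            findings.append((entry, cve, status))
    return findings


# Constructed sample input: the jar flagged in the thread, the 3.4 branch's netty
# version under an assumed file name, and made-up neighbours.
SAMPLE_CLASSPATH = [
    "netty-transport-4.1.29.Final.jar",  # flagged by dependency check in the thread
    "netty-handler-4.1.42.Final.jar",    # constructed: at the assumed fix boundary
    "netty-3.10.6.Final.jar",            # version per the thread; file name assumed
    "[INFO]    io.netty:netty-codec-http:jar:4.1.29.Final:compile",  # constructed mvn line
    "slf4j-api-1.7.25.jar",              # constructed, not covered by any advisory
]

if __name__ == "__main__":
    for entry, cve, status in scan_classpath(SAMPLE_CLASSPATH):
        print(f"{entry}: {cve} -> {status}")
        print("  note:", ADVISORIES[cve]["note"])
```

The status string answers only "is a version in the affected range present"; the advisory note carries the second question the thread raises, whether the vulnerable component (here the HTTP codec) is reachable in the deployment, which version matching alone cannot decide and which a reviewer must record alongside the finding rather than use to silently dismiss it.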