>> How about officially dropping netty support from 3.4 and asking people to move to the new version

+1. This sounds like a good opportunity to deprecate the 3.4 branch.
On Tue, Oct 1, 2019 at 8:00 AM Enrico Olivelli <[email protected]> wrote:

> On Tue 1 Oct 2019 at 16:15 Patrick Hunt <[email protected]> wrote:
>
> > Another option/solution: How about officially dropping netty support from
> > 3.4 and asking people to move to the new version (3.5 stable or later)?
>
> Sounds good
>
> Enrico
>
> > Patrick
> >
> > On Tue, Oct 1, 2019 at 4:22 AM Andor Molnar <[email protected]> wrote:
> >
> > > I agree that 3.4 should not be refactored in any way, even for a security
> > > fix.
> > >
> > > What's wrong with the "alpha story"?
> > >
> > > I think releasing in an early stage with "-alpha", "-beta" modifiers is
> > > not a bad thing alone, as long as it doesn't take years to get to the
> > > stable release.
> > >
> > > Andor
> > >
> > > On Tue, 1 Oct 2019, Enrico Olivelli wrote:
> > >
> > > > Date: Tue, 1 Oct 2019 10:54:24 +0200
> > > > From: Enrico Olivelli <[email protected]>
> > > > Reply-To: [email protected]
> > > > To: [email protected]
> > > > Subject: Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
> > > >
> > > > On Tue 1 Oct 2019, 10:38 Andor Molnar <[email protected]> wrote:
> > > >
> > > >> Backporting Netty 4 would be a huge, cumbersome task, I hope we don't have
> > > >> to do it.
> > > >
> > > > Yes, 3.4 is mature and stable and closed for refactors.
> > > >
> > > >> However I had a quick look at the details of this CVE and it seems to me
> > > >> that it only affects the HTTP codec:
> > > >>
> > > >> https://github.com/netty/netty/commit/39cafcb05c99f2aa9fce7e6597664c9ed6a63a95
> > > >>
> > > >> Can't we just say 3.4.14 is not affected?
> > > >> We're not running HTTP server inside ZooKeeper.
> > > >>
> > > >> Otherwise we might be able to release 3.6.0-alpha1 now, put a date for 3.4
> > > >> EOL and highlight on the webpage that this
> > > >
> > > > Please do not start an 'alpha' story like for 3.5....
> > > >
> > > >> CVE probably won't be resolved on that branch, please upgrade to 3.5.
> > > >
> > > > +1
> > > >
> > > > Enrico
> > > >
> > > >> As a third option we could ask Norman to kindly fix 3.10.6.Final as well...
> > > >> or submit a PR ourselves, it doesn't seem to me a big deal.
> > > >
> > > > Not so useful
> > > >
> > > >> What do you think?
> > > >>
> > > >> Andor
> > > >>
> > > >>> On 2019. Oct 1., at 2:00, Patrick Hunt <[email protected]> wrote:
> > > >>>
> > > >>> I pushed patches for 3.5 and trunk and the tests passed on my mac. However
> > > >>> 3.4 is using netty 3.10.6.Final and as such it's not a simple upgrade.
> > > >>> (there are no fixes against 3.10 for this CVE, at least not so far) Not
> > > >>> sure what we want to do about this... someone would need to backport the
> > > >>> netty 4.1 changes into 3.4 afaict.
> > > >>>
> > > >>> Patrick
> > > >>>
> > > >>> On Mon, Sep 30, 2019 at 1:08 PM Patrick Hunt <[email protected]> wrote:
> > > >>>
> > > >>>> I'll work on it today.
> > > >>>>
> > > >>>> Patrick
> > > >>>>
> > > >>>> On Mon, Sep 30, 2019 at 11:59 AM Enrico Olivelli <[email protected]> wrote:
> > > >>>>
> > > >>>>> Okay
> > > >>>>>
> > > >>>>> I am cancelling the release.
> > > >>>>>
> > > >>>>> I have a problem with my box, I can't work on netty upgrade.
> > > >>>>>
> > > >>>>> Any volunteer?
> > > >>>>>
> > > >>>>> Enrico
> > > >>>>>
> > > >>>>> On Mon 30 Sep 2019, 20:32 Andor Molnar <[email protected]> wrote:
> > > >>>>>
> > > >>>>>> The good news is: we need to release 3.4.15 too. :)
> > > >>>>>>
> > > >>>>>> Andor
> > > >>>>>>
> > > >>>>>>> On 2019. Sep 30., at 20:26, Patrick Hunt <[email protected]> wrote:
> > > >>>>>>>
> > > >>>>>>> created: https://issues.apache.org/jira/browse/ZOOKEEPER-3563
> > > >>>>>>>
> > > >>>>>>> On Mon, Sep 30, 2019 at 11:20 AM Patrick Hunt <[email protected]> wrote:
> > > >>>>>>>
> > > >>>>>>>> -1 - when I run dependency check on the release candidate artifact it's
> > > >>>>>>>> failing with:
> > > >>>>>>>>
> > > >>>>>>>> [ERROR] netty-transport-4.1.29.Final.jar: CVE-2019-16869
> > > >>>>>>>>
> > > >>>>>>>> I ran this on trunk and it's passing, as such it must be an issue with
> > > >>>>>>>> the 3.5.6 netty version specifically. It's listed as a high, we should
> > > >>>>>>>> patch this as well before releasing.
> > > >>>>>>>>
> > > >>>>>>>> Patrick
> > > >>>>>>>>
> > > >>>>>>>> On Sun, Sep 29, 2019 at 7:29 AM Enrico Olivelli <[email protected]> wrote:
> > > >>>>>>>>
> > > >>>>>>>>> This is a bugfix release candidate for 3.5.6.
> > > >>>>>>>>>
> > > >>>>>>>>> It fixes 28 issues, including upgrade of third party libraries,
> > > >>>>>>>>> TTL Node APIs for C API, support for PKCS12 Keystores, and better
> > > >>>>>>>>> procedure for the upgrade of servers from 3.4 to 3.5.
> > > >>>>>>>>>
> > > >>>>>>>>> The full release notes are available at:
> > > >>>>>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12345243
> > > >>>>>>>>>
> > > >>>>>>>>> *** Please download, test and vote by October 2nd 2019, 23:59 UTC+0. ***
> > > >>>>>>>>>
> > > >>>>>>>>> Source files:
> > > >>>>>>>>> https://people.apache.org/~eolivelli/zookeeper-3.5.6-candidate-2
> > > >>>>>>>>>
> > > >>>>>>>>> Maven staging repo:
> > > >>>>>>>>> https://repository.apache.org/content/repositories/orgapachezookeeper-1042/
> > > >>>>>>>>>
> > > >>>>>>>>> The release candidate tag in git to be voted upon: release-3.5.6-rc2
> > > >>>>>>>>> https://github.com/apache/zookeeper/tree/release-3.5.6-rc2
> > > >>>>>>>>>
> > > >>>>>>>>> ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> > > >>>>>>>>> https://www.apache.org/dist/zookeeper/KEYS
> > > >>>>>>>>>
> > > >>>>>>>>> Should we release this candidate?
> > > >>>>>>>>> Enrico Olivelli
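The thread turns on two questions a reviewer would want to settle before voting: is the netty version in the candidate older than the release that carries the fix, and does the flagged jar even contain the HTTP codec the fix touches? A dependency-check hit is a version match on the artifact, and netty-transport-4.1.29.Final.jar does not ship the HTTP codec itself; that code lives in netty-codec-http, so the hit says "vulnerable version" rather than "vulnerable code present in this jar". The script below is an added example (not ZooKeeper or netty project code) that triages a set of jars on both counts. It assumes that 4.1.42.Final is the first netty release fixing CVE-2019-16869, that the class touched by the fix is io.netty.handler.codec.http.HttpObjectDecoder (and org.jboss.netty.handler.codec.http.HttpMessageDecoder for the netty 3.x package layout); the sample jars are constructed in memory with the versions named in the thread. Whether a present decoder is actually wired into a channel pipeline is a separate code-level check this script does not make.

```python
"""Triage a dependency-check CVE hit against the jars actually on the classpath.

Added example for this thread, not ZooKeeper or netty code. For each jar it
reports (1) whether the version predates the fixed release and (2) whether the
jar ships the HTTP decoder class the fix touches.
"""
import io
import re
import zipfile
from dataclasses import dataclass

CVE = "CVE-2019-16869"
# Assumption: the first netty release that carries the fix for this CVE.
FIXED_VERSION = "4.1.42.Final"
# Assumption: decoder classes whose header parsing the fix touches, for the
# netty 4.x (io.netty) and netty 3.x (org.jboss.netty) package layouts.
AFFECTED_CLASSES = (
    "io/netty/handler/codec/http/HttpObjectDecoder.class",
    "org/jboss/netty/handler/codec/http/HttpMessageDecoder.class",
)

# Maven jar naming: <artifactId>-<version>.jar, where the version starts with a digit.
JAR_NAME = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.-]*)\.jar$")


def version_key(version: str) -> tuple:
    """Numeric prefix of a netty version: '4.1.29.Final' -> (4, 1, 29).
    Qualifiers are ignored; netty 4.1.x ships only '.Final' releases."""
    nums = []
    for part in version.split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)


@dataclass(frozen=True)
class Finding:
    jar: str
    artifact: str
    version: str
    version_predates_fix: bool
    ships_affected_class: bool

    @property
    def verdict(self) -> str:
        if not self.version_predates_fix:
            return "not affected: version at or above the fixed release"
        if self.ships_affected_class:
            return "affected: HTTP decoder present, upgrade required"
        return ("version match only: this jar does not contain the HTTP codec; "
                "check sibling jars on the classpath")


def triage_jar(name: str, data: bytes) -> Finding:
    """Parse the Maven file name and look inside the zip for the affected class."""
    m = JAR_NAME.match(name)
    if not m:
        raise ValueError(f"not a Maven-style jar name: {name}")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = set(zf.namelist())
    return Finding(
        jar=name,
        artifact=m["artifact"],
        version=m["version"],
        version_predates_fix=version_key(m["version"]) < version_key(FIXED_VERSION),
        ships_affected_class=any(c in entries for c in AFFECTED_CLASSES),
    )


def scan_classpath(jars: dict) -> dict:
    """Map jar name -> verdict for a set of jars given as name -> bytes."""
    return {name: triage_jar(name, data).verdict for name, data in jars.items()}


def make_jar(*entries: str) -> bytes:
    """Constructed stand-in jar: a zip holding empty class entries at the given paths."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry in entries:
            zf.writestr(entry, b"")
    return buf.getvalue()


# Constructed sample classpath using the versions named in the thread.
SAMPLE_CLASSPATH = {
    "netty-transport-4.1.29.Final.jar": make_jar("io/netty/channel/Channel.class"),
    "netty-codec-http-4.1.29.Final.jar": make_jar(AFFECTED_CLASSES[0]),
    "netty-codec-http-4.1.42.Final.jar": make_jar(AFFECTED_CLASSES[0]),
    "netty-3.10.6.Final.jar": make_jar(AFFECTED_CLASSES[1]),
}

if __name__ == "__main__":
    for jar, verdict in scan_classpath(SAMPLE_CLASSPATH).items():
        print(f"{CVE} {jar}: {verdict}")
```

Run against a real build, replace SAMPLE_CLASSPATH with the contents of the lib directory of the release artifact; the "version match only" verdict for netty-transport is the same picture dependency-check gives, only with the reason spelled out, and the verdict for netty-codec-http (if present) is the one that decides whether the candidate needs the upgrade Patrick pushed.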
