On Mon, Feb 3, 2020, 21:22 Patrick Hunt <ph...@apache.org> wrote:

> Enrico, while what you are saying is true, and sounds reasonable wrt this
> release, keep in mind that often for our users ZK is not an end in and of
> itself - it's combined with other capabilities/components. As such those
> components may use related functionality which is impacted - providing
> support for third parties with clear bill of health can be important.
> Another aspect is that many companies have broad rules about not using code
> with known problems. I see this quite a bit where libraries with known
> issues are not allowed into production regardless of statements such as "we are
> not affected" as a matter of policy.
>

Can you please send a patch for the upgrade? Please remember to update the
license stuff. If you don't have time I will take care of it by the end
of this week.

I am cancelling this vote now.

We can include Jordan's patch and Mate's fix for tests as well.

The next RC will include those patches and the Netty upgrade; I don't expect
regressions that can be shown by unit tests.

Enrico


> Regards,
>
> Patrick
>
> On Mon, Feb 3, 2020 at 12:10 PM Enrico Olivelli <eolive...@gmail.com>
> wrote:
>
> > Patrick
> > We are not affected by that issue
> > https://nvd.nist.gov/vuln/detail/CVE-2019-20445
> > It is about HTTP.
> >
> > As Netty is a core dependency and in my experience sometimes it introduces
> > regressions I feel it is safer to not upgrade for 3.6.0.
> > We can upgrade it on master branch.
> >
> > Enrico
> >
> > On Mon, Feb 3, 2020, 20:06 Patrick Hunt <ph...@apache.org> wrote:
> >
> > > FYI owasp jenkins job is failing due to netty CVE:
> > > https://issues.apache.org/jira/browse/ZOOKEEPER-3716
> > >
> > > Patrick
> > >
> > > On Mon, Feb 3, 2020 at 8:12 AM Enrico Olivelli <eolive...@gmail.com>
> > > wrote:
> > >
> > > > On Mon, Feb 3, 2020, 16:23 Norbert Kalmar <nkal...@cloudera.com.invalid>
> > > > wrote:
> > > >
> > > > > Máté's patch fixed it for me. I don't know if this is a blocker for 3.6.0
> > > > > rc1
> > > >
> > > >
> > > > I don't think it is a blocker.
> > > > It is not a regression
> > > >
> > > > Enrico
> > > >
> > > > > , but since 3.5.7 is not even branched yet, I'll wait for this patch to
> > > > > make it there.
> > > > >
> > > > > Thanks Máté, good catch!
> > > > >
> > > > > Regards,
> > > > > Norbert
> > > > >
> > > > > On Mon, Feb 3, 2020 at 2:02 PM Szalay-Bekő Máté <
> > > > > szalay.beko.m...@gmail.com>
> > > > > wrote:
> > > > >
> > > > > > > I created https://issues.apache.org/jira/browse/ZOOKEEPER-3715 and started
> > > > > > > to work on it
> > > > > >
> > > > > > On Mon, Feb 3, 2020 at 1:12 PM Szalay-Bekő Máté <
> > > > > > szalay.beko.m...@gmail.com>
> > > > > > wrote:
> > > > > >
> > > > > > > > (FYI: I tried a few more versions, the problem seems to appear between
> > > > > > > > OpenJDK 8.232 and 8.242. And there are a lot of kerberos related changes
> > > > > > > > after 8.232: see https://hg.openjdk.java.net/jdk8u/jdk8u/jdk )
> > > > > > >
> > > > > > > On Mon, Feb 3, 2020 at 12:54 PM Norbert Kalmar
> > > > > > > <nkal...@cloudera.com.invalid> wrote:
> > > > > > >
> > > > > > > >> I tested with zulu 1.8.212 on the linux machine, and with zulu 1.8.0_163 on
> > > > > > > >> MacOS (whoops). I use sdkman on both machines. I upgraded to the newest 1.8
> > > > > > > >> which is _242, at least with sdkman.
> > > > > > > >> And sadly, the mentioned tests also fail for me after the upgrade.
> > > > > > > >>
> > > > > > > >> So, something in the tests that the new versions of java doesn't like :(
> > > > > > > >>
> > > > > > > >> I'm not sure either if it's a showstopper or not. But possibly this could
> > > > > > > >> come out when using kerberized ZK? Unfortunately kind of hard to test
> > > > > > > >> "live".
> > > > > > >>
> > > > > > >> Regards,
> > > > > > >> Norbert
> > > > > > >>
> > > > > > >> On Mon, Feb 3, 2020 at 12:38 PM Szalay-Bekő Máté <
> > > > > > >> szalay.beko.m...@gmail.com>
> > > > > > >> wrote:
> > > > > > >>
> > > > > > > >> > - I compiled and ran all the unit tests using Ubuntu 18.04 (incl. the C
> > > > > > > >> > client), using OpenJDK 1.8.212
> > > > > > > >> > - I also built and unit tested the python client
> > > > > > > >> > - I did some manual tests for the multi-address feature with multiple
> > > > > > > >> > virtual networks (using https://github.com/symat/zookeeper-docker-test)
> > > > > > >> >
> > > > > > >> > everything seemed to be OK, however...
> > > > > > >> >
> > > > > > > >> > using OpenJDK 1.8.242 or OpenJDK 11.0.6, I got some kerberos related
> > > > > > > >> > exceptions when running the following tests:
> > > > > > >> > - QuorumKerberosAuthTest
> > > > > > >> > - QuorumKerberosHostBasedAuthTest
> > > > > > >> > - SaslKerberosAuthOverSSLTest
> > > > > > >> >
> > > > > > >> > the error:
> > > > > > >> > 2020-02-03 12:11:07,197 [myid:localhost:11223] - ERROR
> > > > > > >> > [main-SendThread(localhost:11223):ZooKeeperSaslClient@336]
> -
> > An
> > > > > > error:
> > > > > > >> > (java.security.PrivilegedActionException:
> > > > > > >> > javax.security.sasl.SaslException: GSS initiate failed
> [Caused
> > > by
> > > > > > >> > GSSException: No valid credentials provided (Mechanism
> level:
> > > null
> > > > > > >> > (5001))]) occurred when evaluating Zookeeper Quorum Member's
> > > > > received
> > > > > > >> SASL
> > > > > > >> > token. Zookeeper Client will go to AUTH_FAILED state.
> > > > > > >> >
> > > > > > > >> > I tried it with Zulu 11.0.3 version and OpenJDK 11.0.2 version and both
> > > > > > > >> > were working fine. So it looks like there might be some incompatibility with
> > > > > > > >> > the more recent JDK releases. (between 1.8.212 - 1.8.242, and also between
> > > > > > > >> > 11.0.3 and 11.0.6)
> > > > > > >> >
> > > > > > >> > I also tested on OpenJDK 13.ea.30 and that worked.
> > > > > > >> >
> > > > > > > >> > I am not sure if it is a -1 or not... clearly these are some test and JDK
> > > > > > > >> > related issues. Also it can be only some strange thing with my environment.
> > > > > > > >> > Can someone try to reproduce my problem?
> > > > > > >> >
> > > > > > >> >
> > > > > > >> > Cheers,
> > > > > > >> > Mate
> > > > > > >> >
> > > > > > >> > On Mon, Feb 3, 2020 at 4:31 AM Jordan Zimmerman <
> > > > > > >> > jor...@jordanzimmerman.com>
> > > > > > >> > wrote:
> > > > > > >> >
> > > > > > >> > > No big issues with Curator that I could find
> > > > > > >> > >
> > > > > > >> > > +1 (non binding)
> > > > > > >> > >
> > > > > > >> > > -Jordan
> > > > > > >> > >
> > > > > > > >> > > > On Feb 1, 2020, at 10:02 AM, Enrico Olivelli <eolive...@gmail.com> wrote:
> > > > > > >> > > >
> > > > > > > >> > > > This is the second release candidate for Apache ZooKeeper 3.6.0.
> > > > > > > >> > > >
> > > > > > > >> > > > It is a major release and it introduces a lot of new features, most notably:
> > > > > > > >> > > > - Built-in data consistency check inside ZooKeeper
> > > > > > > >> > > > - Allow Followers to host Observers
> > > > > > > >> > > > - Authentication enforcement
> > > > > > > >> > > > - Pluggable metrics system for ZooKeeper (and Prometheus.io integration)
> > > > > > > >> > > > - TLS Port unification
> > > > > > > >> > > > - Audit logging in ZooKeeper servers
> > > > > > > >> > > > - Improve resilience to network (advertise multiple addresses for
> > > > > > > >> > > > members of a Zookeeper cluster)
> > > > > > > >> > > > - Persistent Recursive Watches
> > > > > > > >> > > > - add an API and the corresponding CLI to get total count of recursive
> > > > > > > >> > > > sub nodes under a specific path
> > > > > > >> > > >
> > > > > > > >> > > > The full release notes are available at:
> > > > > > > >> > > >
> > > > > > > >> > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12326518
> > > > > > > >> > > >
> > > > > > > >> > > > *** Please download, test and vote by February 4th 2020, 23:59 UTC+0. ***
> > > > > > > >> > > >
> > > > > > > >> > > > Source files:
> > > > > > > >> > > > https://people.apache.org/~eolivelli/zookeeper-3.6.0-candidate-1/
> > > > > > > >> > > >
> > > > > > > >> > > > Maven staging repo:
> > > > > > > >> > > > https://repository.apache.org/content/repositories/orgapachezookeeper-1047/
> > > > > > > >> > > >
> > > > > > > >> > > > The staging version of the website is:
> > > > > > > >> > > > https://people.apache.org/~eolivelli/zookeeper-3.6.0-candidate-1/website/
> > > > > > > >> > > >
> > > > > > > >> > > > The release candidate tag in git to be voted upon: release-3.6.0-1
> > > > > > > >> > > > https://github.com/apache/zookeeper/tree/release-3.6.0-1
> > > > > > > >> > > >
> > > > > > > >> > > > ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> > > > > > > >> > > > https://www.apache.org/dist/zookeeper/KEYS
> > > > > > > >> > > >
> > > > > > > >> > > > Please note that we are adding a new jar to the dependency set for
> > > > > > > >> > > > clients: zookeeper-metrics-providers.
> > > > > > >> > > >
> > > > > > >> > > > Should we release this candidate?
> > > > > > >> > > >
> > > > > > >> > > > Enrico Olivelli
> > > > > > >> > >
> > > > > > >> > >
> > > > > > >> >
> > > > > > >>
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>
