> We can include Jordan's patch and Mate's fix for tests as well.

Woot!

> On Feb 3, 2020, at 5:26 PM, Enrico Olivelli <eolive...@gmail.com> wrote:
>
> > On Mon, Feb 3, 2020, 21:22 Patrick Hunt <ph...@apache.org> wrote:
> >
> >> Enrico, while what you are saying is true, and sounds reasonable wrt this
> >> release, keep in mind that often for our users ZK is not an end in and of
> >> itself - it's combined with other capabilities/components. As such those
> >> components may use related functionality which is impacted - providing
> >> support for third parties with clear bill of health can be important.
> >> Another aspect is that many companies have broad rules about not using code
> >> with known problems. I see this quite a bit where libraries with known
> >> issues are not allowed to production regardless statements such as "we are
> >> not affected" as a matter of policy.
> >>
> >
> > Can you please send a patch for the upgrade? Please remember to update the
> > license stuff. If you don't have time I will take care of it within the end
> > of this week.
> >
> > I am cancelling this vote now.
> >
> > We can include Jordan's patch and Mate's fix for tests as well.
> >
> > The next RC will include those patches and Netty upgrade, I don't expect
> > regressions that can be shown by unit tests.
> >
> > Enrico
> >
> >> Regards,
> >>
> >> Patrick
> >>
> >> On Mon, Feb 3, 2020 at 12:10 PM Enrico Olivelli <eolive...@gmail.com>
> >> wrote:
> >>
> >>> Patrick
> >>> We are not affected by that issue
> >>> https://nvd.nist.gov/vuln/detail/CVE-2019-20445
> >>> It is about HTTP.
> >>>
> >>> As Netty is a core dependency and in my experience sometimes it introduces
> >>> regressions I feel it is safer to not upgrade for 3.6.0.
> >>> We can upgrade it on master branch.
> >>>
> >>> Enrico
> >>>
> >>> On Mon, Feb 3, 2020, 20:06 Patrick Hunt <ph...@apache.org> wrote:
> >>>
> >>>> FYI owasp jenkins job is failing due to netty CVE:
> >>>> https://issues.apache.org/jira/browse/ZOOKEEPER-3716
> >>>>
> >>>> Patrick
> >>>>
> >>>> On Mon, Feb 3, 2020 at 8:12 AM Enrico Olivelli <eolive...@gmail.com>
> >>>> wrote:
> >>>>
> >>>>> On Mon, Feb 3, 2020, 16:23 Norbert Kalmar <nkal...@cloudera.com.invalid>
> >>>>> wrote:
> >>>>>
> >>>>>> Máté's patch fixed it for me. I don't know if this is a blocker for 3.6.0
> >>>>>> rc1
> >>>>>
> >>>>>
> >>>>> I don't think it is a blocker.
> >>>>> It is not a regression
> >>>>>
> >>>>> Enrico
> >>>>>
> >>>>> , but since 3.5.7 is not even branched yet, I'll wait for this patch to
> >>>>>> make it there.
> >>>>>>
> >>>>>> Thanks Máté, good catch!
> >>>>>>
> >>>>>> Regards,
> >>>>>> Norbert
> >>>>>>
> >>>>>> On Mon, Feb 3, 2020 at 2:02 PM Szalay-Bekő Máté <szalay.beko.m...@gmail.com>
> >>>>>> wrote:
> >>>>>>
> >>>>>>> I created https://issues.apache.org/jira/browse/ZOOKEEPER-3715 and started
> >>>>>>> to work on it
> >>>>>>>
> >>>>>>> On Mon, Feb 3, 2020 at 1:12 PM Szalay-Bekő Máté <szalay.beko.m...@gmail.com>
> >>>>>>> wrote:
> >>>>>>>
> >>>>>>>> (FYI: I tried a few more versions, the problem seems to appear between
> >>>>>>>> OpenJDK 8.232 and 8.242. And there are a lot of kerberos related changes
> >>>>>>>> after 8.232: see https://hg.openjdk.java.net/jdk8u/jdk8u/jdk )
> >>>>>>>>
> >>>>>>>> On Mon, Feb 3, 2020 at 12:54 PM Norbert Kalmar
> >>>>>>>> <nkal...@cloudera.com.invalid> wrote:
> >>>>>>>>
> >>>>>>>>> I tested with zulu 1.8.212 on the linux machine, and with zulu 1.8.0_163
> >>>>>>>>> on
> >>>>>>>>> MacOS (whoops). I use sdkman on both machines. I upgraded to the newest 1.8
> >>>>>>>>> which is _242, at least with sdkman.
> >>>>>>>>> And sadly, the mentioned tests also fail for me after the upgrade.
> >>>>>>>>>
> >>>>>>>>> So, something in the tests that the new versions of java don't like :(
> >>>>>>>>>
> >>>>>>>>> I'm not sure either if it's a showstopper or not. But possibly this could
> >>>>>>>>> come out when using kerberized ZK? Unfortunately kind of hard to test
> >>>>>>>>> "live".
> >>>>>>>>>
> >>>>>>>>> Regards,
> >>>>>>>>> Norbert
> >>>>>>>>>
> >>>>>>>>> On Mon, Feb 3, 2020 at 12:38 PM Szalay-Bekő Máté <szalay.beko.m...@gmail.com>
> >>>>>>>>> wrote:
> >>>>>>>>>
> >>>>>>>>>> - I compiled and ran all the unit tests using Ubuntu 18.04 (incl. the C
> >>>>>>>>>> client), using OpenJDK 1.8.212
> >>>>>>>>>> - I also built and unit tested the python client
> >>>>>>>>>> - I did some manual tests for the multi-address feature with multiple
> >>>>>>>>>> virtual networks (using https://github.com/symat/zookeeper-docker-test)
> >>>>>>>>>>
> >>>>>>>>>> everything seemed to be OK, however...
> >>>>>>>>>>
> >>>>>>>>>> using OpenJDK 1.8.242 or OpenJDK 11.0.6, I got some kerberos related
> >>>>>>>>>> exceptions when running the following tests:
> >>>>>>>>>> - QuorumKerberosAuthTest
> >>>>>>>>>> - QuorumKerberosHostBasedAuthTest
> >>>>>>>>>> - SaslKerberosAuthOverSSLTest
> >>>>>>>>>>
> >>>>>>>>>> the error:
> >>>>>>>>>> 2020-02-03 12:11:07,197 [myid:localhost:11223] - ERROR
> >>>>>>>>>> [main-SendThread(localhost:11223):ZooKeeperSaslClient@336] - An error:
> >>>>>>>>>> (java.security.PrivilegedActionException:
> >>>>>>>>>> javax.security.sasl.SaslException: GSS initiate failed [Caused by
> >>>>>>>>>> GSSException: No valid credentials provided (Mechanism level: null
> >>>>>>>>>> (5001))]) occurred when evaluating Zookeeper Quorum Member's received SASL
> >>>>>>>>>> token. Zookeeper Client will go to AUTH_FAILED state.
> >>>>>>>>>>
> >>>>>>>>>> I tried it with Zulu 11.0.3 version and OpenJDK 11.0.2 version and both
> >>>>>>>>>> were working fine. So it looks like there might be some incompatibility with the
> >>>>>>>>>> more recent JDK releases. (between 1.8.212 - 1.8.242, and also between
> >>>>>>>>>> 11.0.3 and 11.0.6)
> >>>>>>>>>>
> >>>>>>>>>> I also tested on OpenJDK 13.ea.30 and that worked.
> >>>>>>>>>>
> >>>>>>>>>> I am not sure if it is a -1 or not... clearly these are some test and JDK
> >>>>>>>>>> related issues. Also it can be only some strange thing with my environment.
> >>>>>>>>>> Can someone try to reproduce my problem?
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> Cheers,
> >>>>>>>>>> Mate
> >>>>>>>>>>
> >>>>>>>>>> On Mon, Feb 3, 2020 at 4:31 AM Jordan Zimmerman <jor...@jordanzimmerman.com>
> >>>>>>>>>> wrote:
> >>>>>>>>>>
> >>>>>>>>>>> No big issues with Curator that I could find
> >>>>>>>>>>>
> >>>>>>>>>>> +1 (non binding)
> >>>>>>>>>>>
> >>>>>>>>>>> -Jordan
> >>>>>>>>>>>
> >>>>>>>>>>>> On Feb 1, 2020, at 10:02 AM, Enrico Olivelli <eolive...@gmail.com>
> >>>>>>>>>>> wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>> This is the second release candidate for Apache ZooKeeper 3.6.0.
> >>>>>>>>>>>>
> >>>>>>>>>>>> It is a major release and it introduces a lot of new features, most
> >>>>>>>>>>>> notably:
> >>>>>>>>>>>> - Built-in data consistency check inside ZooKeeper
> >>>>>>>>>>>> - Allow Followers to host Observers
> >>>>>>>>>>>> - Authentication enforcement
> >>>>>>>>>>>> - Pluggable metrics system for ZooKeeper (and Prometheus.io integration)
> >>>>>>>>>>>> - TLS Port unification
> >>>>>>>>>>>> - Audit logging in ZooKeeper servers
> >>>>>>>>>>>> - Improve resilience to network (advertise multiple addresses for
> >>>>>>>>>>>> members of a Zookeeper cluster)
> >>>>>>>>>>>> - Persistent Recursive Watches
> >>>>>>>>>>>> - add an API and the corresponding CLI to get total count of recursive
> >>>>>>>>>>>> sub nodes under a specific path
> >>>>>>>>>>>>
> >>>>>>>>>>>> The full release notes are available at:
> >>>>>>>>>>>>
> >>>>>>>>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12326518
> >>>>>>>>>>>>
> >>>>>>>>>>>> *** Please download, test and vote by February 4th 2020, 23:59 UTC+0. ***
> >>>>>>>>>>>>
> >>>>>>>>>>>> Source files:
> >>>>>>>>>>>> https://people.apache.org/~eolivelli/zookeeper-3.6.0-candidate-1/
> >>>>>>>>>>>>
> >>>>>>>>>>>> Maven staging repo:
> >>>>>>>>>>>> https://repository.apache.org/content/repositories/orgapachezookeeper-1047/
> >>>>>>>>>>>>
> >>>>>>>>>>>> The staging version of the website is:
> >>>>>>>>>>>> https://people.apache.org/~eolivelli/zookeeper-3.6.0-candidate-1/website/
> >>>>>>>>>>>>
> >>>>>>>>>>>> The release candidate tag in git to be voted upon: release-3.6.0-1
> >>>>>>>>>>>> https://github.com/apache/zookeeper/tree/release-3.6.0-1
> >>>>>>>>>>>>
> >>>>>>>>>>>> ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> >>>>>>>>>>>> https://www.apache.org/dist/zookeeper/KEYS
> >>>>>>>>>>>>
> >>>>>>>>>>>> Please note that we are adding a new jar to the dependency set for
> >>>>>>>>>>>> clients: zookeeper-metrics-providers.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Should we release this candidate?
> >>>>>>>>>>>>
> >>>>>>>>>>>> Enrico Olivelli