-1 (binding)

Let me add the exclusion and prepare a new RC.

I am cancelling this VOTE

Thanks to everyone
Enrico

On Thu, 10 Feb 2022, 17:47 Andor Molnar <an...@apache.org> wrote:

> I agree with Pat. Though adding exclusions doesn't make any difference in
> the quality of our code, a build is a build. It's either green or red
> (not green). No excuse.
>
> Andor
>
>
>
> > On 2022. Feb 10., at 16:51, Patrick Hunt <ph...@apache.org> wrote:
> >
> > On Thu, Feb 10, 2022 at 12:22 AM Enrico Olivelli <eolive...@gmail.com>
> > wrote:
> >
> >> Patrick,
> >> If you prefer I can send a patch for the exclusion of
> >> [ERROR] netty-tcnative-2.0.48.Final.jar: CVE-2021-43797, CVE-2019-16869,
> >> CVE-2015-2156, CVE-2021-37136, CVE-2014-3488, CVE-2021-37137,
> >> CVE-2019-20445, CVE-2019-20444, CVE-2021-21295, CVE-2021-21409,
> >> CVE-2021-21290
> >>
> >> That said, this won't affect the goodness of the RC.
> >>
> >> Our code is safe and the dependencies we use are safe:
> >> - to me it looks like those are false positive or at least not related
> >> to ZooKeeper
> >> - we are not using Netty TC Native features, it is a dependency we
> >> inherit, and probably ZooKeeper works well without it
> >>
> >> Thank you all for taking the time to test the release
> >>
> >>
> > NP. My concern is highlighted by this (your) response. You had to say all
> > this to explain why the build is failing on a simple security check.
> > Post-log4shell folks are really sensitive to security issues, as they
> > should be, as we all should be. It's very important that we take security
> > seriously. If I download the release, and run the owasp check it fails. I
> > then have questions in my mind why. All that you explained here, while
> > perfectly reasonable, won't be available to me at that point. I think
> > rather we should ensure that releases are solid/clean before we push them.
> > This is a simple thing to fix before we go through the entire process of
> > verifying/releasing a new version.
> >
> > Hopefully this explains my concerns.
> >
> > Regards,
> >
> > Patrick
> >
> >
> >> Enrico
> >>
> >> On Thu, 10 Feb 2022 at 09:13 Szalay-Bekő Máté
> >> <szalay.beko.m...@gmail.com> wrote:
> >>>
> >>> Thanks Enrico for working on the release candidate!
> >>>
> >>> The RC looks good to me if we are sure that the OWASP problem is a false
> >>> positive and we can skip this netty-tcnative jar check. However, these CVEs
> >>> are old... Is it possible that we just added this jar by accident with the
> >>> recent netty upgrade? If we don't need it, should we exclude it?
> >>>
> >>> I wouldn't vote with +1 until we clarify the state of these CVEs.
> >>>
> >>> My RC check:
> >>>
> >>> - apache-rat passed
> >>> - I built the source code (-Pfull-build) on dockerized Ubuntu 18.04.6 using
> >>> OpenJDK 11.0.13 and maven 3.6.0.
> >>> - all the java unit tests passed eventually. I had 4-8 tests failing in
> >>> each run, but after 4 runs all tests passed at least once. (I used
> >>> -Dsurefire-forkcount=1) We should somehow fix these flakies. There are
> >>> flakies on the CI, but not this many. I executed in docker, maybe this is
> >>> the reason or the CI is using a different java version?
> >>> - checkstyle and spotbugs passed
> >>> - OWASP (CVE check) failed with the mentioned
> >>> netty-tcnative-2.0.48.Final.jar failures.
> >>> - I built the fatjar
> >>> - I executed C client tests. Two of these failed constantly for me:
> >>> Zookeeper_simpleSystem::testIPV6 and
> >>> Zookeeper_SASLAuth::testClientSASLOverIPv6. (I think these fail for me
> >>> because I execute C unit tests on docker, there might be some issues with
> >>> the IPv6 interface) I see these passed on CI running on the branch-3.8.0. (
> >>> https://github.com/apache/zookeeper/runs/5048875668?check_suite_focus=true )
> >>> - I also built and executed unit tests for zkpython
> >>> - I executed quick rolling-upgrade tests (using
> >>> https://github.com/symat/zk-rolling-upgrade-test):
> >>>  - rolling upgrade from 3.5.9 to 3.8.0
> >>>  - rolling upgrade from 3.6.3 to 3.8.0
> >>>  - rolling upgrade from 3.7.0 to 3.8.0
> >>> - The web page looks OK
> >>>
> >>> Best regards,
> >>> Máté
> >>>
> >>> On Wed, Feb 9, 2022 at 8:04 PM Chris Nauroth <cnaur...@apache.org> wrote:
> >>>
> >>>> Enrico, thank you for putting together a release candidate.
> >>>>
> >>>> I briefly looked at the OWASP check failure. It's flagging multiple old
> >>>> CVEs against netty-tcnative-2.0.48.Final.jar. I can't imagine how these are
> >>>> still applicable. This is the newest version of the dependency, so we don't
> >>>> have another upgrade path we can try.
> >>>>
> >>>> I don't understand it. Unfortunately, I haven't found a solution yet.
> >>>>
> >>>> Chris Nauroth
> >>>>
> >>>>
> >>>> On Wed, Feb 9, 2022 at 2:05 AM Szalay-Bekő Máté
> >>>> <szalay.beko.m...@gmail.com> wrote:
> >>>>
> >>>>> I started to test it. apache-rat passed for me, but owasp first failed due
> >>>>> to some environment issue:
> >>>>>
> >>>>> [ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.0:check
> >>>>> (default-cli) on project parent: Fatal exception(s) analyzing Apache
> >>>>> ZooKeeper: One or more exceptions occurred during analysis:
> >>>>> [ERROR] Unable to download meta file:
> >>>>> https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2004.meta
> >>>>> [ERROR] No documents exist
> >>>>> [ERROR] -> [Help 1]
> >>>>>
> >>>>> Now I just re-ran and this error disappeared, I assume nvd.nist.gov was
> >>>>> down for a while.
> >>>>> Now the owasp is failing for me with this error:
> >>>>>
> >>>>> [ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.0:check
> >>>>> (default-cli) on project zookeeper:
> >>>>> [ERROR]
> >>>>> [ERROR] One or more dependencies were identified with vulnerabilities that
> >>>>> have a CVSS score greater than or equal to '0.0':
> >>>>> [ERROR]
> >>>>> [ERROR] netty-tcnative-2.0.48.Final.jar: CVE-2021-43797, CVE-2019-16869,
> >>>>> CVE-2015-2156, CVE-2021-37136, CVE-2014-3488, CVE-2021-37137,
> >>>>> CVE-2019-20445, CVE-2019-20444, CVE-2021-21295, CVE-2021-21409,
> >>>>> CVE-2021-21290
> >>>>> [ERROR]
> >>>>> [ERROR] See the dependency-check report for more details.
> >>>>>
> >>>>>
> >>>>> I still continue to test the RC, let me know if it gets cancelled.
> >>>>>
> >>>>>
> >>>>> On Tue, Feb 8, 2022 at 9:52 PM Patrick Hunt <ph...@apache.org> wrote:
> >>>>>
> >>>>>> On Tue, Feb 8, 2022 at 12:36 PM Enrico Olivelli <eolive...@gmail.com>
> >>>>>> wrote:
> >>>>>>
> >>>>>>> Any comments?
> >>>>>>>
> >>>>>>
> >>>>>> owasp is still red - as such I assumed this release candidate is on hold
> >>>>>> until that's fixed. Is that not the case?
> >>>>>>
> >>>>>> Patrick
> >>>>>>
> >>>>>>
> >>>>>>>
> >>>>>>> On Fri, 4 Feb 2022, 12:07 Enrico Olivelli <eolive...@apache.org>
> >>>>>>> wrote:
> >>>>>>>
> >>>>>>>> This is a release candidate for 3.8.0.
> >>>>>>>>
> >>>>>>>> It is a major release and it introduces a lot of new features, most
> >>>>>>>> notably:
> >>>>>>>> - Migration of the logging framework from Apache Log4j1 to LogBack
> >>>>>>>> - Read Key/trust store password from file (and other security related
> >>>>>>>> improvements)
> >>>>>>>> - Restored support for OSGI
> >>>>>>>> - Reduced the performance impact of Prometheus metrics
> >>>>>>>> - Official support for JDK17 (all tests are passing)
> >>>>>>>> - Updates to all the third party dependencies to get rid of every known
> >>>>>>>> CVE.
> >>>>>>>>
> >>>>>>>> The full release notes are available at:
> >>>>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12349587
> >>>>>>>>
> >>>>>>>> *** Please download, test and vote by February 7th 2022, 23:59 UTC+0. ***
> >>>>>>>>
> >>>>>>>> Source files:
> >>>>>>>> https://people.apache.org/~eolivelli/zookeeper-3.8.0-candidate-0/
> >>>>>>>>
> >>>>>>>> Maven staging repo:
> >>>>>>>> https://repository.apache.org/content/repositories/orgapachezookeeper-1072/
> >>>>>>>>
> >>>>>>>> The release candidate tag in git to be voted upon: release-3.8.0-0
> >>>>>>>> https://github.com/apache/zookeeper/tree/release-3.8.0-0
> >>>>>>>>
> >>>>>>>> ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> >>>>>>>> https://www.apache.org/dist/zookeeper/KEYS
> >>>>>>>>
> >>>>>>>> The staging version of the website is:
> >>>>>>>> https://people.apache.org/~eolivelli/zookeeper-3.8.0-candidate-0/website/
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> Should we release this candidate?
> >>>>>>>> Enrico Olivelli
>
>
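
The "exclusion" the thread settles on is an OWASP dependency-check suppression. Written out below as an added example (editor's illustration, not ZooKeeper's actual suppression file or the patch Enrico prepared): a single <suppress> entry scoped by package URL to the netty-tcnative artifacts only, listing exactly the CVE identifiers from the failing build above. The file name owaspSuppressions.xml and its wiring into the pom through the plugin's <suppressionFiles> setting are assumptions; the thread only says an exclusion will be added. The thread itself concludes the finding is a false positive without saying why; the explanation in the notes (the listed CVEs are filed against the Netty core and codec artifacts, and dependency-check matches the tcnative jar to the same netty CPE) is this editor's, not the participants'.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the project's own file. Assumed location: owaspSuppressions.xml
     at the repository root, referenced from the dependency-check-maven plugin
     configuration in the pom via <suppressionFiles>. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      netty-tcnative-2.0.48.Final.jar is reported against CVEs that were filed
      against the Netty core/codec artifacts (io.netty:netty*), not against
      netty-tcnative itself; dependency-check matches the tcnative jar to the
      same netty CPE. The suppression is scoped to the netty-tcnative package
      URL only, so a CVE against the netty-codec jars, or a genuine CVE against
      netty-tcnative that is not in this list, is still reported and still
      fails the build. Record the VOTE thread / JIRA here when committing.
    ]]></notes>
    <!-- Match io.netty:netty-tcnative and its *-boringssl-static / *-classes
         siblings at any version; anchor on the io.netty group so a differently
         named jar cannot ride on this suppression. -->
    <packageUrl regex="true">^pkg:maven/io\.netty/netty\-tcnative.*@.*$</packageUrl>
    <!-- Exactly the identifiers from the failing owasp run in this thread. -->
    <cve>CVE-2014-3488</cve>
    <cve>CVE-2015-2156</cve>
    <cve>CVE-2019-16869</cve>
    <cve>CVE-2019-20444</cve>
    <cve>CVE-2019-20445</cve>
    <cve>CVE-2021-21290</cve>
    <cve>CVE-2021-21295</cve>
    <cve>CVE-2021-21409</cve>
    <cve>CVE-2021-37136</cve>
    <cve>CVE-2021-37137</cve>
    <cve>CVE-2021-43797</cve>
  </suppress>
</suppressions>
```

Listing explicit <cve> entries is deliberately narrow: the next Netty CVE that dependency-check mis-attributes to the tcnative jar will turn the build red again and force a fresh look, which is the behaviour Patrick and Andor argue for. The broader alternative is to suppress the mis-attributed identifier itself (<cpe>cpe:/a:netty:netty</cpe> under the same <packageUrl>), which silences every present and future CVE on that CPE for the tcnative jar; that is convenient but should only be used once the mis-identification has actually been confirmed, and it should never be written without the <packageUrl> scope, since an unscoped CPE suppression would also hide real findings against the netty-codec jars.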
