Re: [DISCUSS] Apache Pulsar 3.2.0 release

2023-12-21 Thread guo jiwei
Hi community,
I have cut branch 3.2 and will freeze the code for the next two weeks.

Regards
Jiwei Guo (Tboy)


On Thu, Dec 14, 2023 at 11:40 AM guo jiwei  wrote:

> Hi community,
> It has been more than three months since the release of 3.1.0. We now
> have more than 305 commits and 26 PIPs merged. We'd better prepare for
> the 3.2.0 release. I would like to cut branch-3.2 in the next week and
> freeze the code for two weeks.
> Please leave any ideas or concerns.
>
>
> Regards
> Jiwei Guo (Tboy)
>


[DISCUSS] Add Docker image vulnerability scans

2023-12-21 Thread Chris Bono
Similar to how we scan our dependencies using OWASP vulnerability
scans (links below) we are working on a solution to scan our Docker
images as well.

This topic was initially introduced at the Pulsar community meeting on
2023-12-21 and we decided to expand the discussion to a wider audience
before proceeding.

Ultimate Goal: Create CVE-free Pulsar Docker container images

Immediate Goal: Create Pulsar Docker container images w/ no newly
introduced CVEs

We are working on a prototype
(https://github.com/onobc/github-actions-sandbox) that uses Trivy in a
Github action workflow to scan a container(s) in a scheduled manner.

Plan is as follows:

Step 1: Introduce a scheduled Github Action workflow that performs the scan

Step 2: Trigger the scan when the containers are rebuilt to prevent
publishing w/ CVEs

We chose to iteratively introduce the scan first via an offline
schedule as it is a non-intrusive (Step 1), low-risk entry point.
This benefit is also the downside (tradeoff) in that there is nothing
to prevent changes from introducing new CVEs into newly built
container images. Humans are not reliable at polling a resource for an
error before proceeding w/ their work.

As such, the intention is to continue (Step 2) and move the trigger
into the CI pipeline at the proper point so that if new CVEs are
introduced, the pipeline fails (user is blocked and issue is
addressed). Long term, rather than "new CVE introduced" we would like
it to be if "any CVE exists then block".

Does anyone have objections to using Trivy for the scanner tool? If
so, please explain.

Does anyone else have any objections, concerns, or direction before we
proceed w/ the above plan?

Thanks,
Chris

Trivy container scan prototype: https://github.com/onobc/github-actions-sandbox

Current OWASP dependency scanner links:
* https://jeremylong.github.io/DependencyCheck/dependency-check-maven/
* https://github.com/apache/pulsar/blob/8beac8b12ef7c0ef54529fbb7e4e76c54dea6283/pom.xml#L2428
* https://github.com/apache/pulsar/blob/master/.github/workflows/ci-owasp-dependency-check.yaml#L30
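A concrete form of the Step 2 gate ("block only on newly introduced CVEs") beside the longer-term "block if any CVE exists" policy the message contrasts, as an added example that is not code from the Pulsar project or from the prototype repository linked above. It reads the shape of Trivy's JSON report (Results[].Vulnerabilities[]) and applies the same kind of filters Trivy exposes as --severity and --ignore-unfixed; the two reports and their CVE-0000-* ids are constructed placeholders.

```python
import json

# Constructed Trivy-style JSON reports (placeholder CVE ids, only the fields the gate reads).
BASELINE_REPORT = json.loads("""{"ArtifactName": "example/pulsar:baseline", "Results": [
  {"Target": "example/pulsar (os packages)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo", "Severity": "HIGH", "FixedVersion": "1.1"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar", "Severity": "CRITICAL", "FixedVersion": ""}]}]}""")
NEW_REPORT = json.loads("""{"ArtifactName": "example/pulsar:rebuilt", "Results": [
  {"Target": "example/pulsar (os packages)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo", "Severity": "HIGH", "FixedVersion": "1.1"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar", "Severity": "CRITICAL", "FixedVersion": ""},
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz", "Severity": "HIGH", "FixedVersion": "2.0"},
    {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libqux", "Severity": "LOW", "FixedVersion": "0.2"}]}]}""")

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def findings(report, min_severity="HIGH", ignore_unfixed=True):
    """Collect (CVE id, package) pairs from Results[].Vulnerabilities[], dropping findings
    below min_severity and, optionally, findings that have no fixed version yet."""
    found = set()
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # Trivy emits null for a clean target
            if SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0) < SEVERITY_RANK[min_severity]:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue  # no upstream fix: a rebuild cannot remove it, so do not block on it
            found.add((vuln["VulnerabilityID"], vuln["PkgName"]))
    return found


def gate(baseline, new, policy="new-only", **filters):
    """Return (blocked, offending) under the two policies discussed in the thread:
    "new-only" blocks only on CVEs absent from the baseline image; "any" blocks on every CVE."""
    current = findings(new, **filters)
    if policy == "new-only":
        offending = current - findings(baseline, **filters)
    elif policy == "any":
        offending = current
    else:
        raise ValueError(f"unknown policy: {policy!r}")
    return bool(offending), sorted(offending)


if __name__ == "__main__":
    import sys
    blocked, offending = gate(BASELINE_REPORT, NEW_REPORT, policy="new-only")
    for cve, pkg in offending:
        print(f"new finding: {cve} in {pkg}")
    sys.exit(1 if blocked else 0)  # non-zero exit fails the CI job, which is what Step 2 wants
```

In a workflow the baseline report would be the scan of the last published image and the new report the scan of the freshly rebuilt one; switching the policy to "any" gives the long-term behaviour without changing the pipeline wiring.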


Re: [VOTE] PIP-326: Create a BOM to ease dependency management

2023-12-21 Thread Apurva Telang
+1 (non-binding)

On Thu, Dec 21, 2023 at 4:30 PM Matteo Merli  wrote:

> +1
>
>
> --
> Matteo Merli
> 
>
>
> On Thu, Dec 21, 2023 at 4:24 PM Nicolò Boschi 
> wrote:
>
> > +1 binding
> >
> > Nicolò Boschi
> >
> >
> > Il giorno gio 21 dic 2023 alle 21:21 Lari Hotari  ha
> > scritto:
> >
> > > +1 (binding)
> > >
> > > -Lari
> > >
> > >
> > > On Thu, 21 Dec 2023 at 22:10, Chris Bono  wrote:
> > > >
> > > > I'm starting the vote for PIP-326, since it has been reviewed by
> > > > several members with no objections.
> > > >
> > > > PIP link: https://github.com/apache/pulsar/pull/21747
> > > >
> > > > Thanks,
> > > >
> > > > Chris
> > >
> >
>


-- 
Best regards,
Apurva Telang.


Re: [VOTE] PIP-326: Create a BOM to ease dependency management

2023-12-21 Thread Matteo Merli
+1


--
Matteo Merli



On Thu, Dec 21, 2023 at 4:24 PM Nicolò Boschi  wrote:

> +1 binding
>
> Nicolò Boschi
>
>
> Il giorno gio 21 dic 2023 alle 21:21 Lari Hotari  ha
> scritto:
>
> > +1 (binding)
> >
> > -Lari
> >
> >
> > On Thu, 21 Dec 2023 at 22:10, Chris Bono  wrote:
> > >
> > > I'm starting the vote for PIP-326, since it has been reviewed by
> > > several members with no objections.
> > >
> > > PIP link: https://github.com/apache/pulsar/pull/21747
> > >
> > > Thanks,
> > >
> > > Chris
> >
>


Re: [VOTE] PIP-326: Create a BOM to ease dependency management

2023-12-21 Thread Nicolò Boschi
+1 binding

Nicolò Boschi


Il giorno gio 21 dic 2023 alle 21:21 Lari Hotari  ha
scritto:

> +1 (binding)
>
> -Lari
>
>
> On Thu, 21 Dec 2023 at 22:10, Chris Bono  wrote:
> >
> > I'm starting the vote for PIP-326, since it has been reviewed by
> > several members with no objections.
> >
> > PIP link: https://github.com/apache/pulsar/pull/21747
> >
> > Thanks,
> >
> > Chris
>


Re: [VOTE] PIP-326: Create a BOM to ease dependency management

2023-12-21 Thread Lari Hotari
+1 (binding)

-Lari


On Thu, 21 Dec 2023 at 22:10, Chris Bono  wrote:
>
> I'm starting the vote for PIP-326, since it has been reviewed by
> several members with no objections.
>
> PIP link: https://github.com/apache/pulsar/pull/21747
>
> Thanks,
>
> Chris


[VOTE] PIP-326: Create a BOM to ease dependency management

2023-12-21 Thread Chris Bono
I'm starting the vote for PIP-326, since it has been reviewed by
several members with no objections.

PIP link: https://github.com/apache/pulsar/pull/21747

Thanks,

Chris


[ANNOUNCE] Apache Pulsar Helm Chart version 3.1.0 Released

2023-12-21 Thread Lari Hotari
Dear Pulsar community,

The Apache Pulsar team is pleased to announce the release of the Apache
Pulsar Helm Chart 3.1.0.

The official source release, as well as the binary Helm Chart release,
are available at
https://downloads.apache.org/pulsar/helm-chart/3.1.0/.

The helm chart index at https://pulsar.apache.org/charts/ has been
updated and the release is also available directly via helm.

Release Notes:
https://github.com/apache/pulsar-helm-chart/releases/tag/pulsar-3.1.0
Docs: https://github.com/apache/pulsar-helm-chart#readme and
https://pulsar.apache.org/docs/helm-overview
ArtifactHub: https://artifacthub.io/packages/helm/apache/pulsar/3.1.0

Thanks to all the contributors who made this possible.

Regards,

The Apache Pulsar Team