Re: Minutes [corrected]: JDO TCK Conference Call Thursday Dec 16 11 AM PST 20 CET

2021-12-19 Thread Craig Russell
Hi Andy,

> On Dec 19, 2021, at 6:01 AM, Andy Jefferson  wrote:
> 
>> 1. Log4j issue CVE-2021-44228 JDO-800 "Update Log4j Version" 
>> https://issues.apache.org/jira/browse/JDO-800
>> TCK pom has been updated to log4j 2.16.0. 
>> What are the DataNucleus versions that we should use that have been or will 
>> be updated with the latest log4j releases?
> 
> The exact same ones as you are using. 

Great, glad to get confirmation that nothing is needed for the JDO dependency.

Warm regards,
Craig

> DN does not make direct use of any Log4j internal API etc, just gets a 
> LogManager and a Logger from that. The API for those calls is unchanged by 
> this "issue". Consequently it is only at RUNTIME that such an issue could be 
> exploited, and the user (of DN) chooses what version of Log4j to make use of 
> at runtime. No plans to update our pom (for v5.x) for an optional dependency. 
> 
> 
> 
> Regards
> -- 
> Andy
> DataNucleus (Web: http://www.datanucleus.org   Twitter: @datanucleus)
> 
> 

Craig L Russell
c...@apache.org



Fwd: [jira] [Comment Edited] (INFRA-22540) Change "Apache Rules" in Nexus to check for sha256/512 instead of sha1/md5

2021-12-19 Thread Tilmann Zäschke

Hi,

the INFRA ticket just got updated.

Could someone have a look at whether I am describing the process/issue
correctly?

https://issues.apache.org/jira/browse/INFRA-22540?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17461830#comment-17461830

Thanks,
Til



-------- Forwarded Message --------
Subject:[jira] [Comment Edited] (INFRA-22540) Change "Apache Rules" in
Nexus to check for sha256/512 instead of sha1/md5
Date:   Sat, 18 Dec 2021 10:26:00 + (UTC)
From:   Herve Boutemy (Jira) 
To: tilma...@apache.org




[ https://issues.apache.org/jira/browse/INFRA-22540?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17461830#comment-17461830 ]
Herve Boutemy edited comment on INFRA-22540 at 12/18/21, 10:25 AM:
---

we had such a discussion at Maven level: there is in general a confusion
between
1. Apache rules on the source release to dist, which mandate sha256/sha512
2. Central rules on every artifact (jar, pom, anything not related to the
Apache source release), which still ask for sha1/md5 checksums and a
PGP signature for more serious checks

in Apache parent POM release 24 (MPOM-244), we added a configuration to
generate sha512 for source-release artifacts when publishing to
Nexus/Central to help projects: see documentation
https://maven.apache.org/pom/asf/#The_apache-release_Profile

but not every project uses the Apache parent POM, or has not upgraded to 24,
or does not even use Maven to build, so I don't know what the best
solution is for [~tilmannz]

at least, please consider the difference in policy between the Apache source
release archive and any other artifact published to Central if you change
something


was (Author: hboutemy):
we had such a discussion at Maven level: there is in general a confusion
between
1. Apache rules on the source release to dist, which mandate sha256/sha512
2. Central rules on every artifact (jar, pom, anything not related to the
Apache source release), which still ask for sha1/md5 checksums and a
PGP signature for more serious checks

in Apache parent POM release 24 (MPOM-244), we added a configuration to
generate sha512 for source-release artifacts when publishing to
Nexus/Central to help projects: see documentation
https://maven.apache.org/pom/asf/#The_apache-release_Profile

but not every project uses the Apache parent POM, or has not upgraded to 24,
or does not even use Maven to build, so I don't know what the best
solution is for [~tilmannz]

at least, please consider the difference in policy between the Apache
source release and any artifact published to Central if you change something


Change "Apache Rules" in Nexus to check for sha256/512 instead of sha1/md5
--

Key: INFRA-22540
URL: https://issues.apache.org/jira/browse/INFRA-22540
Project: Infrastructure
Issue Type: Improvement
Components: Nexus
Reporter: Tilmann Zäschke
Priority: Major

The Release Distribution Policy
(https://infra.apache.org/release-distribution) states:
"PMCs must supply SHA-256 and/or SHA-512 and should not supply MD5 or
SHA-1."
However, currently the Apache Rules in Nexus appear to enforce that
all files (including .zip and .tar.gz) have .sha1 and .md5
counterparts. For our project, "closing" a release candidate fails with:

Event: Failed: Checksum Validation
typeId checksum-staging
failureMessage Required SHA-1: '/org/apache/jdo/3.2-RC3/jdo-3.2-RC3-source-release.zip.sha1'
failureMessage Required MD5: '/org/apache/jdo/3.2-RC3/jdo-3.2-RC3-source-release.zip.md5'
failureMessage Required SHA-1: '/org/apache/jdo/3.2-RC3/jdo-3.2-RC3-source-release.tar.gz.sha1'
failureMessage Required MD5: '/org/apache/jdo/3.2-RC3/jdo-3.2-RC3-source-release.tar.gz.md5'

Can the Apache Rules in Nexus be adapted to allow or even enforce that
files (other than .jar/.pom) are signed with sha256/sha512 instead
of sha1/md5?




--
This message was sent by Atlassian Jira
(v8.20.1#820001)
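
A worked check of the two rule sets Herve distinguishes above (sha256/sha512 for the source-release archive, sha1/md5 plus a PGP signature for every other artifact), added here as an example that is not part of the thread and not the Nexus "Apache Rules" implementation. It runs over a constructed staging directory that reuses the source-release file name from the issue; the jar name, the payloads and the checksum contents are made up.

```python
import hashlib, os, tempfile

# Illustrative re-implementation of the INFRA-22540 rule sets (assumption:
# not the real Nexus "Apache Rules" code, just the policy as described).
SOURCE_RELEASE_ALGOS = ("sha256", "sha512")  # dist policy: at least one of these
CENTRAL_ALGOS = ("sha1", "md5")              # Central rules: both required

def digest_file(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_artifact(path):
    """Return failure messages for one staged artifact (empty list means OK)."""
    name, failures = os.path.basename(path), []
    if "-source-release." in name:
        algos = [a for a in SOURCE_RELEASE_ALGOS if os.path.exists(path + "." + a)]
        if not algos:
            failures.append("Required SHA-256 or SHA-512: '%s'" % name)
    else:
        algos = [a for a in CENTRAL_ALGOS if os.path.exists(path + "." + a)]
        for a in CENTRAL_ALGOS:
            if a not in algos:
                failures.append("Required %s: '%s.%s'" % (a.upper(), name, a))
    if not os.path.exists(path + ".asc"):
        failures.append("Required PGP signature: '%s.asc'" % name)
    for a in algos:  # checksum files hold "<hex>" or "<hex>  <filename>"
        with open(path + "." + a) as f:
            expected = f.read().split()[0].lower()
        if expected != digest_file(path, a):
            failures.append("Checksum mismatch (%s): '%s.%s'" % (a.upper(), name, a))
    return failures

def write(path, data):
    with open(path, "wb" if isinstance(data, bytes) else "w") as f:
        f.write(data)

def demo():
    # Constructed staging directory: a compliant source release and a bad jar.
    d = tempfile.mkdtemp()
    src = os.path.join(d, "jdo-3.2-RC3-source-release.zip")
    write(src, b"constructed zip payload")
    write(src + ".sha512", digest_file(src, "sha512") + "  " + os.path.basename(src) + "\n")
    write(src + ".asc", "-----BEGIN PGP SIGNATURE-----\n(constructed)\n")
    jar = os.path.join(d, "jdo-api-3.2-RC3.jar")  # made-up artifact name
    write(jar, b"constructed jar payload")
    write(jar + ".sha1", "0" * 40 + "\n")  # wrong digest; .md5 and .asc missing
    return {os.path.basename(p): check_artifact(p) for p in (src, jar)}
```

The source-release archive passes with only a .sha512 and .asc beside it, while the jar is reported for the missing .md5, the missing signature and the non-matching .sha1, which is the split the issue asks Nexus to apply.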


Re: Minutes [corrected]: JDO TCK Conference Call Thursday Dec 16 11 AM PST 20 CET

2021-12-19 Thread Andy Jefferson
> 1. Log4j issue CVE-2021-44228 JDO-800 "Update Log4j Version" 
> https://issues.apache.org/jira/browse/JDO-800
> TCK pom has been updated to log4j 2.16.0. 
> What are the DataNucleus versions that we should use that have been or will 
> be updated with the latest log4j releases?

The exact same ones as you are using. 
DN does not make direct use of any Log4j internal API etc, just gets a 
LogManager and a Logger from that. The API for those calls is unchanged by 
this "issue". Consequently it is only at RUNTIME that such an issue could be 
exploited, and the user (of DN) chooses what version of Log4j to make use of 
at runtime. No plans to update our pom (for v5.x) for an optional dependency. 



Regards
-- 
Andy
DataNucleus (Web: http://www.datanucleus.org   Twitter: @datanucleus)