+1 on releasing 0.22.1-rc2
I verified:
- hashes / gpg
- unit tests
- compared the src and bin packages against 0.22.0 to make sure there were
no unexpected changes
- attempted to trigger the jndi lookup functionality; it triggered on
0.22.0 but not 0.22.1-rc2
- verified that task logs look
Hi David,
Right now we are very much dedicating our efforts to getting a 0.22.1 patch
release out. It's taking longer than we'd hoped due to an unexpected issue
with the upgrade to log4j 2.15.0: https://github.com/apache/druid/pull/12056.
Based on the testing we've done so far, though, I think
Let's do another RC. This vote is canceled now.
On Fri, Dec 10, 2021 at 5:56 PM Clint Wylie wrote:
> Also a +0 from me, because the fix for the issue Gian mentioned is
> available in https://github.com/apache/druid/pull/12056 and it seems
> low risk
>
> Release looked good otherwise, so anyone
Canceling to fix the bug that log4j shutdown hook doesn't start.
Also a +0 from me, because the fix for the issue Gian mentioned is
available in https://github.com/apache/druid/pull/12056 and it seems
low risk
Release looked good otherwise, so anyone that doesn't want to wait
would probably be ok to go ahead and start using RC1 if they don't
mind the logging
My vote is 0 on this release.
I verified the usual things, and compared the src and bin packages against
0.22.0 to make sure there were no unexpected changes. That all looks OK to
me. But there is an issue with weird errors at the end of logfiles for
processes that exit normally. It's especially
I will note that the `%m{nolookups}` workaround feels a lot more
challenging to feel comfortable using than the `-D`/env var
workarounds that work in the newer versions. For example, our
log4j2.xml file has two Appenders, one of which uses JsonLayout and
one of which uses PatternLayout. It's hard
I started a release vote an hour ago. If you want to use the patched
version soon, please help with reviewing the release :)
On Fri, Dec 10, 2021 at 12:22 PM Eyal Yurman
wrote:
> Thank you for the fast response.
>
> On Fri, Dec 10, 2021 at 11:35 AM Gian Merlino wrote:
>
> > We're working on
Hi all,
I have created a build for Apache Druid 0.22.1, release
candidate 1.
Thanks to everyone who has helped contribute to the release! You can read
the proposed release notes here:
https://github.com/apache/druid/issues/12054
The release candidate has been tagged in GitHub as
Thank you for the fast response.
On Fri, Dec 10, 2021 at 11:35 AM Gian Merlino wrote:
> We're working on this right now and will be getting a vote / release for
> 0.22.1 out asap.
>
> Btw, the log4j announcement mentions a mitigation that does work for our
> current version (2.8.2). It's part
We're working on this right now and will be getting a vote / release for
0.22.1 out asap.
Btw, the log4j announcement mentions a mitigation that does work for our
current version (2.8.2). It's part (b) here, specifying "%m{nolookups}" in
the PatternLayout configuration:
Since it is “critical” severity, I think it would be a good idea to
seriously consider pushing out a minor version of 0.22.x. Especially since
the mitigation strategy outlined in the CVE is not available in the log4j
version that exists today in the current stable release. There is past
precedent
Hi Eyal,
Yes. As this vulnerability seems critical, we are working on the 0.22.1
release.
On Fri, Dec 10, 2021 at 10:14 AM Eyal Yurman
wrote:
> Hello, regarding https://github.com/apache/druid/pull/12051 which merged to
> master,
>
> Is it a common practice for the project to backport and
Hello, regarding https://github.com/apache/druid/pull/12051 which merged to
master,
Is it a common practice for the project to backport and release a new minor
for the latest version?