Posted to dev@zookeeper.apache.org by Enrico Olivelli <eo...@gmail.com> on 2022/01/27 15:08:01 UTC

Cutting 3.8.0 release

Hello ZooKeepers,
I believe that the master branch is in good shape.

I would like to start the release procedure for 3.8.0.

This is the list of issues for 3.8.0
https://issues.apache.org/jira/issues/?jql=project%20%3D%20ZOOKEEPER%20AND%20fixVersion%20%3D%203.8.0

We recently addressed all of the CVEs by updating some key
dependencies, like Netty, and moving away from Log4j1 (we switched to
LogBack)

If no one has objections I will start the release procedure on Monday

Regards

Enrico

Re: Cutting 3.8.0 release

Posted by Patrick Hunt <ph...@apache.org>.
On Fri, Feb 4, 2022 at 2:29 PM Enrico Olivelli <eo...@gmail.com> wrote:

> On Fri, 4 Feb 2022, 19:27, Patrick Hunt <ph...@apache.org> wrote:
>
> > The branches, including 3.8.0, are still failing the owasp check due to
> > netty-tcnative
> >
> > https://ci-hadoop.apache.org/view/ZooKeeper/job/zookeeper-multi-branch-owasp/job/branch-3.8.0/3/console
> > I see this jira was closed:
> > https://issues.apache.org/jira/browse/ZOOKEEPER-4462
> > and I can't find any other - what's the plan on addressing this? I'm not
> > familiar with this dependency, has anyone dug into this?
> >
>
> I am sorry.
> I saw the jenkins job and I did not report it to the list.
>
>
No worries at all Enrico, appreciate your efforts.


> I closed the issue without adding the exclusion.
>
> I checked some of those CVEs, and they seem to be not directly related to
> that version in particular.
>
> I have upgraded to the latest version that is available.
>
> Also I think that we are not using that library directly as we are not
> using Netty native TLS support. We should include the Netty Boring SSL
> library and activate time.
>
> We should add the exclusion.
>
> I believe that the release candidate is safe
>
> Thanks for reporting this
>
>
NP. I also see a number of JIRA that are now invalid, iiuc. Could you
review/close/address as appropriate? They are all relative to netty CVE in
ZK:
https://issues.apache.org/jira/issues/?jql=project%20%3D%20ZOOKEEPER%20and%20resolution%20%3D%20unresolved%20and%20summary%20~%20%22netty%20cve*%22%20ORDER%20BY%20created%20DESC

Thanks!

Patrick




Re: Cutting 3.8.0 release

Posted by Enrico Olivelli <eo...@gmail.com>.
On Fri, 4 Feb 2022, 19:27, Patrick Hunt <ph...@apache.org> wrote:

> The branches, including 3.8.0, are still failing the owasp check due to
> netty-tcnative
>
> https://ci-hadoop.apache.org/view/ZooKeeper/job/zookeeper-multi-branch-owasp/job/branch-3.8.0/3/console
> I see this jira was closed:
> https://issues.apache.org/jira/browse/ZOOKEEPER-4462
> and I can't find any other - what's the plan on addressing this? I'm not
> familiar with this dependency, has anyone dug into this?
>

I am sorry.
I saw the jenkins job and I did not report it to the list.

I closed the issue without adding the exclusion.

I checked some of those CVEs, and they seem to be not directly related to
that version in particular.

I have upgraded to the latest version that is available.

Also I think that we are not using that library directly as we are not
using Netty native TLS support. We should include the Netty Boring SSL
library and activate time.

We should add the exclusion.

I believe that the release candidate is safe

Thanks for reporting this

Enrico
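
A triage aid for the dependency-check finding quoted in this thread, added here as an example and not taken from the ZooKeeper build or from any poster: it parses the console line, checks whether the CPE product (`netty`) differs from the Maven artifact that was scanned (`netty-tcnative`), and only then emits an exclusion in dependency-check's suppression-file format. The function names and the note text are assumptions; a mismatch marks a candidate for the exclusion, and the listed CVEs still need a manual read.

```python
import re
from xml.sax.saxutils import escape

# Finding as printed in the CI console output quoted in this thread
# (the "*23:07:49*" timestamp markers are left out).
FINDING = (
    "netty-tcnative-2.0.48.Final.jar "
    "(pkg:maven/io.netty/netty-tcnative@2.0.48.Final, "
    "cpe:2.3:a:netty:netty:2.0.48:*:*:*:*:*:*:*) : CVE-2014-3488, "
    "CVE-2015-2156, CVE-2019-16869, CVE-2019-20444, CVE-2019-20445, "
    "CVE-2021-21290, CVE-2021-21295, CVE-2021-21409, CVE-2021-37136, "
    "CVE-2021-37137, CVE-2021-43797"
)

# Namespace of dependency-check's suppression schema, version 1.3.
SUPPRESSION_NS = (
    "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"
)

FINDING_RE = re.compile(
    r"(?P<file>\S+\.jar)\s*\(\s*"
    r"pkg:maven/(?P<group>[^/\s]+)/(?P<artifact>[^@\s]+)@(?P<version>[^,\s]+)"
    r"\s*,\s*cpe:2\.3:a:(?P<vendor>[^:]+):(?P<product>[^:]+)"
    r":(?P<cpe_version>[^:]+):[^)]*\)\s*:\s*"
    r"(?P<cves>CVE-\d{4}-\d+(?:\s*,\s*CVE-\d{4}-\d+)*)"
)


def parse_finding(text):
    """Parse one dependency-check console finding into its identifiers."""
    # Mail clients re-wrap the console line, so collapse all whitespace first.
    match = FINDING_RE.search(" ".join(text.split()))
    if match is None:
        raise ValueError("not a dependency-check finding line")
    finding = match.groupdict()
    finding["cves"] = re.findall(r"CVE-\d{4}-\d+", finding["cves"])
    return finding


def cpe_mismatch(finding):
    """True when the matched CPE product is not the scanned Maven artifact.

    In that case the CVE list belongs to another product's CPE entry and was
    attached to this jar through the vendor and version fields.
    """
    return finding["product"] != finding["artifact"]


def suppression_xml(finding, reason):
    """Build a suppression that drops only the mismatched CPE for this purl."""
    # Maven coordinates use letters, digits, '.', '-' and '_'; only '.' is
    # a regex metacharacter that has to be escaped.
    group = finding["group"].replace(".", r"\.")
    artifact = finding["artifact"].replace(".", r"\.")
    purl = "^pkg:maven/%s/%s@.*$" % (group, artifact)
    cpe = "cpe:/a:%s:%s" % (finding["vendor"], finding["product"])
    return "\n".join([
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<suppressions xmlns="%s">' % SUPPRESSION_NS,
        "  <suppress>",
        "    <notes>%s</notes>" % escape(reason),
        '    <packageUrl regex="true">%s</packageUrl>' % escape(purl),
        "    <cpe>%s</cpe>" % escape(cpe),
        "  </suppress>",
        "</suppressions>",
    ])


def triage(text, reason):
    """Return a suppression entry for a CPE mismatch, or None otherwise."""
    finding = parse_finding(text)
    if not cpe_mismatch(finding):
        # The CPE names the artifact itself: treat the CVEs as real findings.
        return None
    return suppression_xml(finding, reason)


if __name__ == "__main__":
    # The reason text is a placeholder; record who reviewed the CVEs and when.
    print(triage(FINDING, "CPE netty:netty matched on netty-tcnative (placeholder)"))
```

The suppression is scoped to the package URL and the one CPE, so a CVE later filed against a `netty-tcnative` CPE of its own would still be reported.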


Re: Cutting 3.8.0 release

Posted by Patrick Hunt <ph...@apache.org>.
The branches, including 3.8.0, are still failing the owasp check due to
netty-tcnative
https://ci-hadoop.apache.org/view/ZooKeeper/job/zookeeper-multi-branch-owasp/job/branch-3.8.0/3/console
I see this jira was closed:
https://issues.apache.org/jira/browse/ZOOKEEPER-4462
and I can't find any other - what's the plan on addressing this? I'm not
familiar with this dependency, has anyone dug into this?

*23:07:49*  One or more dependencies were identified with known vulnerabilities in Apache ZooKeeper - Server:
*23:07:49*
*23:07:49*  netty-tcnative-2.0.48.Final.jar (pkg:maven/io.netty/netty-tcnative@2.0.48.Final, cpe:2.3:a:netty:netty:2.0.48:*:*:*:*:*:*:*) : CVE-2014-3488, CVE-2015-2156, CVE-2019-16869, CVE-2019-20444, CVE-2019-20445, CVE-2021-21290, CVE-2021-21295, CVE-2021-21409, CVE-2021-37136, CVE-2021-37137, CVE-2021-43797



Patrick


Re: Cutting 3.8.0 release

Posted by Enrico Olivelli <eo...@gmail.com>.
updates..
I am still waiting for CI on this Netty TCNative upgrade, that has a CVE report
https://github.com/apache/zookeeper/pull/1810

it also needs a reviewer please

Enrico


Re: Cutting 3.8.0 release

Posted by Enrico Olivelli <eo...@gmail.com>.
Andor,
sorry, I misunderstood your question.

Yes, we must name it 3.8.0 due to Logback

Enrico


Re: Cutting 3.8.0 release

Posted by Enrico Olivelli <eo...@gmail.com>.
On Mon, 31 Jan 2022 at 10:49, Andor Molnar
<an...@apache.org> wrote:
>
> What’s the reason for cutting a new minor release?
> The logback migration?
>
> 3.7 only has a single patch release so far: 3.7.0
>
> Isn’t that too early?

for 3.7.1 we have to merge the upgrades of the libraries with CVEs, like Netty
and also we have the fix for the k8s users with NettyServerConnection
factory, that is a blocker for people on k8s


Re: Cutting 3.8.0 release

Posted by Andor Molnar <an...@apache.org>.
What’s the reason for cutting a new minor release?
The logback migration?

3.7 only has a single patch release so far: 3.7.0

Isn’t that too early?

Andor






Re: Cutting 3.8.0 release

Posted by Enrico Olivelli <eo...@gmail.com>.
Sure.

On Fri, 28 Jan 2022 at 14:19, Szalay-Bekő Máté
<sz...@gmail.com> wrote:
>
> Great news, thanks for the work, Enrico!!
>
> I think we should wait for https://github.com/apache/zookeeper/pull/1807 (
> https://issues.apache.org/jira/browse/ZOOKEEPER-4461) so that we can
> eliminate all references for log4j1 from our pom.xml files. What do
> you think?

good catch

the patch looks good, let's commit it as soon as CI passes

Enrico


Re: Cutting 3.8.0 release

Posted by Szalay-Bekő Máté <sz...@gmail.com>.
Great news, thanks for the work, Enrico!!

I think we should wait for https://github.com/apache/zookeeper/pull/1807 (
https://issues.apache.org/jira/browse/ZOOKEEPER-4461) so that we can
eliminate all references for log4j1 from our pom.xml files. What do
you think?

Regards,
Máté



Re: Cutting 3.8.0 release

Posted by Chris Nauroth <cn...@gmail.com>.
+1

Thanks for driving this, Enrico!

Chris Nauroth

