Posted to dev@zookeeper.apache.org by Mohammad Arshad <ar...@apache.org> on 2021/04/07 17:08:00 UTC

[CANCELLED] [VOTE] Apache ZooKeeper release 3.6.3 candidate 1

Thanks Mate and Norbert for your feedback on RC1.

When I created RC1, OWASP CI was successful (https://ci-hadoop.apache.org/view/ZooKeeper/job/zookeeper-multi-branch-owasp/job/branch-3.6.3/5/).
But yes, now that CI is failing.

I am cancelling this RC0 due to Jetty CVE-2021-28165.
Will prepare RC2 soon.

Thanks & Regards
Arshad
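
As an added illustration (not the ZooKeeper project's own pom.xml), this Maven fragment shows the two pieces of the fix the thread converges on: pinning the Jetty artifacts that the OWASP scan flagged to the 9.4.39 line, and configuring dependency-check-maven 5.3.0 (the plugin version in the CI output) to fail the build on any finding, matching the "greater than or equal to '0.0'" threshold reported there. The property name jetty.version and the 9.4.39.v20210325 build string are assumptions to be confirmed against Maven Central; failBuildOnCVSS is the plugin's real configuration parameter.

```xml
<!-- Added example, not taken from the ZooKeeper build. -->
<project>
  <properties>
    <!-- Assumed property name. 9.4.38.v20210224 is the build the scan flagged
         for CVE-2021-28165; 9.4.39.v20210325 is assumed to be the fixed build. -->
    <!-- <jetty.version>9.4.38.v20210224</jetty.version>  vulnerable -->
    <jetty.version>9.4.39.v20210325</jetty.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Both artifacts named in the scan output are pinned from one property,
           so they cannot drift apart on a later upgrade. -->
      <dependency>
        <groupId>org.eclipse.jetty</groupId>
        <artifactId>jetty-server</artifactId>
        <version>${jetty.version}</version>
      </dependency>
      <dependency>
        <groupId>org.eclipse.jetty</groupId>
        <artifactId>jetty-http</artifactId>
        <version>${jetty.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>5.3.0</version>
        <configuration>
          <!-- Fail on any reported CVSS score (default is 11, i.e. never fail);
               this reproduces the ">= 0.0" threshold seen in the thread. -->
          <failBuildOnCVSS>0</failBuildOnCVSS>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>
```

With this in place the command Mate ran, `mvn clean package -DskipTests dependency-check:check`, returns non-zero for any dependency with a known CVE, which is what makes the check usable as a release gate rather than a report that has to be read.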


On Wed, Apr 7, 2021 at 6:12 PM Norbert Kalmar <nk...@cloudera.com.invalid> wrote:

> dependency check is green now with https://github.com/apache/zookeeper/pull/1675
> We do backport security fixes to 3.5 branch, correct? I will create a
> separate PR for that due to ant support.
>
> - Norbert
>
> On Wed, Apr 7, 2021 at 2:19 PM Norbert Kalmar <nk...@cloudera.com> wrote:
>
> > Please don't forget to update the license files also in zookeeper-server
> > resources folder!
> > But better yet I can create the jira and have a PR up soon.
> >
> > - Norbert
> >
> > On Wed, Apr 7, 2021 at 1:50 PM Andor Molnar <an...@apache.org> wrote:
> >
> >> Good catch Mate!
> >>
> >> Jetty has to be upgraded.
> >>
> >> Andor
> >>
> >>
> >>
> >>
> >> > On 2021. Apr 7., at 13:43, Szalay-Bekő Máté <szalay.beko.mate@gmail.com> wrote:
> >> >
> >> > -1 (non-binding)
> >> >
> >> > Hello Mohammad!
> >> >
> >> > Thanks for the great work! Sorry for torpedoing it :(
> >> >
> >> > I voted with -1, as the CVE check failed for me on the release candidate:
> >> >
> >> > mvn clean package -DskipTests dependency-check:check
> >> > (...)
> >> > [ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.0:check (default-cli) on project zookeeper:
> >> > [ERROR]
> >> > [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0':
> >> > [ERROR]
> >> > [ERROR] jetty-server-9.4.38.v20210224.jar: CVE-2021-28165
> >> > [ERROR] jetty-http-9.4.38.v20210224.jar: CVE-2021-28165
> >> > [ERROR]
> >> > [ERROR] See the dependency-check report for more details.
> >> >
> >> >
> >> > It seems we have a relatively recent (about three weeks old) CVE error in Jetty: https://nvd.nist.gov/vuln/detail/CVE-2021-28165
> >> > "In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame."
> >> >
> >> > Looks like we will have to upgrade to jetty-server-9.4.39.
> >> >
> >> > Kind regards,
> >> > Mate
> >> >
> >> > On Tue, Apr 6, 2021 at 10:17 AM Mohammad arshad <mohammad.arshad@huawei.com> wrote:
> >> >
> >> >> +1 (non-binding)
> >> >>
> >> >> -Verified signature and checksum of release artifacts. All ok
> >> >> -Ran JUnit test cases with jdk1.8.0_232 on Ubuntu 20.04, total 3137 test cases, 3 skipped, rest all passed
> >> >> -Done basic quality checks. Ran rat, checkstyle, spotbugs
> >> >> -Built tarball from source code, verified it is the same as the downloaded tarball
> >> >> -Installed a 3 node cluster and verified basic functionalities from API, executed a few CLI commands. No issues observed
> >> >> -Connected HBase, HDFS and Yarn clusters (all using zk 3.5.6) to ZooKeeper 3.6.3 cluster, no issues observed.
> >> >>
> >> >> Though as a release manager my +1 vote is implicit, voting again to share a few commands I used to verify the release.
> >> >>
> >> >> Here are some of the commands I executed while verifying the release.
> >> >>
> >> >> Download all the required artifacts
> >> >> --------------------------------------------------------
> >> >> wget https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/apache-zookeeper-3.6.3-bin.tar.gz
> >> >> wget https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/apache-zookeeper-3.6.3-bin.tar.gz.asc
> >> >> wget https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/apache-zookeeper-3.6.3-bin.tar.gz.sha512
> >> >>
> >> >> wget https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/apache-zookeeper-3.6.3.tar.gz
> >> >> wget https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/apache-zookeeper-3.6.3.tar.gz.asc
> >> >> wget https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/apache-zookeeper-3.6.3.tar.gz.sha512
> >> >>
> >> >> wget https://www.apache.org/dist/zookeeper/KEYS
> >> >>
> >> >> Verify Signature
> >> >> --------------------------------------------------------
> >> >> gpg --import KEYS
> >> >> gpg --verify apache-zookeeper-3.6.3-bin.tar.gz.asc apache-zookeeper-3.6.3-bin.tar.gz
> >> >> gpg --verify apache-zookeeper-3.6.3.tar.gz.asc apache-zookeeper-3.6.3.tar.gz
> >> >> gpg --fingerprint 68E327C1
> >> >>
> >> >> Verify Checksum
> >> >> --------------------------------------------------------
> >> >> sha512sum --check apache-zookeeper-3.6.3-bin.tar.gz.sha512
> >> >> sha512sum --check apache-zookeeper-3.6.3.tar.gz.sha512
> >> >>
> >> >>
> >> >> Verify license header by executing Apache RAT
> >> >> --------------------------------------------------------
> >> >> tar -xvf apache-zookeeper-3.6.3.tar.gz
> >> >> cd apache-zookeeper-3.6.3
> >> >> mvn clean apache-rat:check -DskipTests
> >> >>
> >> >> Perform quality checks, run checkstyle, spotbugs and unit tests
> >> >> --------------------------------------------------------
> >> >> mvn clean install checkstyle:check spotbugs:check -DskipTests
> >> >> mvn clean test -Dsurefire.rerunFailingTestsCount=2 -DtestFailureIgnore=true -Dmaven.test.failure.ignore=true -Dmaven.test.error.ignore=true
> >> >> NOTE: use -Pfull-build to include ci tests as well
> >> >>
> >> >> Build and Cluster Install
> >> >> --------------------------------------------------------
> >> >> Built the tarball from source code and compared that it is the same as the downloaded tarball. Apart from timestamp changes, no other changes are observed
> >> >> mvn clean install -DskipTests
> >> >> Installed the downloaded bin tarball and do some feature sanity tests
> >> >>
> >> >> Thanks & Regards
> >> >> Arshad
> >> >>
> >> >> -----Original Message-----
> >> >> From: Mohammad Arshad [mailto:arshad@apache.org]
> >> >> Sent: Sunday, April 4, 2021 4:48 PM
> >> >> To: dev@zookeeper.apache.org
> >> >> Subject: [VOTE] Apache ZooKeeper release 3.6.3 candidate 1
> >> >>
> >> >> This is a bug fix release candidate for 3.6.3. It contains 50 fixes.
> >> >>
> >> >> The full release notes are available at:
> >> >> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12348703
> >> >>
> >> >> *** Please download, test and vote by Wednesday, April 7th 2021, 23:59 UTC+0. ***
> >> >>
> >> >> Source and binary files:
> >> >> https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/
> >> >>
> >> >> Maven staging repo:
> >> >> https://repository.apache.org/content/repositories/orgapachezookeeper-1070
> >> >>
> >> >> The release candidate tag in git to be voted upon: release-3.6.3-1
> >> >> https://github.com/apache/zookeeper/tree/release-3.6.3-1
> >> >>
> >> >> ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> >> >> https://www.apache.org/dist/zookeeper/KEYS
> >> >>
> >> >> The staging version of the website is:
> >> >> https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/website/
> >> >>
> >> >> *Should we release this candidate?*
> >> >>
> >> >> Thanks & Regards
> >> >> Arshad
> >> >>
> >>
> >>
>
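
The signature and checksum steps in Arshad's verification list (sha512sum --check against the published .sha512 file, gpg --verify against the .asc after importing KEYS) are the part of release validation most worth automating, because a mismatch there means the artifact is not what the release manager signed. The script below is an added example, not code from the thread or from the ZooKeeper project. It assumes a POSIX shell with coreutils sha512sum; gpg is used only when it is installed and a .asc file is present, and KEYS is assumed to have been imported beforehand. The files produced by make_fixture are constructed samples, not real release artifacts.

```shell
#!/bin/sh
# Added example: offline verification of a release artifact in the way the
# thread describes (checksum first, then detached signature). Not the
# ZooKeeper project's own tooling.

# verify_artifact DIR ARTIFACT
#   Expects DIR/ARTIFACT and DIR/ARTIFACT.sha512, optionally DIR/ARTIFACT.asc.
#   Returns 0 only when the checksum matches and, if gpg and the .asc file
#   are available, the signature verifies against an imported key.
verify_artifact() {
  dir="$1"
  artifact="$2"
  (
    cd "$dir" || exit 1
    [ -f "$artifact" ] || { echo "missing $artifact" >&2; exit 1; }
    [ -f "$artifact.sha512" ] || { echo "missing $artifact.sha512" >&2; exit 1; }

    # Apache publishes "<hex digest>  <file name>" in the .sha512 file, which
    # is exactly the line format sha512sum -c consumes.
    if ! sha512sum -c "$artifact.sha512" >/dev/null 2>&1; then
      echo "checksum mismatch: $artifact" >&2
      exit 1
    fi

    if [ -f "$artifact.asc" ] && command -v gpg >/dev/null 2>&1; then
      # Requires a prior "gpg --import KEYS". A signature made by a key that
      # is not in the keyring fails here, which is the result we want: the
      # fingerprint must be compared against the project's KEYS file.
      if ! gpg --batch --verify "$artifact.asc" "$artifact" >/dev/null 2>&1; then
        echo "signature check failed: $artifact" >&2
        exit 1
      fi
    fi
    echo "ok: $artifact"
  )
}

# make_fixture DIR
#   Constructed sample files for a local run (not real release artifacts):
#   sample-good.tar.gz matches its checksum file, sample-bad.tar.gz is
#   rewritten after its checksum was recorded, simulating a tampered download.
make_fixture() {
  dir="$1"
  mkdir -p "$dir"
  printf 'constructed sample tarball\n' > "$dir/sample-good.tar.gz"
  printf 'constructed sample tarball\n' > "$dir/sample-bad.tar.gz"
  ( cd "$dir" \
      && sha512sum sample-good.tar.gz > sample-good.tar.gz.sha512 \
      && sha512sum sample-bad.tar.gz  > sample-bad.tar.gz.sha512 )
  printf 'contents changed after publication\n' > "$dir/sample-bad.tar.gz"
}

# Stand-alone demonstration on the constructed fixture.
demo_dir=$(mktemp -d)
make_fixture "$demo_dir"
verify_artifact "$demo_dir" sample-good.tar.gz
verify_artifact "$demo_dir" sample-bad.tar.gz || echo "tampered sample rejected as expected"
rm -rf "$demo_dir"
```

For a real candidate the call is `verify_artifact . apache-zookeeper-3.6.3-bin.tar.gz` in the directory where the wget commands above were run, after `gpg --import KEYS`. Checking the checksum before the signature is deliberate: the .sha512 file is served from the same location as the tarball, so it only proves the download was not corrupted; the detached signature is what ties the bytes to a key listed in KEYS.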