Posted to dev@nifi.apache.org by Joe Witt <jo...@gmail.com> on 2021/12/13 13:49:24 UTC

discuss: do a nifi 1.15.1 release to eliminate log4shell concern

Team

We still don't think we are vulnerable but this now highly risky library is
present.  We have PRs to eliminate it/main is fixed.   I think we should do
a 24 hour 1.15.1 release/vote for it.   It will eliminate concerns for
users.   We are frankly pretty close to a 1.16 release at this point as
well it seems but can circle back.


Any different views on 1.15.1?

Thanks

Re: discuss: do a nifi 1.15.1 release to eliminate log4shell concern

Posted by Joe Witt <jo...@gmail.com>.
Team

The support/nifi-1.15 branch has all we need to kick off a 1.15.3
release I believe with the exception of a hive/snappy thing we should
try to fix.  https://issues.apache.org/jira/projects/NIFI/versions/12351203

Might go on without that though tomorrow if necessary.

Thanks

On Mon, Jan 10, 2022 at 8:37 AM Joe Witt <jo...@gmail.com> wrote:
>
> Team,
>
> Still planning to do this but need a few more days on my end to have
> time for the RC generation pieces.
>
> Thanks
>
> On Tue, Jan 4, 2022 at 9:43 AM Joe Witt <jo...@gmail.com> wrote:
> >
> > Team,
> >
> > Looking like it would be helpful to kick out a 1.15.3 to ensure build
> > works when building optional nars due to logging updates, fixes SFTP
> > behavior, fixes regression with GCP, etc.
> >
> > I might kick this out but probably won't attempt to generate the RC
> > until this weekend.
> >
> > Thanks
> >
> > On Wed, Dec 22, 2021 at 5:21 PM Joe Witt <jo...@gmail.com> wrote:
> > >
> > > Team
> > >
> > > As you saw the vote for 1.15.2 has passed.  Thanks all.  However, I am
> > > holding off sending the announce thread and such because I can't get
> > > the website updated for some reason.  It appears to be not unique to
> > > us as reported in
> > > https://issues.apache.org/jira/projects/INFRA/issues/INFRA-22647?filter=allopenissues.
> > > I've also reported in ASF INFRA slack so we'll see.  Once sorted will
> > > wrap the final announce thread up.
> > >
> > > Thanks
> > >
> > > On Mon, Dec 20, 2021 at 10:19 AM Joe Witt <jo...@gmail.com> wrote:
> > > >
> > > > ...sooooo 1.15.1 was fun.  But there is another log4j 2.x
> > > > vulnerability reported.  While we remain minimally exposed we should
> > > > just get this over with totally.  There are changes on main now which
> > > > eliminate the usage of log4j 2.x core entirely and block usage of it
> > > > going forward.  Components can still use log4j as they always could
> > > > but they must bridge to slf4j using the proper dependencies as they
> > > > always should have anyway.  We have the latest logback.  All logs
> > > > should route to slf4j which we then actually write out using logback.
> > > >
> > > > So I'm going to go ahead and kick off a 1.15.2 to let us get this
> > > > resolved formally and help alleviate concerns folks tend to have now
> > > > around logging related vulnerabilities.
> > > >
> > > > Thanks
> > > >
> > > > On Mon, Dec 13, 2021 at 10:08 PM Joe Witt <jo...@gmail.com> wrote:
> > > > >
> > > > > Here are the JIRAs I grabbed from the 1.16/main line to pull into
> > > > > 1.15.1 in addition.
> > > > >
> > > > > https://issues.apache.org/jira/browse/NIFI-9480?jql=project%20%3D%20NIFI%20AND%20fixVersion%20%3D%201.15.1
> > > > >
> > > > > Thanks
> > > > >
> > > > > On Mon, Dec 13, 2021 at 10:08 PM Joe Witt <jo...@gmail.com> wrote:
> > > > > >
> > > > > > Goodness.  Two RC build release processes have failed a couple hours
> > > > > > into it due to apparent network/availability issues while sending
> > > > > > artifacts to repository.apache.org.  I can only assume they're getting
> > > > > > hit with a lot of projects trying to do a lot of uploads and such.
> > > > > > Will try again in a bit/first thing in AM.  Once we can get a
> > > > > > successful build up I might suggest we do what log4j has done and
> > > > > > simply open the vote long enough to get enough binding +1 votes and
> > > > > > get this out there.
> > > > > >
> > > > > > Thanks
> > > > > >
> > > > > > On Mon, Dec 13, 2021 at 10:04 AM Joe Witt <jo...@gmail.com> wrote:
> > > > > > >
> > > > > > > Thanks - will roll with that
> > > > > > >
> > > > > > > On Mon, Dec 13, 2021 at 10:03 AM David Handermann
> > > > > > > <ex...@apache.org> wrote:
> > > > > > > >
> > > > > > > > PR 5598 for NIFI-9474 is now merged into the main branch, which streamlines
> > > > > > > > version updates to Log4j 2 dependencies.  It also excludes log4j-core older
> > > > > > > > than 2.15.0 from build artifacts, so this should provide a good basis for a
> > > > > > > > patch release.
> > > > > > > >
> > > > > > > > https://github.com/apache/nifi/pull/5598
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > > David Handermann
> > > > > > > >
> > > > > > > > On Mon, Dec 13, 2021 at 10:44 AM Chris Sampson
> > > > > > > > <ch...@naimuri.com.invalid> wrote:
> > > > > > > >
> > > > > > > > > I'd agree. The discussions in Slack and separate user mailing list thread
> > > > > > > > > are a reassurance for users (who read them), but a patch for the current
> > > > > > > > > 1.15 branch would seem sensible for people to pick up and assuage any
> > > > > > > > > remaining security concerns they may have around the library.
> > > > > > > > >
> > > > > > > > > That leaves 1.16 a little longer to get more good stuff merged in for the
> > > > > > > > > next feature release.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Cheers,
> > > > > > > > >
> > > > > > > > > Chris Sampson
> > > > > > > > >
> > > > > > > > > On Mon, 13 Dec 2021, 14:19 David Handermann, <ex...@apache.org>
> > > > > > > > > wrote:
> > > > > > > > >
> > > > > > > > > > Joe,
> > > > > > > > > >
> > > > > > > > > > Thanks for starting this discussion. Moving forward with a 1.15.1 patch
> > > > > > > > > > release sounds like the best path forward.
> > > > > > > > > >
> > > > > > > > > > Regards,
> > > > > > > > > > David Handermann
> > > > > > > > > >
> > > > > > > > > > On Mon, Dec 13, 2021 at 7:49 AM Joe Witt <jo...@gmail.com> wrote:
> > > > > > > > > >
> > > > > > > > > > > Team
> > > > > > > > > > >
> > > > > > > > > > > We still don't think we are vulnerable but this now highly risky library is
> > > > > > > > > > > present.  We have PRs to eliminate it/main is fixed.   I think we should do
> > > > > > > > > > > a 24 hour 1.15.1 release/vote for it.   It will eliminate concerns for
> > > > > > > > > > > users.   We are frankly pretty close to a 1.16 release at this point as
> > > > > > > > > > > well it seems but can circle back.
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > Any different views on 1.15.1?
> > > > > > > > > > >
> > > > > > > > > > > Thanks
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >

Re: discuss: do a nifi 1.15.1 release to eliminate log4shell concern

Posted by Joe Witt <jo...@gmail.com>.
Team,

Still planning to do this but need a few more days on my end to have
time for the RC generation pieces.

Thanks

On Tue, Jan 4, 2022 at 9:43 AM Joe Witt <jo...@gmail.com> wrote:
>
> Team,
>
> Looking like it would be helpful to kick out a 1.15.3 to ensure build
> works when building optional nars due to logging updates, fixes SFTP
> behavior, fixes regression with GCP, etc.
>
> I might kick this out but probably won't attempt to generate the RC
> until this weekend.
>
> Thanks
>
> On Wed, Dec 22, 2021 at 5:21 PM Joe Witt <jo...@gmail.com> wrote:
> >
> > Team
> >
> > As you saw the vote for 1.15.2 has passed.  Thanks all.  However, I am
> > holding off sending the announce thread and such because I can't get
> > the website updated for some reason.  It appears to be not unique to
> > us as reported in
> > https://issues.apache.org/jira/projects/INFRA/issues/INFRA-22647?filter=allopenissues.
> > I've also reported in ASF INFRA slack so we'll see.  Once sorted will
> > wrap the final announce thread up.
> >
> > Thanks
> >
> > On Mon, Dec 20, 2021 at 10:19 AM Joe Witt <jo...@gmail.com> wrote:
> > >
> > > ...sooooo 1.15.1 was fun.  But there is another log4j 2.x
> > > vulnerability reported.  While we remain minimally exposed we should
> > > just get this over with totally.  There are changes on main now which
> > > eliminate the usage of log4j 2.x core entirely and block usage of it
> > > going forward.  Components can still use log4j as they always could
> > > but they must bridge to slf4j using the proper dependencies as they
> > > always should have anyway.  We have the latest logback.  All logs
> > > should route to slf4j which we then actually write out using logback.
> > >
> > > So I'm going to go ahead and kick off a 1.15.2 to let us get this
> > > resolved formally and help alleviate concerns folks tend to have now
> > > around logging related vulnerabilities.
> > >
> > > Thanks
> > >
> > > On Mon, Dec 13, 2021 at 10:08 PM Joe Witt <jo...@gmail.com> wrote:
> > > >
> > > > Here are the JIRAs I grabbed from the 1.16/main line to pull into
> > > > 1.15.1 in addition.
> > > >
> > > > https://issues.apache.org/jira/browse/NIFI-9480?jql=project%20%3D%20NIFI%20AND%20fixVersion%20%3D%201.15.1
> > > >
> > > > Thanks
> > > >
> > > > On Mon, Dec 13, 2021 at 10:08 PM Joe Witt <jo...@gmail.com> wrote:
> > > > >
> > > > > Goodness.  Two RC build release processes have failed a couple hours
> > > > > into it due to apparent network/availability issues while sending
> > > > > artifacts to repository.apache.org.  I can only assume they're getting
> > > > > hit with a lot of projects trying to do a lot of uploads and such.
> > > > > Will try again in a bit/first thing in AM.  Once we can get a
> > > > > successful build up I might suggest we do what log4j has done and
> > > > > simply open the vote long enough to get enough binding +1 votes and
> > > > > get this out there.
> > > > >
> > > > > Thanks
> > > > >
> > > > > On Mon, Dec 13, 2021 at 10:04 AM Joe Witt <jo...@gmail.com> wrote:
> > > > > >
> > > > > > Thanks - will roll with that
> > > > > >
> > > > > > On Mon, Dec 13, 2021 at 10:03 AM David Handermann
> > > > > > <ex...@apache.org> wrote:
> > > > > > >
> > > > > > > PR 5598 for NIFI-9474 is now merged into the main branch, which streamlines
> > > > > > > version updates to Log4j 2 dependencies.  It also excludes log4j-core older
> > > > > > > than 2.15.0 from build artifacts, so this should provide a good basis for a
> > > > > > > patch release.
> > > > > > >
> > > > > > > https://github.com/apache/nifi/pull/5598
> > > > > > >
> > > > > > > Regards,
> > > > > > > David Handermann
> > > > > > >
> > > > > > > On Mon, Dec 13, 2021 at 10:44 AM Chris Sampson
> > > > > > > <ch...@naimuri.com.invalid> wrote:
> > > > > > >
> > > > > > > > I'd agree. The discussions in Slack and separate user mailing list thread
> > > > > > > > are a reassurance for users (who read them), but a patch for the current
> > > > > > > > 1.15 branch would seem sensible for people to pick up and assuage any
> > > > > > > > remaining security concerns they may have around the library.
> > > > > > > >
> > > > > > > > That leaves 1.16 a little longer to get more good stuff merged in for the
> > > > > > > > next feature release.
> > > > > > > >
> > > > > > > >
> > > > > > > > Cheers,
> > > > > > > >
> > > > > > > > Chris Sampson
> > > > > > > >
> > > > > > > > On Mon, 13 Dec 2021, 14:19 David Handermann, <ex...@apache.org>
> > > > > > > > wrote:
> > > > > > > >
> > > > > > > > > Joe,
> > > > > > > > >
> > > > > > > > > Thanks for starting this discussion. Moving forward with a 1.15.1 patch
> > > > > > > > > release sounds like the best path forward.
> > > > > > > > >
> > > > > > > > > Regards,
> > > > > > > > > David Handermann
> > > > > > > > >
> > > > > > > > > On Mon, Dec 13, 2021 at 7:49 AM Joe Witt <jo...@gmail.com> wrote:
> > > > > > > > >
> > > > > > > > > > Team
> > > > > > > > > >
> > > > > > > > > > We still don't think we are vulnerable but this now highly risky library is
> > > > > > > > > > present.  We have PRs to eliminate it/main is fixed.   I think we should do
> > > > > > > > > > a 24 hour 1.15.1 release/vote for it.   It will eliminate concerns for
> > > > > > > > > > users.   We are frankly pretty close to a 1.16 release at this point as
> > > > > > > > > > well it seems but can circle back.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Any different views on 1.15.1?
> > > > > > > > > >
> > > > > > > > > > Thanks
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >

Re: discuss: do a nifi 1.15.1 release to eliminate log4shell concern

Posted by Joe Witt <jo...@gmail.com>.
Team,

Looking like it would be helpful to kick out a 1.15.3 to ensure build
works when building optional nars due to logging updates, fixes SFTP
behavior, fixes regression with GCP, etc.

I might kick this out but probably won't attempt to generate the RC
until this weekend.

Thanks

On Wed, Dec 22, 2021 at 5:21 PM Joe Witt <jo...@gmail.com> wrote:
>
> Team
>
> As you saw the vote for 1.15.2 has passed.  Thanks all.  However, I am
> holding off sending the announce thread and such because I can't get
> the website updated for some reason.  It appears to be not unique to
> us as reported in
> https://issues.apache.org/jira/projects/INFRA/issues/INFRA-22647?filter=allopenissues.
> I've also reported in ASF INFRA slack so we'll see.  Once sorted will
> wrap the final announce thread up.
>
> Thanks
>
> On Mon, Dec 20, 2021 at 10:19 AM Joe Witt <jo...@gmail.com> wrote:
> >
> > ...sooooo 1.15.1 was fun.  But there is another log4j 2.x
> > vulnerability reported.  While we remain minimally exposed we should
> > just get this over with totally.  There are changes on main now which
> > eliminate the usage of log4j 2.x core entirely and block usage of it
> > going forward.  Components can still use log4j as they always could
> > but they must bridge to slf4j using the proper dependencies as they
> > always should have anyway.  We have the latest logback.  All logs
> > should route to slf4j which we then actually write out using logback.
> >
> > So I'm going to go ahead and kick off a 1.15.2 to let us get this
> > resolved formally and help alleviate concerns folks tend to have now
> > around logging related vulnerabilities.
> >
> > Thanks
> >
> > On Mon, Dec 13, 2021 at 10:08 PM Joe Witt <jo...@gmail.com> wrote:
> > >
> > > Here are the JIRAs I grabbed from the 1.16/main line to pull into
> > > 1.15.1 in addition.
> > >
> > > https://issues.apache.org/jira/browse/NIFI-9480?jql=project%20%3D%20NIFI%20AND%20fixVersion%20%3D%201.15.1
> > >
> > > Thanks
> > >
> > > On Mon, Dec 13, 2021 at 10:08 PM Joe Witt <jo...@gmail.com> wrote:
> > > >
> > > > Goodness.  Two RC build release processes have failed a couple hours
> > > > into it due to apparent network/availability issues while sending
> > > > artifacts to repository.apache.org.  I can only assume they're getting
> > > > hit with a lot of projects trying to do a lot of uploads and such.
> > > > Will try again in a bit/first thing in AM.  Once we can get a
> > > > successful build up I might suggest we do what log4j has done and
> > > > simply open the vote long enough to get enough binding +1 votes and
> > > > get this out there.
> > > >
> > > > Thanks
> > > >
> > > > On Mon, Dec 13, 2021 at 10:04 AM Joe Witt <jo...@gmail.com> wrote:
> > > > >
> > > > > Thanks - will roll with that
> > > > >
> > > > > On Mon, Dec 13, 2021 at 10:03 AM David Handermann
> > > > > <ex...@apache.org> wrote:
> > > > > >
> > > > > > PR 5598 for NIFI-9474 is now merged into the main branch, which streamlines
> > > > > > version updates to Log4j 2 dependencies.  It also excludes log4j-core older
> > > > > > than 2.15.0 from build artifacts, so this should provide a good basis for a
> > > > > > patch release.
> > > > > >
> > > > > > https://github.com/apache/nifi/pull/5598
> > > > > >
> > > > > > Regards,
> > > > > > David Handermann
> > > > > >
> > > > > > On Mon, Dec 13, 2021 at 10:44 AM Chris Sampson
> > > > > > <ch...@naimuri.com.invalid> wrote:
> > > > > >
> > > > > > > I'd agree. The discussions in Slack and separate user mailing list thread
> > > > > > > are a reassurance for users (who read them), but a patch for the current
> > > > > > > 1.15 branch would seem sensible for people to pick up and assuage any
> > > > > > > remaining security concerns they may have around the library.
> > > > > > >
> > > > > > > That leaves 1.16 a little longer to get more good stuff merged in for the
> > > > > > > next feature release.
> > > > > > >
> > > > > > >
> > > > > > > Cheers,
> > > > > > >
> > > > > > > Chris Sampson
> > > > > > >
> > > > > > > On Mon, 13 Dec 2021, 14:19 David Handermann, <ex...@apache.org>
> > > > > > > wrote:
> > > > > > >
> > > > > > > > Joe,
> > > > > > > >
> > > > > > > > Thanks for starting this discussion. Moving forward with a 1.15.1 patch
> > > > > > > > release sounds like the best path forward.
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > > David Handermann
> > > > > > > >
> > > > > > > > On Mon, Dec 13, 2021 at 7:49 AM Joe Witt <jo...@gmail.com> wrote:
> > > > > > > >
> > > > > > > > > Team
> > > > > > > > >
> > > > > > > > > We still don't think we are vulnerable but this now highly risky library is
> > > > > > > > > present.  We have PRs to eliminate it/main is fixed.   I think we should do
> > > > > > > > > a 24 hour 1.15.1 release/vote for it.   It will eliminate concerns for
> > > > > > > > > users.   We are frankly pretty close to a 1.16 release at this point as
> > > > > > > > > well it seems but can circle back.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Any different views on 1.15.1?
> > > > > > > > >
> > > > > > > > > Thanks
> > > > > > > > >
> > > > > > > >
> > > > > > >

Re: discuss: do a nifi 1.15.1 release to eliminate log4shell concern

Posted by Joe Witt <jo...@gmail.com>.
Team

As you saw the vote for 1.15.2 has passed.  Thanks all.  However, I am
holding off sending the announce thread and such because I can't get
the website updated for some reason.  It appears to be not unique to
us as reported in
https://issues.apache.org/jira/projects/INFRA/issues/INFRA-22647?filter=allopenissues.
I've also reported in ASF INFRA slack so we'll see.  Once sorted will
wrap the final announce thread up.

Thanks

On Mon, Dec 20, 2021 at 10:19 AM Joe Witt <jo...@gmail.com> wrote:
>
> ...sooooo 1.15.1 was fun.  But there is another log4j 2.x
> vulnerability reported.  While we remain minimally exposed we should
> just get this over with totally.  There are changes on main now which
> eliminate the usage of log4j 2.x core entirely and block usage of it
> going forward.  Components can still use log4j as they always could
> but they must bridge to slf4j using the proper dependencies as they
> always should have anyway.  We have the latest logback.  All logs
> should route to slf4j which we then actually write out using logback.
>
> So I'm going to go ahead and kick off a 1.15.2 to let us get this
> resolved formally and help alleviate concerns folks tend to have now
> around logging related vulnerabilities.
>
> Thanks
>
> On Mon, Dec 13, 2021 at 10:08 PM Joe Witt <jo...@gmail.com> wrote:
> >
> > Here are the JIRAs I grabbed from the 1.16/main line to pull into
> > 1.15.1 in addition.
> >
> > https://issues.apache.org/jira/browse/NIFI-9480?jql=project%20%3D%20NIFI%20AND%20fixVersion%20%3D%201.15.1
> >
> > Thanks
> >
> > On Mon, Dec 13, 2021 at 10:08 PM Joe Witt <jo...@gmail.com> wrote:
> > >
> > > Goodness.  Two RC build release processes have failed a couple hours
> > > into it due to apparent network/availability issues while sending
> > > artifacts to repository.apache.org.  I can only assume they're getting
> > > hit with a lot of projects trying to do a lot of uploads and such.
> > > Will try again in a bit/first thing in AM.  Once we can get a
> > > successful build up I might suggest we do what log4j has done and
> > > simply open the vote long enough to get enough binding +1 votes and
> > > get this out there.
> > >
> > > Thanks
> > >
> > > On Mon, Dec 13, 2021 at 10:04 AM Joe Witt <jo...@gmail.com> wrote:
> > > >
> > > > Thanks - will roll with that
> > > >
> > > > On Mon, Dec 13, 2021 at 10:03 AM David Handermann
> > > > <ex...@apache.org> wrote:
> > > > >
> > > > > PR 5598 for NIFI-9474 is now merged into the main branch, which streamlines
> > > > > version updates to Log4j 2 dependencies.  It also excludes log4j-core older
> > > > > than 2.15.0 from build artifacts, so this should provide a good basis for a
> > > > > patch release.
> > > > >
> > > > > https://github.com/apache/nifi/pull/5598
> > > > >
> > > > > Regards,
> > > > > David Handermann
> > > > >
> > > > > On Mon, Dec 13, 2021 at 10:44 AM Chris Sampson
> > > > > <ch...@naimuri.com.invalid> wrote:
> > > > >
> > > > > > I'd agree. The discussions in Slack and separate user mailing list thread
> > > > > > are a reassurance for users (who read them), but a patch for the current
> > > > > > 1.15 branch would seem sensible for people to pick up and assuage any
> > > > > > remaining security concerns they may have around the library.
> > > > > >
> > > > > > That leaves 1.16 a little longer to get more good stuff merged in for the
> > > > > > next feature release.
> > > > > >
> > > > > >
> > > > > > Cheers,
> > > > > >
> > > > > > Chris Sampson
> > > > > >
> > > > > > On Mon, 13 Dec 2021, 14:19 David Handermann, <ex...@apache.org>
> > > > > > wrote:
> > > > > >
> > > > > > > Joe,
> > > > > > >
> > > > > > > Thanks for starting this discussion. Moving forward with a 1.15.1 patch
> > > > > > > release sounds like the best path forward.
> > > > > > >
> > > > > > > Regards,
> > > > > > > David Handermann
> > > > > > >
> > > > > > > On Mon, Dec 13, 2021 at 7:49 AM Joe Witt <jo...@gmail.com> wrote:
> > > > > > >
> > > > > > > > Team
> > > > > > > >
> > > > > > > > We still don't think we are vulnerable but this now highly risky library is
> > > > > > > > present.  We have PRs to eliminate it/main is fixed.   I think we should do
> > > > > > > > a 24 hour 1.15.1 release/vote for it.   It will eliminate concerns for
> > > > > > > > users.   We are frankly pretty close to a 1.16 release at this point as
> > > > > > > > well it seems but can circle back.
> > > > > > > >
> > > > > > > >
> > > > > > > > Any different views on 1.15.1?
> > > > > > > >
> > > > > > > > Thanks
> > > > > > > >
> > > > > > >
> > > > > >

Re: discuss: do a nifi 1.15.1 release to eliminate log4shell concern

Posted by Joe Witt <jo...@gmail.com>.
...sooooo 1.15.1 was fun.  But there is another log4j 2.x
vulnerability reported.  While we remain minimally exposed we should
just get this over with totally.  There are changes on main now which
eliminate the usage of log4j 2.x core entirely and block usage of it
going forward.  Components can still use log4j as they always could
but they must bridge to slf4j using the proper dependencies as they
always should have anyway.  We have the latest logback.  All logs
should route to slf4j which we then actually write out using logback.

So I'm going to go ahead and kick off a 1.15.2 to let us get this
resolved formally and help alleviate concerns folks tend to have now
around logging related vulnerabilities.

Thanks

On Mon, Dec 13, 2021 at 10:08 PM Joe Witt <jo...@gmail.com> wrote:
>
> Here are the JIRAs I grabbed from the 1.16/main line to pull into
> 1.15.1 in addition.
>
> https://issues.apache.org/jira/browse/NIFI-9480?jql=project%20%3D%20NIFI%20AND%20fixVersion%20%3D%201.15.1
>
> Thanks
>
> On Mon, Dec 13, 2021 at 10:08 PM Joe Witt <jo...@gmail.com> wrote:
> >
> > Goodness.  Two RC build release processes have failed a couple hours
> > into it due to apparent network/availability issues while sending
> > artifacts to repository.apache.org.  I can only assume they're getting
> > hit with a lot of projects trying to do a lot of uploads and such.
> > Will try again in a bit/first thing in AM.  Once we can get a
> > successful build up I might suggest we do what log4j has done and
> > simply open the vote long enough to get enough binding +1 votes and
> > get this out there.
> >
> > Thanks
> >
> > On Mon, Dec 13, 2021 at 10:04 AM Joe Witt <jo...@gmail.com> wrote:
> > >
> > > Thanks - will roll with that
> > >
> > > On Mon, Dec 13, 2021 at 10:03 AM David Handermann
> > > <ex...@apache.org> wrote:
> > > >
> > > > PR 5598 for NIFI-9474 is now merged into the main branch, which streamlines
> > > > version updates to Log4j 2 dependencies.  It also excludes log4j-core older
> > > > than 2.15.0 from build artifacts, so this should provide a good basis for a
> > > > patch release.
> > > >
> > > > https://github.com/apache/nifi/pull/5598
> > > >
> > > > Regards,
> > > > David Handermann
> > > >
> > > > On Mon, Dec 13, 2021 at 10:44 AM Chris Sampson
> > > > <ch...@naimuri.com.invalid> wrote:
> > > >
> > > > > I'd agree. The discussions in Slack and separate user mailing list thread
> > > > > are a reassurance for users (who read them), but a patch for the current
> > > > > 1.15 branch would seem sensible for people to pick up and assuage any
> > > > > remaining security concerns they may have around the library.
> > > > >
> > > > > That leaves 1.16 a little longer to get more good stuff merged in for the
> > > > > next feature release.
> > > > >
> > > > >
> > > > > Cheers,
> > > > >
> > > > > Chris Sampson
> > > > >
> > > > > On Mon, 13 Dec 2021, 14:19 David Handermann, <ex...@apache.org>
> > > > > wrote:
> > > > >
> > > > > > Joe,
> > > > > >
> > > > > > Thanks for starting this discussion. Moving forward with a 1.15.1 patch
> > > > > > release sounds like the best path forward.
> > > > > >
> > > > > > Regards,
> > > > > > David Handermann
> > > > > >
> > > > > > On Mon, Dec 13, 2021 at 7:49 AM Joe Witt <jo...@gmail.com> wrote:
> > > > > >
> > > > > > > Team
> > > > > > >
> > > > > > > We still don't think we are vulnerable but this now highly risky library is
> > > > > > > present.  We have PRs to eliminate it/main is fixed.   I think we should do
> > > > > > > a 24 hour 1.15.1 release/vote for it.   It will eliminate concerns for
> > > > > > > users.   We are frankly pretty close to a 1.16 release at this point as
> > > > > > > well it seems but can circle back.
> > > > > > >
> > > > > > >
> > > > > > > Any different views on 1.15.1?
> > > > > > >
> > > > > > > Thanks
> > > > > > >
> > > > > >
> > > > >
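
The logging layout Joe describes above (components may still call the Log4j 2 API, but those calls are bridged to slf4j and written out by logback, with log4j-core kept out of the build, which is also what David's note about excluding log4j-core from the build artifacts aims at), expressed as a Maven fragment. This is an added example, not NiFi's pom.xml or the contents of PR 5598: the version properties, the `com.example:example-client` dependency and the enforcer execution id are assumptions, while the artifact coordinates are the standard ones for Log4j 2, Logback and the Maven Enforcer plugin.

```xml
<!-- Added example, not NiFi's own pom.xml: routes Log4j 2 API calls to
     SLF4J/Logback and fails the build if log4j-core is reintroduced.
     All version properties below are placeholders. -->
<project>
  <properties>
    <!-- placeholders: set these to the versions your build actually uses -->
    <log4j.version>REPLACE_WITH_LOG4J_VERSION</log4j.version>
    <logback.version>REPLACE_WITH_LOGBACK_VERSION</logback.version>
    <enforcer.version>REPLACE_WITH_ENFORCER_VERSION</enforcer.version>
  </properties>

  <dependencies>
    <!-- Components that still log through the Log4j 2 API only need log4j-api... -->
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId>
      <version>${log4j.version}</version>
    </dependency>
    <!-- ...plus the log4j-to-slf4j bridge, which forwards those calls to SLF4J.
         With the bridge in place log4j-core is never needed on the classpath. -->
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-to-slf4j</artifactId>
      <version>${log4j.version}</version>
    </dependency>
    <!-- SLF4J output is actually written by Logback. -->
    <dependency>
      <groupId>ch.qos.logback</groupId>
      <artifactId>logback-classic</artifactId>
      <version>${logback.version}</version>
    </dependency>

    <!-- Hypothetical third-party dependency that pulls log4j-core in transitively:
         exclude the implementation so the bridge is the only Log4j "impl" present. -->
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>example-client</artifactId>
      <version>1.0.0</version>
      <exclusions>
        <exclusion>
          <groupId>org.apache.logging.log4j</groupId>
          <artifactId>log4j-core</artifactId>
        </exclusion>
        <exclusion>
          <groupId>org.apache.logging.log4j</groupId>
          <artifactId>log4j-slf4j-impl</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- Block usage going forward: the build fails if any module brings back
           log4j-core, or the log4j-slf4j-impl binding (which would send SLF4J
           back into log4j-core and loop with log4j-to-slf4j). -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>${enforcer.version}</version>
        <executions>
          <execution>
            <id>ban-log4j-core</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <excludes>
                    <exclude>org.apache.logging.log4j:log4j-core</exclude>
                    <exclude>org.apache.logging.log4j:log4j-slf4j-impl</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

The enforcer rule covers transitive dependencies too, so a new connector that drags log4j-core in through a client library fails at build time instead of landing in a NAR. To see where a banned artifact is coming from before adding an exclusion, `mvn dependency:tree -Dincludes=org.apache.logging.log4j:log4j-core` prints only the paths that lead to it.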

Re: discuss: do a nifi 1.15.1 release to eliminate log4shell concern

Posted by Joe Witt <jo...@gmail.com>.
Here are the JIRAs I grabbed from the 1.16/main line to pull into
1.15.1 in addition.

https://issues.apache.org/jira/browse/NIFI-9480?jql=project%20%3D%20NIFI%20AND%20fixVersion%20%3D%201.15.1

Thanks

On Mon, Dec 13, 2021 at 10:08 PM Joe Witt <jo...@gmail.com> wrote:
>
> Goodness.  Two RC build release processes have failed a couple hours
> into it due to apparent network/availability issues while sending
> artifacts to repository.apache.org.  I can only assume they're getting
> hit with a lot of projects trying to do a lot of uploads and such.
> Will try again in a bit/first thing in AM.  Once we can get a
> successful build up I might suggest we do what log4j has done and
> simply open the vote long enough to get enough binding +1 votes and
> get this out there.
>
> Thanks
>
> On Mon, Dec 13, 2021 at 10:04 AM Joe Witt <jo...@gmail.com> wrote:
> >
> > Thanks - will roll with that
> >
> > On Mon, Dec 13, 2021 at 10:03 AM David Handermann
> > <ex...@apache.org> wrote:
> > >
> > > PR 5598 for NIFI-9474 is now merged into the main branch, which streamlines
> > > version updates to Log4j 2 dependencies.  It also excludes log4j-core older
> > > than 2.15.0 from build artifacts, so this should provide a good basis for a
> > > patch release.
> > >
> > > https://github.com/apache/nifi/pull/5598
> > >
> > > Regards,
> > > David Handermann
> > >
> > > On Mon, Dec 13, 2021 at 10:44 AM Chris Sampson
> > > <ch...@naimuri.com.invalid> wrote:
> > >
> > > > I'd agree. The discussions in Slack and separate user mailing list thread
> > > > are a reassurance for users (who read them), but a patch for the current
> > > > 1.15 branch would seem sensible for people to pick up and assuage any
> > > > remaining security concerns they may have around the library.
> > > >
> > > > That leaves 1.16 a little longer to get more good stuff merged in for the
> > > > next feature release.
> > > >
> > > >
> > > > Cheers,
> > > >
> > > > Chris Sampson
> > > >
> > > > On Mon, 13 Dec 2021, 14:19 David Handermann, <ex...@apache.org>
> > > > wrote:
> > > >
> > > > > Joe,
> > > > >
> > > > > Thanks for starting this discussion. Moving forward with a 1.15.1 patch
> > > > > release sounds like the best path forward.
> > > > >
> > > > > Regards,
> > > > > David Handermann
> > > > >
> > > > > On Mon, Dec 13, 2021 at 7:49 AM Joe Witt <jo...@gmail.com> wrote:
> > > > >
> > > > > > Team
> > > > > >
> > > > > > We still don't think we are vulnerable but this now highly risky library is
> > > > > > present.  We have PRs to eliminate it/main is fixed.   I think we should do
> > > > > > a 24 hour 1.15.1 release/vote for it.   It will eliminate concerns for
> > > > > > users.   We are frankly pretty close to a 1.16 release at this point as
> > > > > > well it seems but can circle back.
> > > > > >
> > > > > >
> > > > > > Any different views on 1.15.1?
> > > > > >
> > > > > > Thanks
> > > > > >
> > > > >
> > > >

Re: discuss: do a nifi 1.15.1 release to eliminate log4shell concern

Posted by Joe Witt <jo...@gmail.com>.
Goodness.  Two RC build release processes have failed a couple hours
into it due to apparent network/availability issues while sending
artifacts to repository.apache.org.  I can only assume they're getting
hit with a lot of projects trying to do a lot of uploads and such.
Will try again in a bit/first thing in AM.  Once we can get a
successful build up I might suggest we do what log4j has done and
simply open the vote long enough to get enough binding +1 votes and
get this out there.

Thanks

On Mon, Dec 13, 2021 at 10:04 AM Joe Witt <jo...@gmail.com> wrote:
>
> Thanks - will roll with that
>
> On Mon, Dec 13, 2021 at 10:03 AM David Handermann
> <ex...@apache.org> wrote:
> >
> > PR 5598 for NIFI-9474 is now merged into the main branch, which streamlines
> > version updates to Log4j 2 dependencies.  It also excludes log4j-core older
> > than 2.15.0 from build artifacts, so this should provide a good basis for a
> > patch release.
> >
> > https://github.com/apache/nifi/pull/5598
> >
> > Regards,
> > David Handermann
> >
> > On Mon, Dec 13, 2021 at 10:44 AM Chris Sampson
> > <ch...@naimuri.com.invalid> wrote:
> >
> > > I'd agree. The discussions in Slack and separate user mailing list thread
> > > are a reassurance for users (who read them), but a patch for the current
> > > 1.15 branch would seem sensible for people to pick up and assuage any
> > > remaining security concerns they may have around the library.
> > >
> > > That leaves 1.16 a little longer to get more good stuff merged in for the
> > > next feature release.
> > >
> > >
> > > Cheers,
> > >
> > > Chris Sampson
> > >
> > > On Mon, 13 Dec 2021, 14:19 David Handermann, <ex...@apache.org>
> > > wrote:
> > >
> > > > Joe,
> > > >
> > > > Thanks for starting this discussion. Moving forward with a 1.15.1 patch
> > > > release sounds like the best path forward.
> > > >
> > > > Regards,
> > > > David Handermann
> > > >
> > > > On Mon, Dec 13, 2021 at 7:49 AM Joe Witt <jo...@gmail.com> wrote:
> > > >
> > > > > Team
> > > > >
> > > > > We still don't think we are vulnerable but this now highly risky library is
> > > > > present.  We have PRs to eliminate it/main is fixed.   I think we should do
> > > > > a 24 hour 1.15.1 release/vote for it.   It will eliminate concerns for
> > > > > users.   We are frankly pretty close to a 1.16 release at this point as
> > > > > well it seems but can circle back.
> > > > >
> > > > >
> > > > > Any different views on 1.15.1?
> > > > >
> > > > > Thanks
> > > > >
> > > >
> > >

Re: discuss: do a nifi 1.15.1 release to eliminate log4shell concern

Posted by Joe Witt <jo...@gmail.com>.
Thanks - will roll with that

On Mon, Dec 13, 2021 at 10:03 AM David Handermann
<ex...@apache.org> wrote:
>
> PR 5598 for NIFI-9474 is now merged into the main branch, which streamlines
> version updates to Log4j 2 dependencies.  It also excludes log4j-core older
> than 2.15.0 from build artifacts, so this should provide a good basis for a
> patch release.
>
> https://github.com/apache/nifi/pull/5598
>
> Regards,
> David Handermann
>
> On Mon, Dec 13, 2021 at 10:44 AM Chris Sampson
> <ch...@naimuri.com.invalid> wrote:
>
> > I'd agree. The discussions in Slack and separate user mailing list thread
> > are a reassurance for users (who read them), but a patch for the current
> > 1.15 branch would seem sensible for people to pick up and assuage any
> > remaining security concerns they may have around the library.
> >
> > That leaves 1.16 a little longer to get more good stuff merged in for the
> > next feature release.
> >
> >
> > Cheers,
> >
> > Chris Sampson
> >
> > On Mon, 13 Dec 2021, 14:19 David Handermann, <ex...@apache.org>
> > wrote:
> >
> > > Joe,
> > >
> > > Thanks for starting this discussion. Moving forward with a 1.15.1 patch
> > > release sounds like the best path forward.
> > >
> > > Regards,
> > > David Handermann
> > >
> > > On Mon, Dec 13, 2021 at 7:49 AM Joe Witt <jo...@gmail.com> wrote:
> > >
> > > > Team
> > > >
> > > > We still don't think we are vulnerable but this now highly risky library is
> > > > present.  We have PRs to eliminate it/main is fixed.   I think we should do
> > > > a 24 hour 1.15.1 release/vote for it.   It will eliminate concerns for
> > > > users.   We are frankly pretty close to a 1.16 release at this point as
> > > > well it seems but can circle back.
> > > >
> > > >
> > > > Any different views on 1.15.1?
> > > >
> > > > Thanks
> > > >
> > >
> >

Re: discuss: do a nifi 1.15.1 release to eliminate log4shell concern

Posted by David Handermann <ex...@apache.org>.
PR 5598 for NIFI-9474 is now merged into the main branch, which streamlines
version updates to Log4j 2 dependencies.  It also excludes log4j-core older
than 2.15.0 from build artifacts, so this should provide a good basis for a
patch release.

https://github.com/apache/nifi/pull/5598

Regards,
David Handermann

On Mon, Dec 13, 2021 at 10:44 AM Chris Sampson
<ch...@naimuri.com.invalid> wrote:

> I'd agree. The discussions in Slack and separate user mailing list thread
> are a reassurance for users (who read them), but a patch for the current
> 1.15 branch would seem sensible for people to pick up and assuage any
> remaining security concerns they may have around the library.
>
> That leaves 1.16 a little longer to get more good stuff merged in for the
> next feature release.
>
>
> Cheers,
>
> Chris Sampson
>
> On Mon, 13 Dec 2021, 14:19 David Handermann, <ex...@apache.org>
> wrote:
>
> > Joe,
> >
> > Thanks for starting this discussion. Moving forward with a 1.15.1 patch
> > release sounds like the best path forward.
> >
> > Regards,
> > David Handermann
> >
> > On Mon, Dec 13, 2021 at 7:49 AM Joe Witt <jo...@gmail.com> wrote:
> >
> > > Team
> > >
> > > We still don't think we are vulnerable but this now highly risky library is
> > > present.  We have PRs to eliminate it/main is fixed.   I think we should do
> > > a 24 hour 1.15.1 release/vote for it.   It will eliminate concerns for
> > > users.   We are frankly pretty close to a 1.16 release at this point as
> > > well it seems but can circle back.
> > >
> > >
> > > Any different views on 1.15.1?
> > >
> > > Thanks
> > >
> >
>
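
As an added example (not code from this thread or from the NiFi project), here is a release-side check for the artifact property David describes: it opens each built NAR or JAR as a zip and flags any bundled log4j-core older than a minimum version, 2.15.0 being the floor the thread names. The META-INF/bundled-dependencies layout is NiFi's NAR convention; the sample archive is constructed inline.

```python
import io
import re
import zipfile
from pathlib import Path

# Minimum acceptable log4j-core version; 2.15.0 is the floor named in the
# thread. Raise it to whatever the current Log4j advisory requires.
MIN_LOG4J_CORE = (2, 15, 0)

# Matches e.g. "META-INF/bundled-dependencies/log4j-core-2.14.1.jar".
LOG4J_CORE_RE = re.compile(r"(?:^|/)log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def bundled_log4j_core_versions(archive_bytes):
    """Return every log4j-core version tuple found inside a NAR or JAR (a zip)."""
    # NiFi NARs keep dependencies under META-INF/bundled-dependencies/; the regex
    # ignores the directory, so shaded or fat jars are handled the same way.
    versions = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            match = LOG4J_CORE_RE.search(name)
            if match:
                versions.append(tuple(int(g) for g in match.groups()))
    return versions


def outdated_log4j_core(archive_bytes, minimum=MIN_LOG4J_CORE):
    """Return dotted versions of bundled log4j-core jars older than `minimum`."""
    return [".".join(map(str, v)) for v in bundled_log4j_core_versions(archive_bytes) if v < minimum]


def scan_directory(root, minimum=MIN_LOG4J_CORE):
    """Map each .nar/.jar under `root` to the outdated log4j-core versions it bundles."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in (".nar", ".jar"):
            bad = outdated_log4j_core(path.read_bytes(), minimum)
            if bad:
                findings[str(path)] = bad
    return findings


def make_sample_nar(embedded_jar_names):
    """Constructed sample input: a NAR-shaped zip holding empty embedded jars."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for jar in embedded_jar_names:
            zf.writestr("META-INF/bundled-dependencies/" + jar, b"")
    return buf.getvalue()
```

Run `scan_directory` against the unpacked convenience binary's lib directory before a vote; an empty result means no bundled log4j-core is below the floor.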

Re: discuss: do a nifi 1.15.1 release to eliminate log4shell concern

Posted by Chris Sampson <ch...@naimuri.com.INVALID>.
I'd agree. The discussions in Slack and separate user mailing list thread
are a reassurance for users (who read them), but a patch for the current
1.15 branch would seem sensible for people to pick up and assuage any
remaining security concerns they may have around the library.

That leaves 1.16 a little longer to get more good stuff merged in for the
next feature release.


Cheers,

Chris Sampson

On Mon, 13 Dec 2021, 14:19 David Handermann, <ex...@apache.org>
wrote:

> Joe,
>
> Thanks for starting this discussion. Moving forward with a 1.15.1 patch
> release sounds like the best path forward.
>
> Regards,
> David Handermann
>
> On Mon, Dec 13, 2021 at 7:49 AM Joe Witt <jo...@gmail.com> wrote:
>
> > Team
> >
> > We still don't think we are vulnerable but this now highly risky library is
> > present.  We have PRs to eliminate it/main is fixed.   I think we should do
> > a 24 hour 1.15.1 release/vote for it.   It will eliminate concerns for
> > users.   We are frankly pretty close to a 1.16 release at this point as
> > well it seems but can circle back.
> >
> >
> > Any different views on 1.15.1?
> >
> > Thanks
> >
>

Re: discuss: do a nifi 1.15.1 release to eliminate log4shell concern

Posted by David Handermann <ex...@apache.org>.
Joe,

Thanks for starting this discussion. Moving forward with a 1.15.1 patch
release sounds like the best path forward.

Regards,
David Handermann

On Mon, Dec 13, 2021 at 7:49 AM Joe Witt <jo...@gmail.com> wrote:

> Team
>
> We still don't think we are vulnerable but this now highly risky library is
> present.  We have PRs to eliminate it/main is fixed.   I think we should do
> a 24 hour 1.15.1 release/vote for it.   It will eliminate concerns for
> users.   We are frankly pretty close to a 1.16 release at this point as
> well it seems but can circle back.
>
>
> Any different views on 1.15.1?
>
> Thanks
>