Posted to dev@daffodil.apache.org by Mike Beckerle <mb...@apache.org> on 2021/12/16 21:02:30 UTC

[VOTE] Release Apache Daffodil 3.2.1 (Urgent Patch Release)

Hi all,

I'd like to call a vote to release Apache Daffodil 3.2.1 and to do so
with an abbreviated approval cycle (to be used only for urgent patch
releases).

Your vote covers the release as usual, but also due to the urgency of
this patch release, you are also voting on these 4 deltas from our more
usual release process:

* You agree the patch release is urgent and this abbreviated approval
  cycle is warranted and appropriate.

* The DISCUSS email thread will be superseded by this VOTE thread.

* Shortened 48 hours of work-day time for lazy consensus on the VOTE

* A minimum of three +1 and zero -1 binding votes are needed

For a summary of the changes in this release, see the release notes page:

https://daffodil.apache.org/releases/3.2.1/

All distribution packages, including signatures, digests, etc. can be found at:

https://dist.apache.org/repos/dist/dev/daffodil/3.2.1-rc1/

Staging artifacts can be found at:

https://repository.apache.org/content/repositories/orgapachedaffodil-1026/

This release has been signed with PGP key 274B8F1413A680AF, corresponding
to mbeckerle@apache.org, which is included in the KEYS file here:

https://downloads.apache.org/daffodil/KEYS

The release candidate has been tagged in git with v3.2.1-rc1.

For reference, here is a list of all closed JIRAs tagged with 3.2.1:

https://s.apache.org/daffodil-issues-3.2.1

Please review and vote.

Per the abbreviated process, the vote will be open for 48 hours.
(Until Monday 20 December 2021 17:00 EST.US).

[ ] +1 approve the release, and this abbreviated release process
[ ] +0 no opinion
[ ] -1 disapprove of the release, or of this abbreviated release
       process (and reason why)

[RESULT] [VOTE] Release Apache Daffodil 3.2.1 (Urgent Patch Release) (RC2)

Posted by Mike Beckerle <mb...@apache.org>.
The vote passes with 4 +1 votes and no -1 votes.

Vote thread: https://lists.apache.org/thread/dclp867j38ttqtbtmtvmwokoyslnh59j

Thanks to all who evaluated the release candidate and voted.

I will now continue to finalize the release.

On Tue, Dec 21, 2021 at 10:21 AM Thompson, Dave
<dt...@owlcyberdefense.com> wrote:
>
> +1
>
> -  Verified v3.2.1 JIRA tickets have been verified/closed.
> -  Executed all daffodil sub-project SBT test suites on supported Java versions 8 and 17 without error.
> -  Executed compile/save each nightly run schema on supported Java versions 8 and 17 without error.
> -  Executed the nightly performance test suite on supported Java versions 8 and 17 without error.
> -  Executed dfdl-schema repo sub-module SBT test suite on supported Java versions 8 and 17 without errors.
>
> -----Original Message-----
> From: Mike Beckerle
> Sent: Monday, December 20, 2021 1:23 PM
> To: dev@daffodil.apache.org
> Subject: [VOTE] Release Apache Daffodil 3.2.1 (Urgent Patch Release) (RC2)
>
> (This is the re-vote for 3.2.1-rc2, as rc1 vote was cancelled.)
>
> Hi all,
>
> I'd like to call a vote to release Apache Daffodil 3.2.1 (RC2) and to do so with an abbreviated approval cycle (to be used only for urgent patch releases).
>
> Your vote covers the release as usual, but also due to the urgency of this patch release, you are also voting on these 4 deltas from our more usual release process:
>
> * You agree the patch release is urgent and this abbreviated approval
>   cycle is warranted and appropriate.
>
> * The DISCUSS email thread will be superseded by this (and prior) VOTE thread.
>
> * Shortened 48 hours of work-day time for lazy consensus on the VOTE
>
> * A minimum of three +1 and zero -1 binding votes are needed
>
> For a summary of the changes in this release, see the release notes page:
>
> https://daffodil.apache.org/releases/3.2.1/
>
> All distribution packages, including signatures, digests, etc. can be found at:
>
> https://dist.apache.org/repos/dist/dev/daffodil/3.2.1-rc2/
>
> Staging artifacts can be found at:
>
> https://repository.apache.org/content/repositories/orgapachedaffodil-1026/
>
> This release has been signed with PGP key 274B8F1413A680AF, corresponding to mbeckerle@apache.org, which is included in the KEYS file here:
>
> https://downloads.apache.org/daffodil/KEYS
>
> The release candidate has been tagged in git with v3.2.1-rc2.
>
> For reference, here is a list of all closed JIRAs tagged with 3.2.1:
>
> https://s.apache.org/daffodil-issues-3.2.1
>
> Please review and vote.
>
> Per the abbreviated process, the vote will be open for 48 hours.
> (Until Wednesday 22 December 2021 13:30 EST.US).
>
> [ ] +1 approve the release, and this abbreviated release process
> [ ] +0 no opinion
> [ ] -1 disapprove of the release, or of this abbreviated release
>        process (and reason why)

RE: [VOTE] Release Apache Daffodil 3.2.1 (Urgent Patch Release) (RC2)

Posted by "Thompson, Dave" <dt...@owlcyberdefense.com>.
+1

-  Verified v3.2.1 JIRA tickets have been verified/closed.
-  Executed all daffodil sub-project SBT test suites on supported Java versions 8 and 17 without error. 
-  Executed compile/save each nightly run schema on supported Java versions 8 and 17 without error.
-  Executed the nightly performance test suite on supported Java versions 8 and 17 without error.
-  Executed dfdl-schema repo sub-module SBT test suite on supported Java versions 8 and 17 without errors.

-----Original Message-----
From: Mike Beckerle 
Sent: Monday, December 20, 2021 1:23 PM
To: dev@daffodil.apache.org
Subject: [VOTE] Release Apache Daffodil 3.2.1 (Urgent Patch Release) (RC2)

(This is the re-vote for 3.2.1-rc2, as rc1 vote was cancelled.)

Hi all,

I'd like to call a vote to release Apache Daffodil 3.2.1 (RC2) and to do so with an abbreviated approval cycle (to be used only for urgent patch releases).

Your vote covers the release as usual, but also due to the urgency of this patch release, you are also voting on these 4 deltas from our more usual release process:

* You agree the patch release is urgent and this abbreviated approval
  cycle is warranted and appropriate.

* The DISCUSS email thread will be superseded by this (and prior) VOTE thread.

* Shortened 48 hours of work-day time for lazy consensus on the VOTE

* A minimum of three +1 and zero -1 binding votes are needed

For a summary of the changes in this release, see the release notes page:

https://daffodil.apache.org/releases/3.2.1/

All distribution packages, including signatures, digests, etc. can be found at:

https://dist.apache.org/repos/dist/dev/daffodil/3.2.1-rc2/

Staging artifacts can be found at:

https://repository.apache.org/content/repositories/orgapachedaffodil-1026/

This release has been signed with PGP key 274B8F1413A680AF, corresponding to mbeckerle@apache.org, which is included in the KEYS file here:

https://downloads.apache.org/daffodil/KEYS

The release candidate has been tagged in git with v3.2.1-rc2.

For reference, here is a list of all closed JIRAs tagged with 3.2.1:

https://s.apache.org/daffodil-issues-3.2.1

Please review and vote.

Per the abbreviated process, the vote will be open for 48 hours.
(Until Wednesday 22 December 2021 13:30 EST.US).

[ ] +1 approve the release, and this abbreviated release process
[ ] +0 no opinion
[ ] -1 disapprove of the release, or of this abbreviated release
       process (and reason why)

Re: [VOTE] Release Apache Daffodil 3.2.1 (Urgent Patch Release) (RC2)

Posted by Mike Beckerle <mb...@apache.org>.
+1

I repeated all the same tests I did for rc1.
I ran a script that downloads all the artifacts and checks the hashes.
I verified that 61 DFDL schemas still pass all their tests, which
includes PCAP and EthernetIP which compute IPv4 packet checksums.
I verified that 13 DFDL schemas still run on IBM DFDL, which verifies
that 3.2.1-rc2 works properly with the IBM cross-test rig, and the
schemas remain portable DFDL.



On Mon, Dec 20, 2021 at 1:22 PM Mike Beckerle <mb...@apache.org> wrote:
>
> (This is the re-vote for 3.2.1-rc2, as rc1 vote was cancelled.)
>
> Hi all,
>
> I'd like to call a vote to release Apache Daffodil 3.2.1 (RC2) and to do so
> with an abbreviated approval cycle (to be used only for urgent patch
> releases).
>
> Your vote covers the release as usual, but also due to the urgency of
> this patch release, you are also voting on these 4 deltas from our more
> usual release process:
>
> * You agree the patch release is urgent and this abbreviated approval
>   cycle is warranted and appropriate.
>
> * The DISCUSS email thread will be superseded by this (and prior) VOTE thread.
>
> * Shortened 48 hours of work-day time for lazy consensus on the VOTE
>
> * A minimum of three +1 and zero -1 binding votes are needed
>
> For a summary of the changes in this release, see the release notes page:
>
> https://daffodil.apache.org/releases/3.2.1/
>
> All distribution packages, including signatures, digests, etc. can be found at:
>
> https://dist.apache.org/repos/dist/dev/daffodil/3.2.1-rc2/
>
> Staging artifacts can be found at:
>
> https://repository.apache.org/content/repositories/orgapachedaffodil-1026/
>
> This release has been signed with PGP key 274B8F1413A680AF, corresponding
> to mbeckerle@apache.org, which is included in the KEYS file here:
>
> https://downloads.apache.org/daffodil/KEYS
>
> The release candidate has been tagged in git with v3.2.1-rc2.
>
> For reference, here is a list of all closed JIRAs tagged with 3.2.1:
>
> https://s.apache.org/daffodil-issues-3.2.1
>
> Please review and vote.
>
> Per the abbreviated process, the vote will be open for 48 hours.
> (Until Wednesday 22 December 2021 13:30 EST.US).
>
> [ ] +1 approve the release, and this abbreviated release process
> [ ] +0 no opinion
> [ ] -1 disapprove of the release, or of this abbreviated release
>        process (and reason why)

Re: [VOTE] Release Apache Daffodil 3.2.1 (Urgent Patch Release) (RC2)

Posted by Steve Lawrence <sl...@apache.org>.
+1 (binding)

I did slightly different verification than I normally do due to the very 
minor differences with rc2. I checked:

[OK] hashes and signatures of source and helper binaries are correct
[OK] signature of git tag is correct
[OK] source release matches git tag (minus KEYS file)
[OK] source release is exactly the same as rc1, except for log4j dep
[OK] helper binaries are exactly the same as rc1, except for log4j jar
[OK] source compiles and all tests pass
[OK] rpm and msi install and run with basic usage
[OK] ~60 public and private DFDL schema projects pass tests
[OK] no open CVEs found using sbt-dependency-check plugin



On 12/20/21 1:22 PM, Mike Beckerle wrote:
> (This is the re-vote for 3.2.1-rc2, as rc1 vote was cancelled.)
> 
> Hi all,
> 
> I'd like to call a vote to release Apache Daffodil 3.2.1 (RC2) and to do so
> with an abbreviated approval cycle (to be used only for urgent patch
> releases).
> 
> Your vote covers the release as usual, but also due to the urgency of
> this patch release, you are also voting on these 4 deltas from our more
> usual release process:
> 
> * You agree the patch release is urgent and this abbreviated approval
>    cycle is warranted and appropriate.
> 
> * The DISCUSS email thread will be superseded by this (and prior) VOTE thread.
> 
> * Shortened 48 hours of work-day time for lazy consensus on the VOTE
> 
> * A minimum of three +1 and zero -1 binding votes are needed
> 
> For a summary of the changes in this release, see the release notes page:
> 
> https://daffodil.apache.org/releases/3.2.1/
> 
> All distribution packages, including signatures, digests, etc. can be found at:
> 
> https://dist.apache.org/repos/dist/dev/daffodil/3.2.1-rc2/
> 
> Staging artifacts can be found at:
> 
> https://repository.apache.org/content/repositories/orgapachedaffodil-1026/
> 
> This release has been signed with PGP key 274B8F1413A680AF, corresponding
> to mbeckerle@apache.org, which is included in the KEYS file here:
> 
> https://downloads.apache.org/daffodil/KEYS
> 
> The release candidate has been tagged in git with v3.2.1-rc2.
> 
> For reference, here is a list of all closed JIRAs tagged with 3.2.1:
> 
> https://s.apache.org/daffodil-issues-3.2.1
> 
> Please review and vote.
> 
> Per the abbreviated process, the vote will be open for 48 hours.
> (Until Wednesday 22 December 2021 13:30 EST.US).
> 
> [ ] +1 approve the release, and this abbreviated release process
> [ ] +0 no opinion
> [ ] -1 disapprove of the release, or of this abbreviated release
>         process (and reason why)
> 
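
Mike's "script that downloads all the artifacts and checks the hashes" and the first line of the checklist above describe the same release-verification step. The script below is an added example of that check, not the Daffodil project's own release tooling. It assumes the rc directory has already been fetched locally (the dist.apache.org dev area is an SVN repository, so `svn checkout <url>` does this), that each artifact sits beside `<name>.sha512` and `<name>.asc` sidecars in the layout Apache uses, that `gpg` is on PATH, and that the signing key id announced in the vote email (274B8F1413A680AF for this release) is passed on the command line so a valid signature from some *other* key in KEYS is still rejected.

```python
# Added example: offline verification of a downloaded Apache rc directory.
# Not Daffodil release tooling; assumes Apache's <name>.sha512 / <name>.asc layout.
import hashlib
import hmac
import pathlib
import re
import subprocess
import sys
import tempfile

_HEX = re.compile(r"^[0-9a-fA-F]+$")


def parse_sha512_sidecar(text: str) -> str:
    """Return the lowercase 128-hex-digit digest from a .sha512 sidecar.

    Accepts the `sha512sum` form ("HEX  name" / "HEX *name") and the
    `gpg --print-md` form ("name: HEX HEX ..." wrapped over several lines).
    """
    tokens = text.replace("*", " ").split()
    if not tokens:
        raise ValueError("empty sidecar")
    if len(tokens[0]) == 128 and _HEX.match(tokens[0]):
        return tokens[0].lower()                 # sha512sum form
    if tokens[0].endswith(":"):
        tokens = tokens[1:]                      # drop "name:" of gpg --print-md form
    digest = "".join(t for t in tokens if _HEX.match(t))
    if len(digest) != 128:
        raise ValueError("no SHA-512 digest found in sidecar")
    return digest.lower()


def sha512_of_file(path: pathlib.Path) -> str:
    """Stream the file so large helper binaries are never read into memory at once."""
    h = hashlib.sha512()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_sha512(artifact: pathlib.Path) -> bool:
    """True iff <artifact>.sha512 matches the artifact's actual digest."""
    sidecar = artifact.with_name(artifact.name + ".sha512")
    expected = parse_sha512_sidecar(sidecar.read_text())
    return hmac.compare_digest(expected, sha512_of_file(artifact))


def signed_by(status_output: str, expected_key_id: str) -> bool:
    """True iff a gpg VALIDSIG status line names a key with id expected_key_id.

    VALIDSIG carries the signing (sub)key fingerprint as its first field and the
    primary key fingerprint as its last; a long key id is the final 16 hex digits.
    """
    want = expected_key_id.upper()
    for line in status_output.splitlines():
        if line.startswith("[GNUPG:] VALIDSIG "):
            fields = line.split()
            if any(f.upper().endswith(want) for f in (fields[2], fields[-1])):
                return True
    return False


def import_keys(keys_file: pathlib.Path, homedir: str) -> None:
    """Import KEYS into a throwaway keyring so the user's own ring is untouched."""
    subprocess.run(["gpg", "--batch", "--homedir", homedir, "--import", str(keys_file)],
                   check=True, capture_output=True)


def verify_signature(artifact: pathlib.Path, homedir: str, expected_key_id: str) -> bool:
    """True iff <artifact>.asc verifies AND was made by the announced key;
    status lines are checked, not just the exit code, to reject other keys in KEYS."""
    asc = artifact.with_name(artifact.name + ".asc")
    proc = subprocess.run(["gpg", "--batch", "--homedir", homedir, "--status-fd", "1",
                           "--verify", str(asc), str(artifact)],
                          capture_output=True, text=True)
    return proc.returncode == 0 and signed_by(proc.stdout, expected_key_id)


def verify_directory(rc_dir: pathlib.Path, keys_file: pathlib.Path, key_id: str) -> dict:
    """Check every artifact with a .sha512 sidecar; returns {name: (hash_ok, sig_ok)}."""
    results = {}
    with tempfile.TemporaryDirectory() as homedir:      # gpg needs a 0700 dir; this is one
        import_keys(keys_file, homedir)
        for sidecar in sorted(rc_dir.glob("*.sha512")):
            artifact = sidecar.with_name(sidecar.name[: -len(".sha512")])
            if not artifact.is_file():                   # sidecar without its artifact
                results[artifact.name] = (False, False)
                continue
            results[artifact.name] = (verify_sha512(artifact),
                                      verify_signature(artifact, homedir, key_id))
    return results


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: verify_rc.py <rc-dir> <KEYS-file> <signing-key-id>")
    outcome = verify_directory(pathlib.Path(sys.argv[1]), pathlib.Path(sys.argv[2]), sys.argv[3])
    for name, (hash_ok, sig_ok) in outcome.items():
        print(f"{'OK ' if hash_ok and sig_ok else 'BAD'} {name}  sha512={hash_ok} sig={sig_ok}")
    sys.exit(0 if outcome and all(h and s for h, s in outcome.values()) else 1)
```

Run as `python verify_rc.py ./3.2.1-rc2 KEYS 274B8F1413A680AF` after fetching the rc directory and the KEYS file; a non-zero exit means at least one artifact failed either check. The second checklist item, the tag signature, is the separate command `git verify-tag v3.2.1-rc2`, run in a clone that has the same KEYS imported. The checks are deliberately independent: a matching SHA-512 only proves the download was not corrupted or swapped relative to its sidecar, while the signature check is what ties the bytes to the release manager's key.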


RE: [VOTE] Release Apache Daffodil 3.2.1 (Urgent Patch Release) (RC2)

Posted by "Interrante, John A (GE Research, US)" <Jo...@ge.com>.
I'm on vacation, so I'm unable to check rc2 at this time.  However, here's my +1 if no one else offers a third +1 since the only difference in rc2 should be a newer log4j jar than all the jars that were in rc1.

John

-----Original Message-----
From: Mike Beckerle <mb...@apache.org> 
Sent: Monday, December 20, 2021 10:23 AM
To: dev@daffodil.apache.org
Subject: EXT: [VOTE] Release Apache Daffodil 3.2.1 (Urgent Patch Release) (RC2)

(This is the re-vote for 3.2.1-rc2, as rc1 vote was cancelled.)

Hi all,

I'd like to call a vote to release Apache Daffodil 3.2.1 (RC2) and to do so with an abbreviated approval cycle (to be used only for urgent patch releases).

Your vote covers the release as usual, but also due to the urgency of this patch release, you are also voting on these 4 deltas from our more usual release process:

* You agree the patch release is urgent and this abbreviated approval
  cycle is warranted and appropriate.

* The DISCUSS email thread will be superseded by this (and prior) VOTE thread.

* Shortened 48 hours of work-day time for lazy consensus on the VOTE

* A minimum of three +1 and zero -1 binding votes are needed

For a summary of the changes in this release, see the release notes page:

https://daffodil.apache.org/releases/3.2.1/

All distribution packages, including signatures, digests, etc. can be found at:

https://dist.apache.org/repos/dist/dev/daffodil/3.2.1-rc2/

Staging artifacts can be found at:

https://repository.apache.org/content/repositories/orgapachedaffodil-1026/

This release has been signed with PGP key 274B8F1413A680AF, corresponding to mbeckerle@apache.org, which is included in the KEYS file here:

https://downloads.apache.org/daffodil/KEYS

The release candidate has been tagged in git with v3.2.1-rc2.

For reference, here is a list of all closed JIRAs tagged with 3.2.1:

https://s.apache.org/daffodil-issues-3.2.1

Please review and vote.

Per the abbreviated process, the vote will be open for 48 hours.
(Until Wednesday 22 December 2021 13:30 EST.US).

[ ] +1 approve the release, and this abbreviated release process
[ ] +0 no opinion
[ ] -1 disapprove of the release, or of this abbreviated release
       process (and reason why)

[VOTE] Release Apache Daffodil 3.2.1 (Urgent Patch Release) (RC2)

Posted by Mike Beckerle <mb...@apache.org>.
(This is the re-vote for 3.2.1-rc2, as rc1 vote was cancelled.)

Hi all,

I'd like to call a vote to release Apache Daffodil 3.2.1 (RC2) and to do so
with an abbreviated approval cycle (to be used only for urgent patch
releases).

Your vote covers the release as usual, but also due to the urgency of
this patch release, you are also voting on these 4 deltas from our more
usual release process:

* You agree the patch release is urgent and this abbreviated approval
  cycle is warranted and appropriate.

* The DISCUSS email thread will be superseded by this (and prior) VOTE thread.

* Shortened 48 hours of work-day time for lazy consensus on the VOTE

* A minimum of three +1 and zero -1 binding votes are needed

For a summary of the changes in this release, see the release notes page:

https://daffodil.apache.org/releases/3.2.1/

All distribution packages, including signatures, digests, etc. can be found at:

https://dist.apache.org/repos/dist/dev/daffodil/3.2.1-rc2/

Staging artifacts can be found at:

https://repository.apache.org/content/repositories/orgapachedaffodil-1026/

This release has been signed with PGP key 274B8F1413A680AF, corresponding
to mbeckerle@apache.org, which is included in the KEYS file here:

https://downloads.apache.org/daffodil/KEYS

The release candidate has been tagged in git with v3.2.1-rc2.

For reference, here is a list of all closed JIRAs tagged with 3.2.1:

https://s.apache.org/daffodil-issues-3.2.1

Please review and vote.

Per the abbreviated process, the vote will be open for 48 hours.
(Until Wednesday 22 December 2021 13:30 EST.US).

[ ] +1 approve the release, and this abbreviated release process
[ ] +0 no opinion
[ ] -1 disapprove of the release, or of this abbreviated release
       process (and reason why)

[CANCELLED] [VOTE] Release Apache Daffodil 3.2.1 (Urgent Patch Release)

Posted by Mike Beckerle <mb...@apache.org>.
Changing my vote to -1 binding, which ends this VOTE under the
abbreviated consensus plan that's part of the vote.

Half the reason for this release was the Log4J dependency CVE.

I don't want to explain to people "which CVE" is fixed and which isn't
and why the DoS is less of a concern, etc.

I will create rc2 with newer Log4J and we'll start a new VOTE.

This VOTE thread:
https://lists.apache.org/thread/dxhyfnv67d1dk0ychqy15km3mcs6rov1

-MikeB

On Mon, Dec 20, 2021 at 10:40 AM Steve Lawrence <sl...@apache.org> wrote:
>
> I just downloaded the OWASP dependency check command line tool [1] (note
> that there is an sbt plugin, but I couldn't get it to work).
>
> I first ran it against the 3.2.0 release and it found only the expected,
> and now fixed, JDOM and Log4J CVEs.
>
> I then ran it against 3.2.1-rc1 and it found nothing. This was a bit
> surprising since I expected the latest Log4J CVE, but maybe this CVE is
> just too new. It did happen over the weekend, so maybe it isn't in the
> database where the tool downloads from yet?
>
> So I think there are no known CVEs aside from the newest Log4J one.
>
> As to if we are done with Log4j CVEs, I don't know. It wouldn't surprise
> me if more CVEs come out with the extra scrutiny it's getting, but we
> don't know of any more at the moment.
>
> If we did do an rc2, all the binaries should be exactly the same except
> for the Log4J jar, so the verification process should be pretty easy.
> Another compressed vote seems reasonable, especially since we already
> have 3 +1's for this release, maybe even extra compressed considering
> the very small change and no binary differences in Daffodil.
>
> [1] https://owasp.org/www-project-dependency-check/
>
> On 12/20/21 9:38 AM, Mike Beckerle wrote:
> > I could go either way on this.
> >
> > My questions, which are perhaps not ones we can easily get answers to...
> >
> > * Do we actually know there are no CVEs against other things we depend on?
> >
> > * Has this Log4J flurry now concluded, or is that software now "under
> > scrutiny" such that there are now going to be a bunch more CVEs and
> > fixes?
> >
> > On Mon, Dec 20, 2021 at 7:27 AM Steve Lawrence <sl...@apache.org> wrote:
> >>
> >> It looks like another CVE was found that affects Log4J 2.16.0. This seems
> >> less severe than the previous CVEs--it's only a DoS, and I think
> >> Daffodil CLI isn't affected. But I *think* API users of Daffodil could
> >> potentially be affected if they have custom Log4J configs with a special
> >> Pattern Layout.
> >>
> >> Dependabot already has a PR open for Log4J 2.17.0 with a fix. Do we want
> >> to cancel this rc1 vote, merge the patch, and create an rc2?
> >>
> >> (Dependabot also opened a PR to update jackson-core, which has a bug fix
> >> for json parsing of quotes which might be worth merging as well?)
> >>
> >> On 12/16/21 4:02 PM, Mike Beckerle wrote:
> >>> Hi all,
> >>>
> >>> I'd like to call a vote to release Apache Daffodil 3.2.1 and to do so
> >>> with an abbreviated approval cycle (to be used only for urgent patch
> >>> releases).
> >>>
> >>> Your vote covers the release as usual, but also due to the urgency of
> >>> this patch release, you are also voting on these 4 deltas from our more
> >>> usual release process:
> >>>
> >>> * You agree the patch release is urgent and this abbreviated approval
> >>>     cycle is warranted and appropriate.
> >>>
> >>> * The DISCUSS email thread will be superseded by this VOTE thread.
> >>>
> >>> * Shortened 48 hours of work-day time for lazy consensus on the VOTE
> >>>
> >>> * A minimum of three +1 and zero -1 binding votes are needed
> >>>
> >>> For a summary of the changes in this release, see the release notes page:
> >>>
> >>> https://daffodil.apache.org/releases/3.2.1/
> >>>
> >>> All distribution packages, including signatures, digests, etc. can be found at:
> >>>
> >>> https://dist.apache.org/repos/dist/dev/daffodil/3.2.1-rc1/
> >>>
> >>> Staging artifacts can be found at:
> >>>
> >>> https://repository.apache.org/content/repositories/orgapachedaffodil-1026/
> >>>
> >>> This release has been signed with PGP key 274B8F1413A680AF, corresponding
> >>> to mbeckerle@apache.org, which is included in the KEYS file here:
> >>>
> >>> https://downloads.apache.org/daffodil/KEYS
> >>>
> >>> The release candidate has been tagged in git with v3.2.1-rc1.
> >>>
> >>> For reference, here is a list of all closed JIRAs tagged with 3.2.1:
> >>>
> >>> https://s.apache.org/daffodil-issues-3.2.1
> >>>
> >>> Please review and vote.
> >>>
> >>> Per the abbreviated process, the vote will be open for 48 hours.
> >>> (Until Monday 20 December 2021 17:00 EST.US).
> >>>
> >>> [ ] +1 approve the release, and this abbreviated release process
> >>> [ ] +0 no opinion
> >>> [ ] -1 disapprove of the release, or of this abbreviated release
> >>>          process (and reason why)
> >>>
> >>
>

Re: [VOTE] Release Apache Daffodil 3.2.1 (Urgent Patch Release)

Posted by Steve Lawrence <sl...@apache.org>.
I just downloaded the OWASP dependency check command line tool [1] (note 
that there is an sbt plugin, but I couldn't get it to work).

I first ran it against the 3.2.0 release and it found only the expected, 
and now fixed, JDOM and Log4J CVEs.

I then ran it against 3.2.1-rc1 and it found nothing. This was a bit 
surprising since I expected the latest Log4J CVE, but maybe this CVE is 
just too new. It did happen over the weekend, so maybe it isn't in the 
database where the tool downloads from yet?

So I think there are no known CVEs aside from the newest Log4J one.

As to if we are done with Log4j CVEs, I don't know. It wouldn't surprise 
me if more CVEs come out with the extra scrutiny it's getting, but we 
don't know of any more at the moment.

If we did do an rc2, all the binaries should be exactly the same except 
for the Log4J jar, so the verification process should be pretty easy. 
Another compressed vote seems reasonable, especially since we already 
have 3 +1's for this release, maybe even extra compressed considering 
the very small change and no binary differences in Daffodil.

[1] https://owasp.org/www-project-dependency-check/

On 12/20/21 9:38 AM, Mike Beckerle wrote:
> I could go either way on this.
> 
> My questions, which are perhaps not ones we can easily get answers to...
> 
> * Do we actually know there are no CVEs against other things we depend on?
> 
> * Has this Log4J flurry now concluded, or is that software now "under
> scrutiny" such that there are now going to be a bunch more CVEs and
> fixes?
> 
> On Mon, Dec 20, 2021 at 7:27 AM Steve Lawrence <sl...@apache.org> wrote:
>>
>> It looks like another CVE was found that affects Log4J 2.16.0. This seems
>> less severe than the previous CVEs--it's only a DoS, and I think
>> Daffodil CLI isn't affected. But I *think* API users of Daffodil could
>> potentially be affected if they have custom Log4J configs with a special
>> Pattern Layout.
>>
>> Dependabot already has a PR open for Log4J 2.17.0 with a fix. Do we want
>> to cancel this rc1 vote, merge the patch, and create an rc2?
>>
>> (Dependabot also opened a PR to update jackson-core, which has a bug fix
>> for json parsing of quotes which might be worth merging as well?)
>>
>> On 12/16/21 4:02 PM, Mike Beckerle wrote:
>>> Hi all,
>>>
>>> I'd like to call a vote to release Apache Daffodil 3.2.1 and to do so
>>> with an abbreviated approval cycle (to be used only for urgent patch
>>> releases).
>>>
>>> Your vote covers the release as usual, but also due to the urgency of
>>> this patch release, you are also voting on these 4 deltas from our more
>>> usual release process:
>>>
>>> * You agree the patch release is urgent and this abbreviated approval
>>>     cycle is warranted and appropriate.
>>>
>>> * The DISCUSS email thread will be superseded by this VOTE thread.
>>>
>>> * Shortened 48 hours of work-day time for lazy consensus on the VOTE
>>>
>>> * A minimum of three +1 and zero -1 binding votes are needed
>>>
>>> For a summary of the changes in this release, see the release notes page:
>>>
>>> https://daffodil.apache.org/releases/3.2.1/
>>>
>>> All distribution packages, including signatures, digests, etc. can be found at:
>>>
>>> https://dist.apache.org/repos/dist/dev/daffodil/3.2.1-rc1/
>>>
>>> Staging artifacts can be found at:
>>>
>>> https://repository.apache.org/content/repositories/orgapachedaffodil-1026/
>>>
>>> This release has been signed with PGP key 274B8F1413A680AF, corresponding
>>> to mbeckerle@apache.org, which is included in the KEYS file here:
>>>
>>> https://downloads.apache.org/daffodil/KEYS
>>>
>>> The release candidate has been tagged in git with v3.2.1-rc1.
>>>
>>> For reference, here is a list of all closed JIRAs tagged with 3.2.1:
>>>
>>> https://s.apache.org/daffodil-issues-3.2.1
>>>
>>> Please review and vote.
>>>
>>> Per the abbreviated process, the vote will be open for 48 hours.
>>> (Until Monday 20 December 2021 17:00 EST.US).
>>>
>>> [ ] +1 approve the release, and this abbreviated release process
>>> [ ] +0 no opinion
>>> [ ] -1 disapprove of the release, or of this abbreviated release
>>>          process (and reason why)
>>>
>>


Re: [VOTE] Release Apache Daffodil 3.2.1 (Urgent Patch Release)

Posted by Mike Beckerle <mb...@apache.org>.
I could go either way on this.

My questions, which are perhaps not ones we can easily get answers to...

* Do we actually know there are no CVEs against other things we depend on?

* Has this Log4J flurry now concluded, or is that software now "under
scrutiny" such that there are now going to be a bunch more CVEs and
fixes?

On Mon, Dec 20, 2021 at 7:27 AM Steve Lawrence <sl...@apache.org> wrote:
>
> It looks like another CVE was found that affects Log4J 2.16.0. This seems
> less severe than the previous CVEs--it's only a DoS, and I think
> Daffodil CLI isn't affected. But I *think* API users of Daffodil could
> potentially be affected if they have custom Log4J configs with a special
> Pattern Layout.
>
> Dependabot already has a PR open for Log4J 2.17.0 with a fix. Do we want
> to cancel this rc1 vote, merge the patch, and create an rc2?
>
> (Dependabot also opened a PR to update jackson-core, which has a bug fix
> for json parsing of quotes which might be worth merging as well?)
>
> On 12/16/21 4:02 PM, Mike Beckerle wrote:
> > Hi all,
> >
> > I'd like to call a vote to release Apache Daffodil 3.2.1 and to do so
> > with an abbreviated approval cycle (to be used only for urgent patch
> > releases).
> >
> > Your vote covers the release as usual, but also due to the urgency of
> > this patch release, you are also voting on these 4 deltas from our more
> > usual release process:
> >
> > * You agree the patch release is urgent and this abbreviated approval
> >    cycle is warranted and appropriate.
> >
> > * The DISCUSS email thread will be superseded by this VOTE thread.
> >
> > * Shortened 48 hours of work-day time for lazy consensus on the VOTE
> >
> > * A minimum of three +1 and zero -1 binding votes are needed
> >
> > For a summary of the changes in this release, see the release notes page:
> >
> > https://daffodil.apache.org/releases/3.2.1/
> >
> > All distribution packages, including signatures, digests, etc. can be found at:
> >
> > https://dist.apache.org/repos/dist/dev/daffodil/3.2.1-rc1/
> >
> > Staging artifacts can be found at:
> >
> > https://repository.apache.org/content/repositories/orgapachedaffodil-1026/
> >
> > This release has been signed with PGP key 274B8F1413A680AF, corresponding
> > to mbeckerle@apache.org, which is included in the KEYS file here:
> >
> > https://downloads.apache.org/daffodil/KEYS
> >
> > The release candidate has been tagged in git with v3.2.1-rc1.
> >
> > For reference, here is a list of all closed JIRAs tagged with 3.2.1:
> >
> > https://s.apache.org/daffodil-issues-3.2.1
> >
> > Please review and vote.
> >
> > Per the abbreviated process, the vote will be open for 48 hours.
> > (Until Monday 20 December 2021 17:00 EST.US).
> >
> > [ ] +1 approve the release, and this abbreviated release process
> > [ ] +0 no opinion
> > [ ] -1 disapprove of the release, or of this abbreviated release
> >         process (and reason why)
> >
>

Re: [VOTE] Release Apache Daffodil 3.2.1 (Urgent Patch Release)

Posted by Steve Lawrence <sl...@apache.org>.
It looks like another CVE was found that affects Log4J 2.16.0. This seems 
less severe than the previous CVEs--it's only a DoS, and I think 
Daffodil CLI isn't affected. But I *think* API users of Daffodil could 
potentially be affected if they have custom Log4J configs with a special 
Pattern Layout.

Dependabot already has a PR open for Log4J 2.17.0 with a fix. Do we want 
to cancel this rc1 vote, merge the patch, and create an rc2?

(Dependabot also opened a PR to update jackson-core, which has a bug fix 
for json parsing of quotes which might be worth merging as well?)

On 12/16/21 4:02 PM, Mike Beckerle wrote:
> Hi all,
> 
> I'd like to call a vote to release Apache Daffodil 3.2.1 and to do so
> with an abbreviated approval cycle (to be used only for urgent patch
> releases).
> 
> Your vote covers the release as usual, but also due to the urgency of
> this patch release, you are also voting on these 4 deltas from our more
> usual release process:
> 
> * You agree the patch release is urgent and this abbreviated approval
>    cycle is warranted and appropriate.
> 
> * The DISCUSS email thread will be superseded by this VOTE thread.
> 
> * Shortened 48 hours of work-day time for lazy consensus on the VOTE
> 
> * A minimum of three +1 and zero -1 binding votes are needed
> 
> For a summary of the changes in this release, see the release notes page:
> 
> https://daffodil.apache.org/releases/3.2.1/
> 
> All distribution packages, including signatures, digests, etc. can be found at:
> 
> https://dist.apache.org/repos/dist/dev/daffodil/3.2.1-rc1/
> 
> Staging artifacts can be found at:
> 
> https://repository.apache.org/content/repositories/orgapachedaffodil-1026/
> 
> This release has been signed with PGP key 274B8F1413A680AF, corresponding
> to mbeckerle@apache.org, which is included in the KEYS file here:
> 
> https://downloads.apache.org/daffodil/KEYS
> 
> The release candidate has been tagged in git with v3.2.1-rc1.
> 
> For reference, here is a list of all closed JIRAs tagged with 3.2.1:
> 
> https://s.apache.org/daffodil-issues-3.2.1
> 
> Please review and vote.
> 
> Per the abbreviated process, the vote will be open for 48 hours.
> (Until Monday 20 December 2021 17:00 EST.US).
> 
> [ ] +1 approve the release, and this abbreviated release process
> [ ] +0 no opinion
> [ ] -1 disapprove of the release, or of this abbreviated release
>         process (and reason why)
> 


Re: [VOTE] Release Apache Daffodil 3.2.1 (Urgent Patch Release)

Posted by Steve Lawrence <sl...@apache.org>.
+1 (binding)

I checked:

[OK] hashes and signatures of source and helper binaries are correct
[OK] signature of git tag is correct
[OK] source release matches git tag (minus KEYS file)
[OK] source compiles and all tests pass (both en_US and de_DE) (minor 
exception with DAFFODIL-2612 and -2599)
[OK] helper tgz/zip/msi/rpm all contain the same content except where 
expected
[OK] jars in helper binaries and the repository are exactly the same
[OK] jars built from source are exactly the same as helper binary jars
[OK] distributed dependencies in helper binaries are same as from maven
[OK] src, binaries, and jars include correct LICENSE/NOTICE
[OK] RAT check passes
[OK] no unexpected binaries in source
[OK] rpm and msi install and run with basic usage
[OK] ~60 public and private DFDL schema projects pass tests
[OK] No issues found in JavaDoc and ScalaDoc
[OK] Verified Log4j and JDOM2 jars are correct versions without CVEs



On 12/16/21 4:02 PM, Mike Beckerle wrote:
> Hi all,
> 
> I'd like to call a vote to release Apache Daffodil 3.2.1 and to do so
> with an abbreviated approval cycle (to be used only for urgent patch
> releases).
> 
> Your vote covers the release as usual, but also due to the urgency of
> this patch release, you are also voting on these 4 deltas from our more
> usual release process:
> 
> * You agree the patch release is urgent and this abbreviated approval
>    cycle is warranted and appropriate.
> 
> * The DISCUSS email thread will be superseded by this VOTE thread.
> 
> * Shortened 48 hours of work-day time for lazy consensus on the VOTE
> 
> * A minimum of three +1 and zero -1 binding votes are needed
> 
> For a summary of the changes in this release, see the release notes page:
> 
> https://daffodil.apache.org/releases/3.2.1/
> 
> All distribution packages, including signatures, digests, etc. can be found at:
> 
> https://dist.apache.org/repos/dist/dev/daffodil/3.2.1-rc1/
> 
> Staging artifacts can be found at:
> 
> https://repository.apache.org/content/repositories/orgapachedaffodil-1026/
> 
> This release has been signed with PGP key 274B8F1413A680AF, corresponding
> to mbeckerle@apache.org, which is included in the KEYS file here:
> 
> https://downloads.apache.org/daffodil/KEYS
> 
> The release candidate has been tagged in git with v3.2.1-rc1.
> 
> For reference, here is a list of all closed JIRAs tagged with 3.2.1:
> 
> https://s.apache.org/daffodil-issues-3.2.1
> 
> Please review and vote.
> 
> Per the abbreviated process, the vote will be open for 48 hours.
> (Until Monday 20 December 2021 17:00 EST.US).
> 
> [ ] +1 approve the release, and this abbreviated release process
> [ ] +0 no opinion
> [ ] -1 disapprove of the release, or of this abbreviated release
>         process (and reason why)
> 


Re: [VOTE] Release Apache Daffodil 3.2.1 (Urgent Patch Release)

Posted by Mike Beckerle <mb...@apache.org>.
My vote +1 binding

I bulk fetched all the files from the repository.apache.org server,
then verified all GPG signatures, and all MD5 and SHA1 checksums.
(output in checks.out.txt which is attached)

I ran built-in-self-tests of 61 DFDL schemas, including one that uses
a UDF (user defined function).

This also includes the latest PCAP schema which depends on the
EthernetIP schema which uses the new layering feature where IPv4
checksums can be computed on parse, and recomputed on unparse.

I had to update all build.sbt files to specify scalaVersion :=
"2.12.15", as I was testing using Java 17.

I ran built-in-self-tests of 13 Portable DFDL schemas against IBM DFDL
(to ensure the cross-testing rig works with Daffodil 3.2.1)



On Thu, Dec 16, 2021 at 4:02 PM Mike Beckerle <mb...@apache.org> wrote:
>
> Hi all,
>
> I'd like to call a vote to release Apache Daffodil 3.2.1 and to do so
> with an abbreviated approval cycle (to be used only for urgent patch
> releases).
>
> Your vote covers the release as usual, but also due to the urgency of
> this patch release, you are also voting on these 4 deltas from our more
> usual release process:
>
> * You agree the patch release is urgent and this abbreviated approval
>   cycle is warranted and appropriate.
>
> * The DISCUSS email thread will be superseded by this VOTE thread.
>
> * Shortened 48 hours of work-day time for lazy consensus on the VOTE
>
> * A minimum of three +1 and zero -1 binding votes are needed
>
> For a summary of the changes in this release, see the release notes page:
>
> https://daffodil.apache.org/releases/3.2.1/
>
> All distribution packages, including signatures, digests, etc. can be found at:
>
> https://dist.apache.org/repos/dist/dev/daffodil/3.2.1-rc1/
>
> Staging artifacts can be found at:
>
> https://repository.apache.org/content/repositories/orgapachedaffodil-1026/
>
> This release has been signed with PGP key 274B8F1413A680AF, corresponding
> to mbeckerle@apache.org, which is included in the KEYS file here:
>
> https://downloads.apache.org/daffodil/KEYS
>
> The release candidate has been tagged in git with v3.2.1-rc1.
>
> For reference, here is a list of all closed JIRAs tagged with 3.2.1:
>
> https://s.apache.org/daffodil-issues-3.2.1
>
> Please review and vote.
>
> Per the abbreviated process, the vote will be open for 48 hours.
> (Until Monday 20 December 2021 17:00 EST.US).
>
> [ ] +1 approve the release, and this abbreviated release process
> [ ] +0 no opinion
> [ ] -1 disapprove of the release, or of this abbreviated release
>        process (and reason why)

RE: [VOTE] Release Apache Daffodil 3.2.1 (Urgent Patch Release)

Posted by "Interrante, John A (GE Research, US)" <Jo...@ge.com>.
+1 (binding)

Tested on Ubuntu 20.04.3 with OpenJDK 11.0.13+8, SBT 1.5.7, gcc 9.3.0, libmxml-dev 3.1

John

[OK] Downloaded both apache-daffodil-3.2.0-bin.zip and apache-daffodil-3.2.1-bin.zip
[OK] Verified signatures against KEYS and signatures have Apache email addresses
[OK] Unpacked and diff'ed both apache-daffodil-3.2.0-bin apache-daffodil-3.2.1-bin
[OK] Verified only differences are newer versions of daffodil jars and some library jars
[OK] Verified geny, os-lib, log4j-api, log4j-core, jdom2 jars bumped to most recently released versions

[OK] Downloaded apache-daffodil-3.2.1-src.zip
[OK] Verified signature against KEYS and signature has Apache email address
[OK] Unpacked and built apache-daffodil-3.2.1-src (sbt compile test IntegrationTest/test daffodil-cli/stage ratCheck)
[OK] Verified all files compile and all tests pass
[OK] Verified daffodil-cli/universal/stage is nearly identical to apache-daffodil-3.2.1-bin (only 4 classes were not identical bit-for-bit)

-----Original Message-----
From: Mike Beckerle <mb...@apache.org> 
Sent: Thursday, December 16, 2021 4:03 PM
To: dev@daffodil.apache.org
Subject: EXT: [VOTE] Release Apache Daffodil 3.2.1 (Urgent Patch Release)

Hi all,

I'd like to call a vote to release Apache Daffodil 3.2.1 and to do so with an abbreviated approval cycle (to be used only for urgent patch releases).

Your vote covers the release as usual, but also due to the urgency of this patch release, you are also voting on these 4 deltas from our more usual release process:

* You agree the patch release is urgent and this abbreviated approval
  cycle is warranted and appropriate.

* The DISCUSS email thread will be superseded by this VOTE thread.

* Shortened 48 hours of work-day time for lazy consensus on the VOTE

* A minimum of three +1 and zero -1 binding votes are needed

For a summary of the changes in this release, see the release notes page:

https://daffodil.apache.org/releases/3.2.1/

All distribution packages, including signatures, digests, etc. can be found at:

https://dist.apache.org/repos/dist/dev/daffodil/3.2.1-rc1/

Staging artifacts can be found at:

https://repository.apache.org/content/repositories/orgapachedaffodil-1026/

This release has been signed with PGP key 274B8F1413A680AF, corresponding to mbeckerle@apache.org, which is included in the KEYS file here:

https://downloads.apache.org/daffodil/KEYS

The release candidate has been tagged in git with v3.2.1-rc1.

For reference, here is a list of all closed JIRAs tagged with 3.2.1:

https://s.apache.org/daffodil-issues-3.2.1

Please review and vote.

Per the abbreviated process, the vote will be open for 48 hours.
(Until Monday 20 December 2021 17:00 EST.US).

[ ] +1 approve the release, and this abbreviated release process
[ ] +0 no opinion
[ ] -1 disapprove of the release, or of this abbreviated release
       process (and reason why)
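Two of the checks the voters above did by hand (Steve's "hashes ... are correct" and John's unpack-and-diff of the 3.2.0 and 3.2.1 binary distributions, confirming that only jar version bumps differ) are shown here as an added Python example. This is not Daffodil project code; the artifact names, file contents, version strings and checksum lines are constructed for illustration. The checksum check only proves the download matches a file served from the same place as the artifact, so it complements, and never replaces, `gpg --verify` of the `.asc` signatures against the KEYS file.

```python
"""Release-candidate verification helpers (added example, not Daffodil code).

  1. verify_checksum_file: check artifacts against an Apache-style .sha512
     file in sha512sum format ("<hex digest>  <filename>").
  2. diff_distributions: compare two unpacked binary distributions and
     classify every difference, so "only jar version bumps changed" is a
     machine-checked assertion instead of an eyeballed diff.
All sample data at the bottom is constructed for illustration.
"""
import hashlib
import posixpath
import re
from dataclasses import dataclass, field

# sha512sum format; a leading '*' marks binary mode and is ignored.
CHECKSUM_LINE = re.compile(r"^(?P<digest>[0-9a-fA-F]+)\s+\*?(?P<name>\S.*)$")
# Maven-style jar name <artifactId>-<version>.jar, version starting with a digit.
JAR_NAME = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.\-]*)\.jar$")


def sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()


def verify_checksum_file(checksum_text: str, artifacts: dict) -> dict:
    """Return {filename: 'ok' | 'mismatch' | 'missing'} for each listed file.

    artifacts maps filename -> bytes. A digest of the wrong length raises:
    a truncated or hand-edited checksum file must fail loudly, not pass
    as a weaker check.
    """
    want_len = hashlib.sha512().digest_size * 2  # 128 hex chars
    results = {}
    for line in checksum_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = CHECKSUM_LINE.match(line)
        if not m or len(m["digest"]) != want_len:
            raise ValueError(f"malformed sha512 line: {line!r}")
        name, expected = m["name"], m["digest"].lower()
        data = artifacts.get(name)
        if data is None:
            results[name] = "missing"
        else:
            results[name] = "ok" if sha512_hex(data) == expected else "mismatch"
    return results


@dataclass
class DistDiff:
    identical: list = field(default_factory=list)
    modified: list = field(default_factory=list)       # same path, different bytes
    version_bumps: list = field(default_factory=list)  # (artifactId, old_ver, new_ver)
    added: list = field(default_factory=list)
    removed: list = field(default_factory=list)

    def unexpected(self, allowed_bumps) -> list:
        """Every change not explained by a version bump of an allowed artifact."""
        out = self.modified + self.removed + self.added
        out += [b for b in self.version_bumps if b[0] not in allowed_bumps]
        return out


def _jar_key(path: str):
    """(dir, artifactId, version) for a Maven-style jar path, else None."""
    m = JAR_NAME.match(posixpath.basename(path))
    return (posixpath.dirname(path), m["artifact"], m["version"]) if m else None


def diff_distributions(old: dict, new: dict) -> DistDiff:
    """old/new map path-relative-to-unpacked-root -> bytes (top dir name excluded)."""
    d = DistDiff()
    old_h = {p: sha512_hex(b) for p, b in old.items()}
    new_h = {p: sha512_hex(b) for p, b in new.items()}
    for p in sorted(old_h.keys() & new_h.keys()):
        (d.identical if old_h[p] == new_h[p] else d.modified).append(p)
    only_new = sorted(new_h.keys() - old_h.keys())
    new_jars = {}  # (dir, artifactId) -> (path, version) for jars only in `new`
    for p in only_new:
        k = _jar_key(p)
        if k:
            new_jars[(k[0], k[1])] = (p, k[2])
    paired = set()
    for p in sorted(old_h.keys() - new_h.keys()):
        k = _jar_key(p)
        hit = new_jars.get((k[0], k[1])) if k else None
        if hit and hit[0] not in paired:      # removed X-a.jar paired with added X-b.jar
            paired.add(hit[0])
            d.version_bumps.append((k[1], k[2], hit[1]))
        else:
            d.removed.append(p)
    d.added.extend(p for p in only_new if p not in paired)
    return d


# ---- constructed sample data (not real release artifacts) ----
SAMPLE_ARTIFACTS = {
    "example-3.2.1-bin.zip": b"constructed bin archive bytes",
    "example-3.2.1-src.zip": b"constructed src archive bytes",
}
_good = sha512_hex(SAMPLE_ARTIFACTS["example-3.2.1-bin.zip"])
_bad = sha512_hex(SAMPLE_ARTIFACTS["example-3.2.1-src.zip"])
_bad = ("0" if _bad[0] != "0" else "1") + _bad[1:]  # one nibble flipped: tampered file
SAMPLE_SHA512 = (f"{_good}  example-3.2.1-bin.zip\n"
                 f"{_bad} *example-3.2.1-src.zip\n"
                 f"{'ab' * 64}  example-3.2.1.pom\n")  # listed but not downloaded
SAMPLE_OLD_DIST = {
    "bin/daffodil": b"#!/bin/sh\nexec java -cp lib/* ...", "LICENSE": b"license text",
    "lib/daffodil-core-3.2.0.jar": b"old core", "lib/log4j-core-2.14.1.jar": b"old log4j",
    "lib/scala-library-2.12.15.jar": b"scala",
}
SAMPLE_NEW_DIST = {
    "bin/daffodil": b"#!/bin/sh\nexec java -cp lib/* ...", "LICENSE": b"license text",
    "lib/daffodil-core-3.2.1.jar": b"new core", "lib/log4j-core-2.16.0.jar": b"new log4j",
    "lib/scala-library-2.12.15.jar": b"scala", "lib/extra-tool-1.0.jar": b"unexpected",
}

if __name__ == "__main__":
    print(verify_checksum_file(SAMPLE_SHA512, SAMPLE_ARTIFACTS))
    diff = diff_distributions(SAMPLE_OLD_DIST, SAMPLE_NEW_DIST)
    print("bumps:", diff.version_bumps)
    print("unexpected:", diff.unexpected({"daffodil-core", "log4j-core"}))
```

On a real candidate, fill the dicts by walking the two unpacked `-bin` directories (paths relative to each root, since the top-level directory name carries the version) and treat any non-empty `unexpected()` list as a reason to withhold a +1 until it is explained.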