Posted to user@hadoop.apache.org by Brent <br...@gmail.com> on 2022/03/01 18:43:08 UTC

Quick check on Log4j/Reload4j plan

Hey all,

I've been trying to go through Jira issues and mailing list archives to
understand ongoing plans for Log4j 1.x upgrades.  I know technically Hadoop
is not listed as vulnerable, but some more cautious organizations are
looking to upgrade anyway.

It seems like 3.4.x and beyond releases are talking about moving to Log4j2
or Logback (per https://issues.apache.org/jira/browse/HADOOP-12956 and
https://issues.apache.org/jira/browse/HADOOP-16206).

It seems like 3.2.x and 3.3.x are talking about moving to Reload4j (per
https://issues.apache.org/jira/browse/HADOOP-18088 and
https://github.com/apache/hadoop/pull/3906).

Two questions:
- Does that sound accurate?
- Are there any plans to patch Reload4j back into 2.x releases as well?

Thank you for your time and help and all your hard work on this project!

~Brent

Re: Quick check on Log4j/Reload4j plan

Posted by Masatake Iwasaki <iw...@oss.nttdata.co.jp>.
> That would be great! Would you like to start another thread to kick off the 2.10.x release plan?

Sure. I sent a mail to dev MLs for starting discussion.

On 2022/03/04 17:38, Wei-Chiu Chuang wrote:
> That would be great! Would you like to start another thread to kick off the 2.10.x release plan?
> 
> On Thu, Mar 3, 2022 at 9:39 PM Masatake Iwasaki <iwasakims@oss.nttdata.co.jp> wrote:
> 
>     Hi Wei-Chiu Chuang,
> 
>      > I think a bigger question is whether or not we have someone who would like to volunteer to be a release manager for the 2.10.2 release.
>      > The last 2.x release was over a year ago.
> 
>     I can take an RM role if there is a need.
> 
>     Thanks,
>     Masatake Iwasaki
> 
>     On 2022/03/02 5:54, Wei-Chiu Chuang wrote:
>      >
>      >
>      > On Wed, Mar 2, 2022 at 2:43 AM Brent <brentwritescode@gmail.com> wrote:
>      >
>      >     Hey all,
>      >
>      >     I've been trying to go through Jira issues and mailing list archives to understand ongoing plans for Log4j 1.x upgrades.  I know technically Hadoop is not listed as vulnerable, but some more cautious organizations are looking to upgrade anyway.
>      >
>      >     It seems like 3.4.x and beyond releases are talking about moving to Log4j2 or Logback (per https://issues.apache.org/jira/browse/HADOOP-12956 and https://issues.apache.org/jira/browse/HADOOP-16206).
>      >
>      >     It seems like 3.2.x and 3.3.x are talking about moving to Reload4j (per https://issues.apache.org/jira/browse/HADOOP-18088 and https://github.com/apache/hadoop/pull/3906).
>      >
>      >     Two questions:
>      >     - Does that sound accurate?
>      >
>      > That sounds about right.
>      >
>      >     - Are there any plans to patch Reload4j back into 2.x releases as well?
>      >
>      >
>      > I think a bigger question is whether or not we have someone who would like to volunteer to be a release manager for the 2.10.2 release.
>      > The last 2.x release was over a year ago.
>      >
>      >
>      >     Thank you for your time and help and all your hard work on this project!
>      >
>      >     ~Brent
>      >
> 
>     ---------------------------------------------------------------------
>     To unsubscribe, e-mail: user-unsubscribe@hadoop.apache.org
>     For additional commands, e-mail: user-help@hadoop.apache.org
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@hadoop.apache.org
For additional commands, e-mail: user-help@hadoop.apache.org


Re: Quick check on Log4j/Reload4j plan

Posted by Wei-Chiu Chuang <we...@apache.org>.
That would be great! Would you like to start another thread to kick off the
2.10.x release plan?

On Thu, Mar 3, 2022 at 9:39 PM Masatake Iwasaki <iw...@oss.nttdata.co.jp>
wrote:

> Hi Wei-Chiu Chuang,
>
> > I think a bigger question is whether or not we have someone who would
> like to volunteer to be a release manager for the 2.10.2 release.
> > The last 2.x release was over a year ago.
>
> I can take an RM role if there is a need.
>
> Thanks,
> Masatake Iwasaki
>
> On 2022/03/02 5:54, Wei-Chiu Chuang wrote:
> >
> >
> > On Wed, Mar 2, 2022 at 2:43 AM Brent <brentwritescode@gmail.com> wrote:
> >
> >     Hey all,
> >
> >     I've been trying to go through Jira issues and mailing list archives
> to understand ongoing plans for Log4j 1.x upgrades.  I know technically
> Hadoop is not listed as vulnerable, but some more cautious organizations
> are looking to upgrade anyway.
> >
> >     It seems like 3.4.x and beyond releases are talking about moving to
> Log4j2 or Logback (per https://issues.apache.org/jira/browse/HADOOP-12956
> and https://issues.apache.org/jira/browse/HADOOP-16206).
> >
> >     It seems like 3.2.x and 3.3.x are talking about moving to
> Reload4j (per https://issues.apache.org/jira/browse/HADOOP-18088 and
> https://github.com/apache/hadoop/pull/3906).
> >
> >     Two questions:
> >     - Does that sound accurate?
> >
> > That sounds about right.
> >
> >     - Are there any plans to patch Reload4j back into 2.x releases as
> well?
> >
> >
> > I think a bigger question is whether or not we have someone who would
> like to volunteer to be a release manager for the 2.10.2 release.
> > The last 2.x release was over a year ago.
> >
> >
> >     Thank you for your time and help and all your hard work on this
> project!
> >
> >     ~Brent
> >

Re: Quick check on Log4j/Reload4j plan

Posted by Masatake Iwasaki <iw...@oss.nttdata.co.jp>.
Hi Wei-Chiu Chuang,

> I think a bigger question is whether or not we have someone who would like to volunteer to be a release manager for the 2.10.2 release.
> The last 2.x release was over a year ago.

I can take an RM role if there is a need.

Thanks,
Masatake Iwasaki

On 2022/03/02 5:54, Wei-Chiu Chuang wrote:
> 
> 
> On Wed, Mar 2, 2022 at 2:43 AM Brent <brentwritescode@gmail.com> wrote:
> 
>     Hey all,
> 
>     I've been trying to go through Jira issues and mailing list archives to understand ongoing plans for Log4j 1.x upgrades.  I know technically Hadoop is not listed as vulnerable, but some more cautious organizations are looking to upgrade anyway.
> 
>     It seems like 3.4.x and beyond releases are talking about moving to Log4j2 or Logback (per https://issues.apache.org/jira/browse/HADOOP-12956 and https://issues.apache.org/jira/browse/HADOOP-16206).
> 
>     It seems like 3.2.x and 3.3.x are talking about moving to Reload4j (per https://issues.apache.org/jira/browse/HADOOP-18088 and https://github.com/apache/hadoop/pull/3906).
> 
>     Two questions:
>     - Does that sound accurate?
> 
> That sounds about right.
> 
>     - Are there any plans to patch Reload4j back into 2.x releases as well?
> 
> 
> I think a bigger question is whether or not we have someone who would like to volunteer to be a release manager for the 2.10.2 release.
> The last 2.x release was over a year ago.
> 
> 
>     Thank you for your time and help and all your hard work on this project!
> 
>     ~Brent
> 



Re: Quick check on Log4j/Reload4j plan

Posted by Wei-Chiu Chuang <we...@apache.org>.
On Wed, Mar 2, 2022 at 2:43 AM Brent <br...@gmail.com> wrote:

> Hey all,
>
> I've been trying to go through Jira issues and mailing list archives to
> understand ongoing plans for Log4j 1.x upgrades.  I know technically Hadoop
> is not listed as vulnerable, but some more cautious organizations are
> looking to upgrade anyway.
>
> It seems like 3.4.x and beyond releases are talking about moving to Log4j2
> or Logback (per https://issues.apache.org/jira/browse/HADOOP-12956 and
> https://issues.apache.org/jira/browse/HADOOP-16206).
>
> It seems like 3.2.x and 3.3.x are talking about moving to Reload4j (per
> https://issues.apache.org/jira/browse/HADOOP-18088 and
> https://github.com/apache/hadoop/pull/3906).
>
> Two questions:
> - Does that sound accurate?
>
That sounds about right.

> - Are there any plans to patch Reload4j back into 2.x releases as well?
>

I think a bigger question is whether or not we have someone who would like
to volunteer to be a release manager for the 2.10.2 release.
The last 2.x release was over a year ago.

>
> Thank you for your time and help and all your hard work on this project!
>
> ~Brent
>