Posted to dev@daffodil.apache.org by Mike Beckerle <mb...@apache.org> on 2021/12/20 16:54:12 UTC

[CANCELLED] [VOTE] Release Apache Daffodil 3.2.1 (Urgent Patch Release)

Changing my vote to -1 binding, which ends this VOTE under the
abbreviated consensus plan that's part of the vote.

Half the reason for this release was the Log4J dependency CVE.

I don't want to explain to people "which CVE" is fixed and which isn't
and why the DoS is less of a concern, etc.

I will create rc2 with newer Log4J and we'll start a new VOTE.

This VOTE thread:
https://lists.apache.org/thread/dxhyfnv67d1dk0ychqy15km3mcs6rov1

-MikeB

On Mon, Dec 20, 2021 at 10:40 AM Steve Lawrence <sl...@apache.org> wrote:
>
> I just downloaded the OWASP dependency check command line tool [1] (note
> that there is an sbt plugin, but I couldn't get it to work).
>
> I first ran it against the 3.2.0 release and it found only the expected,
> and now fixed, JDOM and Log4J CVEs.
>
> I then ran it against 3.2.1-rc1 and it found nothing. This was a bit
> surprising since I expected the latest Log4J CVE, but maybe this CVE is
> just too new. It did happen over the weekend, so maybe it isn't in the
> database where the tool downloads from yet?
>
> So I think there are no known CVEs aside from the newest Log4J one.
>
> As to if we are done with Log4j CVEs, I don't know. It wouldn't surprise
> me if more CVEs come out with the extra scrutiny it's getting, but we
> don't know of any more at the moment.
>
> If we did do an rc2, all the binaries should be exactly the same except
> for the Log4J jar, so the verification process should be pretty easy.
> Another compressed vote seems reasonable, especially since we already
> have 3 +1's for this release, maybe even extra compressed considering
> the very small change and no binary differences in Daffodil.
>
> [1] https://owasp.org/www-project-dependency-check/
>
> On 12/20/21 9:38 AM, Mike Beckerle wrote:
> > I could go either way on this.
> >
> > My questions, which are perhaps not ones we can easily get answers to...
> >
> > * Do we actually know there are no CVEs against other things we depend on?
> >
> > * Has this Log4J flurry now concluded, or is that software now "under
> > scrutiny" such that there are now going to be a bunch more CVEs and
> > fixes?
> >
> > On Mon, Dec 20, 2021 at 7:27 AM Steve Lawrence <sl...@apache.org> wrote:
> >>
> >> It looks like another CVE was found that affects Log4J 2.16.0. This seems
> >> less severe than the previous CVEs--it's only a DoS, and I think
> >> Daffodil CLI isn't affected. But I *think* API users of Daffodil could
> >> potentially be affected if they have custom Log4J configs with a special
> >> Pattern Layout.
> >>
> >> Dependabot already has a PR open for Log4J 2.17.0 with a fix. Do we want
> >> to cancel this rc1 vote, merge the patch, and create an rc2?
> >>
> >> (Dependabot also opened a PR to update jackson-core, which has a bug fix
> >> for json parsing of quotes which might be worth merging as well?)
> >>
> >> On 12/16/21 4:02 PM, Mike Beckerle wrote:
> >>> Hi all,
> >>>
> >>> I'd like to call a vote to release Apache Daffodil 3.2.1 and to do so
> >>> with an abbreviated approval cycle (to be used only for urgent patch
> >>> releases).
> >>>
> >>> Your vote covers the release as usual, but also due to the urgency of
> >>> this patch release, you are also voting on these 4 deltas from our more
> >>> usual release process:
> >>>
> >>> * You agree the patch release is urgent and this abbreviated approval
> >>>     cycle is warranted and appropriate.
> >>>
> >>> * The DISCUSS email thread will be superseded by this VOTE thread.
> >>>
> >>> * Shortened 48 hours of work-day time for lazy consensus on the VOTE
> >>>
> >>> * A minimum of three +1 and zero -1 binding votes are needed
> >>>
> >>> For a summary of the changes in this release, see the release notes page:
> >>>
> >>> https://daffodil.apache.org/releases/3.2.1/
> >>>
> >>> All distribution packages, including signatures, digests, etc. can be found at:
> >>>
> >>> https://dist.apache.org/repos/dist/dev/daffodil/3.2.1-rc1/
> >>>
> >>> Staging artifacts can be found at:
> >>>
> >>> https://repository.apache.org/content/repositories/orgapachedaffodil-1026/
> >>>
> >>> This release has been signed with PGP key 274B8F1413A680AF, corresponding
> >>> to mbeckerle@apache.org, which is included in the KEYS file here:
> >>>
> >>> https://downloads.apache.org/daffodil/KEYS
> >>>
> >>> The release candidate has been tagged in git with v3.2.1-rc1.
> >>>
> >>> For reference, here is a list of all closed JIRAs tagged with 3.2.1:
> >>>
> >>> https://s.apache.org/daffodil-issues-3.2.1
> >>>
> >>> Please review and vote.
> >>>
> >>> Per the abbreviated process, the vote will be open for 48 hours.
> >>> (Until Monday 20 December 2021 17:00 EST.US).
> >>>
> >>> [ ] +1 approve the release, and this abbreviated release process
> >>> [ ] +0 no opinion
> >>> [ ] -1 disapprove of the release, or of this abbreviated release
> >>>          process (and reason why)
> >>>
> >>
>
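Steve's point above that an rc2 should be byte-identical to rc1 except for the Log4J jar makes the verification mechanical. The following script is an added example, not code from the thread or from the Daffodil project: it hashes every file in two release trees, reports anything that differs, and only accepts a difference that is an old Log4J jar going away and a Log4J jar at or above a version floor (2.17.0, the version the Dependabot PR moves to) arriving. The file names, directory layout and jar contents it builds in a temp directory are constructed placeholders, not real Daffodil artifacts; the `log4j-core-X.Y.Z.jar` naming pattern is an assumption about how the jars appear in the distribution.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed jar naming: log4j-core-2.16.0.jar / log4j-api-2.17.0.jar
LOG4J_JAR = re.compile(r"^log4j-(?:core|api)-(\d+)\.(\d+)\.(\d+)\.jar$")

# Version floor the thread proposes moving to via the Dependabot PR
MIN_LOG4J = (2, 17, 0)


def sha256_tree(root):
    """Map each regular file under root (relative path) to its SHA-256 hex digest."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_trees(old, new):
    """Split two digest maps into (changed, added, removed) relative paths."""
    common = old.keys() & new.keys()
    changed = sorted(k for k in common if old[k] != new[k])
    added = sorted(new.keys() - old.keys())
    removed = sorted(old.keys() - new.keys())
    return changed, added, removed


def log4j_version(path):
    """Return (major, minor, patch) for a Log4J jar filename, else None."""
    m = LOG4J_JAR.match(Path(path).name)
    return tuple(int(x) for x in m.groups()) if m else None


def verify_patch_release(old_dir, new_dir, min_log4j=MIN_LOG4J):
    """Check that new_dir differs from old_dir only by a Log4J upgrade to >= min_log4j.

    Returns a list of human-readable problems; an empty list means the
    candidate matches the expectation stated in the thread.
    """
    changed, added, removed = diff_trees(sha256_tree(old_dir), sha256_tree(new_dir))
    problems = []
    # A file present in both trees with different bytes is never expected here.
    for path in changed:
        problems.append(f"modified file outside the Log4J swap: {path}")
    # Only old Log4J jars may disappear (the version is in the file name).
    for path in removed:
        if log4j_version(path) is None:
            problems.append(f"non-Log4J file removed: {path}")
    # Only new Log4J jars may appear, and they must meet the version floor.
    new_log4j = []
    for path in added:
        version = log4j_version(path)
        if version is None:
            problems.append(f"non-Log4J file added: {path}")
        elif version < min_log4j:
            floor = ".".join(map(str, min_log4j))
            problems.append(f"{path} is below the required Log4J version {floor}")
        else:
            new_log4j.append(path)
    if not new_log4j:
        problems.append("no Log4J jar at or above the required version was added")
    return problems


def build_sample_releases(tamper=False):
    """Create two constructed release trees (not real Daffodil artifacts) in a temp dir.

    rc1 carries Log4J 2.16.0 and rc2 carries 2.17.0; with tamper=True, rc2 also
    alters the bytes of an unrelated jar so the check has something to flag.
    """
    base = Path(tempfile.mkdtemp(prefix="daffodil-rc-check-"))
    rc1, rc2 = base / "3.2.1-rc1", base / "3.2.1-rc2"
    shared = {
        "bin/daffodil": b"#!/bin/sh\n# constructed launcher stub\n",
        "lib/daffodil-lib-3.2.1.jar": b"constructed daffodil-lib contents",
    }
    for root, log4j in ((rc1, "2.16.0"), (rc2, "2.17.0")):
        files = dict(shared)
        files[f"lib/log4j-core-{log4j}.jar"] = f"constructed log4j-core {log4j}".encode()
        files[f"lib/log4j-api-{log4j}.jar"] = f"constructed log4j-api {log4j}".encode()
        if tamper and root is rc2:
            files["lib/daffodil-lib-3.2.1.jar"] = b"constructed daffodil-lib contents, altered"
        for rel, data in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
    return rc1, rc2


if __name__ == "__main__":
    for tamper in (False, True):
        rc1, rc2 = build_sample_releases(tamper=tamper)
        print(f"tamper={tamper}:", verify_patch_release(rc1, rc2) or "OK")
```

Because the Log4J version is carried in the jar file name, an upgrade shows up as one jar removed and one added rather than as a modified file, which is why the check treats "changed" files as always unexpected. Pointing `verify_patch_release` at the unpacked rc1 and rc2 binary distributions gives a reviewer a yes/no answer that complements, rather than replaces, the signature and digest checks of the normal release process.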