Posted to notifications@zookeeper.apache.org by GitBox <gi...@apache.org> on 2022/12/09 13:11:26 UTC

[GitHub] [zookeeper] symat opened a new pull request, #1957: ZOOKEEPER-4644: update dependencies before release 3.6.4

symat opened a new pull request, #1957:
URL: https://github.com/apache/zookeeper/pull/1957

   Dependency checks are currently failing on branch-3.6:
   
   ```
   mvn clean package -DskipTests dependency-check:check
   
   (...)
   
   [ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check (default-cli) on project zookeeper: 
   [ERROR] 
   [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0': 
   [ERROR] 
   [ERROR] jackson-databind-2.13.2.1.jar: CVE-2022-42003(7.5), CVE-2022-42004(7.5)
   [ERROR] jetty-io-9.4.43.v20210629.jar: CVE-2022-2047(2.7), CVE-2022-2048(7.5)
   [ERROR] jetty-server-9.4.43.v20210629.jar: CVE-2022-2047(2.7), CVE-2022-2048(7.5)
   [ERROR] netty-transport-4.1.76.Final.jar: CVE-2022-24823(5.5)
   ```
   
   In this commit I updated several third-party libraries and also updated / fixed the license and notice files.
   
   Because of the bouncycastle upgrade, I also had to do a very minimal code change: the `setPasssword` method on a builder was deprecated as it had a typo in the method name, and it caused a compile error after the upgrade.
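   The `[ERROR]` block quoted above is the only machine-readable record of what blocked the release. As an added example (not ZooKeeper code), the Python below parses that dependency-check console format into per-jar findings, applies the fail threshold quoted in the message (`'0.0'`, so any scored CVE fails the build), and orders the resulting upgrade list by severity; the sample log is constructed from the lines in the PR description.

```python
import re
from collections import defaultdict

# Constructed sample: the [ERROR] block quoted in the PR description.
SAMPLE_LOG = """\
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0':
[ERROR]
[ERROR] jackson-databind-2.13.2.1.jar: CVE-2022-42003(7.5), CVE-2022-42004(7.5)
[ERROR] jetty-io-9.4.43.v20210629.jar: CVE-2022-2047(2.7), CVE-2022-2048(7.5)
[ERROR] jetty-server-9.4.43.v20210629.jar: CVE-2022-2047(2.7), CVE-2022-2048(7.5)
[ERROR] netty-transport-4.1.76.Final.jar: CVE-2022-24823(5.5)
"""

THRESHOLD_RE = re.compile(r"greater than or equal to '([\d.]+)'")
FINDING_RE = re.compile(r"^\[ERROR\] (\S+\.jar): (.+)$")
CVE_RE = re.compile(r"(CVE-\d{4}-\d{4,})\((\d+(?:\.\d+)?)\)")

def parse_report(log):
    """Return (fail_threshold, {jar: [(cve_id, cvss), ...]}) from console output."""
    threshold, findings = None, defaultdict(list)
    for line in log.splitlines():
        m = THRESHOLD_RE.search(line)
        if m:
            threshold = float(m.group(1))   # the plugin's configured fail score
            continue
        m = FINDING_RE.match(line)
        if m:
            jar, cve_list = m.groups()
            for cve, score in CVE_RE.findall(cve_list):
                findings[jar].append((cve, float(score)))
    return threshold, dict(findings)

def blocking_jars(log, threshold=None):
    """Jars whose worst CVSS meets the threshold (parsed from the log unless given),
    highest score first, so the upgrade list is ordered by severity."""
    parsed, findings = parse_report(log)
    limit = parsed if threshold is None else threshold
    worst = {jar: max(s for _, s in cves) for jar, cves in findings.items()}
    return sorted(((j, s) for j, s in worst.items() if s >= limit), key=lambda x: -x[1])

def unique_cves(log):
    """Distinct CVE ids; one CVE often hits several modules of the same project."""
    _, findings = parse_report(log)
    return sorted({cve for cves in findings.values() for cve, _ in cves})

if __name__ == "__main__":
    for jar, score in blocking_jars(SAMPLE_LOG):
        print(f"{score:4.1f}  {jar}")
    print("distinct CVEs:", ", ".join(unique_cves(SAMPLE_LOG)))
```

   Passing an explicit `threshold` shows what a less strict gate would have let through: at 7.0 the netty-transport finding (5.5) no longer blocks, which is exactly the trade-off a `0.0` threshold removes.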


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@zookeeper.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [zookeeper] symat commented on pull request #1957: ZOOKEEPER-4644: update dependencies before release 3.6.4

Posted by GitBox <gi...@apache.org>.
symat commented on PR #1957:
URL: https://github.com/apache/zookeeper/pull/1957#issuecomment-1347965176

   @eolivelli, @cnauroth, thank you for the reviews!!
   I merged it to branch-3.6 and will continue with the release process.



[GitHub] [zookeeper] eolivelli closed pull request #1957: ZOOKEEPER-4644: update dependencies before release 3.6.4

Posted by GitBox <gi...@apache.org>.
eolivelli closed pull request #1957: ZOOKEEPER-4644: update dependencies before release 3.6.4
URL: https://github.com/apache/zookeeper/pull/1957



[GitHub] [zookeeper] cnauroth commented on a diff in pull request #1957: ZOOKEEPER-4644: update dependencies before release 3.6.4

Posted by GitBox <gi...@apache.org>.
cnauroth commented on code in PR #1957:
URL: https://github.com/apache/zookeeper/pull/1957#discussion_r1046120947


##########
zookeeper-server/src/main/resources/NOTICE.txt:
##########
@@ -32,29 +35,112 @@ Base64 Encoder and Decoder, which can be obtained at:
   * HOMEPAGE:
     * http://iharder.sourceforge.net/current/java/base64/
 
-This product contains a modified version of 'JZlib', a re-implementation of
-zlib in pure Java, which can be obtained at:
+This product contains a modified portion of 'Webbit', an event based
+WebSocket and HTTP server, which can be obtained at:
+
+  * LICENSE:
+    * license/LICENSE.webbit.txt (BSD License)
+  * HOMEPAGE:
+    * https://github.com/joewalnes/webbit
+
+This product contains a modified portion of 'SLF4J', a simple logging
+facade for Java, which can be obtained at:
+
+  * LICENSE:
+    * license/LICENSE.slf4j.txt (MIT License)
+  * HOMEPAGE:
+    * https://www.slf4j.org/
 
+This product contains a modified portion of 'Apache Harmony', an open source

Review Comment:
   Thanks for the information! The updates coming from Netty make sense to me now.
   
   I recall a conversation a few months ago concluding that this process is fine.




[GitHub] [zookeeper] symat commented on a diff in pull request #1957: ZOOKEEPER-4644: update dependencies before release 3.6.4

Posted by GitBox <gi...@apache.org>.
symat commented on code in PR #1957:
URL: https://github.com/apache/zookeeper/pull/1957#discussion_r1045078062


##########
pom.xml:
##########
@@ -347,26 +347,26 @@
     <surefire-forkcount>8</surefire-forkcount>
 
     <!-- dependency versions -->
-    <slf4j.version>1.7.35</slf4j.version>
-    <audience-annotations.version>0.5.0</audience-annotations.version>
+    <slf4j.version>1.7.36</slf4j.version>
+    <audience-annotations.version>0.12.0</audience-annotations.version>
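Review bot: the jump from audience-annotations 0.5.0 to 0.12.0 (0.13.0 in the follow-up) is bounded by the branch-3.6 Java 8 target, since 0.14.1 fails with `class file has wrong version 55.0, should be 52.0`; add a short XML comment next to the `<audience-annotations.version>` property recording that 0.14.x needs Java 11, so the next release manager's dependency refresh does not rediscover the compile failure. The visible part of this hunk covers only slf4j and audience-annotations, while the PR description lists jackson-databind, jetty and netty as the CVE-flagged jars; make sure the version bumps for those land in the same commit so `dependency-check:check` actually passes on this branch.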

Review Comment:
   Thanks, good idea. I tried, but 0.14.1 seems to work only with Java 11+
   (build error: `class file has wrong version 55.0, should be 52.0`).
   But I can upgrade to 0.13.0. I see (according to Maven Central) that 0.13.0 is a widely used version, so I upgraded to it.




[GitHub] [zookeeper] cnauroth commented on a diff in pull request #1957: ZOOKEEPER-4644: update dependencies before release 3.6.4

Posted by GitBox <gi...@apache.org>.
cnauroth commented on code in PR #1957:
URL: https://github.com/apache/zookeeper/pull/1957#discussion_r1044759918


##########
zookeeper-server/src/main/resources/NOTICE.txt:
##########
@@ -10,11 +10,14 @@ licensed under the Apache 2.0 license. The licensing terms
 for Airlift code can be found at:
 https://github.com/airlift/airlift/blob/master/LICENSE
 
+

Review Comment:
   Unnecessary blank line?



##########
pom.xml:
##########
@@ -347,26 +347,26 @@
     <surefire-forkcount>8</surefire-forkcount>
 
     <!-- dependency versions -->
-    <slf4j.version>1.7.35</slf4j.version>
-    <audience-annotations.version>0.5.0</audience-annotations.version>
+    <slf4j.version>1.7.36</slf4j.version>
+    <audience-annotations.version>0.12.0</audience-annotations.version>

Review Comment:
   Can this go to the newest version: 0.14.1?



##########
zookeeper-server/src/main/resources/NOTICE.txt:
##########
@@ -32,29 +35,112 @@ Base64 Encoder and Decoder, which can be obtained at:
   * HOMEPAGE:
     * http://iharder.sourceforge.net/current/java/base64/
 
-This product contains a modified version of 'JZlib', a re-implementation of
-zlib in pure Java, which can be obtained at:
+This product contains a modified portion of 'Webbit', an event based
+WebSocket and HTTP server, which can be obtained at:
+
+  * LICENSE:
+    * license/LICENSE.webbit.txt (BSD License)
+  * HOMEPAGE:
+    * https://github.com/joewalnes/webbit
+
+This product contains a modified portion of 'SLF4J', a simple logging
+facade for Java, which can be obtained at:
+
+  * LICENSE:
+    * license/LICENSE.slf4j.txt (MIT License)
+  * HOMEPAGE:
+    * https://www.slf4j.org/
 
+This product contains a modified portion of 'Apache Harmony', an open source

Review Comment:
   Can you please describe how you reviewed and decided what to add in NOTICE.txt? From a quick look, I'm unclear on how to draw the connection to some of these.




[GitHub] [zookeeper] symat commented on a diff in pull request #1957: ZOOKEEPER-4644: update dependencies before release 3.6.4

Posted by GitBox <gi...@apache.org>.
symat commented on code in PR #1957:
URL: https://github.com/apache/zookeeper/pull/1957#discussion_r1045079471


##########
zookeeper-server/src/main/resources/NOTICE.txt:
##########
@@ -32,29 +35,112 @@ Base64 Encoder and Decoder, which can be obtained at:
   * HOMEPAGE:
     * http://iharder.sourceforge.net/current/java/base64/
 
-This product contains a modified version of 'JZlib', a re-implementation of
-zlib in pure Java, which can be obtained at:
+This product contains a modified portion of 'Webbit', an event based
+WebSocket and HTTP server, which can be obtained at:
+
+  * LICENSE:
+    * license/LICENSE.webbit.txt (BSD License)
+  * HOMEPAGE:
+    * https://github.com/joewalnes/webbit
+
+This product contains a modified portion of 'SLF4J', a simple logging
+facade for Java, which can be obtained at:
+
+  * LICENSE:
+    * license/LICENSE.slf4j.txt (MIT License)
+  * HOMEPAGE:
+    * https://www.slf4j.org/
 
+This product contains a modified portion of 'Apache Harmony', an open source
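Review bot: the LICENSE pointers added in this hunk (`license/LICENSE.webbit.txt`, `license/LICENSE.slf4j.txt`) follow the layout of Netty's own NOTICE, but this thread says ZooKeeper keeps its third-party license files under `zookeeper-server/src/main/resources/lib`, so those paths should be checked against what actually ships in the ZooKeeper artifact; either point them at files that exist in this repository or state explicitly that the section reproduces Netty's notice for the bundled netty jars, since "This product contains a modified portion of ..." otherwise reads as a ZooKeeper modification. The same hunk drops the JZlib entry while adding Webbit, SLF4J and Apache Harmony, so please confirm against the upgraded netty jars that JZlib is really gone and the three new entries are really present, rather than mirroring the upstream file wholesale.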

Review Comment:
   Good question... Honestly, I haven't dug deeply into this; I usually just update the content of the license / notice files we have before I cut a release (updating the versions and double-checking the license types for updated third parties).
   
   AFAIU, our practice is:
   - copy the license files of all directly included runtime 3pp libraries to `zookeeper-server/src/main/resources/lib`
   - update `zookeeper-server/src/main/resources/LICENSE.txt`, where we have the Apache 2.0 license, and where we also mention all the third parties which have a different license (other than Apache 2)
   - update the NOTICE.txt file with all other contributions / sources (which mainly come from the netty project, so we have the netty NOTICE file copy-pasted there from some time ago... but I just updated that, as the netty NOTICE file changed a lot over the years)
   
   After some googling, I also found this page: https://infra.apache.org/licensing-howto.html
   
   I never spent time on assessing whether this practice we have in ZooKeeper is OK or not. I hope that someone with better knowledge checks this during the VOTE... But anyway, I don't think we need to change our approach in a bugfix release. But if we are afraid that we don't follow some Apache policy here precisely enough, then maybe someone can take the time and review this more deeply for the next minor (3.9) release.


