Posted to dev@zookeeper.apache.org by Patrick Hunt <ph...@apache.org> on 2019/10/01 00:00:26 UTC

Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2

I pushed patches for 3.5 and trunk and the tests passed on my mac. However
3.4 is using netty 3.10.6.Final and as such it's not a simple upgrade.
(there are no fixes against 3.10 for this CVE, at least not so far) Not
sure what we want to do about this... someone would need to backport the
netty 4.1 changes into 3.4 afaict.

Patrick

On Mon, Sep 30, 2019 at 1:08 PM Patrick Hunt <ph...@apache.org> wrote:

> I'll work on it today.
>
> Patrick
>
> On Mon, Sep 30, 2019 at 11:59 AM Enrico Olivelli <eo...@gmail.com>
> wrote:
>
>> Okay
>>
>> I am cancelling the release.
>>
>> I have a problem with my box, I can't work on netty upgrade.
>>
>> Any volunteer?
>>
>> Enrico
>>
>> On Mon 30 Sep 2019, 20:32 Andor Molnar <an...@apache.org> wrote:
>>
>> > The good news is: we need to release 3.4.15 too. :)
>> >
>> > Andor
>> >
>> >
>> >
>> > > On 2019. Sep 30., at 20:26, Patrick Hunt <ph...@apache.org> wrote:
>> > >
>> > > created: https://issues.apache.org/jira/browse/ZOOKEEPER-3563
>> > >
>> > > On Mon, Sep 30, 2019 at 11:20 AM Patrick Hunt <ph...@apache.org>
>> wrote:
>> > >
>> > >> -1 - when I run dependency check on the release candidate artifact
>> it's
>> > >> failing with:
>> > >>
>> > >> [ERROR] netty-transport-4.1.29.Final.jar: CVE-2019-16869
>> > >>
>> > >> I ran this on trunk and it's passing, as such it must be an issue
>> > >> with the 3.5.6 netty version specifically. It's listed as a high, we
>> > >> should patch this as well before releasing.
>> > >>
>> > >> Patrick
>> > >>
>> > >>
>> > >> On Sun, Sep 29, 2019 at 7:29 AM Enrico Olivelli <eolivelli@gmail.com>
>> > >> wrote:
>> > >>
>> > >>> This is a bugfix release candidate for 3.5.6.
>> > >>>
>> > >>> It fixes 28 issues, including upgrade of third party libraries,
>> > >>> TTL Node APIs for C API, support for PKCS12 Keystores, and better
>> > >>> procedure for the upgrade of servers from 3.4 to 3.5.
>> > >>>
>> > >>> The full release notes are available at:
>> > >>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12345243
>> > >>>
>> > >>> *** Please download, test and vote by October 2nd 2019, 23:59 UTC+0. ***
>> > >>>
>> > >>> Source files:
>> > >>> https://people.apache.org/~eolivelli/zookeeper-3.5.6-candidate-2
>> > >>>
>> > >>> Maven staging repo:
>> > >>> https://repository.apache.org/content/repositories/orgapachezookeeper-1042/
>> > >>>
>> > >>> The release candidate tag in git to be voted upon: release-3.5.6-rc2
>> > >>> https://github.com/apache/zookeeper/tree/release-3.5.6-rc2
>> > >>>
>> > >>> ZooKeeper's KEYS file containing PGP keys we use to sign the release:
>> > >>> https://www.apache.org/dist/zookeeper/KEYS
>> > >>>
>> > >>> Should we release this candidate?
>> > >>> Enrico Olivelli
>> > >>>
>> > >>
>> >
>> >
>>
>

Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2

Posted by Enrico Olivelli <eo...@gmail.com>.
This VOTE thread is cancelled.
I have sent a new RC3

Best regards
Enrico

On Thu 3 Oct 2019 at 22:56 Andor Molnar <an...@apache.org> wrote:

> Here it is:
>
> https://issues.apache.org/jira/browse/ZOOKEEPER-3568
>
> Andor
>
>
>
> -----Original Message-----
> From: Patrick Hunt <ph...@apache.org>
> Reply-To: dev@zookeeper.apache.org
> To: DevZooKeeper <de...@zookeeper.apache.org>
> Subject: Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
> Date: Thu, 3 Oct 2019 11:37:05 -0700
>
> If we do go that route we should create a jira and discuss on a
> dedicated thread on the dev and user lists so that folks know about it
> ahead of time....
>
> Patrick
>
> On Thu, Oct 3, 2019 at 11:35 AM Andor Molnar <an...@apache.org> wrote:
>
> > Looks like we only need some refactoring on the testing side:
> >
> > testRaceBetweenSyncFlushAndZKShutdown() uses SimpleZooKeeperServer
> > class which is based on Netty and needs to be refactored to use NIO
> > instead.
> >
> > Otherwise looks like a quite straightforward change.
> >
> > +1 for removing from the codebase and release 3.4.15 without Netty.
> >
> > Andor
> >
> >
> >
> > -----Original Message-----
> > From: Patrick Hunt <ph...@apache.org>
> > Reply-To: dev@zookeeper.apache.org
> > To: DevZooKeeper <de...@zookeeper.apache.org>
> > Subject: Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
> > Date: Thu, 3 Oct 2019 07:36:24 -0700
> >
> > On Wed, Oct 2, 2019 at 9:59 PM Brian Nixon <brian.nixon.cs@gmail.com> wrote:
> > > NIO is still the default server factory so I'm guessing many users of
> > > 3.4 simply aren't configuring Netty. And our recommendation for users
> > > who want Netty could be to upgrade to a 3.5 release as that should be
> > > better in every way for them.
> > >
> > > Is there a principle determining the difference between leaving the
> > > code available in 3.4 with a warning attached and removing the code
> > > entirely so that they would have to independently modify and package
> > > in order to use the feature?
> > >
> > >
> >
> > Primarily/historically what I mentioned - we don't introduce major
> > features/changes (esp non-b/w compat) in fix releases.
> >
> > Patrick
> >
> >
> > > On Wed, Oct 2, 2019 at 8:48 AM Patrick Hunt <phunt@apache.org> wrote:
> > > > On Wed, Oct 2, 2019 at 1:49 AM Andor Molnar <andor@apache.org> wrote:
> > > > > Hi Pat,
> > > > >
> > > > > Would you please clarify what you mean by “dropping netty support
> > > > > from 3.4”?
> > > > >
> > > > >
> > > >
> > > > My simplistic thought was just that. Ship new versions of 3.4 that
> > > > remove support for netty. That could mean turning it off by default
> > > > (not sure how much work that would be) or just purging the netty code
> > > > from the codebase entirely. (3.4). It would be an exception to our
> > > > "don't break b/w compat in fix releases" policy, but this is an
> > > > extreme case imo. We have no intention of supporting netty in 3.4
> > > > going forward as evidenced by the fact that the netty version is
> > > > locked to netty 3 (long out of support by netty as they are no longer
> > > > backporting fixes) and we have no intention of updating to the new
> > > > version of netty on 3.4. Maybe this CVE doesn't affect us, but at
> > > > some point it will. Users have the option to move to a stable, b/w
> > > > compat, 3.5. release. Not optimal I agree.
> > > >
> > > >
> > > > > Does that mean we won’t submit security patches from now on, but
> > > > > keep the Netty classes (NettyServerCnxnFactory and
> > > > > ClientCnxnSocketNetty) available OR remove these classes from the
> > > > > codebase?
> > > > >
> > > > > The latter means we’ll drop client SSL feature too.
> > > > >
> > > > >
> > > >
> > > > Say there is a new CVE on netty and it's not backported to netty3,
> > > > what would we do in that case. I guess we could wait/kick the can
> > > > down the road till we really hit that. For the moment just say that
> > > > it doesn't affect us as you researched and add to 3.4 exceptions.
> > > >
> > > > This is just my suggestion/option rather than a recommendation, open
> > > > to other ideas. ;-)
> > > >
> > > > Patrick
> > > >
> > > >
> > > > > Andor
> > > > >
> > > > >
> > > > >
> > > > > > On 2019. Oct 2., at 2:27, Michael Han <hanm@apache.org> wrote:
> > > > > > > How about officially dropping netty support from 3.4 and asking
> > > > > > > people to move to the new version
> > > > > > +1. This sounds like a good opportunity to deprecate 3.4 branch.
> > > > > >
> > > > > > On Tue, Oct 1, 2019 at 8:00 AM Enrico Olivelli <eolivelli@gmail.com> wrote:
> > > > > > > On Tue 1 Oct 2019 at 16:15 Patrick Hunt <phunt@apache.org> wrote:
> > > > > > >
> > > > > > > > Another option/solution: How about officially dropping netty
> > > > > > > > support from 3.4 and asking people to move to the new version
> > > > > > > > (3.5 stable or later)?
> > > > > > > Sounds good
> > > > > > >
> > > > > > > Enrico
> > > > > > >
> > > > > > >
> > > > > > > > Patrick
> > > > > > > >
> > > > > > > > On Tue, Oct 1, 2019 at 4:22 AM Andor Molnar <andor@apache.org> wrote:
> > > > > > > > > I agree that 3.4 should not be refactored in any way even
> > > > > > > > > for a security fix.
> > > > > > > > >
> > > > > > > > > What's wrong with the "alpha story"?
> > > > > > > > >
> > > > > > > > > I think releasing in an early stage with "-alpha", "-beta"
> > > > > > > > > modifiers is not a bad thing alone, as long as it doesn't
> > > > > > > > > take years to get to the stable release.
> > > > > > > > >
> > > > > > > > > Andor
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > On Tue, 1 Oct 2019, Enrico Olivelli wrote:
> > > > > > > > >
> > > > > > > > > > Date: Tue, 1 Oct 2019 10:54:24 +0200
> > > > > > > > > > From: Enrico Olivelli <eolivelli@gmail.com>
> > > > > > > > > > Reply-To: dev@zookeeper.apache.org
> > > > > > > > > > To: dev@zookeeper.apache.org
> > > > > > > > > > Subject: Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
> > > > > > > > > >
> > > > > > > > > > On Tue 1 Oct 2019, 10:38 Andor Molnar <andor@apache.org> wrote:
> > > > > > > > > > > Backporting Netty 4 would be a huge, cumbersome task, I
> > > > > > > > > > > hope we don’t have to do it.
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Yes, 3.4 is mature and stable and closed for refactors.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > > However I had a quick look at the details of this CVE
> > > > > > > > > > > and it seems to me that it only affects the HTTP codec:
> > > > > > > > > > >
> > > > > > > > > > > https://github.com/netty/netty/commit/39cafcb05c99f2aa9fce7e6597664c9ed6a63a95
> > > > > > > > > > > Can’t we just say 3.4.14 is not affected?
> > > > > > > > > > > We’re not running an HTTP server inside ZooKeeper.
> > > > > > > > > > >
> > > > > > > > > > > Otherwise we might be able to release 3.6.0-alpha1 now,
> > > > > > > > > > > put a date for 3.4 EOL and highlight on the webpage that
> > > > > > > > > > > this
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Please do not start an 'alpha' story like for 3.5....
> > > > > > > > > >
> > > > > > > > > > > CVE probably won’t be resolved on that branch, please
> > > > > > > > > > > upgrade to 3.5.
> > > > > > > > > > +1
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Enrico
> > > > > > > > > >
> > > > > > > > > > > As a third option we could ask Norman to kindly fix
> > > > > > > > > > > 3.10.6.Final as well… or submit a PR ourselves, it
> > > > > > > > > > > doesn’t seem to me a big deal.
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Not so useful
> > > > > > > > > >
> > > > > > > > > > > What do you think?
> > > > > > > > > > >
> > > > > > > > > > > Andor
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > > On 2019. Oct 1., at 2:00, Patrick Hunt <phunt@apache.org> wrote:
> > > > > > > > > > > > I pushed patches for 3.5 and trunk and the tests
> > > > > > > > > > > > passed on my mac. However 3.4 is using netty
> > > > > > > > > > > > 3.10.6.Final and as such it's not a simple upgrade.
> > > > > > > > > > > > (there are no fixes against 3.10 for this CVE, at
> > > > > > > > > > > > least not so far) Not sure what we want to do about
> > > > > > > > > > > > this... someone would need to backport the netty 4.1
> > > > > > > > > > > > changes into 3.4 afaict.
> > > > > > > > > > > >
> > > > > > > > > > > > Patrick
> > > > > > > > > > > >
> > > > > > > > > > > > On Mon, Sep 30, 2019 at 1:08 PM Patrick Hunt <phunt@apache.org> wrote:
> > > > > > > > > > > > > I'll work on it today.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Patrick
> > > > > > > > > > > > >
> > > > > > > > > > > > > On Mon, Sep 30, 2019 at 11:59 AM Enrico Olivelli <eolivelli@gmail.com> wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > > Okay
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > I am cancelling the release.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > I have a problem with my box, I can't work on
> > > > > > > > > > > > > > netty upgrade.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Any volunteer?
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Enrico
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > On Mon 30 Sep 2019, 20:32 Andor Molnar <andor@apache.org> wrote:
> > > > > > > > > > > > > > > The good news is: we need to release 3.4.15 too. :)
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Andor
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > On 2019. Sep 30., at 20:26, Patrick Hunt <phunt@apache.org> wrote:
> > > > > > > > > > > > > > > > created: https://issues.apache.org/jira/browse/ZOOKEEPER-3563
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > On Mon, Sep 30, 2019 at 11:20 AM Patrick Hunt <phunt@apache.org> wrote:
> > > > > > > > > > > > > > > > > -1 - when I run dependency check on the
> > > > > > > > > > > > > > > > > release candidate artifact it's failing with:
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > [ERROR] netty-transport-4.1.29.Final.jar: CVE-2019-16869
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > I ran this on trunk and it's passing, as
> > > > > > > > > > > > > > > > > such it must be an issue with the 3.5.6 netty
> > > > > > > > > > > > > > > > > version specifically. It's listed as a high,
> > > > > > > > > > > > > > > > > we should patch this as well before releasing.
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > Patrick
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > On Sun, Sep 29, 2019 at 7:29 AM Enrico Olivelli <eolivelli@gmail.com> wrote:
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > This is a bugfix release candidate for 3.5.6.
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > It fixes 28 issues, including upgrade of
> > > > > > > > > > > > > > > > > > third party libraries, TTL Node APIs for C
> > > > > > > > > > > > > > > > > > API, support for PKCS12 Keystores, and better
> > > > > > > > > > > > > > > > > > procedure for the upgrade of servers from 3.4
> > > > > > > > > > > > > > > > > > to 3.5.
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > The full release notes are available at:
> > > > > > > > > > > > > > > > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12345243
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > *** Please download, test and vote by
> > > > > > > > > > > > > > > > > > October 2nd 2019, 23:59 UTC+0. ***
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > Source files:
> > > > > > > > > > > > > > > > > > https://people.apache.org/~eolivelli/zookeeper-3.5.6-candidate-2
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > Maven staging repo:
> > > > > > > > > > > > > > > > > > https://repository.apache.org/content/repositories/orgapachezookeeper-1042/
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > The release candidate tag in git to be
> > > > > > > > > > > > > > > > > > voted upon: release-3.5.6-rc2
> > > > > > > > > > > > > > > > > > https://github.com/apache/zookeeper/tree/release-3.5.6-rc2
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > ZooKeeper's KEYS file containing PGP keys
> > > > > > > > > > > > > > > > > > we use to sign the release:
> > > > > > > > > > > > > > > > > > https://www.apache.org/dist/zookeeper/KEYS
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > Should we release this candidate?
> > > > > > > > > > > > > > > > > > Enrico Olivelli
> > > > > > > > > > > > > > > > > >
>
>

Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2

Posted by Andor Molnar <an...@apache.org>.
Here it is:

https://issues.apache.org/jira/browse/ZOOKEEPER-3568

Andor



-----Original Message-----
From: Patrick Hunt <ph...@apache.org>
Reply-To: dev@zookeeper.apache.org
To: DevZooKeeper <de...@zookeeper.apache.org>
Subject: Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
Date: Thu, 3 Oct 2019 11:37:05 -0700

If we do go that route we should create a jira and discuss on a
dedicated thread on the dev and user lists so that folks know about it
ahead of time....

Patrick

On Thu, Oct 3, 2019 at 11:35 AM Andor Molnar <an...@apache.org> wrote:

> Looks like we only need some refactoring on the testing side:
> 
> testRaceBetweenSyncFlushAndZKShutdown() uses SimpleZooKeeperServer
> class which is based on Netty and needs to be refactored to use NIO
> instead.
> 
> Otherwise looks like a quite straightforward change.
> 
> +1 for removing from the codebase and release 3.4.15 without Netty.
> 
> Andor
> 
> 
> 
> -----Original Message-----
> From: Patrick Hunt <ph...@apache.org>
> Reply-To: dev@zookeeper.apache.org
> To: DevZooKeeper <de...@zookeeper.apache.org>
> Subject: Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
> Date: Thu, 3 Oct 2019 07:36:24 -0700
> 
> On Wed, Oct 2, 2019 at 9:59 PM Brian Nixon <brian.nixon.cs@gmail.com> wrote:
> > NIO is still the default server factory so I'm guessing many users of
> > 3.4 simply aren't configuring Netty. And our recommendation for users
> > who want Netty could be to upgrade to a 3.5 release as that should be
> > better in every way for them.
> >
> > Is there a principle determining the difference between leaving the
> > code available in 3.4 with a warning attached and removing the code
> > entirely so that they would have to independently modify and package
> > in order to use the feature?
> > 
> > 
> 
> Primarily/historically what I mentioned - we don't introduce major
> features/changes (esp non-b/w compat) in fix releases.
> 
> Patrick
> 
> 
> > On Wed, Oct 2, 2019 at 8:48 AM Patrick Hunt <phunt@apache.org> wrote:
> > > On Wed, Oct 2, 2019 at 1:49 AM Andor Molnar <andor@apache.org> wrote:
> > > > Hi Pat,
> > > >
> > > > Would you please clarify what you mean by “dropping netty support
> > > > from 3.4”?
> > > > 
> > > > 
> > > 
> > > My simplistic thought was just that. Ship new versions of 3.4 that
> > > remove support for netty. That could mean turning it off by default
> > > (not sure how much work that would be) or just purging the netty code
> > > from the codebase entirely. (3.4). It would be an exception to our
> > > "don't break b/w compat in fix releases" policy, but this is an
> > > extreme case imo. We have no intention of supporting netty in 3.4
> > > going forward as evidenced by the fact that the netty version is
> > > locked to netty 3 (long out of support by netty as they are no longer
> > > backporting fixes) and we have no intention of updating to the new
> > > version of netty on 3.4. Maybe this CVE doesn't affect us, but at
> > > some point it will. Users have the option to move to a stable, b/w
> > > compat, 3.5. release. Not optimal I agree.
> > > 
> > > 
> > > > Does that mean we won’t submit security patches from now on, but
> > > > keep the Netty classes (NettyServerCnxnFactory and
> > > > ClientCnxnSocketNetty) available OR remove these classes from the
> > > > codebase?
> > > >
> > > > The latter means we’ll drop client SSL feature too.
> > > > 
> > > > 
> > > 
> > > Say there is a new CVE on netty and it's not backported to netty3,
> > > what would we do in that case. I guess we could wait/kick the can
> > > down the road till we really hit that. For the moment just say that
> > > it doesn't affect us as you researched and add to 3.4 exceptions.
> > > 
> > > This is just my suggestion/option rather than a recommendation, open
> > > to other ideas. ;-)
> > > 
> > > Patrick
> > > 
> > > 
> > > > Andor
> > > > 
> > > > 
> > > > 
> > > > > On 2019. Oct 2., at 2:27, Michael Han <hanm@apache.org> wrote:
> > > > > > How about officially dropping netty support from 3.4 and asking
> > > > > > people to move to the new version
> > > > > +1. This sounds like a good opportunity to deprecate 3.4 branch.
> > > > > 
> > > > > On Tue, Oct 1, 2019 at 8:00 AM Enrico Olivelli <eolivelli@gmail.com> wrote:
> > > > > > On Tue 1 Oct 2019 at 16:15 Patrick Hunt <phunt@apache.org> wrote:
> > > > > > 
> > > > > > > Another option/solution: How about officially dropping netty
> > > > > > > support from 3.4 and asking people to move to the new version
> > > > > > > (3.5 stable or later)?
> > > > > > Sounds good
> > > > > > 
> > > > > > Enrico
> > > > > > 
> > > > > > 
> > > > > > > Patrick
> > > > > > > 
> > > > > > > On Tue, Oct 1, 2019 at 4:22 AM Andor Molnar <andor@apache.org> wrote:
> > > > > > > > I agree that 3.4 should not be refactored in any way even
> > > > > > > > for a security fix.
> > > > > > > > 
> > > > > > > > What's wrong with the "alpha story"?
> > > > > > > > 
> > > > > > > > I think releasing in an early stage with "-alpha", "-beta"
> > > > > > > > modifiers is not a bad thing alone, as long as it doesn't
> > > > > > > > take years to get to the stable release.
> > > > > > > > 
> > > > > > > > Andor
> > > > > > > > 
> > > > > > > > 
> > > > > > > > On Tue, 1 Oct 2019, Enrico Olivelli wrote:
> > > > > > > > 
> > > > > > > > > Date: Tue, 1 Oct 2019 10:54:24 +0200
> > > > > > > > > From: Enrico Olivelli <eolivelli@gmail.com>
> > > > > > > > > Reply-To: dev@zookeeper.apache.org
> > > > > > > > > To: dev@zookeeper.apache.org
> > > > > > > > > Subject: Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
> > > > > > > > > 
> > > > > > > > > On Tue 1 Oct 2019, 10:38 Andor Molnar <andor@apache.org> wrote:
> > > > > > > > > > Backporting Netty 4 would be a huge, cumbersome task, I
> > > > > > > > > > hope we don’t have to do it.
> > > > > > > > > > 
> > > > > > > > > 
> > > > > > > > > Yes, 3.4 is mature and stable and closed for refactors.
> > > > > > > > > 
> > > > > > > > > 
> > > > > > > > > > However I had a quick look at the details of this CVE
> > > > > > > > > > and it seems to me that it only affects the HTTP codec:
> > > > > > > > > >
> > > > > > > > > > https://github.com/netty/netty/commit/39cafcb05c99f2aa9fce7e6597664c9ed6a63a95
> > > > > > > > > > Can’t we just say 3.4.14 is not affected?
> > > > > > > > > > We’re not running an HTTP server inside ZooKeeper.
> > > > > > > > > > 
> > > > > > > > > > Otherwise we might be able to release 3.6.0-alpha1 now,
> > > > > > > > > > put a date for 3.4 EOL and highlight on the webpage that
> > > > > > > > > > this
> > > > > > > > > > 
> > > > > > > > > 
> > > > > > > > > Please do not start an 'alpha' story like for 3.5....
> > > > > > > > > 
> > > > > > > > > > CVE probably won’t be resolved on that branch, please
> > > > > > > > > > upgrade to 3.5.
> > > > > > > > > +1
> > > > > > > > > 
> > > > > > > > > 
> > > > > > > > > Enrico
> > > > > > > > > 
> > > > > > > > > > As a third option we could ask Norman to kindly fix
> > > > > > > > > > 3.10.6.Final as well… or submit a PR ourselves, it
> > > > > > > > > > doesn’t seem to me a big deal.
> > > > > > > > > > 
> > > > > > > > > 
> > > > > > > > > Not so useful
> > > > > > > > > 
> > > > > > > > > > What do you think?
> > > > > > > > > > 
> > > > > > > > > > Andor
> > > > > > > > > > 
> > > > > > > > > > 
> > > > > > > > > > 
> > > > > > > > > > 
> > > > > > > > > > > On 2019. Oct 1., at 2:00, Patrick Hunt <phunt@apache.org> wrote:
> > > > > > > > > > > I pushed patches for 3.5 and trunk and the tests
> > > > > > > > > > > passed on my mac. However 3.4 is using netty
> > > > > > > > > > > 3.10.6.Final and as such it's not a simple upgrade.
> > > > > > > > > > > (there are no fixes against 3.10 for this CVE, at
> > > > > > > > > > > least not so far) Not sure what we want to do about
> > > > > > > > > > > this... someone would need to backport the netty 4.1
> > > > > > > > > > > changes into 3.4 afaict.
> > > > > > > > > > > 
> > > > > > > > > > > Patrick
> > > > > > > > > > > 
> > > > > > > > > > > On Mon, Sep 30, 2019 at 1:08 PM Patrick Hunt <phunt@apache.org> wrote:
> > > > > > > > > > > > I'll work on it today.
> > > > > > > > > > > > 
> > > > > > > > > > > > Patrick
> > > > > > > > > > > > 
> > > > > > > > > > > > On Mon, Sep 30, 2019 at 11:59 AM Enrico Olivelli <eolivelli@gmail.com> wrote:
> > > > > > > > > > > > 
> > > > > > > > > > > > > Okay
> > > > > > > > > > > > > 
> > > > > > > > > > > > > I am cancelling the release.
> > > > > > > > > > > > > 
> > > > > > > > > > > > > I have a problem with my box, I can't work on
> > > > > > > > > > > > > netty upgrade.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Any volunteer?
> > > > > > > > > > > > > 
> > > > > > > > > > > > > Enrico
> > > > > > > > > > > > > 
> > > > > > > > > > > > > On Mon 30 Sep 2019, 20:32 Andor Molnar <andor@apache.org> wrote:
> > > > > > > > > > > > > > The good news is: we need to release 3.4.15 too. :)
> > > > > > > > > > > > > > 
> > > > > > > > > > > > > > Andor
> > > > > > > > > > > > > > 
> > > > > > > > > > > > > > 
> > > > > > > > > > > > > > 
> > > > > > > > > > > > > > > On 2019. Sep 30., at 20:26, Patrick Hunt <phunt@apache.org> wrote:
> > > > > > > > > > > > > > > created: https://issues.apache.org/jira/browse/ZOOKEEPER-3563
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > On Mon, Sep 30, 2019 at 11:20 AM Patrick Hunt <phunt@apache.org> wrote:
> > > > > > > > > > > > > > > > -1 - when I run dependency check on the
> > > > > > > > > > > > > > > > release candidate artifact it's failing with:
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > [ERROR] netty-transport-4.1.29.Final.jar: CVE-2019-16869
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > I ran this on trunk and it's passing, as
> > > > > > > > > > > > > > > > such it must be an issue with the 3.5.6 netty
> > > > > > > > > > > > > > > > version specifically. It's listed as a high,
> > > > > > > > > > > > > > > > we should patch this as well before releasing.
> > > > > > > > > > > > > > > > 
> > > > > > > > > > > > > > > > Patrick
> > > > > > > > > > > > > > > > 
> > > > > > > > > > > > > > > > 
> > > > > > > > > > > > > > > > On Sun, Sep 29, 2019 at 7:29 AM Enrico Olivelli <eolivelli@gmail.com> wrote:
> > > > > > > > > > > > > > > > 
> > > > > > > > > > > > > > > > > This is a bugfix release candidate for 3.5.6.
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > It fixes 28 issues, including upgrade of
> > > > > > > > > > > > > > > > > third party libraries, TTL Node APIs for C
> > > > > > > > > > > > > > > > > API, support for PKCS12 Keystores, and better
> > > > > > > > > > > > > > > > > procedure for the upgrade of servers from 3.4
> > > > > > > > > > > > > > > > > to 3.5.
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > The full release notes are available at:
> > > > > > > > > > > > > > > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12345243
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > *** Please download, test and vote by
> > > > > > > > > > > > > > > > > October 2nd 2019, 23:59 UTC+0. ***
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > Source files:
> > > > > > > > > > > > > > > > > https://people.apache.org/~eolivelli/zookeeper-3.5.6-candidate-2
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > Maven staging repo:
> > > > > > > > > > > > > > > > > https://repository.apache.org/content/repositories/orgapachezookeeper-1042/
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > The release candidate tag in git to be
> > > > > > > > > > > > > > > > > voted upon: release-3.5.6-rc2
> > > > > > > > > > > > > > > > > https://github.com/apache/zookeeper/tree/release-3.5.6-rc2
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > ZooKeeper's KEYS file containing PGP keys
> > > > > > > > > > > > > > > > > we use to sign the release:
> > > > > > > > > > > > > > > > > https://www.apache.org/dist/zookeeper/KEYS
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > Should we release this candidate?
> > > > > > > > > > > > > > > > > Enrico Olivelli
> > > > > > > > > > > > > > > > >


Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2

Posted by Patrick Hunt <ph...@apache.org>.
If we do go that route we should create a jira and discuss on a dedicated
thread on the dev and user lists so that folks know about it ahead of
time....

Patrick

On Thu, Oct 3, 2019 at 11:35 AM Andor Molnar <an...@apache.org> wrote:

> Looks like we only need some refactoring on the testing side:
>
> testRaceBetweenSyncFlushAndZKShutdown() uses SimpleZooKeeperServer
> class which is based on Netty and needs to be refactored to use NIO
> instead.
>
> Otherwise looks like a quite straightforward change.
>
> +1 for removing from the codebase and release 3.4.15 without Netty.
>
> Andor
>
>
>
> -----Original Message-----
> From: Patrick Hunt <ph...@apache.org>
> Reply-To: dev@zookeeper.apache.org
> To: DevZooKeeper <de...@zookeeper.apache.org>
> Subject: Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
> Date: Thu, 3 Oct 2019 07:36:24 -0700
>
> On Wed, Oct 2, 2019 at 9:59 PM Brian Nixon <brian.nixon.cs@gmail.com> wrote:
>
> > NIO is still the default server factory so I'm guessing many users of 3.4
> > simply aren't configuring Netty. And our recommendation for users who want
> > Netty could be to upgrade to a 3.5 release as that should be better in
> > every way for them.
> >
> > Is there a principle determining the difference between leaving the code
> > available in 3.4 with a warning attached and removing the code entirely so
> > that they would have to independently modify and package in order to use
> > the feature?
> >
> >
> Primarily/historically what I mentioned - we don't introduce major
> features/changes (esp non-b/w compat) in fix releases.
>
> Patrick
>
>
> > On Wed, Oct 2, 2019 at 8:48 AM Patrick Hunt <phunt@apache.org> wrote:
> >
> > > On Wed, Oct 2, 2019 at 1:49 AM Andor Molnar <andor@apache.org> wrote:
> > >
> > > > Hi Pat,
> > > >
> > > > Would you please clarify what do you mean "dropping netty support from
> > > > 3.4"?
> > > >
> > > >
> > > My simplistic thought was just that. Ship new versions of 3.4 that remove
> > > support for netty. That could mean turning it off by default (not sure how
> > > much work that would be) or just purging the netty code from the codebase
> > > entirely (3.4). It would be an exception to our "don't break b/w compat
> > > in fix releases" policy, but this is an extreme case imo. We have no
> > > intention of supporting netty in 3.4 going forward as evidenced by the fact
> > > that the netty version is locked to netty 3 (long out of support by netty
> > > as they are no longer backporting fixes) and we have no intention of
> > > updating to the new version of netty on 3.4. Maybe this CVE doesn't affect
> > > us, but at some point it will. Users have the option to move to a stable,
> > > b/w compat, 3.5 release. Not optimal I agree.
> > >
> > >
> > > > Does that mean we won't submit security patches from now on, but keep the
> > > > Netty classes (NettyServerCnxnFactory and ClientCnxnSocketNetty) available
> > > > OR remove these classes from the codebase?
> > > >
> > > > The latter means we'll drop client SSL feature too.
> > > >
> > > >
> > > Say there is a new CVE on netty and it's not backported to netty3, what
> > > would we do in that case. I guess we could wait/kick the can down the road
> > > till we really hit that. For the moment just say that it doesn't affect us
> > > as you researched and add to 3.4 exceptions.
> > >
> > > This is just my suggestion/option rather than a recommendation, open to
> > > other ideas. ;-)
> > >
> > > Patrick
> > >
> > >
> > > > Andor
> > > >
> > > >
> > > >
> > > > > On 2019. Oct 2., at 2:27, Michael Han <hanm@apache.org> wrote:
> > > > >
> > > > > > > How about officially dropping netty support from 3.4 and asking
> > > > > > > people to move to the new version
> > > > > +1. This sounds like a good opportunity to deprecate the 3.4 branch.
> > > > >
> > > > > On Tue, Oct 1, 2019 at 8:00 AM Enrico Olivelli <eolivelli@gmail.com> wrote:
> > > > >
> > > > > > On Tue 1 Oct 2019 at 16:15 Patrick Hunt <phunt@apache.org> wrote:
> > > > > >
> > > > > > > Another option/solution: How about officially dropping netty support
> > > > > > > from 3.4 and asking people to move to the new version (3.5 stable or
> > > > > > > later)?
> > > > > >
> > > > > > Sounds good
> > > > > >
> > > > > > Enrico
> > > > > >
> > > > > >
> > > > > > > Patrick
> > > > > > >
> > > > > > > On Tue, Oct 1, 2019 at 4:22 AM Andor Molnar <andor@apache.org> wrote:
> > > > > > >
> > > > > > > > I agree that 3.4 should not be refactored in any way even for a
> > > > > > > > security fix.
> > > > > > > >
> > > > > > > > What's wrong with the "alpha story"?
> > > > > > > >
> > > > > > > > I think releasing in an early stage with "-alpha", "-beta" modifiers
> > > > > > > > is not a bad thing alone, as long as it doesn't take years to get to
> > > > > > > > the stable release.
> > > > > > > >
> > > > > > > > Andor
> > > > > > > >
> > > > > > > >
> > > > > > > > On Tue, 1 Oct 2019, Enrico Olivelli wrote:
> > > > > > > >
> > > > > > > > > Date: Tue, 1 Oct 2019 10:54:24 +0200
> > > > > > > > > From: Enrico Olivelli <eolivelli@gmail.com>
> > > > > > > > > Reply-To: dev@zookeeper.apache.org
> > > > > > > > > To: dev@zookeeper.apache.org
> > > > > > > > > Subject: Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
> > > > > > > > >
> > > > > > > > > On Tue 1 Oct 2019, 10:38 Andor Molnar <andor@apache.org> wrote:
> > > > > > > > >
> > > > > > > > > > Backporting Netty 4 would be a huge, cumbersome task, I hope we
> > > > > > > > > > don't have to do it.
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > > Yes, 3.4 is mature and stable and closed for refactors.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > > However I had a quick look at the details of this CVE and it seems
> > > > > > > > > > to me that it only affects the HTTP codec:
> > > > > > > > > >
> > > > > > > > > > https://github.com/netty/netty/commit/39cafcb05c99f2aa9fce7e6597664c9ed6a63a95
> > > > > > > > > >
> > > > > > > > > > Can't we just say 3.4.14 is not affected?
> > > > > > > > > > We're not running an HTTP server inside ZooKeeper.
> > > > > > > > > >
> > > > > > > > > > Otherwise we might be able to release 3.6.0-alpha1 now, put a date
> > > > > > > > > > for 3.4 EOL and highlight on the webpage that this
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > > Please do not start an 'alpha' story like for 3.5....
> > > > > > > > >
> > > > > > > > > > CVE probably won't be resolved on that branch, please upgrade to
> > > > > > > > > > 3.5.
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > > +1
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Enrico
> > > > > > > > >
> > > > > > > > > > As a third option we could ask Norman to kindly fix 3.10.6.Final
> > > > > > > > > > as well... or submit a PR ourselves, it doesn't seem to me a big
> > > > > > > > > > deal.
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > > Not so useful
> > > > > > > > >
> > > > > > > > > > What do you think?
> > > > > > > > > >
> > > > > > > > > > Andor
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > > On 2019. Oct 1., at 2:00, Patrick Hunt <phunt@apache.org> wrote:
> > > > > > > > > > >
> > > > > > > > > > > I pushed patches for 3.5 and trunk and the tests passed on my
> > > > > > > > > > > mac. However 3.4 is using netty 3.10.6.Final and as such it's
> > > > > > > > > > > not a simple upgrade. (there are no fixes against 3.10 for this
> > > > > > > > > > > CVE, at least not so far) Not sure what we want to do about
> > > > > > > > > > > this... someone would need to backport the netty 4.1 changes
> > > > > > > > > > > into 3.4 afaict.
> > > > > > > > > > >
> > > > > > > > > > > Patrick
> > > > > > > > > > >
> > > > > > > > > > > On Mon, Sep 30, 2019 at 1:08 PM Patrick Hunt <phunt@apache.org> wrote:
> > > > > > > > > > >
> > > > > > > > > > > > I'll work on it today.
> > > > > > > > > > > >
> > > > > > > > > > > > Patrick
> > > > > > > > > > > >
> > > > > > > > > > > > On Mon, Sep 30, 2019 at 11:59 AM Enrico Olivelli <eolivelli@gmail.com> wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > Okay
> > > > > > > > > > > > >
> > > > > > > > > > > > > I am cancelling the release.
> > > > > > > > > > > > >
> > > > > > > > > > > > > I have a problem with my box, I can't work on the netty upgrade.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Any volunteer?
> > > > > > > > > > > > >
> > > > > > > > > > > > > Enrico
> > > > > > > > > > > > >
> > > > > > > > > > > > > On Mon 30 Sep 2019, 20:32 Andor Molnar <andor@apache.org> wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > > The good news is: we need to release 3.4.15 too. :)
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Andor
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > On 2019. Sep 30., at 20:26, Patrick Hunt <phunt@apache.org> wrote:
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > created: https://issues.apache.org/jira/browse/ZOOKEEPER-3563
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > On Mon, Sep 30, 2019 at 11:20 AM Patrick Hunt <phunt@apache.org> wrote:
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > -1 - when I run dependency check on the release candidate
> > > > > > > > > > > > > > > > artifact it's failing with:
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > [ERROR] netty-transport-4.1.29.Final.jar: CVE-2019-16869
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > I ran this on trunk and it's passing, as such it must be an
> > > > > > > > > > > > > > > > issue with the 3.5.6 netty version specifically. It's listed
> > > > > > > > > > > > > > > > as a high, we should patch this as well before releasing.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Patrick
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > On Sun, Sep 29, 2019 at 7:29 AM Enrico Olivelli <eolivelli@gmail.com> wrote:
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > This is a bugfix release candidate for 3.5.6.
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > It fixes 28 issues, including upgrade of third party
> > > > > > > > > > > > > > > > > libraries, TTL Node APIs for C API, support for PKCS12
> > > > > > > > > > > > > > > > > Keystores, and better procedure for the upgrade of servers
> > > > > > > > > > > > > > > > > from 3.4 to 3.5.
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > The full release notes are available at:
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12345243
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > *** Please download, test and vote by October 2nd 2019,
> > > > > > > > > > > > > > > > > 23:59 UTC+0. ***
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > Source files:
> > > > > > > > > > > > > > > > > https://people.apache.org/~eolivelli/zookeeper-3.5.6-candidate-2
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > Maven staging repo:
> > > > > > > > > > > > > > > > > https://repository.apache.org/content/repositories/orgapachezookeeper-1042/
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > The release candidate tag in git to be voted upon:
> > > > > > > > > > > > > > > > > release-3.5.6-rc2
> > > > > > > > > > > > > > > > > https://github.com/apache/zookeeper/tree/release-3.5.6-rc2
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > ZooKeeper's KEYS file containing PGP keys we use to sign
> > > > > > > > > > > > > > > > > the release:
> > > > > > > > > > > > > > > > > https://www.apache.org/dist/zookeeper/KEYS
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > Should we release this candidate?
> > > > > > > > > > > > > > > > > Enrico Olivelli
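The thread above turns on two checks: Patrick's -1 comes from a dependency scanner (presumably OWASP dependency-check, whose `[ERROR] <jar>: <CVE>` line he quotes) failing the candidate on netty-transport-4.1.29.Final.jar while trunk passes, and Andor's counter-argument is that the fix commit only touches netty's HTTP codec, which ZooKeeper does not ship. The script below is an added example, not ZooKeeper project code and not anything posted in the thread. It assumes the layout of dependency-check's JSON report (`dependencies[].fileName` and `dependencies[].vulnerabilities[].name` / `.severity`), uses a constructed sample report and a constructed lib/ listing, and takes the CVE-to-module mapping (CVE-2019-16869 lives in `netty-codec-http`) from Andor's reading of the commit rather than verifying it here. It shows the three steps a release manager actually performs: gate on severity, diff the candidate's findings against a reference build, and check whether the module that carries the bug is bundled at all.

```python
"""Triage dependency-check findings against what a release really ships.

Added example for the 3.5.6 RC discussion; not ZooKeeper project code.
"""
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    jar: str        # fileName as dependency-check reports it
    cve: str        # vulnerability name, e.g. CVE-2019-16869
    severity: str   # dependency-check severity string, upper-cased


# Constructed sample: a dependency-check JSON report trimmed to the keys this
# script reads (dependencies[].fileName, dependencies[].vulnerabilities[].name
# and .severity); the real report carries many more fields per dependency.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "netty-transport-4.1.29.Final.jar",
         "vulnerabilities": [{"name": "CVE-2019-16869", "severity": "HIGH"}]},
        {"fileName": "netty-buffer-4.1.29.Final.jar"},
        {"fileName": "log4j-1.2.17.jar", "vulnerabilities": []},
    ]
})

# Constructed: jar names as `ls lib/` would print them in the unpacked candidate.
SAMPLE_LIB = [
    "netty-transport-4.1.29.Final.jar",
    "netty-buffer-4.1.29.Final.jar",
    "netty-common-4.1.29.Final.jar",
    "log4j-1.2.17.jar",
]

# Assumption, taken from Andor's reading of the upstream fix commit in the
# thread: the code changed for this CVE lives in netty's HTTP codec module.
# The scanner matches on the netty product and version, not the module, so
# this mapping is manual triage work and must be re-checked for every CVE.
AFFECTED_MODULES = {"CVE-2019-16869": {"netty-codec-http"}}

_JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.\-]*)\.jar$")


def artifact_id(jar_name):
    """Split 'netty-transport-4.1.29.Final.jar' into ('netty-transport', '4.1.29.Final')."""
    m = _JAR_RE.match(jar_name)
    if not m:
        raise ValueError(f"unrecognised jar name: {jar_name}")
    return m.group("artifact"), m.group("version")


def parse_report(report_json):
    """Flatten a dependency-check JSON report into one Finding per (jar, CVE)."""
    findings = []
    for dep in json.loads(report_json).get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            severity = str(vuln.get("severity", "UNKNOWN")).upper()
            findings.append(Finding(dep["fileName"], vuln["name"], severity))
    return findings


def gate(findings, fail_on=("HIGH", "CRITICAL")):
    """The release-blocking check: findings at or above the severity threshold."""
    return [f for f in findings if f.severity in fail_on]


def new_findings(candidate, reference):
    """Findings the candidate reports that a reference build (e.g. trunk) does not."""
    seen = {(f.jar, f.cve) for f in reference}
    return [f for f in candidate if (f.jar, f.cve) not in seen]


def triage(findings, shipped_jars, affected_modules):
    """Decide, per finding, whether the module that carries the bug is bundled.

    Returns a list of (finding, shipped_affected_jars, verdict). A CVE with
    no module mapping is treated as affected, which is the safe default.
    """
    shipped = {artifact_id(j)[0]: j for j in shipped_jars}
    out = []
    for f in findings:
        modules = affected_modules.get(f.cve)
        if modules is None:
            out.append((f, [], "unmapped: treat as affected, upgrade"))
            continue
        hit = sorted(shipped[m] for m in modules if m in shipped)
        if hit:
            verdict = "affected: upgrade before release"
        else:
            verdict = "not-shipped: vulnerable module absent, record as a documented exception"
        out.append((f, hit, verdict))
    return out


if __name__ == "__main__":
    rc = parse_report(SAMPLE_REPORT)
    for f, hit, verdict in triage(gate(rc), SAMPLE_LIB, AFFECTED_MODULES):
        print(f"{f.jar}: {f.cve} ({f.severity}) -> {verdict}; "
              f"affected modules shipped: {hit or 'none'}")
```

Run as-is it reports the sample finding as "not-shipped", which is Andor's position for 3.4; in practice feed it the `--format JSON` report from dependency-check and the lib/ listing of the unpacked candidate. Two caveats a reviewer should keep in mind: the absence of netty-codec-http from lib/ says nothing about what an embedding application puts on the classpath, so a "not-shipped" verdict is a documented exception rather than a clean bill of health; and the scanner keys on product and version, so it will keep failing the build until the exception is recorded where the build can see it (dependency-check's suppression file) or, as Patrick did for 3.5 and trunk, the dependency is upgraded.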

Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2

Posted by Andor Molnar <an...@apache.org>.
Looks like we only need some refactoring on the testing side:

testRaceBetweenSyncFlushAndZKShutdown() uses SimpleZooKeeperServer
class which is based on Netty and needs to be refactored to use NIO
instead.

Otherwise looks like a quite straightforward change.

+1 for removing from the codebase and release 3.4.15 without Netty.

Andor




Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2

Posted by Patrick Hunt <ph...@apache.org>.
On Wed, Oct 2, 2019 at 9:59 PM Brian Nixon <br...@gmail.com> wrote:

> NIO is still the default server factory so I'm guessing many users of 3.4
> simply aren't configuring Netty. And our recommendation for users who want
> Netty could be to upgrade to a 3.5 release as that should be better in
> every way for them.
>
> Is there a principle determining the difference between leaving the code
> available in 3.4 with a warning attached and removing the code entirely so
> that they would have to independently modify and package in order to use
> the feature?
>
>
Primarily/historically what I mentioned - we don't introduce major
features/changes (esp non-b/w compat) in fix releases.

Patrick


>
> On Wed, Oct 2, 2019 at 8:48 AM Patrick Hunt <ph...@apache.org> wrote:
>
> > On Wed, Oct 2, 2019 at 1:49 AM Andor Molnar <an...@apache.org> wrote:
> >
> > > Hi Pat,
> > >
> > > Would you please clarify what do you mean “dropping netty support from
> > > 3.4”?
> > >
> > >
> > My simplistic thought was just that. Ship new versions of 3.4 that remove
> > support for netty. That could mean turning if off by default (not sure
> how
> > much work that would be) or just purging the netty code from the codebase
> > entirely. (3.4). It would be an exception to our "don't break b/w compact
> > in fix releases" policy, but this is an extreme case imo. We have no
> > intention of supporting netty in 3.4 going forward as evidenced by the
> fact
> > that the netty version is locked to netty 3 (long out of support by netty
> > as they are no longer backporting fixes) and we have no intention of
> > updating to the new version of netty on 3.4. Maybe this CVE don't affect
> > us, but at some point it will. Users have the option to move to a stable,
> > b/w compat, 3.5. release. Not optimal I agree.
> >
> >
> > > Does that mean we won’t submit security patches from now on, but keep
> the
> > > Netty classes (NettyServerCnxnFactory and ClientCnxnSocketNetty)
> > available
> > > OR remove these classes from the codebase?
> > >
> > > The latter means we’ll drop client SSL feature too.
> > >
> > >
> > Say there is a new CVE on netty and it's not backported to netty3: what
> > would we do in that case? I guess we could wait/kick the can down the road
> > till we really hit that. For the moment just say that it doesn't affect us,
> > as you researched, and add to 3.4 exceptions.
> >
> > This is just my suggestion/option rather than a recommendation, open to
> > other ideas. ;-)
> >
> > Patrick
> >
> >
> > > Andor
> > >
> > >
> > >
> > > > On 2019. Oct 2., at 2:27, Michael Han <ha...@apache.org> wrote:
> > > >
> > > >>> How about officially dropping netty support from 3.4 and asking people
> > > >>> to move to the new version
> > > > +1. This sounds like a good opportunity to deprecate the 3.4 branch.
> > > >
> > > > On Tue, Oct 1, 2019 at 8:00 AM Enrico Olivelli <eo...@gmail.com>
> > > wrote:
> > > >
> > > >> On Tue, 1 Oct 2019 at 16:15 Patrick Hunt <phunt@apache.org>
> > > >> wrote:
> > > >>
> > > >>> Another option/solution: How about officially dropping netty
> support
> > > from
> > > >>> 3.4 and asking people to move to the new version (3.5 stable or
> > later)?
> > > >>>
> > > >>
> > > >> Sounds good
> > > >>
> > > >> Enrico
> > > >>
> > > >>
> > > >>>
> > > >>> Patrick
> > > >>>
> > > >>> On Tue, Oct 1, 2019 at 4:22 AM Andor Molnar <an...@apache.org>
> > wrote:
> > > >>>
> > > >>>> I agree that 3.4 should not be refactored in any way, even for a
> > > >>>> security fix.
> > > >>>>
> > > >>>> What's wrong with the "alpha story"?
> > > >>>>
> > > >>>> I think releasing in an early stage with "-alpha", "-beta"
> modifiers
> > > is
> > > >>>> not a bad thing alone, as long as it doesn't take years to get to
> > the
> > > >>>> stable release.
> > > >>>>
> > > >>>> Andor
> > > >>>>
> > > >>>>
> > > >>>> On Tue, 1 Oct 2019, Enrico Olivelli wrote:
> > > >>>>
> > > >>>>> Date: Tue, 1 Oct 2019 10:54:24 +0200
> > > >>>>> From: Enrico Olivelli <eo...@gmail.com>
> > > >>>>> Reply-To: dev@zookeeper.apache.org
> > > >>>>> To: dev@zookeeper.apache.org
> > > >>>>> Subject: Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
> > > >>>>>
> > > >>>>> On Tue, 1 Oct 2019, 10:38 Andor Molnar <an...@apache.org>
> > > >>>>> wrote:
> > > >>>>>
> > > >>>>>> Backporting Netty 4 would be a huge, cumbersome task, I hope we
> > > >> don’t
> > > >>>> have
> > > >>>>>> to do it.
> > > >>>>>>
> > > >>>>>
> > > >>>>> Yes, 3.4 is mature and stable and closed for refactors.
> > > >>>>>
> > > >>>>>
> > > >>>>>> However I had a quick look at the details of this CVE and it
> seems
> > > >> to
> > > >>> me
> > > >>>>>> that it only affects the HTTP codec:
> > > >>>>>>
> > > >>>>>>
> > > >>>>
> > > >>>
> > > >>
> > >
> >
> https://github.com/netty/netty/commit/39cafcb05c99f2aa9fce7e6597664c9ed6a63a95
> > > >>>>>>
> > > >>>>>> Can’t we just say 3.4.14 is not affected?
> > > >>>>>> We’re not running an HTTP server inside ZooKeeper.
> > > >>>>>>
> > > >>>>>> Otherwise we might be able to release 3.6.0-alpha1 now, put a
> date
> > > >> for
> > > >>>> 3.4
> > > >>>>>> EOL and highlight on the webpage that this
> > > >>>>>>
> > > >>>>>
> > > >>>>> Please do not start an 'alpha' story like for 3.5....
> > > >>>>>
> > > >>>>> CVE probably won’t be resolved on that branch, please upgrade to
> > 3.5.
> > > >>>>>>
> > > >>>>>
> > > >>>>> +1
> > > >>>>>
> > > >>>>>
> > > >>>>> Enrico
> > > >>>>>
> > > >>>>>>
> > > >>>>>> As a third option we could ask Norman to kindly fix 3.10.6.Final
> > as
> > > >>>> well…
> > > >>>>>> or submit a PR ourselves, it doesn’t seem to me a big deal.
> > > >>>>>>
> > > >>>>>
> > > >>>>> Not so useful
> > > >>>>>
> > > >>>>>>
> > > >>>>>> What do you think?
> > > >>>>>>
> > > >>>>>> Andor
> > > >>>>>>
> > > >>>>>>
> > > >>>>>>
> > > >>>>>>
> > > >>>>>>> On 2019. Oct 1., at 2:00, Patrick Hunt <ph...@apache.org>
> wrote:
> > > >>>>>>>
> > > >>>>>>> I pushed patches for 3.5 and trunk and the tests passed on my
> > mac.
> > > >>>>>> However
> > > >>>>>>> 3.4 is using netty 3.10.6.Final and as such it's not a simple
> > > >>> upgrade.
> > > >>>>>>> (there are no fixes against 3.10 for this CVE, at least not so
> > far)
> > > >>> Not
> > > >>>>>>> sure what we want to do about this... someone would need to
> > > >> backport
> > > >>>> the
> > > >>>>>>> netty 4.1 changes into 3.4 afaict.
> > > >>>>>>>
> > > >>>>>>> Patrick
> > > >>>>>>>
> > > >>>>>>> On Mon, Sep 30, 2019 at 1:08 PM Patrick Hunt <phunt@apache.org
> >
> > > >>> wrote:
> > > >>>>>>>
> > > >>>>>>>> I'll work on it today.
> > > >>>>>>>>
> > > >>>>>>>> Patrick
> > > >>>>>>>>
> > > >>>>>>>> On Mon, Sep 30, 2019 at 11:59 AM Enrico Olivelli <
> > > >>> eolivelli@gmail.com
> > > >>>>>
> > > >>>>>>>> wrote:
> > > >>>>>>>>
> > > >>>>>>>>> Okay
> > > >>>>>>>>>
> > > >>>>>>>>> I am cancelling the release.
> > > >>>>>>>>>
> > > >>>>>>>>> I have a problem with my box, I can't work on netty upgrade.
> > > >>>>>>>>>
> > > >>>>>>>>> Any volunteer?
> > > >>>>>>>>>
> > > >>>>>>>>> Enrico
> > > >>>>>>>>>
> > > >>>>>>>>> On Mon, 30 Sep 2019, 20:32 Andor Molnar <an...@apache.org>
> > > >>>>>>>>> wrote:
> > > >>>>>>>>>
> > > >>>>>>>>>> The good news is: we need to release 3.4.15 too. :)
> > > >>>>>>>>>>
> > > >>>>>>>>>> Andor
> > > >>>>>>>>>>
> > > >>>>>>>>>>
> > > >>>>>>>>>>
> > > >>>>>>>>>>> On 2019. Sep 30., at 20:26, Patrick Hunt <phunt@apache.org
> >
> > > >>> wrote:
> > > >>>>>>>>>>>
> > > >>>>>>>>>>> created:
> > https://issues.apache.org/jira/browse/ZOOKEEPER-3563
> > > >>>>>>>>>>>
> > > >>>>>>>>>>> On Mon, Sep 30, 2019 at 11:20 AM Patrick Hunt <
> > > >> phunt@apache.org>
> > > >>>>>>>>> wrote:
> > > >>>>>>>>>>>
> > > >>>>>>>>>>>> -1 - when I run dependency check on the release candidate
> > > >>> artifact
> > > >>>>>>>>> it's
> > > >>>>>>>>>>>> failing with:
> > > >>>>>>>>>>>>
> > > >>>>>>>>>>>> [ERROR] netty-transport-4.1.29.Final.jar: CVE-2019-16869
> > > >>>>>>>>>>>>
> > > >>>>>>>>>>>> I ran this on trunk and it's passing, as such it must be
> an
> > > >>> issue
> > > >>>>>>>>> with
> > > >>>>>>>>>> the
> > > >>>>>>>>>>>> the 3.5.6 netty version specifically. It's listed as a
> high,
> > > >> we
> > > >>>>>>>>> should
> > > >>>>>>>>>>>> patch this as well before releasing.
> > > >>>>>>>>>>>>
> > > >>>>>>>>>>>> Patrick
> > > >>>>>>>>>>>>
> > > >>>>>>>>>>>>
> > > >>>>>>>>>>>> On Sun, Sep 29, 2019 at 7:29 AM Enrico Olivelli <
> > > >>>>>> eolivelli@gmail.com
> > > >>>>>>>>>>
> > > >>>>>>>>>>>> wrote:
> > > >>>>>>>>>>>>
> > > >>>>>>>>>>>>> This is a bugfix release candidate for 3.5.6.
> > > >>>>>>>>>>>>>
> > > >>>>>>>>>>>>> It fixes 28 issues, including upgrade of third party
> > > >> libraries,
> > > >>>>>>>>>>>>> TTL Node APIs for C API, support for PKCS12 Keystores,
> and
> > > >>> better
> > > >>>>>>>>>>>>> procedure
> > > >>>>>>>>>>>>> for the upgrade of servers from 3.4 to 3.5.
> > > >>>>>>>>>>>>>
> > > >>>>>>>>>>>>> The full release notes are available at:
> > > >>>>>>>>>>>>>
> > > >>>>>>>>>>>>>
> > > >>>>>>>>>>>>>
> > > >>>>>>>>>>
> > > >>>>>>>>>
> > > >>>>>>
> > > >>>>
> > > >>>
> > > >>
> > >
> >
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12345243
> > > >>>>>>>>>>>>>
> > > >>>>>>>>>>>>> *** Please download, test and vote by October 2nd 2019,
> > 23:59
> > > >>>>>> UTC+0.
> > > >>>>>>>>>> ***
> > > >>>>>>>>>>>>>
> > > >>>>>>>>>>>>> Source files:
> > > >>>>>>>>>>>>>
> > > >>> https://people.apache.org/~eolivelli/zookeeper-3.5.6-candidate-2
> > > >>>>>>>>>>>>>
> > > >>>>>>>>>>>>> Maven staging repo:
> > > >>>>>>>>>>>>>
> > > >>>>>>>>>>>>>
> > > >>>>>>>>>>
> > > >>>>>>>>>
> > > >>>>>>
> > > >>>>
> > > >>>
> > > >>
> > >
> >
> https://repository.apache.org/content/repositories/orgapachezookeeper-1042/
> > > >>>>>>>>>>>>>
> > > >>>>>>>>>>>>> The release candidate tag in git to be voted upon:
> > > >>>>>> release-3.5.6-rc2
> > > >>>>>>>>>>>>>
> https://github.com/apache/zookeeper/tree/release-3.5.6-rc2
> > > >>>>>>>>>>>>>
> > > >>>>>>>>>>>>> ZooKeeper's KEYS file containing PGP keys we use to sign
> > the
> > > >>>>>>>>> release:
> > > >>>>>>>>>>>>> https://www.apache.org/dist/zookeeper/KEYS
> > > >>>>>>>>>>>>>
> > > >>>>>>>>>>>>> Should we release this candidate?
> > > >>>>>>>>>>>>> Enrico Olivelli
> > > >>>>>>>>>>>>>
> > > >>>>>>>>>>>>
> > > >>>>>>>>>>
> > > >>>>>>>>>>
> > > >>>>>>>>>
> > > >>>>>>>>
> > > >>>>>>
> > > >>>>>>
> > > >>>>>
> > > >>>
> > > >>
> > >
> > >
> >
>

Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2

Posted by Brian Nixon <br...@gmail.com>.
NIO is still the default server factory so I'm guessing many users of 3.4
simply aren't configuring Netty. And our recommendation for users who want
Netty could be to upgrade to a 3.5 release as that should be better in
every way for them.

Is there a principle determining the difference between leaving the code
available in 3.4 with a warning attached and removing the code entirely so
that they would have to independently modify and package in order to use
the feature?


On Wed, Oct 2, 2019 at 8:48 AM Patrick Hunt <ph...@apache.org> wrote:

> On Wed, Oct 2, 2019 at 1:49 AM Andor Molnar <an...@apache.org> wrote:
>
> > Hi Pat,
> >
> > Would you please clarify what you mean by “dropping netty support from
> > 3.4”?
> >
> >
> My simplistic thought was just that. Ship new versions of 3.4 that remove
> support for netty. That could mean turning it off by default (not sure how
> much work that would be) or just purging the netty code from the codebase
> entirely (3.4). It would be an exception to our "don't break b/w compat
> in fix releases" policy, but this is an extreme case imo. We have no
> intention of supporting netty in 3.4 going forward, as evidenced by the fact
> that the netty version is locked to netty 3 (long out of support by netty,
> as they are no longer backporting fixes) and we have no intention of
> updating to the new version of netty on 3.4. Maybe this CVE doesn't affect
> us, but at some point it will. Users have the option to move to a stable,
> b/w compat 3.5 release. Not optimal, I agree.
>
>
> > Does that mean we won’t submit security patches from now on, but keep the
> > Netty classes (NettyServerCnxnFactory and ClientCnxnSocketNetty)
> available
> > OR remove these classes from the codebase?
> >
> > The latter means we’ll drop client SSL feature too.
> >
> >
> Say there is a new CVE on netty and it's not backported to netty3: what
> would we do in that case? I guess we could wait/kick the can down the road
> till we really hit that. For the moment just say that it doesn't affect us,
> as you researched, and add to 3.4 exceptions.
>
> This is just my suggestion/option rather than a recommendation, open to
> other ideas. ;-)
>
> Patrick
>
>
> > Andor
> >
> >
> >
> > > On 2019. Oct 2., at 2:27, Michael Han <ha...@apache.org> wrote:
> > >
> > >>> How about officially dropping netty support from 3.4 and asking people
> > >>> to move to the new version
> > > +1. This sounds like a good opportunity to deprecate the 3.4 branch.
> > >
> > > On Tue, Oct 1, 2019 at 8:00 AM Enrico Olivelli <eo...@gmail.com>
> > wrote:
> > >
> > >> On Tue, 1 Oct 2019 at 16:15 Patrick Hunt <phunt@apache.org>
> > >> wrote:
> > >>
> > >>> Another option/solution: How about officially dropping netty support
> > from
> > >>> 3.4 and asking people to move to the new version (3.5 stable or
> later)?
> > >>>
> > >>
> > >> Sounds good
> > >>
> > >> Enrico
> > >>
> > >>
> > >>>
> > >>> Patrick
> > >>>
> > >>> On Tue, Oct 1, 2019 at 4:22 AM Andor Molnar <an...@apache.org>
> wrote:
> > >>>
> > >>>> I agree that 3.4 should not be refactored in any way, even for a
> > >>>> security fix.
> > >>>>
> > >>>> What's wrong with the "alpha story"?
> > >>>>
> > >>>> I think releasing in an early stage with "-alpha", "-beta" modifiers
> > is
> > >>>> not a bad thing alone, as long as it doesn't take years to get to
> the
> > >>>> stable release.
> > >>>>
> > >>>> Andor
> > >>>>
> > >>>>
> > >>>> On Tue, 1 Oct 2019, Enrico Olivelli wrote:
> > >>>>
> > >>>>> Date: Tue, 1 Oct 2019 10:54:24 +0200
> > >>>>> From: Enrico Olivelli <eo...@gmail.com>
> > >>>>> Reply-To: dev@zookeeper.apache.org
> > >>>>> To: dev@zookeeper.apache.org
> > >>>>> Subject: Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
> > >>>>>
> > >>>>> On Tue, 1 Oct 2019, 10:38 Andor Molnar <an...@apache.org>
> > >>>>> wrote:
> > >>>>>
> > >>>>>> Backporting Netty 4 would be a huge, cumbersome task, I hope we
> > >> don’t
> > >>>> have
> > >>>>>> to do it.
> > >>>>>>
> > >>>>>
> > >>>>> Yes, 3.4 is mature and stable and closed for refactors.
> > >>>>>
> > >>>>>
> > >>>>>> However I had a quick look at the details of this CVE and it seems
> > >> to
> > >>> me
> > >>>>>> that it only affects the HTTP codec:
> > >>>>>>
> > >>>>>>
> > >>>>
> > >>>
> > >>
> >
> https://github.com/netty/netty/commit/39cafcb05c99f2aa9fce7e6597664c9ed6a63a95
> > >>>>>>
> > >>>>>> Can’t we just say 3.4.14 is not affected?
> > >>>>>> We’re not running an HTTP server inside ZooKeeper.
> > >>>>>>
> > >>>>>> Otherwise we might be able to release 3.6.0-alpha1 now, put a date
> > >> for
> > >>>> 3.4
> > >>>>>> EOL and highlight on the webpage that this
> > >>>>>>
> > >>>>>
> > >>>>> Please do not start an 'alpha' story like for 3.5....
> > >>>>>
> > >>>>> CVE probably won’t be resolved on that branch, please upgrade to
> 3.5.
> > >>>>>>
> > >>>>>
> > >>>>> +1
> > >>>>>
> > >>>>>
> > >>>>> Enrico
> > >>>>>
> > >>>>>>
> > >>>>>> As a third option we could ask Norman to kindly fix 3.10.6.Final
> as
> > >>>> well…
> > >>>>>> or submit a PR ourselves, it doesn’t seem to me a big deal.
> > >>>>>>
> > >>>>>
> > >>>>> Not so useful
> > >>>>>
> > >>>>>>
> > >>>>>> What do you think?
> > >>>>>>
> > >>>>>> Andor
> > >>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>>> On 2019. Oct 1., at 2:00, Patrick Hunt <ph...@apache.org> wrote:
> > >>>>>>>
> > >>>>>>> I pushed patches for 3.5 and trunk and the tests passed on my
> mac.
> > >>>>>> However
> > >>>>>>> 3.4 is using netty 3.10.6.Final and as such it's not a simple
> > >>> upgrade.
> > >>>>>>> (there are no fixes against 3.10 for this CVE, at least not so
> far)
> > >>> Not
> > >>>>>>> sure what we want to do about this... someone would need to
> > >> backport
> > >>>> the
> > >>>>>>> netty 4.1 changes into 3.4 afaict.
> > >>>>>>>
> > >>>>>>> Patrick
> > >>>>>>>
> > >>>>>>> On Mon, Sep 30, 2019 at 1:08 PM Patrick Hunt <ph...@apache.org>
> > >>> wrote:
> > >>>>>>>
> > >>>>>>>> I'll work on it today.
> > >>>>>>>>
> > >>>>>>>> Patrick
> > >>>>>>>>
> > >>>>>>>> On Mon, Sep 30, 2019 at 11:59 AM Enrico Olivelli <
> > >>> eolivelli@gmail.com
> > >>>>>
> > >>>>>>>> wrote:
> > >>>>>>>>
> > >>>>>>>>> Okay
> > >>>>>>>>>
> > >>>>>>>>> I am cancelling the release.
> > >>>>>>>>>
> > >>>>>>>>> I have a problem with my box, I can't work on netty upgrade.
> > >>>>>>>>>
> > >>>>>>>>> Any volunteer?
> > >>>>>>>>>
> > >>>>>>>>> Enrico
> > >>>>>>>>>
> > >>>>>>>>> On Mon, 30 Sep 2019, 20:32 Andor Molnar <an...@apache.org>
> > >>>>>>>>> wrote:
> > >>>>>>>>>
> > >>>>>>>>>> The good news is: we need to release 3.4.15 too. :)
> > >>>>>>>>>>
> > >>>>>>>>>> Andor
> > >>>>>>>>>>
> > >>>>>>>>>>
> > >>>>>>>>>>
> > >>>>>>>>>>> On 2019. Sep 30., at 20:26, Patrick Hunt <ph...@apache.org>
> > >>> wrote:
> > >>>>>>>>>>>
> > >>>>>>>>>>> created:
> https://issues.apache.org/jira/browse/ZOOKEEPER-3563
> > >>>>>>>>>>>
> > >>>>>>>>>>> On Mon, Sep 30, 2019 at 11:20 AM Patrick Hunt <
> > >> phunt@apache.org>
> > >>>>>>>>> wrote:
> > >>>>>>>>>>>
> > >>>>>>>>>>>> -1 - when I run dependency check on the release candidate
> > >>> artifact
> > >>>>>>>>> it's
> > >>>>>>>>>>>> failing with:
> > >>>>>>>>>>>>
> > >>>>>>>>>>>> [ERROR] netty-transport-4.1.29.Final.jar: CVE-2019-16869
> > >>>>>>>>>>>>
> > >>>>>>>>>>>> I ran this on trunk and it's passing, as such it must be an
> > >>> issue
> > >>>>>>>>> with
> > >>>>>>>>>> the
> > >>>>>>>>>>>> the 3.5.6 netty version specifically. It's listed as a high,
> > >> we
> > >>>>>>>>> should
> > >>>>>>>>>>>> patch this as well before releasing.
> > >>>>>>>>>>>>
> > >>>>>>>>>>>> Patrick
> > >>>>>>>>>>>>
> > >>>>>>>>>>>>
> > >>>>>>>>>>>> On Sun, Sep 29, 2019 at 7:29 AM Enrico Olivelli <
> > >>>>>> eolivelli@gmail.com
> > >>>>>>>>>>
> > >>>>>>>>>>>> wrote:
> > >>>>>>>>>>>>
> > >>>>>>>>>>>>> This is a bugfix release candidate for 3.5.6.
> > >>>>>>>>>>>>>
> > >>>>>>>>>>>>> It fixes 28 issues, including upgrade of third party
> > >> libraries,
> > >>>>>>>>>>>>> TTL Node APIs for C API, support for PKCS12 Keystores, and
> > >>> better
> > >>>>>>>>>>>>> procedure
> > >>>>>>>>>>>>> for the upgrade of servers from 3.4 to 3.5.
> > >>>>>>>>>>>>>
> > >>>>>>>>>>>>> The full release notes are available at:
> > >>>>>>>>>>>>>
> > >>>>>>>>>>>>>
> > >>>>>>>>>>>>>
> > >>>>>>>>>>
> > >>>>>>>>>
> > >>>>>>
> > >>>>
> > >>>
> > >>
> >
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12345243
> > >>>>>>>>>>>>>
> > >>>>>>>>>>>>> *** Please download, test and vote by October 2nd 2019,
> 23:59
> > >>>>>> UTC+0.
> > >>>>>>>>>> ***
> > >>>>>>>>>>>>>
> > >>>>>>>>>>>>> Source files:
> > >>>>>>>>>>>>>
> > >>> https://people.apache.org/~eolivelli/zookeeper-3.5.6-candidate-2
> > >>>>>>>>>>>>>
> > >>>>>>>>>>>>> Maven staging repo:
> > >>>>>>>>>>>>>
> > >>>>>>>>>>>>>
> > >>>>>>>>>>
> > >>>>>>>>>
> > >>>>>>
> > >>>>
> > >>>
> > >>
> >
> https://repository.apache.org/content/repositories/orgapachezookeeper-1042/
> > >>>>>>>>>>>>>
> > >>>>>>>>>>>>> The release candidate tag in git to be voted upon:
> > >>>>>> release-3.5.6-rc2
> > >>>>>>>>>>>>> https://github.com/apache/zookeeper/tree/release-3.5.6-rc2
> > >>>>>>>>>>>>>
> > >>>>>>>>>>>>> ZooKeeper's KEYS file containing PGP keys we use to sign
> the
> > >>>>>>>>> release:
> > >>>>>>>>>>>>> https://www.apache.org/dist/zookeeper/KEYS
> > >>>>>>>>>>>>>
> > >>>>>>>>>>>>> Should we release this candidate?
> > >>>>>>>>>>>>> Enrico Olivelli
> > >>>>>>>>>>>>>
> > >>>>>>>>>>>>
> > >>>>>>>>>>
> > >>>>>>>>>>
> > >>>>>>>>>
> > >>>>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>
> > >>>
> > >>
> >
> >
>

Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2

Posted by Patrick Hunt <ph...@apache.org>.
On Wed, Oct 2, 2019 at 1:49 AM Andor Molnar <an...@apache.org> wrote:

> Hi Pat,
>
> Would you please clarify what you mean by “dropping netty support from
> 3.4”?
>
>
My simplistic thought was just that. Ship new versions of 3.4 that remove
support for netty. That could mean turning it off by default (not sure how
much work that would be) or just purging the netty code from the codebase
entirely (3.4). It would be an exception to our "don't break b/w compat
in fix releases" policy, but this is an extreme case imo. We have no
intention of supporting netty in 3.4 going forward, as evidenced by the fact
that the netty version is locked to netty 3 (long out of support by netty,
as they are no longer backporting fixes) and we have no intention of
updating to the new version of netty on 3.4. Maybe this CVE doesn't affect
us, but at some point it will. Users have the option to move to a stable,
b/w compat 3.5 release. Not optimal, I agree.


> Does that mean we won’t submit security patches from now on, but keep the
> Netty classes (NettyServerCnxnFactory and ClientCnxnSocketNetty) available
> OR remove these classes from the codebase?
>
> The latter means we’ll drop client SSL feature too.
>
>
Say there is a new CVE on netty and it's not backported to netty3: what
would we do in that case? I guess we could wait/kick the can down the road
till we really hit that. For the moment just say that it doesn't affect us,
as you researched, and add to 3.4 exceptions.

This is just my suggestion/option rather than a recommendation, open to
other ideas. ;-)

Patrick


> Andor
>
>
>
> > On 2019. Oct 2., at 2:27, Michael Han <ha...@apache.org> wrote:
> >
> >>> How about officially dropping netty support from 3.4 and asking people
> >>> to move to the new version
> > +1. This sounds like a good opportunity to deprecate the 3.4 branch.
> >
> > On Tue, Oct 1, 2019 at 8:00 AM Enrico Olivelli <eo...@gmail.com>
> wrote:
> >
> >> On Tue, 1 Oct 2019 at 16:15 Patrick Hunt <ph...@apache.org>
> >> wrote:
> >>
> >>> Another option/solution: How about officially dropping netty support
> from
> >>> 3.4 and asking people to move to the new version (3.5 stable or later)?
> >>>
> >>
> >> Sounds good
> >>
> >> Enrico
> >>
> >>
> >>>
> >>> Patrick
> >>>
> >>> On Tue, Oct 1, 2019 at 4:22 AM Andor Molnar <an...@apache.org> wrote:
> >>>
> >>>> I agree that 3.4 should not be refactored in any way, even for a
> >>>> security fix.
> >>>>
> >>>> What's wrong with the "alpha story"?
> >>>>
> >>>> I think releasing in an early stage with "-alpha", "-beta" modifiers
> is
> >>>> not a bad thing alone, as long as it doesn't take years to get to the
> >>>> stable release.
> >>>>
> >>>> Andor
> >>>>
> >>>>
> >>>> On Tue, 1 Oct 2019, Enrico Olivelli wrote:
> >>>>
> >>>>> Date: Tue, 1 Oct 2019 10:54:24 +0200
> >>>>> From: Enrico Olivelli <eo...@gmail.com>
> >>>>> Reply-To: dev@zookeeper.apache.org
> >>>>> To: dev@zookeeper.apache.org
> >>>>> Subject: Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
> >>>>>
> >>>>> On Tue, 1 Oct 2019, 10:38 Andor Molnar <an...@apache.org> wrote:
> >>>>>
> >>>>>> Backporting Netty 4 would be a huge, cumbersome task, I hope we
> >> don’t
> >>>> have
> >>>>>> to do it.
> >>>>>>
> >>>>>
> >>>>> Yes, 3.4 is mature and stable and closed for refactors.
> >>>>>
> >>>>>
> >>>>>> However I had a quick look at the details of this CVE and it seems
> >> to
> >>> me
> >>>>>> that it only affects the HTTP codec:
> >>>>>>
> >>>>>>
> >>>>
> >>>
> >>
> https://github.com/netty/netty/commit/39cafcb05c99f2aa9fce7e6597664c9ed6a63a95
> >>>>>>
> >>>>>> Can’t we just say 3.4.14 is not affected?
> >>>>>> We’re not running an HTTP server inside ZooKeeper.
> >>>>>>
> >>>>>> Otherwise we might be able to release 3.6.0-alpha1 now, put a date
> >> for
> >>>> 3.4
> >>>>>> EOL and highlight on the webpage that this
> >>>>>>
> >>>>>
> >>>>> Please do not start an 'alpha' story like for 3.5....
> >>>>>
> >>>>> CVE probably won’t be resolved on that branch, please upgrade to 3.5.
> >>>>>>
> >>>>>
> >>>>> +1
> >>>>>
> >>>>>
> >>>>> Enrico
> >>>>>
> >>>>>>
> >>>>>> As a third option we could ask Norman to kindly fix 3.10.6.Final as
> >>>> well…
> >>>>>> or submit a PR ourselves, it doesn’t seem to me a big deal.
> >>>>>>
> >>>>>
> >>>>> Not so useful
> >>>>>
> >>>>>>
> >>>>>> What do you think?
> >>>>>>
> >>>>>> Andor
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>> On 2019. Oct 1., at 2:00, Patrick Hunt <ph...@apache.org> wrote:
> >>>>>>>
> >>>>>>> I pushed patches for 3.5 and trunk and the tests passed on my mac.
> >>>>>> However
> >>>>>>> 3.4 is using netty 3.10.6.Final and as such it's not a simple
> >>> upgrade.
> >>>>>>> (there are no fixes against 3.10 for this CVE, at least not so far)
> >>> Not
> >>>>>>> sure what we want to do about this... someone would need to
> >> backport
> >>>> the
> >>>>>>> netty 4.1 changes into 3.4 afaict.
> >>>>>>>
> >>>>>>> Patrick
> >>>>>>>
> >>>>>>> On Mon, Sep 30, 2019 at 1:08 PM Patrick Hunt <ph...@apache.org>
> >>> wrote:
> >>>>>>>
> >>>>>>>> I'll work on it today.
> >>>>>>>>
> >>>>>>>> Patrick
> >>>>>>>>
> >>>>>>>> On Mon, Sep 30, 2019 at 11:59 AM Enrico Olivelli <
> >>> eolivelli@gmail.com
> >>>>>
> >>>>>>>> wrote:
> >>>>>>>>
> >>>>>>>>> Okay
> >>>>>>>>>
> >>>>>>>>> I am cancelling the release.
> >>>>>>>>>
> >>>>>>>>> I have a problem with my box, I can't work on netty upgrade.
> >>>>>>>>>
> >>>>>>>>> Any volunteer?
> >>>>>>>>>
> >>>>>>>>> Enrico
> >>>>>>>>>
> >>>>>>>>> On Mon, 30 Sep 2019, 20:32 Andor Molnar <an...@apache.org>
> >>>>>>>>> wrote:
> >>>>>>>>>
> >>>>>>>>>> The good news is: we need to release 3.4.15 too. :)
> >>>>>>>>>>
> >>>>>>>>>> Andor
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>> On 2019. Sep 30., at 20:26, Patrick Hunt <ph...@apache.org>
> >>> wrote:
> >>>>>>>>>>>
> >>>>>>>>>>> created: https://issues.apache.org/jira/browse/ZOOKEEPER-3563
> >>>>>>>>>>>
> >>>>>>>>>>> On Mon, Sep 30, 2019 at 11:20 AM Patrick Hunt <
> >> phunt@apache.org>
> >>>>>>>>> wrote:
> >>>>>>>>>>>
> >>>>>>>>>>>> -1 - when I run dependency check on the release candidate
> >>> artifact
> >>>>>>>>> it's
> >>>>>>>>>>>> failing with:
> >>>>>>>>>>>>
> >>>>>>>>>>>> [ERROR] netty-transport-4.1.29.Final.jar: CVE-2019-16869
> >>>>>>>>>>>>
> >>>>>>>>>>>> I ran this on trunk and it's passing, as such it must be an
> >>> issue
> >>>>>>>>> with
> >>>>>>>>>> the
> >>>>>>>>>>>> the 3.5.6 netty version specifically. It's listed as a high,
> >> we
> >>>>>>>>> should
> >>>>>>>>>>>> patch this as well before releasing.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Patrick
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>> On Sun, Sep 29, 2019 at 7:29 AM Enrico Olivelli <
> >>>>>> eolivelli@gmail.com
> >>>>>>>>>>
> >>>>>>>>>>>> wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>>> This is a bugfix release candidate for 3.5.6.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> It fixes 28 issues, including upgrade of third party
> >> libraries,
> >>>>>>>>>>>>> TTL Node APIs for C API, support for PKCS12 Keystores, and
> >>> better
> >>>>>>>>>>>>> procedure
> >>>>>>>>>>>>> for the upgrade of servers from 3.4 to 3.5.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> The full release notes are available at:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>
> >>>>>>
> >>>>
> >>>
> >>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12345243
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> *** Please download, test and vote by October 2nd 2019, 23:59
> >>>>>> UTC+0.
> >>>>>>>>>> ***
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Source files:
> >>>>>>>>>>>>>
> >>> https://people.apache.org/~eolivelli/zookeeper-3.5.6-candidate-2
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Maven staging repo:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>
> >>>>>>
> >>>>
> >>>
> >>
> https://repository.apache.org/content/repositories/orgapachezookeeper-1042/
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> The release candidate tag in git to be voted upon:
> >>>>>> release-3.5.6-rc2
> >>>>>>>>>>>>> https://github.com/apache/zookeeper/tree/release-3.5.6-rc2
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> ZooKeeper's KEYS file containing PGP keys we use to sign the
> >>>>>>>>> release:
> >>>>>>>>>>>>> https://www.apache.org/dist/zookeeper/KEYS
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Should we release this candidate?
> >>>>>>>>>>>>> Enrico Olivelli
> >>>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>
> >>>>>>>>
> >>>>>>
> >>>>>>
> >>>>>
> >>>
> >>
>
>

Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2

Posted by Andor Molnar <an...@apache.org>.
Hi Pat,

Would you please clarify what you mean by “dropping netty support from 3.4”?

Does that mean we won’t submit security patches from now on, but keep the Netty classes (NettyServerCnxnFactory and ClientCnxnSocketNetty) available OR remove these classes from the codebase?

The latter means we’ll drop client SSL feature too.

Andor



> On 2019. Oct 2., at 2:27, Michael Han <ha...@apache.org> wrote:
> 
>>> How about officially dropping netty support from 3.4 and asking people
>>> to move to the new version
> +1. This sounds like a good opportunity to deprecate the 3.4 branch.
> 
> On Tue, Oct 1, 2019 at 8:00 AM Enrico Olivelli <eo...@gmail.com> wrote:
> 
>> On Tue, 1 Oct 2019 at 16:15 Patrick Hunt <ph...@apache.org>
>> wrote:
>> 
>>> Another option/solution: How about officially dropping netty support from
>>> 3.4 and asking people to move to the new version (3.5 stable or later)?
>>> 
>> 
>> Sounds good
>> 
>> Enrico
>> 
>> 
>>> 
>>> Patrick
>>> 
>>> On Tue, Oct 1, 2019 at 4:22 AM Andor Molnar <an...@apache.org> wrote:
>>> 
>>>> I agree that 3.4 should not be refactored in any way, even for a
>>>> security fix.
>>>> 
>>>> What's wrong with the "alpha story"?
>>>> 
>>>> I think releasing in an early stage with "-alpha", "-beta" modifiers is
>>>> not a bad thing alone, as long as it doesn't take years to get to the
>>>> stable release.
>>>> 
>>>> Andor
>>>> 
>>>> 
>>>> On Tue, 1 Oct 2019, Enrico Olivelli wrote:
>>>> 
>>>>> Date: Tue, 1 Oct 2019 10:54:24 +0200
>>>>> From: Enrico Olivelli <eo...@gmail.com>
>>>>> Reply-To: dev@zookeeper.apache.org
>>>>> To: dev@zookeeper.apache.org
>>>>> Subject: Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
>>>>> 
>>>>> On Tue, 1 Oct 2019, 10:38 Andor Molnar <an...@apache.org> wrote:
>>>>> 
>>>>>> Backporting Netty 4 would be a huge, cumbersome task, I hope we
>> don’t
>>>> have
>>>>>> to do it.
>>>>>> 
>>>>> 
>>>>> Yes, 3.4 is mature and stable and closed for refactors.
>>>>> 
>>>>> 
>>>>>> However I had a quick look at the details of this CVE and it seems
>> to
>>> me
>>>>>> that it only affects the HTTP codec:
>>>>>> 
>>>>>> 
>>>> 
>>> 
>> https://github.com/netty/netty/commit/39cafcb05c99f2aa9fce7e6597664c9ed6a63a95
>>>>>> 
>>>>>> Can’t we just say 3.4.14 is not affected?
>>>>>> We’re not running an HTTP server inside ZooKeeper.
>>>>>> 
>>>>>> Otherwise we might be able to release 3.6.0-alpha1 now, put a date
>> for
>>>> 3.4
>>>>>> EOL and highlight on the webpage that this
>>>>>> 
>>>>> 
>>>>> Please do not start an 'alpha' story like for 3.5....
>>>>> 
>>>>> CVE probably won’t be resolved on that branch, please upgrade to 3.5.
>>>>>> 
>>>>> 
>>>>> +1
>>>>> 
>>>>> 
>>>>> Enrico
>>>>> 
>>>>>> 
>>>>>> As a third option we could ask Norman to kindly fix 3.10.6.Final as
>>>> well…
>>>>>> or submit a PR ourselves, it doesn’t seem to me a big deal.
>>>>>> 
>>>>> 
>>>>> Not so useful
>>>>> 
>>>>>> 
>>>>>> What do you think?
>>>>>> 
>>>>>> Andor
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>>> On 2019. Oct 1., at 2:00, Patrick Hunt <ph...@apache.org> wrote:
>>>>>>> 
>>>>>>> I pushed patches for 3.5 and trunk and the tests passed on my mac.
>>>>>> However
>>>>>>> 3.4 is using netty 3.10.6.Final and as such it's not a simple
>>> upgrade.
>>>>>>> (there are no fixes against 3.10 for this CVE, at least not so far)
>>> Not
>>>>>>> sure what we want to do about this... someone would need to
>> backport
>>>> the
>>>>>>> netty 4.1 changes into 3.4 afaict.
>>>>>>> 
>>>>>>> Patrick
>>>>>>> 
>>>>>>> On Mon, Sep 30, 2019 at 1:08 PM Patrick Hunt <ph...@apache.org>
>>> wrote:
>>>>>>> 
>>>>>>>> I'll work on it today.
>>>>>>>> 
>>>>>>>> Patrick
>>>>>>>> 
>>>>>>>> On Mon, Sep 30, 2019 at 11:59 AM Enrico Olivelli <
>>> eolivelli@gmail.com
>>>>> 
>>>>>>>> wrote:
>>>>>>>> 
>>>>>>>>> Okay
>>>>>>>>> 
>>>>>>>>> I am cancelling the release.
>>>>>>>>> 
>>>>>>>>> I have a problem with my box, I can't work on netty upgrade.
>>>>>>>>> 
>>>>>>>>> Any volunteer?
>>>>>>>>> 
>>>>>>>>> Enrico
>>>>>>>>> 
>>>>>>>>> On Mon, 30 Sep 2019, 20:32 Andor Molnar <an...@apache.org>
>>>>>>>>> wrote:
>>>>>>>>> 
>>>>>>>>>> The good news is: we need to release 3.4.15 too. :)
>>>>>>>>>> 
>>>>>>>>>> Andor
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>>> On 2019. Sep 30., at 20:26, Patrick Hunt <ph...@apache.org>
>>> wrote:
>>>>>>>>>>> 
>>>>>>>>>>> created: https://issues.apache.org/jira/browse/ZOOKEEPER-3563
>>>>>>>>>>> 
>>>>>>>>>>> On Mon, Sep 30, 2019 at 11:20 AM Patrick Hunt <
>> phunt@apache.org>
>>>>>>>>> wrote:
>>>>>>>>>>> 
>>>>>>>>>>>> -1 - when I run dependency check on the release candidate
>>> artifact
>>>>>>>>> it's
>>>>>>>>>>>> failing with:
>>>>>>>>>>>> 
>>>>>>>>>>>> [ERROR] netty-transport-4.1.29.Final.jar: CVE-2019-16869
>>>>>>>>>>>> 
>>>>>>>>>>>> I ran this on trunk and it's passing, as such it must be an
>>> issue
>>>>>>>>> with
>>>>>>>>>> the
>>>>>>>>>>>> the 3.5.6 netty version specifically. It's listed as a high,
>> we
>>>>>>>>> should
>>>>>>>>>>>> patch this as well before releasing.
>>>>>>>>>>>> 
>>>>>>>>>>>> Patrick
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> On Sun, Sep 29, 2019 at 7:29 AM Enrico Olivelli <
>>>>>> eolivelli@gmail.com
>>>>>>>>>> 
>>>>>>>>>>>> wrote:
>>>>>>>>>>>> 
>>>>>>>>>>>>> This is a bugfix release candidate for 3.5.6.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> It fixes 28 issues, including upgrade of third party
>> libraries,
>>>>>>>>>>>>> TTL Node APIs for C API, support for PKCS12 Keystores, and
>>> better
>>>>>>>>>>>>> procedure
>>>>>>>>>>>>> for the upgrade of servers from 3.4 to 3.5.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> The full release notes are available at:
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>> 
>>>>>> 
>>>> 
>>> 
>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12345243
>>>>>>>>>>>>> 
>>>>>>>>>>>>> *** Please download, test and vote by October 2nd 2019, 23:59 UTC+0. ***
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Source files:
>>>>>>>>>>>>> https://people.apache.org/~eolivelli/zookeeper-3.5.6-candidate-2
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Maven staging repo:
>>>>>>>>>>>>> https://repository.apache.org/content/repositories/orgapachezookeeper-1042/
>>>>>>>>>>>>> 
>>>>>>>>>>>>> The release candidate tag in git to be voted upon: release-3.5.6-rc2
>>>>>>>>>>>>> https://github.com/apache/zookeeper/tree/release-3.5.6-rc2
>>>>>>>>>>>>> 
>>>>>>>>>>>>> ZooKeeper's KEYS file containing PGP keys we use to sign the release:
>>>>>>>>>>>>> https://www.apache.org/dist/zookeeper/KEYS
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Should we release this candidate?
>>>>>>>>>>>>> Enrico Olivelli
>>>>>>>>>>>>> 


Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2

Posted by Michael Han <ha...@apache.org>.
>> How about officially dropping netty support from 3.4 and asking people
>> to move to the new version
+1. This sounds like a good opportunity to deprecate the 3.4 branch.

On Tue, Oct 1, 2019 at 8:00 AM Enrico Olivelli <eo...@gmail.com> wrote:

> On Tue, 1 Oct 2019 at 16:15 Patrick Hunt <ph...@apache.org> wrote:
>
> > Another option/solution: How about officially dropping netty support from
> > 3.4 and asking people to move to the new version (3.5 stable or later)?
> >
>
> Sounds good
>
> Enrico
>
>
> >
> > Patrick
> >
> > On Tue, Oct 1, 2019 at 4:22 AM Andor Molnar <an...@apache.org> wrote:
> >
> > > I agree that 3.4 should not be refactored in any way even for a security
> > > fix.
> > >
> > > What's wrong with the "alpha story"?
> > >
> > > I think releasing in an early stage with "-alpha", "-beta" modifiers is
> > > not a bad thing alone, as long as it doesn't take years to get to the
> > > stable release.
> > >
> > > Andor
> > >
> > >
> > > On Tue, 1 Oct 2019, Enrico Olivelli wrote:
> > >
> > > > Date: Tue, 1 Oct 2019 10:54:24 +0200
> > > > From: Enrico Olivelli <eo...@gmail.com>
> > > > Reply-To: dev@zookeeper.apache.org
> > > > To: dev@zookeeper.apache.org
> > > > Subject: Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
> > > >
> > > > On Tue, 1 Oct 2019, 10:38 Andor Molnar <an...@apache.org> wrote:
> > > >
> > > >> Backporting Netty 4 would be a huge, cumbersome task, I hope we don’t have
> > > >> to do it.
> > > >>
> > > >
> > > > Yes, 3.4 is mature and stable and closed for refactors.
> > > >
> > > >
> > > >> However I had a quick look at the details of this CVE and it seems to me
> > > >> that it only affects the HTTP codec:
> > > >> https://github.com/netty/netty/commit/39cafcb05c99f2aa9fce7e6597664c9ed6a63a95
> > > >>
> > > >> Can’t we just say 3.4.14 is not affected?
> > > >> We’re not running HTTP server inside ZooKeeper.
> > > >>
> > > >> Otherwise we might be able to release 3.6.0-alpha1 now, put a date for 3.4
> > > >> EOL and highlight on the webpage that this
> > > >>
> > > >
> > > > Please do not start an 'alpha' story like for 3.5....
> > > >
> > > >> CVE probably won’t be resolved on that branch, please upgrade to 3.5.
> > > >>
> > > >
> > > > +1
> > > >
> > > >
> > > > Enrico
> > > >
> > > >>
> > > >> As a third option we could ask Norman to kindly fix 3.10.6.Final as well…
> > > >> or submit a PR ourselves, it doesn’t seem to me a big deal.
> > > >>
> > > >
> > > > Not so useful
> > > >
> > > >>
> > > >> What do you think?
> > > >>
> > > >> Andor
> > > >>
> > > >>
> > > >>
> > > >>
> > > >>> On 2019. Oct 1., at 2:00, Patrick Hunt <ph...@apache.org> wrote:
> > > >>>
> > > >>> I pushed patches for 3.5 and trunk and the tests passed on my mac. However
> > > >>> 3.4 is using netty 3.10.6.Final and as such it's not a simple upgrade.
> > > >>> (there are no fixes against 3.10 for this CVE, at least not so far) Not
> > > >>> sure what we want to do about this... someone would need to backport the
> > > >>> netty 4.1 changes into 3.4 afaict.
> > > >>>
> > > >>> Patrick
> > > >>>
> > > >>> On Mon, Sep 30, 2019 at 1:08 PM Patrick Hunt <ph...@apache.org> wrote:
> > > >>>
> > > >>>> I'll work on it today.
> > > >>>>
> > > >>>> Patrick
> > > >>>>
> > > >>>> On Mon, Sep 30, 2019 at 11:59 AM Enrico Olivelli <eolivelli@gmail.com>
> > > >>>> wrote:
> > > >>>>
> > > >>>>> Okay
> > > >>>>>
> > > >>>>> I am cancelling the release.
> > > >>>>>
> > > >>>>> I have a problem with my box, I can't work on netty upgrade.
> > > >>>>>
> > > >>>>> Any volunteer?
> > > >>>>>
> > > >>>>> Enrico
> > > >>>>>
> > > >>>>> On Mon, 30 Sep 2019, 20:32 Andor Molnar <an...@apache.org> wrote:
> > > >>>>>
> > > >>>>>> The good news is: we need to release 3.4.15 too. :)
> > > >>>>>>
> > > >>>>>> Andor
> > > >>>>>>
> > > >>>>>>
> > > >>>>>>
> > > >>>>>>> On 2019. Sep 30., at 20:26, Patrick Hunt <ph...@apache.org> wrote:
> > > >>>>>>>
> > > >>>>>>> created: https://issues.apache.org/jira/browse/ZOOKEEPER-3563
> > > >>>>>>>
> > > >>>>>>> On Mon, Sep 30, 2019 at 11:20 AM Patrick Hunt <phunt@apache.org> wrote:
> > > >>>>>>>
> > > >>>>>>>> -1 - when I run dependency check on the release candidate artifact it's
> > > >>>>>>>> failing with:
> > > >>>>>>>>
> > > >>>>>>>> [ERROR] netty-transport-4.1.29.Final.jar: CVE-2019-16869
> > > >>>>>>>>
> > > >>>>>>>> I ran this on trunk and it's passing, as such it must be an issue with
> > > >>>>>>>> the 3.5.6 netty version specifically. It's listed as a high, we should
> > > >>>>>>>> patch this as well before releasing.
> > > >>>>>>>>
> > > >>>>>>>> Patrick
> > > >>>>>>>>
> > > >>>>>>>>
> > > >>>>>>>> On Sun, Sep 29, 2019 at 7:29 AM Enrico Olivelli <eolivelli@gmail.com>
> > > >>>>>>>> wrote:
> > > >>>>>>>>
> > > >>>>>>>>> This is a bugfix release candidate for 3.5.6.
> > > >>>>>>>>>
> > > >>>>>>>>> It fixes 28 issues, including upgrade of third party libraries,
> > > >>>>>>>>> TTL Node APIs for C API, support for PKCS12 Keystores, and better
> > > >>>>>>>>> procedure for the upgrade of servers from 3.4 to 3.5.
> > > >>>>>>>>>
> > > >>>>>>>>> The full release notes are available at:
> > > >>>>>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12345243
> > > >>>>>>>>>
> > > >>>>>>>>> *** Please download, test and vote by October 2nd 2019, 23:59 UTC+0. ***
> > > >>>>>>>>>
> > > >>>>>>>>> Source files:
> > > >>>>>>>>> https://people.apache.org/~eolivelli/zookeeper-3.5.6-candidate-2
> > > >>>>>>>>>
> > > >>>>>>>>> Maven staging repo:
> > > >>>>>>>>> https://repository.apache.org/content/repositories/orgapachezookeeper-1042/
> > > >>>>>>>>>
> > > >>>>>>>>> The release candidate tag in git to be voted upon: release-3.5.6-rc2
> > > >>>>>>>>> https://github.com/apache/zookeeper/tree/release-3.5.6-rc2
> > > >>>>>>>>>
> > > >>>>>>>>> ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> > > >>>>>>>>> https://www.apache.org/dist/zookeeper/KEYS
> > > >>>>>>>>>
> > > >>>>>>>>> Should we release this candidate?
> > > >>>>>>>>> Enrico Olivelli
> > > >>>>>>>>>

Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2

Posted by Enrico Olivelli <eo...@gmail.com>.
On Tue, 1 Oct 2019 at 16:15 Patrick Hunt <ph...@apache.org> wrote:

> Another option/solution: How about officially dropping netty support from
> 3.4 and asking people to move to the new version (3.5 stable or later)?
>

Sounds good

Enrico


>
> Patrick
>

Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2

Posted by Patrick Hunt <ph...@apache.org>.
Another option/solution: How about officially dropping netty support from
3.4 and asking people to move to the new version (3.5 stable or later)?

Patrick

On Tue, Oct 1, 2019 at 4:22 AM Andor Molnar <an...@apache.org> wrote:

> I agree that 3.4 should not be refactored in any way even for a security
> fix.
>
> What's wrong with the "alpha story"?
>
> I think releasing in an early stage with "-alpha", "-beta" modifiers is
> not a bad thing alone, as long as it doesn't take years to get to the
> stable release.
>
> Andor
>

Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2

Posted by Andor Molnar <an...@apache.org>.
I agree that 3.4 should not be refactored in any way even for a security
fix.

What's wrong with the "alpha story"?

I think releasing in an early stage with "-alpha", "-beta" modifiers is 
not a bad thing alone, as long as it doesn't take years to get to the 
stable release.

Andor


On Tue, 1 Oct 2019, Enrico Olivelli wrote:

> Date: Tue, 1 Oct 2019 10:54:24 +0200
> From: Enrico Olivelli <eo...@gmail.com>
> Reply-To: dev@zookeeper.apache.org
> To: dev@zookeeper.apache.org
> Subject: Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
> 
> On Tue, 1 Oct 2019, 10:38 Andor Molnar <an...@apache.org> wrote:
>
>> Backporting Netty 4 would be a huge, cumbersome task, I hope we don’t have
>> to do it.
>>
>
> Yes, 3.4 is mature and stable and closed for refactors.
>
>
>> However I had a quick look at the details of this CVE and it seems to me
>> that it only affects the HTTP codec:
>>
>> https://github.com/netty/netty/commit/39cafcb05c99f2aa9fce7e6597664c9ed6a63a95
>>
>> Can’t we just say 3.4.14 is not affected?
>> We’re not running HTTP server inside ZooKeeper.
>>
>> Otherwise we might be able to release 3.6.0-alpha1 now, put a date for 3.4
>> EOL and highlight on the webpage that this
>>
>
> Please do not start an 'alpha' story like for 3.5....
>
>> CVE probably won’t be resolved on that branch, please upgrade to 3.5.
>>
>
> +1
>
>
> Enrico
>
>>
>> As a third option we could ask Norman to kindly fix 3.10.6.Final as well…
>> or submit a PR ourselves, it doesn’t seem to me a big deal.
>>
>
> Not so useful
>
>>
>> What do you think?
>>
>> Andor
>>

Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2

Posted by Enrico Olivelli <eo...@gmail.com>.
On Tue, 1 Oct 2019, 10:38 Andor Molnar <an...@apache.org> wrote:

> Backporting Netty 4 would be a huge, cumbersome task, I hope we don’t have
> to do it.
>

Yes, 3.4 is mature and stable and closed for refactors.


> However I had a quick look at the details of this CVE and it seems to me
> that it only affects the HTTP codec:
>
> https://github.com/netty/netty/commit/39cafcb05c99f2aa9fce7e6597664c9ed6a63a95
>
> Can’t we just say 3.4.14 is not affected?
> We’re not running HTTP server inside ZooKeeper.
>
> Otherwise we might be able to release 3.6.0-alpha1 now, put a date for 3.4
> EOL and highlight on the webpage that this
>

Please do not start an 'alpha' story like for 3.5....

> CVE probably won’t be resolved on that branch, please upgrade to 3.5.
>

+1


Enrico

>
> As a third option we could ask Norman to kindly fix 3.10.6.Final as well…
> or submit a PR ourselves, it doesn’t seem to me a big deal.
>

Not so useful

>
> What do you think?
>
> Andor

Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2

Posted by Andor Molnar <an...@apache.org>.
Backporting Netty 4 would be a huge, cumbersome task, I hope we don’t have to do it.

However I had a quick look at the details of this CVE and it seems to me that it only affects the HTTP codec:
https://github.com/netty/netty/commit/39cafcb05c99f2aa9fce7e6597664c9ed6a63a95

Can’t we just say 3.4.14 is not affected?
We’re not running HTTP server inside ZooKeeper.

Otherwise we might be able to release 3.6.0-alpha1 now, put a date for 3.4 EOL and highlight on the webpage that this 
CVE probably won’t be resolved on that branch, please upgrade to 3.5.

As a third option we could ask Norman to kindly fix 3.10.6.Final as well… or submit a PR ourselves, it doesn’t seem to me a big deal.

What do you think?

Andor




> On 2019. Oct 1., at 2:00, Patrick Hunt <ph...@apache.org> wrote:
> 
> I pushed patches for 3.5 and trunk and the tests passed on my mac. However
> 3.4 is using netty 3.10.6.Final and as such it's not a simple upgrade.
> (there are no fixes against 3.10 for this CVE, at least not so far) Not
> sure what we want to do about this... someone would need to backport the
> netty 4.1 changes into 3.4 afaict.
> 
> Patrick
> 
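The two checks the thread argues about, the bundled netty version against the upstream fix and whether the HTTP codec that the linked fix commit touches is on the classpath at all, as an added example in Python. It is not ZooKeeper project code and was not posted in the thread. It assumes the upstream fix for CVE-2019-16869 is Netty 4.1.42.Final, that no fixed 3.x release exists (as Patrick states above), and that the classes io.netty.handler.codec.http.HttpObjectDecoder (Netty 4) and org.jboss.netty.handler.codec.http.HttpMessageDecoder (Netty 3) are usable markers for the codec; the lib/ directories it scans are constructed in a temp dir, not real distributions.

```python
"""Triage a dependency-check hit on a bundled netty jar (added example, not
ZooKeeper code): is the netty version below the upstream fix for
CVE-2019-16869, and is netty's HTTP codec, the only code the fix commit
touches, on the classpath at all? A version-based scanner answers only the first."""
import os
import re
import tempfile
import zipfile

# Upstream fix for CVE-2019-16869 shipped in Netty 4.1.42.Final. The 3.x line
# has no fixed release (as the thread notes), so 3.x is reported as such.
FIX_VERSION = "4.1.42.Final"

# netty-<artifact>-<version>[.<qualifier>][-<classifier>].jar
JAR_RE = re.compile(r"^(?P<artifact>netty(?:-[a-z0-9]+)*?)"
                    r"-(?P<version>\d+(?:\.\d+)+(?:\.[A-Za-z][A-Za-z0-9]*)?)"
                    r"(?:-[a-z0-9_-]+)?\.jar$")

# Either class present means the vulnerable header parser is loadable:
# Netty 4 ships it in netty-codec-http, Netty 3 inside its single jar.
HTTP_CODEC_MARKERS = ("io/netty/handler/codec/http/HttpObjectDecoder.class",
                      "org/jboss/netty/handler/codec/http/HttpMessageDecoder.class")

def parse_jar_name(name):
    """Return (artifact, version) for a netty jar file name, else None."""
    m = JAR_RE.match(name)
    return (m.group("artifact"), m.group("version")) if m else None

def version_key(version):
    """Sortable key for '4.1.29.Final'; Final outranks pre-release qualifiers."""
    parts = version.split(".")
    nums = []
    for p in parts:
        if not p.isdigit():
            break
        nums.append(int(p))
    qualifier = ".".join(parts[len(nums):])
    return (tuple(nums), 1 if qualifier in ("", "Final") else 0)

def cve_2019_16869_status(version):
    """'fixed', 'vulnerable', or 'no_fix_in_line' for a netty version string."""
    key = version_key(version)
    if key[0][0] < 4:
        return "no_fix_in_line"
    return "fixed" if key >= version_key(FIX_VERSION) else "vulnerable"

def jar_has_http_codec(jar_path):
    """True if the jar contains one of the HTTP codec marker classes."""
    with zipfile.ZipFile(jar_path) as zf:
        names = zf.namelist()
    return any(m in names for m in HTTP_CODEC_MARKERS)

def triage_lib_dir(lib_dir):
    """Scan every jar in lib_dir: netty version status plus HTTP codec presence."""
    findings, codec_jars = [], []
    for name in sorted(os.listdir(lib_dir)):
        if not name.endswith(".jar"):
            continue
        if jar_has_http_codec(os.path.join(lib_dir, name)):
            codec_jars.append(name)  # any jar, not just netty's, may bundle it
        parsed = parse_jar_name(name)
        if parsed and not parsed[0].startswith("netty-tcnative"):  # own versioning
            findings.append({"jar": name, "version": parsed[1],
                             "status": cve_2019_16869_status(parsed[1])})
    return {"findings": findings,
            "flagged": [f for f in findings if f["status"] != "fixed"],
            "http_codec_jars": codec_jars}

def verdict(report):
    """Collapse a report into the decision the release manager needs."""
    if not report["flagged"]:
        return "clean"
    if not report["http_codec_jars"]:
        return "flagged-but-codec-absent"  # scanner hit, parser not loadable
    return "flagged-and-codec-present"     # upgrade or drop netty

# Constructed fixtures (hypothetical lib/ contents, not real distributions);
# empty .class entries are enough to exercise the checks above.
FIXTURES = {
    "3.5.6-rc2-like": {
        "netty-transport-4.1.29.Final.jar": ["io/netty/channel/Channel.class"],
        "some-other-lib-1.0.jar": ["org/example/Other.class"]},
    "3.4-like": {
        "netty-3.10.6.Final.jar": [
            "org/jboss/netty/channel/Channel.class",
            "org/jboss/netty/handler/codec/http/HttpMessageDecoder.class"]},
}

def run_demo():
    """Build each fixture in a temp dir and triage it; returns {label: verdict}."""
    results = {}
    for label, jars in FIXTURES.items():
        with tempfile.TemporaryDirectory() as lib_dir:
            for name, entries in jars.items():
                with zipfile.ZipFile(os.path.join(lib_dir, name), "w") as zf:
                    for entry in entries:
                        zf.writestr(entry, b"")
            report = triage_lib_dir(lib_dir)
            results[label] = verdict(report)
            print(label, [(f["jar"], f["status"]) for f in report["flagged"]],
                  report["http_codec_jars"], "->", results[label])
    return results

if __name__ == "__main__":
    run_demo()
```

Run it as a script, or point triage_lib_dir() at the lib/ directory of an unpacked release tarball. Absence of the codec classes is a necessary condition for "not affected", not proof of it in the other direction: for the 3.4-style single netty jar the classes are present whether or not ZooKeeper wires an HTTP pipeline, so the classpath check is inconclusive there and the argument has to be made at code level, as Andor does above. Where a fixed version exists (the 3.5 and trunk case) the version bump is the fix and the codec check is only triage information.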