Posted to dev@bookkeeper.apache.org by Yong Zhang <yo...@apache.org> on 2021/08/13 06:59:37 UTC

[DISCUSS] Release 4.14.2

Hi,

We have changed BouncyCastle in this PR
https://github.com/apache/bookkeeper/pull/2631,
which introduces an incompatibility issue. Details:
https://github.com/apache/pulsar/issues/10937.

This also blocks users from upgrading their charts to Pulsar 2.8.0
https://github.com/apache/pulsar-helm-chart/pull/130

We have fixed it in https://github.com/apache/bookkeeper/pull/2740,
so I want to start a new release of bookkeeper to unblock the users.

If there are no objections, I'll move forward with the patch release.

Thanks,
Yong

Re: [DISCUSS] Release 4.14.2

Posted by Yong Zhang <zh...@gmail.com>.
That's because my Maven version is too old. Using Maven 3.8.1 will work.
So it's not an issue for the current release. Let's start validating RC1
of 4.14.2!

Thanks for Enrico's help!

Thanks,
Yong

On Wed, 18 Aug 2021 at 21:34, Yong Zhang <zh...@gmail.com> wrote:

> Looks like we have CI to run it when pushing commits to the branch.
> Here is the branch-4.14 CI status:
> https://github.com/apache/bookkeeper/runs/3356954459,
> the license check passed on it.
>
> But when I build bookkeeper and run `dev/check-all-licenses` on
> my laptop, it failed.
> I tried it with the master branch and branch-4.14; they are all failing.
>
> Here is the error:
> ```
> ++ dirname dev/check-all-licenses
> + HERE=dev
> + BOOKKEEPER_DIST=dev/../bookkeeper-dist
> + dev/check-binary-license dev/../bookkeeper-dist/server/target/bookkeeper-server-4.14.2-SNAPSHOT-bin.tar.gz
> io.netty-netty-transport-native-epoll-4.1.63.Final.jar unaccounted for in LICENSE
>
> It looks like there are issues with the LICENSE/NOTICE in dev/../bookkeeper-dist/server/target/bookkeeper-server-4.14.2-SNAPSHOT-bin.tar.gz.
> See http://bookkeeper.apache.org/community/licensing for details on how to fix.
> ```
>
> Have you seen this before?
>
> Yong

Re: [DISCUSS] Release 4.14.2

Posted by Yong Zhang <zh...@gmail.com>.
Looks like we have CI to run it when pushing commits to the branch.
Here is the branch-4.14 CI status:
https://github.com/apache/bookkeeper/runs/3356954459,
the license check passed on it.

But when I build bookkeeper and run `dev/check-all-licenses` on my
laptop, it failed.
I tried it with the master branch and branch-4.14; they are all failing.

Here is the error:
```
++ dirname dev/check-all-licenses
+ HERE=dev
+ BOOKKEEPER_DIST=dev/../bookkeeper-dist
+ dev/check-binary-license dev/../bookkeeper-dist/server/target/bookkeeper-server-4.14.2-SNAPSHOT-bin.tar.gz
io.netty-netty-transport-native-epoll-4.1.63.Final.jar unaccounted for in LICENSE

It looks like there are issues with the LICENSE/NOTICE in dev/../bookkeeper-dist/server/target/bookkeeper-server-4.14.2-SNAPSHOT-bin.tar.gz.
See http://bookkeeper.apache.org/community/licensing for details on how to fix.
```

Have you seen this before?

Yong


On Wed, 18 Aug 2021 at 18:25, Enrico Olivelli <eo...@gmail.com> wrote:

> On Wed, 18 Aug 2021 at 11:08, Yong Zhang <zhangyong1025.zy@gmail.com> wrote:
>
> > Do you mean the apache-rat check? I just ran it and it looks good.
> >
>
> see here
>
> https://github.com/apache/bookkeeper/blob/master/.github/workflows/pr-validation.yml#L54
>
> dev/check-all-licenses
>
> usually we run it against every PR but it is not running for cherry-picks
>
> I suggest you run that tool before preparing the new RC; this way we
> will save some -1 because of license file issues.
> Probably there is no problem actually, but I wanted to let you know about
> this topic
>
>
> Enrico

Re: [DISCUSS] Release 4.14.2

Posted by Enrico Olivelli <eo...@gmail.com>.
On Wed, 18 Aug 2021 at 11:08, Yong Zhang <zhangyong1025.zy@gmail.com> wrote:

> Do you mean the apache-rat check? I just ran it and it looks good.
>

see here
https://github.com/apache/bookkeeper/blob/master/.github/workflows/pr-validation.yml#L54

dev/check-all-licenses

usually we run it against every PR but it is not running for cherry-picks

I suggest you run that tool before preparing the new RC; this way we
will save some -1 because of license file issues.
Probably there is no problem actually, but I wanted to let you know about
this topic


Enrico


Re: [DISCUSS] Release 4.14.2

Posted by Yong Zhang <zh...@gmail.com>.
Do you mean the apache-rat check? I just ran it and it looks good.

On Wed, 18 Aug 2021 at 14:48, Enrico Olivelli <eo...@gmail.com> wrote:

> Yong,
> did you run the license check after cherry picking?
>
> Enrico

Re: [DISCUSS] Release 4.14.2

Posted by Enrico Olivelli <eo...@gmail.com>.
Yong,
did you run the license check after cherry picking?

Enrico

On Wed, 18 Aug 2021 at 02:57, Yong Zhang <zhangyong1025.zy@gmail.com> wrote:

> I have cherry-picked them[1] into the branch-4.14. Will roll out a new RC.
>
> [1]
>
> https://github.com/apache/bookkeeper/pulls?q=is%3Apr+label%3Arelease%2F4.14.2+is%3Aclosed
>
> Yong

Re: [DISCUSS] Release 4.14.2

Posted by Yong Zhang <zh...@gmail.com>.
I have cherry-picked them[1] into the branch-4.14. Will roll out a new RC.

[1]
https://github.com/apache/bookkeeper/pulls?q=is%3Apr+label%3Arelease%2F4.14.2+is%3Aclosed

Yong

On Wed, 18 Aug 2021 at 08:44, Yong Zhang <zh...@gmail.com> wrote:

> I saw there are some other security PRs; should we include them in this
> release?
>
>
> https://github.com/apache/bookkeeper/pulls?q=is%3Apr+SECURITY+is%3Aclosed+milestone%3A4.15.0
>
> Yong

Re: [DISCUSS] Release 4.14.2

Posted by Yong Zhang <zh...@gmail.com>.
I saw there are some other security PRs; should we include them in this
release?

https://github.com/apache/bookkeeper/pulls?q=is%3Apr+SECURITY+is%3Aclosed+milestone%3A4.15.0

Yong

On Wed, 18 Aug 2021 at 00:01, Enrico Olivelli <eo...@gmail.com> wrote:

> good point Flavio
> the PR that fixed that problem has been merged only on master branch
> (4.15.0)
> https://github.com/apache/bookkeeper/pull/2693
>
> it is a good motivation to roll out a new RC IMHO,
> the PR is already merged to another branch, it is only a matter of cherry
> picking
>
> Enrico

Re: [DISCUSS] Release 4.14.2

Posted by Enrico Olivelli <eo...@gmail.com>.
good point Flavio
the PR that fixed that problem has been merged only on master branch
(4.15.0)
https://github.com/apache/bookkeeper/pull/2693

it is a good motivation to roll out a new RC IMHO,
the PR is already merged to another branch, it is only a matter of cherry
picking

Enrico

On Tue, 17 Aug 2021 at 17:53, Flavio Junqueira <fp...@apache.org> wrote:

> It sounds like there are more vulnerabilities that can be addressed with
> upgrades:
>
> https://github.com/apache/bookkeeper/issues/2511
>
> Do we want to proceed with 4.14.2 and consider a 4.14.3 that addresses
> other vulnerabilities or try to address as many as we are aware of? I'm
> asking because I'm already seeing an RC out.
>
> Thanks,
> -Flavio

Re: [DISCUSS] Release 4.14.2

Posted by Flavio Junqueira <fp...@apache.org>.
It sounds like there are more vulnerabilities that can be addressed with upgrades:

https://github.com/apache/bookkeeper/issues/2511

Do we want to proceed with 4.14.2 and consider a 4.14.3 that addresses other vulnerabilities or try to address as many as we are aware of? I'm asking because I'm already seeing an RC out.

Thanks,
-Flavio

> On 17 Aug 2021, at 07:59, Sijie Guo <gu...@gmail.com> wrote:
> 
> +1


Re: [DISCUSS] Release 4.14.2

Posted by Sijie Guo <gu...@gmail.com>.
+1

On Thu, Aug 12, 2021 at 11:59 PM Yong Zhang <yo...@apache.org> wrote:
>
> Hi,
>
> We have changed BouncyCastle in this PR
> https://github.com/apache/bookkeeper/pull/2631,
> which introduces an incompatibility issue. Details:
> https://github.com/apache/pulsar/issues/10937.
>
> This also blocks users from upgrading their charts to Pulsar 2.8.0
> https://github.com/apache/pulsar-helm-chart/pull/130
>
> We have fixed it in https://github.com/apache/bookkeeper/pull/2740,
> so I want to start a new release of bookkeeper to unblock the users.
>
> If there are no objections, I'll move forward with the patch release.
>
> Thanks,
> Yong

Re: [DISCUSS] Release 4.14.2

Posted by Lothruin Mirwen <lo...@gmail.com>.
I ran tests with the latest 4.14.2 sources and I didn't find any problems
regarding bouncycastle. Previously, with 4.14.1, I failed to upgrade BK artifacts
due to bc fips introduced in 4.14.0. :)

Thank you
Diego

On Fri, 13 Aug 2021 at 10:42, Enrico Olivelli <eolivelli@gmail.com> wrote:

> Yong,
> I was going to send this email. Perfect timing!
>
> +1 to cutting the release asap
>
> Please note that there are a few dependency upgrade PRs related to
> security issues, explicitly the upgrade of libthrift.
>
> Please verify that all security patches are in and that they have been
> cherry picked to branch 4.14
>
> We aren't cutting releases often and when it happens it is better to
> resolve every known security report
>
> Thank you!
> Enrico

Re: [DISCUSS] Release 4.14.2

Posted by Enrico Olivelli <eo...@gmail.com>.
Yong,
I was going to send this email. Perfect timing!

+1 to cutting the release asap

Please note that there are a few dependency upgrade PRs related to
security issues, explicitly the upgrade of libthrift.

Please verify that all security patches are in and that they have been
cherry picked to branch 4.14

We aren't cutting releases often and when it happens it is better to
resolve every known security report

Thank you!
Enrico

On Fri, 13 Aug 2021, 08:59 Yong Zhang <yo...@apache.org> wrote:

> Hi,
>
> We have changed BouncyCastle in this PR
> https://github.com/apache/bookkeeper/pull/2631,
> which introduces an incompatibility issue. Details:
> https://github.com/apache/pulsar/issues/10937.
>
> This also blocks users from upgrading their charts to Pulsar 2.8.0
> https://github.com/apache/pulsar-helm-chart/pull/130
>
> We have fixed it in https://github.com/apache/bookkeeper/pull/2740,
> so I want to start a new release of bookkeeper to unblock the users.
>
> If there are no objections, I'll move forward with the patch release.
>
> Thanks,
> Yong
>