Removing Netty support from branch-3.4

[Andor Molnar <an...@apache.org>]

Hi ZK users / devs,

ZooKeeper branch-3.4 is still on Netty 3 which is not maintained by the Netty team anymore. There’s no intention of updating it on our side, hence we’re planning to remove it from the codebase completely and ask existing users to upgrade to 3.5, if they still want to use Netty. 3.5 is a much better option anyway in various aspects: Netty 4 performs better, TLS support in both quorum and client communication, etc.

The default stack in 3.4 is NIO, so our gut feeling is that the impact on our existing users is low, however the most important effect of this change is probably the loss of encrypted client connections.

Please share your thoughts about this change and let us know if upgrading to 3.5 is not possible in your use case.

Tracking Jira: https://issues.apache.org/jira/browse/ZOOKEEPER-3568

Regards,
Andor

Re: Removing Netty support from branch-3.4

[Patrick Hunt <ph...@apache.org>]

On Fri, Oct 4, 2019 at 9:14 AM Enrico Olivelli <eo...@gmail.com> wrote:

> The release branch 3.4 is frozen and we should cut new releases only for
> important security reasons or other important issues for users that cannot
> upgrade to 3.5.
>
> Given that 3.5 is now the suggested version and the upgrade path is simple
> I think there is no need to put effort into this activity.
>
> Is there any other valid reason for not using 3.4 + Netty in production ?
> We can advise users on the website that Netty 3 is old, and it is suggested
> to move do plain NIO or to ZK 3.5 client.
> Is the Netty dependency flagging us with security risks ?
>
>
We can explain that netty/3.4 whatever we like, the issue is 1) in the near
term we'll deal with reports such as when it's found through automated
means, easier is to just address it directly. 2) eventually there is likely
to be a real issue that can't be explained away, we would need to address
it directly in that case. Once 3.4 is officially "no longer supported" it
would be easier, but atm that's not the case. Perhaps we should document an
EOL for 3.4 to help address and close the loop more generally?

Patrick


> Il giorno ven 4 ott 2019 alle ore 10:52 Andor Molnar <an...@apache.org> ha
> scritto:
>
> > Hi ZK users / devs,
> >
> > ZooKeeper branch-3.4 is still on Netty 3 which is not maintained by the
> > Netty team anymore. There’s no intention of updating it on our side,
> hence
> > we’re planning to remove it from the codebase completely and ask existing
> > users to upgrade to 3.5, if they still want to use Netty. 3.5 is a much
> > better option anyway in various aspects: Netty 4 performs better, TLS
> > support in both quorum and client communication, etc.
> >
> > The default stack in 3.4 is NIO, so our gut feeling is that the impact on
> > our existing users is low, however the most important effect of this
> change
> > is probably the loss of encrypted client connections.
> >
> > Please share your thoughts about this change and let us know if upgrading
> > to 3.5 is not possible in your use case.
> >
> > Tracking Jira: https://issues.apache.org/jira/browse/ZOOKEEPER-3568
> >
> > Regards,
> > Andor
> >
> >
> >
> >
>

Re: Removing Netty support from branch-3.4

[Patrick Hunt <ph...@apache.org>]

On Fri, Oct 4, 2019 at 9:14 AM Enrico Olivelli <eo...@gmail.com> wrote:

> The release branch 3.4 is frozen and we should cut new releases only for
> important security reasons or other important issues for users that cannot
> upgrade to 3.5.
>
> Given that 3.5 is now the suggested version and the upgrade path is simple
> I think there is no need to put effort into this activity.
>
> Is there any other valid reason for not using 3.4 + Netty in production ?
> We can advise users on the website that Netty 3 is old, and it is suggested
> to move do plain NIO or to ZK 3.5 client.
> Is the Netty dependency flagging us with security risks ?
>
>
We can explain that netty/3.4 whatever we like, the issue is 1) in the near
term we'll deal with reports such as when it's found through automated
means, easier is to just address it directly. 2) eventually there is likely
to be a real issue that can't be explained away, we would need to address
it directly in that case. Once 3.4 is officially "no longer supported" it
would be easier, but atm that's not the case. Perhaps we should document an
EOL for 3.4 to help address and close the loop more generally?

Patrick


> Il giorno ven 4 ott 2019 alle ore 10:52 Andor Molnar <an...@apache.org> ha
> scritto:
>
> > Hi ZK users / devs,
> >
> > ZooKeeper branch-3.4 is still on Netty 3 which is not maintained by the
> > Netty team anymore. There’s no intention of updating it on our side,
> hence
> > we’re planning to remove it from the codebase completely and ask existing
> > users to upgrade to 3.5, if they still want to use Netty. 3.5 is a much
> > better option anyway in various aspects: Netty 4 performs better, TLS
> > support in both quorum and client communication, etc.
> >
> > The default stack in 3.4 is NIO, so our gut feeling is that the impact on
> > our existing users is low, however the most important effect of this
> change
> > is probably the loss of encrypted client connections.
> >
> > Please share your thoughts about this change and let us know if upgrading
> > to 3.5 is not possible in your use case.
> >
> > Tracking Jira: https://issues.apache.org/jira/browse/ZOOKEEPER-3568
> >
> > Regards,
> > Andor
> >
> >
> >
> >
>

Re: Removing Netty support from branch-3.4

[Enrico Olivelli <eo...@gmail.com>]

The release branch 3.4 is frozen and we should cut new releases only for
important security reasons or other important issues for users that cannot
upgrade to 3.5.

Given that 3.5 is now the suggested version and the upgrade path is simple
I think there is no need to put effort into this activity.

Is there any other valid reason for not using 3.4 + Netty in production ?
We can advise users on the website that Netty 3 is old, and it is suggested
to move do plain NIO or to ZK 3.5 client.
Is the Netty dependency flagging us with security risks ?

Il giorno ven 4 ott 2019 alle ore 10:52 Andor Molnar <an...@apache.org> ha
scritto:

> Hi ZK users / devs,
>
> ZooKeeper branch-3.4 is still on Netty 3 which is not maintained by the
> Netty team anymore. There’s no intention of updating it on our side, hence
> we’re planning to remove it from the codebase completely and ask existing
> users to upgrade to 3.5, if they still want to use Netty. 3.5 is a much
> better option anyway in various aspects: Netty 4 performs better, TLS
> support in both quorum and client communication, etc.
>
> The default stack in 3.4 is NIO, so our gut feeling is that the impact on
> our existing users is low, however the most important effect of this change
> is probably the loss of encrypted client connections.
>
> Please share your thoughts about this change and let us know if upgrading
> to 3.5 is not possible in your use case.
>
> Tracking Jira: https://issues.apache.org/jira/browse/ZOOKEEPER-3568
>
> Regards,
> Andor
>
>
>
>

Re: Removing Netty support from branch-3.4

[Enrico Olivelli <eo...@gmail.com>]

The release branch 3.4 is frozen and we should cut new releases only for
important security reasons or other important issues for users that cannot
upgrade to 3.5.

Given that 3.5 is now the suggested version and the upgrade path is simple
I think there is no need to put effort into this activity.

Is there any other valid reason for not using 3.4 + Netty in production ?
We can advise users on the website that Netty 3 is old, and it is suggested
to move do plain NIO or to ZK 3.5 client.
Is the Netty dependency flagging us with security risks ?

Il giorno ven 4 ott 2019 alle ore 10:52 Andor Molnar <an...@apache.org> ha
scritto:

> Hi ZK users / devs,
>
> ZooKeeper branch-3.4 is still on Netty 3 which is not maintained by the
> Netty team anymore. There’s no intention of updating it on our side, hence
> we’re planning to remove it from the codebase completely and ask existing
> users to upgrade to 3.5, if they still want to use Netty. 3.5 is a much
> better option anyway in various aspects: Netty 4 performs better, TLS
> support in both quorum and client communication, etc.
>
> The default stack in 3.4 is NIO, so our gut feeling is that the impact on
> our existing users is low, however the most important effect of this change
> is probably the loss of encrypted client connections.
>
> Please share your thoughts about this change and let us know if upgrading
> to 3.5 is not possible in your use case.
>
> Tracking Jira: https://issues.apache.org/jira/browse/ZOOKEEPER-3568
>
> Regards,
> Andor
>
>
>
>