Posted to dev@flume.apache.org by Justin Holmes <ju...@nascency.co.uk> on 2022/01/12 13:30:01 UTC
Flume release that includes the log4j patches.
Can we have a release that includes the fixed log4j vulnerabilities soon?
--
Justin Holmes
Re: Flume release that includes the log4j patches.
Posted by Apache <ra...@dslextreme.com>.
I should add that, while I made one change that I needed in order to get the Flume configuration from a Spring Cloud Configuration Server, I have no plans for any other major changes.
Ralph
> On Jan 13, 2022, at 2:23 AM, Apache <ra...@dslextreme.com> wrote:
>
> Tristan, I am in the process of updating dependencies and applying patches in prep for a 1.10 release. I hope to have that ready to go within the next week.
>
> Ralph
>
>> On Jan 13, 2022, at 12:31 AM, Tristan Stevens <tr...@apache.org> wrote:
>>
>> I can confirm from Cloudera’s perspective that Kite is abandoned.
>>
>> +1 to removing and I think we’re heading towards a Flume 2.0 at this point. We can then take things like log4j2, Hive3, Hadoop 3, etc.
>>
>> Tristan
>>
>>
>> From: Ralph Goers <ra...@dslextreme.com>
>> Reply: dev@flume.apache.org <de...@flume.apache.org>
>> Date: 12 January 2022 at 17:22:14
>> To: dev@flume.apache.org <de...@flume.apache.org>
>> Subject: Re: Flume release that includes the log4j patches.
>>
>> Given that the Kite Dataset Sink is documented as being experimental and since Kite appears to have been abandoned I am making the decision to remove the Kite Dataset Sink from Flume.
>>
>> Ralph
>>
>>> On Jan 12, 2022, at 9:14 AM, Ralph Goers <ra...@dslextreme.com> wrote:
>>>
>>> I am working on exactly that. But there are quite a few dependencies that need to be updated besides Log4j. That update was pretty easy.
>>>
>>> I am currently trying to update the Avro dependency as it also has security issues. Unfortunately, Avro’s upgrade is not completely binary compatible, which is causing an error in the kite-sdk, which appears to be another Cloudera abandoned project.
>>>
>>> In short, Apache Flume really needs more people to become active in the project.
>>>
>>> Ralph
>>>
>>>> On Jan 12, 2022, at 6:30 AM, Justin Holmes <ju...@nascency.co.uk> wrote:
>>>>
>>>> Can we have a release that includes the fixed log4j vulnerabilities soon?
>>>>
>>>> --
>>>> Justin Holmes
>>>
>>
Re: Flume release that includes the log4j patches.
Posted by Apache <ra...@dslextreme.com>.
Tristan, I am in the process of updating dependencies and applying patches in prep for a 1.10 release. I hope to have that ready to go within the next week.
Ralph
> On Jan 13, 2022, at 12:31 AM, Tristan Stevens <tr...@apache.org> wrote:
>
> I can confirm from Cloudera’s perspective that Kite is abandoned.
>
> +1 to removing and I think we’re heading towards a Flume 2.0 at this point. We can then take things like log4j2, Hive3, Hadoop 3, etc.
>
> Tristan
>
>
> From: Ralph Goers <ra...@dslextreme.com>
> Reply: dev@flume.apache.org <de...@flume.apache.org>
> Date: 12 January 2022 at 17:22:14
> To: dev@flume.apache.org <de...@flume.apache.org>
> Subject: Re: Flume release that includes the log4j patches.
>
> Given that the Kite Dataset Sink is documented as being experimental and since Kite appears to have been abandoned I am making the decision to remove the Kite Dataset Sink from Flume.
>
> Ralph
>
>> On Jan 12, 2022, at 9:14 AM, Ralph Goers <ra...@dslextreme.com> wrote:
>>
>> I am working on exactly that. But there are quite a few dependencies that need to be updated besides Log4j. That update was pretty easy.
>>
>> I am currently trying to update the Avro dependency as it also has security issues. Unfortunately, Avro’s upgrade is not completely binary compatible, which is causing an error in the kite-sdk, which appears to be another Cloudera abandoned project.
>>
>> In short, Apache Flume really needs more people to become active in the project.
>>
>> Ralph
>>
>>> On Jan 12, 2022, at 6:30 AM, Justin Holmes <ju...@nascency.co.uk> wrote:
>>>
>>> Can we have a release that includes the fixed log4j vulnerabilities soon?
>>>
>>> --
>>> Justin Holmes
>>
>
Re: Flume release that includes the log4j patches.
Posted by Tristan Stevens <tr...@apache.org>.
I can confirm from Cloudera’s perspective that Kite is abandoned.
+1 to removing and I think we’re heading towards a Flume 2.0 at this point. We can then take things like log4j2, Hive3, Hadoop 3, etc.
Tristan
From: Ralph Goers <ra...@dslextreme.com>
Reply: dev@flume.apache.org <de...@flume.apache.org>
Date: 12 January 2022 at 17:22:14
To: dev@flume.apache.org <de...@flume.apache.org>
Subject: Re: Flume release that includes the log4j patches.
Given that the Kite Dataset Sink is documented as being experimental and since Kite appears to have been abandoned I am making the decision to remove the Kite Dataset Sink from Flume.
Ralph
> On Jan 12, 2022, at 9:14 AM, Ralph Goers <ra...@dslextreme.com> wrote:
>
> I am working on exactly that. But there are quite a few dependencies that need to be updated besides Log4j. That update was pretty easy.
>
> I am currently trying to update the Avro dependency as it also has security issues. Unfortunately, Avro’s upgrade is not completely binary compatible, which is causing an error in the kite-sdk, which appears to be another Cloudera abandoned project.
>
> In short, Apache Flume really needs more people to become active in the project.
>
> Ralph
>
>> On Jan 12, 2022, at 6:30 AM, Justin Holmes <ju...@nascency.co.uk> wrote:
>>
>> Can we have a release that includes the fixed log4j vulnerabilities soon?
>>
>> --
>> Justin Holmes
>
Re: Flume release that includes the log4j patches.
Posted by Ralph Goers <ra...@dslextreme.com>.
FWIW, I only removed the Dataset Sink. The morphline Solr Sink also has a dependency on Kite but I didn’t encounter any problems with it. Yet.
Also, it seems a lot of Flume depends on Netty 4 (io.netty) but there are still some things that use Netty 3 (org.jboss.netty).
For one, flume-sdk requires Netty 3. Netty 3 is EOL - https://netty.io/news/2016/06/29/3-10-6-Final.html. It appears that
Netty 3 has at least https://nvd.nist.gov/vuln/detail/CVE-2021-43797 outstanding against it. Addressing that will require
modifying a fair amount of code, which I hadn’t really planned to do for this release.
Ralph
> On Jan 12, 2022, at 2:48 PM, Bessenyei Balázs Donát <be...@apache.org> wrote:
>
> +1 on removing Kite if that's needed to create a new release. I was
> wondering if we can get confirmation on Kite being abandoned, but
> https://github.com/kite-sdk/kite/issues/507 seems like a good enough
> justification.
>
>
> Donat
>
> On Wed, Jan 12, 2022 at 6:22 PM Ralph Goers <ra...@dslextreme.com> wrote:
>>
>> Given that the Kite Dataset Sink is documented as being experimental and since Kite appears to have been abandoned I am making the decision to remove the Kite Dataset Sink from Flume.
>>
>> Ralph
>>
>>> On Jan 12, 2022, at 9:14 AM, Ralph Goers <ra...@dslextreme.com> wrote:
>>>
>>> I am working on exactly that. But there are quite a few dependencies that need to be updated besides Log4j. That update was pretty easy.
>>>
>>> I am currently trying to update the Avro dependency as it also has security issues. Unfortunately, Avro’s upgrade is not completely binary compatible, which is causing an error in the kite-sdk, which appears to be another Cloudera abandoned project.
>>>
>>> In short, Apache Flume really needs more people to become active in the project.
>>>
>>> Ralph
>>>
>>>> On Jan 12, 2022, at 6:30 AM, Justin Holmes <ju...@nascency.co.uk> wrote:
>>>>
>>>> Can we have a release that includes the fixed log4j vulnerabilities soon?
>>>>
>>>> --
>>>> Justin Holmes
>>>
>>
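The message above is the one technical lead in this thread: part of Flume sits on Netty 4 (io.netty) while flume-sdk still pulls in Netty 3 (org.jboss.netty), which is EOL and has CVE-2021-43797 outstanding. The script below is an added example (not Flume project code, not from Ralph or the thread) of how an operator can inventory a Flume lib directory for that split before upgrading. It classifies each jar by the package prefix of its class entries rather than by file name, so a shaded or fat jar that bundles Netty 3 without advertising it is caught too, and it reads Maven coordinates from the META-INF/maven/**/pom.properties files that Maven-built jars carry. The sample jars are constructed in memory as stand-ins; their names, versions and contents are illustrative, not real artifacts.

```python
"""Inventory a lib/ directory for Netty 3 (EOL) vs Netty 4 jars.

Added example, not Apache Flume code. Sample jars below are constructed.
"""
import io
import os
import sys
import tempfile
import zipfile
from dataclasses import dataclass, field

NETTY3_PREFIX = "org/jboss/netty/"   # package root of Netty 3.x (EOL since 3.10.6.Final)
NETTY4_PREFIX = "io/netty/"          # package root of Netty 4.x


@dataclass
class JarReport:
    name: str
    generation: str                              # "netty3", "netty4", "mixed" or "none"
    versions: dict = field(default_factory=dict)  # "groupId:artifactId" -> version


def _maven_coordinates(zf: zipfile.ZipFile) -> dict:
    """Collect groupId/artifactId/version from every META-INF/maven/**/pom.properties."""
    found = {}
    for entry in zf.namelist():
        if not (entry.startswith("META-INF/maven/") and entry.endswith("/pom.properties")):
            continue
        props = {}
        for raw in zf.read(entry).decode("utf-8", "replace").splitlines():
            line = raw.strip()
            if line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
        if "groupId" in props and "artifactId" in props:
            found[f"{props['groupId']}:{props['artifactId']}"] = props.get("version", "unknown")
    return found


def classify_jar_bytes(name: str, data: bytes) -> JarReport:
    """Classify one jar by the package prefixes of its .class entries.

    Inspecting class entries instead of the file name also flags shaded/fat
    jars that bundle Netty 3 under their own artifact name.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        classes = [e for e in zf.namelist() if e.endswith(".class")]
        has3 = any(e.startswith(NETTY3_PREFIX) for e in classes)
        has4 = any(e.startswith(NETTY4_PREFIX) for e in classes)
        coords = _maven_coordinates(zf)
    generation = {(True, True): "mixed", (True, False): "netty3",
                  (False, True): "netty4", (False, False): "none"}[(has3, has4)]
    return JarReport(name, generation, coords)


def scan_dir(lib_dir: str) -> list:
    """Classify every *.jar in lib_dir; reports come back sorted by file name."""
    reports = []
    for fname in sorted(os.listdir(lib_dir)):
        if fname.endswith(".jar"):
            with open(os.path.join(lib_dir, fname), "rb") as fh:
                reports.append(classify_jar_bytes(fname, fh.read()))
    return reports


def findings(reports: list) -> list:
    """Return (jar, message) pairs for every jar that still carries Netty 3 classes."""
    out = []
    for r in reports:
        if r.generation in ("netty3", "mixed"):
            ver = (r.versions.get("io.netty:netty")
                   or r.versions.get("org.jboss.netty:netty")
                   or "version not declared (shaded?)")
            out.append((r.name, f"Netty 3 classes present ({ver}); "
                                f"Netty 3 is EOL and CVE-2021-43797 is unfixed there"))
    return out


# --- constructed sample jars: stand-ins, not real artifacts ---------------------
def build_sample_jar(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


CLASS_STUB = b"\xca\xfe\xba\xbe"  # only the class-file magic; enough for a name-based scan

SAMPLE_JARS = {
    "netty-3.10.6.Final.jar": build_sample_jar({
        "org/jboss/netty/channel/Channel.class": CLASS_STUB,
        "META-INF/maven/io.netty/netty/pom.properties":
            "groupId=io.netty\nartifactId=netty\nversion=3.10.6.Final\n",
    }),
    "netty-all-4.1.72.Final.jar": build_sample_jar({
        "io/netty/channel/Channel.class": CLASS_STUB,
        "META-INF/maven/io.netty/netty-all/pom.properties":
            "groupId=io.netty\nartifactId=netty-all\nversion=4.1.72.Final\n",
    }),
    "legacy-shaded-client.jar": build_sample_jar({
        # fat jar bundling Netty 3 with no pom.properties for it
        "org/jboss/netty/bootstrap/ClientBootstrap.class": CLASS_STUB,
        "com/example/client/Main.class": CLASS_STUB,
    }),
    "example-core.jar": build_sample_jar({
        "com/example/core/Event.class": CLASS_STUB,
    }),
}


def write_samples(lib_dir: str) -> None:
    for fname, data in SAMPLE_JARS.items():
        with open(os.path.join(lib_dir, fname), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    # Usage: python netty_inventory.py /path/to/flume/lib  (defaults to the samples)
    lib_dir = sys.argv[1] if len(sys.argv) > 1 else None
    if lib_dir is None:
        lib_dir = tempfile.mkdtemp()
        write_samples(lib_dir)
    reports = scan_dir(lib_dir)
    for r in reports:
        print(f"{r.name:32} {r.generation:7} {r.versions}")
    for jar, msg in findings(reports):
        print(f"FINDING {jar}: {msg}")
```

Run it against a real Flume lib directory to get the list of jars that must change before the Netty 3 dependency can go; the shaded-jar case is the one a plain `mvn dependency:tree` would miss, since relocated classes do not appear under any Netty artifact there. The script only inventories what is on the classpath; it does not say whether a vulnerable Netty 3 code path is actually reachable from a given Flume source or sink, so treat a finding as a prioritisation input, not a confirmed exposure.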
Re: Flume release that includes the log4j patches.
Posted by Bessenyei Balázs Donát <be...@apache.org>.
+1 on removing Kite if that's needed to create a new release. I was
wondering if we can get confirmation on Kite being abandoned, but
https://github.com/kite-sdk/kite/issues/507 seems like a good enough
justification.
Donat
On Wed, Jan 12, 2022 at 6:22 PM Ralph Goers <ra...@dslextreme.com> wrote:
>
> Given that the Kite Dataset Sink is documented as being experimental and since Kite appears to have been abandoned I am making the decision to remove the Kite Dataset Sink from Flume.
>
> Ralph
>
> > On Jan 12, 2022, at 9:14 AM, Ralph Goers <ra...@dslextreme.com> wrote:
> >
> > I am working on exactly that. But there are quite a few dependencies that need to be updated besides Log4j. That update was pretty easy.
> >
> > I am currently trying to update the Avro dependency as it also has security issues. Unfortunately, Avro’s upgrade is not completely binary compatible, which is causing an error in the kite-sdk, which appears to be another Cloudera abandoned project.
> >
> > In short, Apache Flume really needs more people to become active in the project.
> >
> > Ralph
> >
> >> On Jan 12, 2022, at 6:30 AM, Justin Holmes <ju...@nascency.co.uk> wrote:
> >>
> >> Can we have a release that includes the fixed log4j vulnerabilities soon?
> >>
> >> --
> >> Justin Holmes
> >
>
Re: Flume release that includes the log4j patches.
Posted by Ralph Goers <ra...@dslextreme.com>.
Given that the Kite Dataset Sink is documented as being experimental and since Kite appears to have been abandoned I am making the decision to remove the Kite Dataset Sink from Flume.
Ralph
> On Jan 12, 2022, at 9:14 AM, Ralph Goers <ra...@dslextreme.com> wrote:
>
> I am working on exactly that. But there are quite a few dependencies that need to be updated besides Log4j. That update was pretty easy.
>
> I am currently trying to update the Avro dependency as it also has security issues. Unfortunately, Avro’s upgrade is not completely binary compatible, which is causing an error in the kite-sdk, which appears to be another Cloudera abandoned project.
>
> In short, Apache Flume really needs more people to become active in the project.
>
> Ralph
>
>> On Jan 12, 2022, at 6:30 AM, Justin Holmes <ju...@nascency.co.uk> wrote:
>>
>> Can we have a release that includes the fixed log4j vulnerabilities soon?
>>
>> --
>> Justin Holmes
>
Re: Flume release that includes the log4j patches.
Posted by Ralph Goers <ra...@dslextreme.com>.
I am working on exactly that. But there are quite a few dependencies that need to be updated besides Log4j. That update was pretty easy.
I am currently trying to update the Avro dependency as it also has security issues. Unfortunately, Avro’s upgrade is not completely binary compatible, which is causing an error in the kite-sdk, which appears to be another Cloudera abandoned project.
In short, Apache Flume really needs more people to become active in the project.
Ralph
> On Jan 12, 2022, at 6:30 AM, Justin Holmes <ju...@nascency.co.uk> wrote:
>
> Can we have a release that includes the fixed log4j vulnerabilities soon?
>
> --
> Justin Holmes
Re: Flume release that includes the log4j patches.
Posted by Tristan Stevens <tr...@apache.org>.
Justin,
There was never a release that included log4j2, so there shouldn’t be cause for concern from that perspective.
The log4j2 release will probably need to be a Flume 2.0, which would be the time to remove Kite and other old dependencies.
Tristan
From: Justin Holmes <ju...@nascency.co.uk>
Reply: dev@flume.apache.org <de...@flume.apache.org>
Date: 12 January 2022 at 13:52:48
To: dev@flume.apache.org <de...@flume.apache.org>
Subject: Flume release that includes the log4j patches.
Can we have a release that includes the fixed log4j vulnerabilities soon?
--
Justin Holmes