Posted to dev@flume.apache.org by Justin Holmes <ju...@nascency.co.uk> on 2022/01/12 13:30:01 UTC

Flume release that includes the log4j patches.

Can we have a release that includes the fixed log4j vulnerabilities soon?

-- 
Justin Holmes

Re: Flume release that includes the log4j patches.

Posted by Apache <ra...@dslextreme.com>.
I should add that, while I made one change that I needed to get the Flume configuration from a Spring Cloud Configuration Server, I have no plans for any other major changes.

Ralph

> On Jan 13, 2022, at 2:23 AM, Apache <ra...@dslextreme.com> wrote:
> 
> Tristan, I am in the process of updating dependencies and applying patches in prep for a 1.10 release. I hope to have that ready to go within the next week.
> 
> Ralph
> 
>> On Jan 13, 2022, at 12:31 AM, Tristan Stevens <tr...@apache.org> wrote:
>> 
>> I can confirm from Cloudera’s perspective that Kite is abandoned.
>> 
>> +1 to removing and I think we’re heading towards a Flume 2.0 at this point. We can then take things like log4j2, Hive3, Hadoop 3, etc.
>> 
>> Tristan
>> 
>> 
>> From: Ralph Goers <ra...@dslextreme.com>
>> Reply: dev@flume.apache.org <de...@flume.apache.org>
>> Date: 12 January 2022 at 17:22:14
>> To: dev@flume.apache.org <de...@flume.apache.org>
>> Subject:  Re: Flume release that includes the log4j patches.  
>> 
>> Given that the Kite Dataset Sink is documented as being experimental and since Kite appears to have been abandoned I am making the decision to remove the Kite Dataset Sink from Flume.
>> 
>> Ralph  
>> 
>>> On Jan 12, 2022, at 9:14 AM, Ralph Goers <ra...@dslextreme.com> wrote:
>>> 
>>> I am working on exactly that. But there are quite a few dependencies that need to be updated besides Log4j. That update was pretty easy.  
>>> 
>>> I am currently trying to update the Avro dependency as it also has security issues. Unfortunately, Avro’s upgrade is not completely binary compatible, which is causing an error in the kite-sdk, which appears to be another Cloudera-abandoned project.
>>> 
>>> In short, Apache Flume really needs more people to become active in the project.  
>>> 
>>> Ralph  
>>> 
>>>> On Jan 12, 2022, at 6:30 AM, Justin Holmes <ju...@nascency.co.uk> wrote:
>>>> 
>>>> Can we have a release that includes the fixed log4j vulnerabilities soon?  
>>>> 
>>>> --  
>>>> Justin Holmes  
>>> 
>> 


Re: Flume release that includes the log4j patches.

Posted by Apache <ra...@dslextreme.com>.
Tristan, I am in the process of updating dependencies and applying patches in prep for a 1.10 release. I hope to have that ready to go within the next week.

Ralph

> On Jan 13, 2022, at 12:31 AM, Tristan Stevens <tr...@apache.org> wrote:
> 
> I can confirm from Cloudera’s perspective that Kite is abandoned.
> 
> +1 to removing and I think we’re heading towards a Flume 2.0 at this point. We can then take things like log4j2, Hive3, Hadoop 3, etc.
> 
> Tristan
> 
> 
> From: Ralph Goers <ra...@dslextreme.com>
> Reply: dev@flume.apache.org <de...@flume.apache.org>
> Date: 12 January 2022 at 17:22:14
> To: dev@flume.apache.org <de...@flume.apache.org>
> Subject:  Re: Flume release that includes the log4j patches.  
> 
> Given that the Kite Dataset Sink is documented as being experimental and since Kite appears to have been abandoned I am making the decision to remove the Kite Dataset Sink from Flume.
> 
> Ralph  
> 
>> On Jan 12, 2022, at 9:14 AM, Ralph Goers <ra...@dslextreme.com> wrote:
>> 
>> I am working on exactly that. But there are quite a few dependencies that need to be updated besides Log4j. That update was pretty easy.  
>> 
>> I am currently trying to update the Avro dependency as it also has security issues. Unfortunately, Avro’s upgrade is not completely binary compatible, which is causing an error in the kite-sdk, which appears to be another Cloudera-abandoned project.
>> 
>> In short, Apache Flume really needs more people to become active in the project.  
>> 
>> Ralph  
>> 
>>> On Jan 12, 2022, at 6:30 AM, Justin Holmes <ju...@nascency.co.uk> wrote:
>>> 
>>> Can we have a release that includes the fixed log4j vulnerabilities soon?  
>>> 
>>> --  
>>> Justin Holmes  
>> 
> 


Re: Flume release that includes the log4j patches.

Posted by Tristan Stevens <tr...@apache.org>.
I can confirm from Cloudera’s perspective that Kite is abandoned.

+1 to removing and I think we’re heading towards a Flume 2.0 at this point. We can then take things like log4j2, Hive3, Hadoop 3, etc.

Tristan


From: Ralph Goers <ra...@dslextreme.com>
Reply: dev@flume.apache.org <de...@flume.apache.org>
Date: 12 January 2022 at 17:22:14
To: dev@flume.apache.org <de...@flume.apache.org>
Subject:  Re: Flume release that includes the log4j patches.  

Given that the Kite Dataset Sink is documented as being experimental and since Kite appears to have been abandoned I am making the decision to remove the Kite Dataset Sink from Flume.

Ralph  

> On Jan 12, 2022, at 9:14 AM, Ralph Goers <ra...@dslextreme.com> wrote:  
>  
> I am working on exactly that. But there are quite a few dependencies that need to be updated besides Log4j. That update was pretty easy.  
>  
> I am currently trying to update the Avro dependency as it also has security issues. Unfortunately, Avro’s upgrade is not completely binary compatible, which is causing an error in the kite-sdk, which appears to be another Cloudera-abandoned project.
>  
> In short, Apache Flume really needs more people to become active in the project.  
>  
> Ralph  
>  
>> On Jan 12, 2022, at 6:30 AM, Justin Holmes <ju...@nascency.co.uk> wrote:  
>>  
>> Can we have a release that includes the fixed log4j vulnerabilities soon?  
>>  
>> --  
>> Justin Holmes  
>  


Re: Flume release that includes the log4j patches.

Posted by Ralph Goers <ra...@dslextreme.com>.
FWIW, I only removed the Dataset Sink. The morphline Solr Sink also has a dependency on Kite but I didn’t encounter any problems with it. Yet. 

Also, it seems a lot of Flume depends on Netty 4 (io.netty) but there are still some things that use Netty 3 (org.jboss.netty). For one, flume-sdk requires Netty 3. Netty 3 is EOL - https://netty.io/news/2016/06/29/3-10-6-Final.html. It appears that Netty 3 has at least https://nvd.nist.gov/vuln/detail/CVE-2021-43797 outstanding against it. Addressing that will require modifying a fair amount of code, which I hadn’t really planned to do for this release.

Ralph

> On Jan 12, 2022, at 2:48 PM, Bessenyei Balázs Donát <be...@apache.org> wrote:
> 
> +1 on removing Kite if that's needed to create a new release. I was
> wondering if we can get confirmation on Kite being abandoned, but
> https://github.com/kite-sdk/kite/issues/507 seems like a good enough
> justification.
> 
> 
> Donat
> 
> On Wed, Jan 12, 2022 at 6:22 PM Ralph Goers <ra...@dslextreme.com> wrote:
>> 
>> Given that the Kite Dataset Sink is documented as being experimental and since Kite appears to have been abandoned I am making the decision to remove the Kite Dataset Sink from Flume.
>> 
>> Ralph
>> 
>>> On Jan 12, 2022, at 9:14 AM, Ralph Goers <ra...@dslextreme.com> wrote:
>>> 
>>> I am working on exactly that. But there are quite a few dependencies that need to be updated besides Log4j. That update was pretty easy.
>>> 
>>> I am currently trying to update the Avro dependency as it also has security issues. Unfortunately, Avro’s upgrade is not completely binary compatible, which is causing an error in the kite-sdk, which appears to be another Cloudera-abandoned project.
>>> 
>>> In short, Apache Flume really needs more people to become active in the project.
>>> 
>>> Ralph
>>> 
>>>> On Jan 12, 2022, at 6:30 AM, Justin Holmes <ju...@nascency.co.uk> wrote:
>>>> 
>>>> Can we have a release that includes the fixed log4j vulnerabilities soon?
>>>> 
>>>> --
>>>> Justin Holmes
>>> 
>> 
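
As an added example (not code from this thread or from the Flume project), the script below inventories the jars in a Flume agent's lib directory and flags the two dependencies Ralph calls out above: Netty 3, whether it shows up as org.jboss.netty:netty, as the later io.netty:netty 3.x artifact, or only as org/jboss/netty classes inside a shaded jar with no pom.properties (EOL, CVE-2021-43797 outstanding), and any Log4j artifact, which is reported for checking against the Log4j advisories rather than classified here. The jar names, coordinates and class entries created by build_sample_lib are constructed sample input standing in for a real distribution; point audit() at an actual lib/ directory to use it.

```python
"""Inventory the jars in a Flume agent's lib/ directory and flag the dependencies
the thread calls out: Netty 3 (EOL, CVE-2021-43797 outstanding) and Log4j.

Added example, not part of the Flume project. The jars created by
build_sample_lib() are constructed input, not a real Flume distribution."""
import os
import tempfile
import zipfile
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Coord:
    group: str
    artifact: str
    version: str


@dataclass
class JarInfo:
    jar: str
    coords: List[Coord] = field(default_factory=list)  # from META-INF/maven/*/*/pom.properties
    netty3_classes: bool = False                        # org/jboss/netty/ classes present


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: key=value lines, '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def inspect_jar(path: str) -> JarInfo:
    """Collect Maven coordinates and also look for Netty 3 packages directly,
    so a shaded jar that carries no pom.properties is still caught."""
    info = JarInfo(os.path.basename(path))
    with zipfile.ZipFile(path) as zf:
        for name in zf.namelist():
            if name.startswith("org/jboss/netty/") and name.endswith(".class"):
                info.netty3_classes = True
            elif name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = parse_properties(zf.read(name).decode("utf-8", "replace"))
                if {"groupId", "artifactId", "version"} <= props.keys():
                    info.coords.append(Coord(props["groupId"], props["artifactId"], props["version"]))
    return info


def is_netty3(c: Coord) -> bool:
    # Netty 3 was published as org.jboss.netty:netty and later as io.netty:netty:3.x;
    # both ship the org.jboss.netty packages.
    return c.group == "org.jboss.netty" or (
        c.group == "io.netty" and c.artifact == "netty" and c.version.startswith("3.")
    )


def flag(info: JarInfo) -> List[str]:
    reasons = []
    if info.netty3_classes or any(is_netty3(c) for c in info.coords):
        reasons.append("Netty 3 (org.jboss.netty): EOL, CVE-2021-43797 outstanding")
    for c in info.coords:
        # Log4j 1.x and 2.x use different groupIds; report both for review.
        if c.group in ("log4j", "org.apache.logging.log4j"):
            reasons.append(f"Log4j {c.group}:{c.artifact}:{c.version}: check against the Log4j advisories")
    return reasons


def audit(lib_dir: str) -> Dict[str, List[str]]:
    """Map each flagged jar file name to its list of reasons."""
    findings = {}
    for fn in sorted(os.listdir(lib_dir)):
        if fn.endswith(".jar"):
            reasons = flag(inspect_jar(os.path.join(lib_dir, fn)))
            if reasons:
                findings[fn] = reasons
    return findings


def build_sample_lib(lib_dir: str) -> None:
    """Constructed sample: tiny jars with pom.properties, plus one shaded jar without it."""
    samples = {
        "flume-ng-sdk-1.9.0.jar": (Coord("org.apache.flume", "flume-ng-sdk", "1.9.0"), ["org/apache/flume/api/RpcClient.class"]),
        "netty-3.10.6.Final.jar": (Coord("io.netty", "netty", "3.10.6.Final"), ["org/jboss/netty/channel/Channel.class"]),
        "netty-all-4.1.72.Final.jar": (Coord("io.netty", "netty-all", "4.1.72.Final"), ["io/netty/channel/Channel.class"]),
        "log4j-1.2.17.jar": (Coord("log4j", "log4j", "1.2.17"), ["org/apache/log4j/Logger.class"]),
        "shaded-no-pom.jar": (None, ["org/jboss/netty/buffer/ChannelBuffer.class"]),
    }
    for jar, (coord, classes) in samples.items():
        with zipfile.ZipFile(os.path.join(lib_dir, jar), "w") as zf:
            if coord is not None:
                zf.writestr(f"META-INF/maven/{coord.group}/{coord.artifact}/pom.properties",
                            f"#Generated by Maven\ngroupId={coord.group}\n"
                            f"artifactId={coord.artifact}\nversion={coord.version}\n")
            for cls in classes:
                zf.writestr(cls, b"")  # empty placeholder; only the entry name matters here


def demo() -> Dict[str, List[str]]:
    with tempfile.TemporaryDirectory() as lib_dir:
        build_sample_lib(lib_dir)
        return audit(lib_dir)


if __name__ == "__main__":
    for jar, reasons in demo().items():
        print(jar)
        for r in reasons:
            print("  -", r)
```

The class-entry check matters more than the Maven metadata: a jar that relocates or bundles Netty 3 (as a shaded sink or client library may) will not carry its own pom.properties, but the org/jboss/netty package prefix still identifies it, which is the same thing an attacker-controlled Avro RPC peer would be talking to.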


Re: Flume release that includes the log4j patches.

Posted by Bessenyei Balázs Donát <be...@apache.org>.
+1 on removing Kite if that's needed to create a new release. I was
wondering if we can get confirmation on Kite being abandoned, but
https://github.com/kite-sdk/kite/issues/507 seems like a good enough
justification.


Donat

On Wed, Jan 12, 2022 at 6:22 PM Ralph Goers <ra...@dslextreme.com> wrote:
>
> Given that the Kite Dataset Sink is documented as being experimental and since Kite appears to have been abandoned I am making the decision to remove the Kite Dataset Sink from Flume.
>
> Ralph
>
> > On Jan 12, 2022, at 9:14 AM, Ralph Goers <ra...@dslextreme.com> wrote:
> >
> > I am working on exactly that. But there are quite a few dependencies that need to be updated besides Log4j. That update was pretty easy.
> >
> > I am currently trying to update the Avro dependency as it also has security issues. Unfortunately, Avro’s upgrade is not completely binary compatible, which is causing an error in the kite-sdk, which appears to be another Cloudera-abandoned project.
> >
> > In short, Apache Flume really needs more people to become active in the project.
> >
> > Ralph
> >
> >> On Jan 12, 2022, at 6:30 AM, Justin Holmes <ju...@nascency.co.uk> wrote:
> >>
> >> Can we have a release that includes the fixed log4j vulnerabilities soon?
> >>
> >> --
> >> Justin Holmes
> >
>

Re: Flume release that includes the log4j patches.

Posted by Ralph Goers <ra...@dslextreme.com>.
Given that the Kite Dataset Sink is documented as being experimental and since Kite appears to have been abandoned I am making the decision to remove the Kite Dataset Sink from Flume.

Ralph

> On Jan 12, 2022, at 9:14 AM, Ralph Goers <ra...@dslextreme.com> wrote:
> 
> I am working on exactly that. But there are quite a few dependencies that need to be updated besides Log4j. That update was pretty easy.
> 
> I am currently trying to update the Avro dependency as it also has security issues. Unfortunately, Avro’s upgrade is not completely binary compatible, which is causing an error in the kite-sdk, which appears to be another Cloudera-abandoned project.
> 
> In short, Apache Flume really needs more people to become active in the project.
> 
> Ralph
> 
>> On Jan 12, 2022, at 6:30 AM, Justin Holmes <ju...@nascency.co.uk> wrote:
>> 
>> Can we have a release that includes the fixed log4j vulnerabilities soon?
>> 
>> -- 
>> Justin Holmes
> 


Re: Flume release that includes the log4j patches.

Posted by Ralph Goers <ra...@dslextreme.com>.
I am working on exactly that. But there are quite a few dependencies that need to be updated besides Log4j. That update was pretty easy.

I am currently trying to update the Avro dependency as it also has security issues. Unfortunately, Avro’s upgrade is not completely binary compatible, which is causing an error in the kite-sdk, which appears to be another Cloudera-abandoned project.

In short, Apache Flume really needs more people to become active in the project.

Ralph

> On Jan 12, 2022, at 6:30 AM, Justin Holmes <ju...@nascency.co.uk> wrote:
> 
> Can we have a release that includes the fixed log4j vulnerabilities soon?
> 
> -- 
> Justin Holmes


Re: Flume release that includes the log4j patches.

Posted by Tristan Stevens <tr...@apache.org>.
Justin,
There was never a release that included log4j2, so there shouldn’t be cause for concern from that perspective.

The log4j2 release will probably need to be a Flume 2.0, which would be the time to remove Kite and other old dependencies.
Tristan


From: Justin Holmes <ju...@nascency.co.uk>
Reply: dev@flume.apache.org <de...@flume.apache.org>
Date: 12 January 2022 at 13:52:48
To: dev@flume.apache.org <de...@flume.apache.org>
Subject:  Flume release that includes the log4j patches.  

Can we have a release that includes the fixed log4j vulnerabilities soon?  

--  
Justin Holmes