Hello everyone!  I've been testing the RC1 in a lot of our internal code,
and a colleague brought up a potential high-priority CVE that has been
fixed in Velocity 2.3.

Looking at the recent Velocity change logs, it doesn't seem like there's
any change that indicates a vulnerability in our use of Velocity to
generate code, but since we can transparently bump to a fixed version, we
probably should.

I'm cancelling the RC1, and I'll propose a vote on new artifacts very, very
soon.

On the positive side, I ran the API compatibility tools on the entire Avro
project with 99.99% binary and source compatibility, which is nice!  The
one change was a recent change to the ZstandardCodec constructor, but
noting that all instances are constructed using factory methods.  Parquet
and all of our internal code currently using Avro 1.10.1 passed all unit
tests with Avro 1.10.2-rc1.

See you soon with RC2!

Ryan

On Fri, Mar 5, 2021 at 6:06 PM Ryan Skraba <[email protected]> wrote:

> Hi everyone,
>
> I'd like to propose the following RC1 to be released as the official Apache
> Avro 1.10.2 release.
>
> The commit id is 56de625fd2b5a9b4e40bb0f9bcef1791d5ac5b40
> * This corresponds to the tag: release-1.10.2-rc1
> * https://github.com/apache/avro/releases/tag/release-1.10.2-rc1
>
> The release tarball, signature, and checksums are here (revision 46480.)
> * https://dist.apache.org/repos/dist/dev/avro/avro-1.10.2-rc1/
>
> You can find the KEYS file here:
> * https://dist.apache.org/repos/dist/dev/avro/KEYS
>
> Binary artifacts for Java are staged in Nexus here:
> * https://repository.apache.org/content/groups/staging/org/apache/avro/avro/1.10.2/
>
> This release includes ~30 Jira issues:
> * https://jira.apache.org/jira/issues/?jql=project%20%3D%20AVRO%20AND%20fixVersion%20%3D%201.10.2
>
> Some interesting highlights:
>
> Avro specification
> - [AVRO-3028] Clarify that records encode values even if they equal their
> default
>
> C#
> - [AVRO-3005][AVRO-2983] BinaryDecoder fails to read large strings
>
> C++
> - [AVRO-3031] avrocppgen does not generate correct C++ code when the
>   schema contains C++ reserved words
>
> Java
> - [AVRO-2471] Java code generation doesn't add conversion for
> timestamp-micros
> - [AVRO-2860] More Closely Adhere to ASF Parent POM
> - [AVRO-2944] DataFileReader has incorrect logic reading magic header
> - [AVRO-3024] Bump Jackson to 2.12.1
> - [AVRO-3060] Support ZSTD level and BufferPool options
> - [AVRO-3049] BinaryDecoder lacks checks on bytes array length
>
> Python
> - [AVRO-3006] Update PyPI documentation to deprecate avro-python3
>   *** The avro package supports Python 3, and avro-python3 will be removed
>   in the next major release ***
>
> Ruby
> - [AVRO-2984] Unnecessary memory allocations during serialization
> - [AVRO-2998] Records with symbol keys fail validation
> - [AVRO-2999] Optimize Ruby union serialization
> - [AVRO-3000] Avoid unnecessary schema compatibility checks
> - [AVRO-3023] Validate with Ruby 3
>
> * Upgrade dependencies to latest versions, including CVE fixes.
> * Multiple fixes, better documentation and more...
>
> Avro 1.10 is still using Travis, but the status isn't necessarily
> reflected on the branch in github:
> * https://travis-ci.com/github/apache/avro/builds/219113613
>
> Please download, verify, and test. This vote will remain open for at least
> 72 hours. Given sufficient votes, I would like to close after the weekend
> on noon UTC Wednesday, March 10th, 2021
>
> [ ] +1 Release this as Apache Avro 1.10.2
> [ ] +0
> [ ] -1 Do not release this because...
>
> Best regards,
> Ryan Skraba
>
