+1

Cheers,
Till

On Mon, Dec 13, 2021 at 10:42 AM Jing Ge <j...@ververica.com> wrote:

> +1
>
> As I suggested to publish the blog post last week asap, users have been
> keen to have such urgent releases. Many thanks for it.
>
>
>
> On Mon, Dec 13, 2021 at 8:29 AM Konstantin Knauf <kna...@apache.org>
> wrote:
>
> > +1
> >
> > I didn't think this was necessary when I published the blog post on
> Friday,
> > but this has made higher waves than I expected over the weekend.
> >
> >
> >
> > On Mon, Dec 13, 2021 at 8:23 AM Yuan Mei <yuanmei.w...@gmail.com> wrote:
> >
> > > +1 for quick release.
> > >
> > > On Mon, Dec 13, 2021 at 2:55 PM Martijn Visser <mart...@ververica.com>
> > > wrote:
> > >
> > > > +1 to address the issue like this
> > > >
> > > > On Mon, 13 Dec 2021 at 07:46, Jingsong Li <jingsongl...@gmail.com>
> > > wrote:
> > > >
> > > > > +1 for fixing it in these versions and doing quick releases. Looks
> > good
> > > > to
> > > > > me.
> > > > >
> > > > > Best,
> > > > > Jingsong
> > > > >
> > > > > On Mon, Dec 13, 2021 at 2:18 PM Becket Qin <becket....@gmail.com>
> > > wrote:
> > > > > >
> > > > > > +1. The solution sounds good to me. There have been a lot of
> > > inquiries
> > > > > > about how to react to this.
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > Jiangjie (Becket) Qin
> > > > > >
> > > > > > On Mon, Dec 13, 2021 at 12:40 PM Prasanna kumar <
> > > > > > prasannakumarram...@gmail.com> wrote:
> > > > > >
> > > > > > > 1+ for making Updates for 1.12.5 .
> > > > > > > We are looking for fix in 1.12 version.
> > > > > > > Please notify once the fix is done.
> > > > > > >
> > > > > > >
> > > > > > > On Mon, Dec 13, 2021 at 9:45 AM Leonard Xu <xbjt...@gmail.com>
> > > > wrote:
> > > > > > >
> > > > > > > > +1 for the quick release and the special vote period 24h.
> > > > > > > >
> > > > > > > > > 2021年12月13日 上午11:49,Dian Fu <dian0511...@gmail.com> 写道:
> > > > > > > > >
> > > > > > > > > +1 for the proposal and creating a quick release.
> > > > > > > > >
> > > > > > > > > Regards,
> > > > > > > > > Dian
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > On Mon, Dec 13, 2021 at 11:15 AM Kyle Bendickson <
> > > > k...@tabular.io>
> > > > > > > > wrote:
> > > > > > > > >
> > > > > > > > >> +1 to doing a release for this widely publicized
> > > vulnerability.
> > > > > > > > >>
> > > > > > > > >> In my experience, users will often update to the latest
> > minor
> > > > > patch
> > > > > > > > version
> > > > > > > > >> without much fuss. Plus, users have also likely heard
> about
> > > this
> > > > > and
> > > > > > > > will
> > > > > > > > >> appreciate a simple fix (updating their version where
> > > possible).
> > > > > > > > >>
> > > > > > > > >> The work-around will need to still be noted for users who
> > > can’t
> > > > > > > upgrade
> > > > > > > > for
> > > > > > > > >> whatever reason (EMR hasn’t caught up, etc).
> > > > > > > > >>
> > > > > > > > >> I also agree with your assessment to apply a patch on each
> > of
> > > > > those
> > > > > > > > >> previous versions with only the log4j commit, so that they
> > > don’t
> > > > > need
> > > > > > > > to be
> > > > > > > > >> as rigorously tested.
> > > > > > > > >>
> > > > > > > > >> Best,
> > > > > > > > >> Kyle (GitHub @kbendick)
> > > > > > > > >>
> > > > > > > > >> On Sun, Dec 12, 2021 at 2:23 PM Stephan Ewen <
> > > se...@apache.org>
> > > > > > > wrote:
> > > > > > > > >>
> > > > > > > > >>> Hi all!
> > > > > > > > >>>
> > > > > > > > >>> Without doubt, you heard about the log4j vulnerability
> [1].
> > > > > > > > >>>
> > > > > > > > >>> There is an advisory blog post on how to mitigate this in
> > > > Apache
> > > > > > > Flink
> > > > > > > > >> [2],
> > > > > > > > >>> which involves setting a config option and restarting the
> > > > > processes.
> > > > > > > > That
> > > > > > > > >>> is fortunately a relatively simple fix.
> > > > > > > > >>>
> > > > > > > > >>> Despite this workaround, I think we should do an
> immediate
> > > > > release
> > > > > > > with
> > > > > > > > >> the
> > > > > > > > >>> updated dependency. Meaning not waiting for the next bug
> > fix
> > > > > releases
> > > > > > > > >>> coming in a few weeks, but releasing asap.
> > > > > > > > >>> The mood I perceive in the industry is pretty much
> panicky
> > > over
> > > > > this,
> > > > > > > > >> and I
> > > > > > > > >>> expect we will see many requests for a patched release
> and
> > > many
> > > > > > > > >> discussions
> > > > > > > > >>> why the workaround alone would not be enough due to
> certain
> > > > > > > guidelines.
> > > > > > > > >>>
> > > > > > > > >>> I suggest that we preempt those discussions and create
> > > releases
> > > > > the
> > > > > > > > >>> following way:
> > > > > > > > >>>
> > > > > > > > >>>  - we take the latest already released versions from each
> > > > release
> > > > > > > > >> branch:
> > > > > > > > >>>     ==> 1.14.0, 1.13.3, 1.12.5, 1.11.4
> > > > > > > > >>>  - we add a single commit to those that just updates the
> > > log4j
> > > > > > > > >> dependency
> > > > > > > > >>>  - we release those as 1.14.1, 1.13.4, 1.12.6, 1.11.5,
> etc.
> > > > > > > > >>>  - that way we don't need to do functional release tests,
> > > > > because the
> > > > > > > > >>> released code is identical to the previous release,
> except
> > > for
> > > > > the
> > > > > > > > log4j
> > > > > > > > >>> dependency
> > > > > > > > >>>  - we can then continue the work on the upcoming bugfix
> > > > releases
> > > > > as
> > > > > > > > >>> planned, without high pressure
> > > > > > > > >>>
> > > > > > > > >>> I would suggest creating those RCs immediately and
> release
> > > them
> > > > > with
> > > > > > > a
> > > > > > > > >>> special voting period (24h or so).
> > > > > > > > >>>
> > > > > > > > >>> WDYT?
> > > > > > > > >>>
> > > > > > > > >>> Best,
> > > > > > > > >>> Stephan
> > > > > > > > >>>
> > > > > > > > >>> [1] https://nvd.nist.gov/vuln/detail/CVE-2021-44228
> > > > > > > > >>> [2] https://flink.apache.org/2021/12/10/log4j-cve.html
> > > > > > > > >>>
> > > > > > > > >>
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Best, Jingsong Lee
> > > > >
> > > >
> > >
> >
> >
> > --
> >
> > Konstantin Knauf
> >
> > https://twitter.com/snntrable
> >
> > https://github.com/knaufk
> >
>

Reply via email to