Apologies, I managed to hit the send button before finishing. My veto can
be cured by upgrading Log4J to **2.17.0**. See
https://logging.apache.org/log4j/2.x/security.html.

On Sat, Dec 18, 2021 at 1:22 PM Andrew Purtell <apurt...@apache.org> wrote:

> -1 (binding)
>
> The Log4J issues are not fixed by 2.15.
>
> I wish we had remained on Log4J 1. Hadoop 3 is still on 1, although I know
> they have plans to upgrade. It does not seem advisable to use Log4J 2 at
> all actually. Another option that does not include such a dangerous
> reference/rewrite mechanism might be preferable.
>
> On Sat, Dec 18, 2021 at 12:02 PM Josh Elser <els...@apache.org> wrote:
>
>> +1 (binding)
>>
>> * Xsums/sigs good
>> * Can build from source
>> * Log4j 2.15 is included (more on this in the below)
>> * log4j2.formatMsgNoLookups=true is set (multiple times per process, but
>> properly set)
>> * hbase-config.sh issue is fixed over rc1
>>
>> Best as I've been able to keep up, it seems like we should already
>> upgrade to log4j 2.16 due to issues in 2.15. There are also rumblings
>> that 2.16 may have issues still. It's my opinion that the changes we
>> have here in rc2 are a massive improvement over before. I think this is
>> fine; I just wanted to acknowledge that we may still need to update
>> again real soon.
>>
>> Thanks for your release manager work, Duo!
>>
>> On 12/14/21 9:06 AM, Duo Zhang wrote:
>> > Please vote on this Apache hbase release candidate,
>> > hbase-3.0.0-alpha-2RC1
>> >
>> > The VOTE will remain open for at least 72 hours.
>> >
>> > [ ] +1 Release this package as Apache hbase 3.0.0-alpha-2
>> > [ ] -1 Do not release this package because ...
>> >
>> > The tag to be voted on is 3.0.0-alpha-2RC1:
>> >
>> >    https://github.com/apache/hbase/tree/3.0.0-alpha-2RC1
>> >
>> > This tag currently points to git reference
>> >
>> >    a3ff8e4c812eefab6ad32af45ca449a1395a6510
>> >
>> > The release files, including signatures, digests, as well as CHANGES.md
>> > and RELEASENOTES.md included in this RC can be found at:
>> >
>> >    https://dist.apache.org/repos/dist/dev/hbase/3.0.0-alpha-2RC1/
>> >
>> > Maven artifacts are available in a staging repository at:
>> >
>> >
>> >    https://repository.apache.org/content/repositories/orgapachehbase-1473/
>> >
>> > Artifacts were signed with the 9AD2AE49 key which can be found in:
>> >
>> >    https://downloads.apache.org/hbase/KEYS
>> >
>> > 3.0.0-alpha-2 is the second alpha release for our 3.0.0 major release line.
>> > HBase 3.0.0 includes the following big feature/changes:
>> >    Synchronous Replication
>> >    OpenTelemetry Tracing
>> >    Distributed MOB Compaction
>> >    Backup and Restore
>> >    Move RSGroup balancer to core
>> >    Reimplement sync client on async client
>> >    CPEPs on shaded proto
>> >    Move the logging framework from log4j to log4j2
>> >
>> > 3.0.0-alpha-2 contains a critical security fix for addressing the log4j2
>> > CVE-2021-44228. All users who already use 3.0.0-alpha-1 should upgrade
>> > to 3.0.0-alpha-2 ASAP.
>> >
>> > Notice that this is not a production ready release. It is used to let our
>> > users try and test the new major release, to get feedback before the final
>> > GA release is out.
>> > So please do NOT use it in production. Just try it and report back
>> > everything you find unusual.
>> >
>> > And this time we will not include CHANGES.md and RELEASENOTE.md
>> > in our source code, you can find it on the download site. For getting these
>> > two files for old releases, please go to
>> >
>> >    https://archive.apache.org/dist/hbase/
>> >
>> > To learn more about Apache hbase, please see
>> >
>> >    http://hbase.apache.org/
>> >
>> > Thanks,
>> > Your HBase Release Manager
>> >
>>
>
>
> --
> Best regards,
> Andrew
>
> Words like orphans lost among the crosstalk, meaning torn from truth's
> decrepit hands
>    - A23, Crosstalk
>


-- 
Best regards,
Andrew

Words like orphans lost among the crosstalk, meaning torn from truth's
decrepit hands
   - A23, Crosstalk
