Agree that we could plan 2.8.1 for bug-fixing and 2.9 for new major
changes, and maybe it will help Ivan to decide to move it to the next releases.

Agree that the scope is frozen, agree that it makes the release hard for our
release manager.

Thu, 9 Jan 2020 at 19:38, Maxim Muzafarov <mmu...@apache.org>:

> Folks,
>
>
> Let me remind you that we are working on the 2.8 release branch
> stabilization currently (please, keep it in mind).
>
>
> Do we have a really STRONG reason for adding such a change [1] to the
> ignite-2.8 branch? This PR [2] doesn't look very simple: +5,517
> −2,038, 111 files changed.
> Do we have customer requests for this feature or maybe users who are
> waiting for exactly those ENUM values exactly in the 2.8 release (not the
> 2.8.1 for instance)?
> Can we just simply remove IgniteCluster#readOnly to eliminate any
> backward compatibility issues between 2.8 and 2.9 releases?
> Do we have an extended test results report (on just only TC.Bot green
> visa) on this feature to be sure that we will not add any blocker
> issues to the release? For instance, on a pre-production environment.
>
> I'd like to note that we also have more than enough release
> blocker issues [3] which are still `in progress` and such a release
> run becomes endless. Such changes without strong reasons look too
> scary for me, especially after the scope and code freeze dates.
>
> Please, dispel my doubts.
>
> [1] https://issues.apache.org/jira/browse/IGNITE-12225
> [2] https://github.com/apache/ignite/pull/7194
> [3] https://cwiki.apache.org/confluence/display/IGNITE/Apache+Ignite+2.8#ApacheIgnite2.8-Unresolvedissues(notrelatedtodocumentation)
>
> On Thu, 9 Jan 2020 at 19:01, Alexey Zinoviev <zaleslaw....@gmail.com>
> wrote:
> >
> > +1
> >
> > Thu, 9 Jan 2020 at 18:52, Sergey Antonov <antonovserge...@gmail.com>:
> >
> > > +1
> > >
> > > I'm preparing a patch for the 2.8 branch now. The TC Bot visa for the 2.8 branch
> > > will be on 13 Jan
> > >
> > > Thu, 9 Jan 2020, 21:06 Ivan Pavlukhin <vololo...@gmail.com>:
> > >
> > > > +1
> > > >
> > > > Thu, 9 Jan 2020 at 16:38, Ivan Rakov <ivan.glu...@gmail.com>:
> > > > >
> > > > > Maxim M. and anyone who is interested,
> > > > >
> > > > > > I suggest including this fix in the 2.8 release:
> > > > > > https://issues.apache.org/jira/browse/IGNITE-12225
> > > > > > Basically, it's a result of the following discussion:
> > > > > > http://apache-ignite-developers.2346864.n4.nabble.com/DISCUSSION-Single-point-in-API-for-changing-cluster-state-td43665.html
> > > > > >
> > > > > > The fix affects public API: IgniteCluster#readOnly methods that work with
> > > > > > boolean are replaced with ones that work with enum.
> > > > > > If we include it, we won't be obliged to keep the deprecated boolean version of
> > > > > > the API in the code (which is currently present in the 2.8 branch) as it wasn't
> > > > > > published in any release.
> > > > > >
> > > > > > On Tue, Dec 31, 2019 at 3:54 PM Ilya Kasnacheev <ilya.kasnach...@gmail.com>
> > > > > > wrote:
> > > > >
> > > > > > Hello!
> > > > > >
> > > > > > > I have run the dependency checker plugin and quote the following:
> > > > > >
> > > > > > > Main offenders seem to be "jackson-databind" and old maintenance releases
> > > > > > > of Spring. I think we can bump most of that.
> > > > > > >
> > > > > > > Some integrations also clearly suffer, though it's a problem of their
> > > > > > > users, since they need to declare their own libraries' versions by
> > > > > > > convention.
> > > > > >
> > > > > > Regards,
> > > > > > --
> > > > > > Ilya Kasnacheev
> > > > > >
> > > > > >
> > > > > > > Fri, 27 Dec 2019 at 23:59, Denis Magda <dma...@apache.org>:
> > > > > > >
> > > > > > > > Ilya, now I see, thanks for the explanation. Agree with you, let's update
> > > > > > > > the versions of the dependencies to the latest.
> > > > > > >
> > > > > > > -
> > > > > > > Denis
> > > > > > >
> > > > > > >
> > > > > > > On Thu, Dec 26, 2019 at 10:50 PM Ilya Kasnacheev <
> > > > > > > ilya.kasnach...@gmail.com>
> > > > > > > wrote:
> > > > > > >
> > > > > > > > Hello!
> > > > > > > >
> > > > > > > > I have committed ignite-spring-data_2.2 to ignite-2.8.
> > > > > > > >
> > > > > > > > > By bumping versions I mean the following:
> > > > > > > > >         <slf4j.version>1.7.*7*</slf4j.version>
> > > > > > > > >         <slf4j16.version>1.6.*4*</slf4j16.version>
> > > > > > > > >         <snappy.version>1.1.7.*2*</snappy.version>
> > > > > > > > >         <spark.hadoop.version>2.6.*5*</spark.hadoop.version>
> > > > > > > > >         <spark.version>2.3.*0*</spark.version>
> > > > > > > > >         <spring.data.version>1.13.*14*.RELEASE</spring.data.version><!-- don't forget to update spring version -->
> > > > > > > > >         <spring.version>4.3.*18*.RELEASE</spring.version><!-- don't forget to update spring-data version -->
> > > > > > > > >         <spring.data-2.0.version>2.0.*9*.RELEASE</spring.data-2.0.version><!-- don't forget to update spring-5.0 version -->
> > > > > > > > >         <spring-5.0.version>5.0.*8*.RELEASE</spring-5.0.version><!-- don't forget to update spring-data-2.0 version -->
> > > > > > > > >
> > > > > > > > > All these libraries have maintenance releases (such as our 2.7.*6*) and I
> > > > > > > > > think it would be beneficial to upgrade these dependencies to the latest
> > > > > > > > > maintenance version found in Maven Central.
> > > > > > > > > For example, there is spring.data-2.0 2.0.*14*.RELEASE.
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > > --
> > > > > > > > Ilya Kasnacheev
> > > > > > > >
> > > > > > > >
> > > > > > > > > Thu, 26 Dec 2019 at 19:32, Denis Magda <dma...@apache.org>:
> > > > > > > > >
> > > > > > > > > > A huge +1 for adding Spring Data related fixes/improvements. Ilya is right
> > > > > > > > > > that Spring Data related questions sparked last time due to missing support
> > > > > > > > > > of 2.2 version.
> > > > > > > > > >
> > > > > > > > > > Ilya, could you elaborate on what you mean under "bumping the versions"? Do
> > > > > > > > > > you suggest performing a straightforward upgrade of "ignite-spring-data" to
> > > > > > > > > > version 2.2 and introducing "ignite-spring-data-{old-version}" for the
> > > > > > > > > > previous versions? If it's so, I fully agree with the proposal.
> > > > > > > > >
> > > > > > > > > -
> > > > > > > > > Denis
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > > On Thu, Dec 26, 2019 at 4:52 AM Ilya Kasnacheev <ilya.kasnach...@gmail.com>
> > > > > > > > > > wrote:
> > > > > > > > > >
> > > > > > > > > > > Hello!
> > > > > > > > > > >
> > > > > > > > > > > I propose to add the following ticket to the scope:
> > > > > > > > > > > https://issues.apache.org/jira/browse/IGNITE-12259 (3 commits, be careful
> > > > > > > > > > > with release version)
> > > > > > > > > > >
> > > > > > > > > > > Adding tickets to scope surely seems crazy now, but I will provide the
> > > > > > > > > > > following considerations:
> > > > > > > > > > > * This is Spring Data 2.2 integration, which we currently do not have,
> > > > > > > > > > > leading to lots of confused questions on stack overflow and mailing list.
> > > > > > > > > > > Spring Data is important to our public image since many people may learn
> > > > > > > > > > > about our project by starting with Spring Data.
> > > > > > > > > > >
> > > > > > > > > > > * It has zero code impact outside of its own module (just 2 POM files
> > > > > > > > > > > touched and that's all).
> > > > > > > > > > >
> > > > > > > > > > > * The core was ready since early November but, due to gmail quirk, we did
> > > > > > > > > > > not react to it in time.
> > > > > > > > > > >
> > > > > > > > > > > WDYT?
> > > > > > > > > > >
> > > > > > > > > > > Another semi-related question. *Should we bump our dependencies' versions
> > > > > > > > > > > before releasing 2.8?* I talk mainly about spring and hibernate
> > > > > > > > > > > dependencies. We could switch them to their latest maintenance versions to
> > > > > > > > > > > avoid shipping default links to outdated packages.
> > > > > > > > > > >
> > > > > > > > > > > I think this is one of the things that are very hard to do between releases, so
> > > > > > > > > > > I think this dependencies bumping should be a part of a formal
> > > > > > > > > > > release/testing cycle, and then be backported to master.
> > > > > > > > > > >
> > > > > > > > > > > I could volunteer to do that myself, if we agree to merge these version
> > > > > > > > > > > upgrades to ignite-2.8 and then re-test.
> > > > > > > > > >
> > > > > > > > > > Regards,
> > > > > > > > > > --
> > > > > > > > > > Ilya Kasnacheev
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > > Tue, 24 Dec 2019 at 13:22, Zhenya Stanilovsky <arzamas...@mail.ru.invalid>:
> > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > Igniters, I'll try to compare 2.8 release candidate vs 2.7.6,
> > > > > > > > > > > > last sha 2.8 was built from: 9d114f3137f92aebc2562a
> > > > > > > > > > > > I use yardstick benchmarks, 4 bare machines with: 2x Xeon X5570 96Gb 512GB
> > > > > > > > > > > > SSD 2048GB HDD 10GB/s
> > > > > > > > > > > > 1 for client (driver) and 3 for servers.
> > > > > > > > > > > > These are the mappings for graphs and real yardstick tests:
> > > > > > > > > > > >
> > > > > > > > > > > > atomic-put: IgnitePutBenchmark
> > > > > > > > > > > > sql-merge-query: IgniteSqlMergeQueryBenchmark
> > > > > > > > > > > > atomic-get: IgniteGetBenchmark
> > > > > > > > > > > > tx-get: IgniteGetTxBenchmark
> > > > > > > > > > > > tx-put: IgnitePutTxBenchmark
> > > > > > > > > > > > atomic-put-all-bs-10: IgnitePutAllBenchmark
> > > > > > > > > > > > tx-put-all-bs-10: IgnitePutAllTxBenchmark
> > > > > > > > > > > >
> > > > > > > > > > > > cacheMode — partitioned
> > > > > > > > > > > > CacheWriteSynchronizationMode.FULL_SYNC
> > > > > > > > > > > > 1 backup
> > > > > > > > > > > >
> > > > > > > > > > > > 1. wal = log_only 2. wal = none 3. persistence disabled.
> > > > > > > > > > > > Thanks Maxim for wiki page [1]
> > > > > > > > > > > >
> > > > > > > > > > > > [1] https://cwiki.apache.org/confluence/display/IGNITE/Apache+Ignite+2.8#ApacheIgnite2.8-Benchmarks
> > > > > > > > > > > >
> > > > > > > > > > > > Do we need some bisect or other work here?
> > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >------- Forwarded message -------
> > > > > > > > > > > >From: "Maxim Muzafarov" < mmu...@apache.org >
> > > > > > > > > > > >To:  dev@ignite.apache.org
> > > > > > > > > > > >Cc:
> > > > > > > > > > > > >Subject: Apache Ignite 2.8 RELEASE [Time, Scope, Manager]
> > > > > > > > > > > > >Date: Fri, 20 Sep 2019 14:44:31 +0300
> > > > > > > > > > > > >
> > > > > > > > > > > > >Igniters,
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > >Almost a year has passed since the last major Apache Ignite 2.7
> > > > > > > > > > > > >was released. We've accumulated a lot of performance improvements
> > > > > > > > > > > > >and a lot of new features which are waiting for their release date.
> > > > > > > > > > > > >Here is my list of the most interesting things from my point since the
> > > > > > > > > > > > >last major release:
> > > > > > > > > > > > >
> > > > > > > > > > > > >Service Grid,
> > > > > > > > > > > > >Monitoring,
> > > > > > > > > > > > >Recovery Read
> > > > > > > > > > > > >BLT auto-adjust,
> > > > > > > > > > > > >PDS compression,
> > > > > > > > > > > > >WAL page compression,
> > > > > > > > > > > > >Thin client: best effort affinity,
> > > > > > > > > > > > >Thin client: transactions support (not yet)
> > > > > > > > > > > > >SQL query history
> > > > > > > > > > > > >SQL statistics
> > > > > > > > > > > > >
> > > > > > > > > > > > >I think we should no longer wait and freeze the master branch anymore
> > > > > > > > > > > > >and prepare the next major release by the end of the year.
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > >I propose to discuss Time, Scope of Apache Ignite 2.8 release and also
> > > > > > > > > > > > >I want to propose myself to be the release manager of the planned
> > > > > > > > > > > > >release.
> > > > > > > > > > > >
> > > > > > > > > > > >Scope Freeze: November 4, 2019
> > > > > > > > > > > >Code Freeze: November 18, 2019
> > > > > > > > > > > >Voting Date: December 10, 2019
> > > > > > > > > > > >Release Date: December 17, 2019
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >WDYT?
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Best regards,
> > > > Ivan Pavlukhin
> > > >
> > >
>
