I like RERO but 3 releases in a week is a lot even for me :-)

Gary

On Sun, Dec 12, 2021 at 9:41 PM Remko Popma <remko.po...@gmail.com> wrote:
> It seems that Ralph has already started to work on a PR to remove message
> lookups altogether from 2.x.
>
> I have come around to Volkan’s point that we don’t want to ask users to
> upgrade Log4j every week.
>
> So it may be better to cancel the 2.15.1 release and have a dedicated
> security release 2.16.0 with just the JNDI change and removing message
> lookups altogether.
>
> Does anyone have a strong desire to release 2.15.1 with just the JNDI
> change?
>
> > On Dec 13, 2021, at 11:06, Gary Gregory <garydgreg...@gmail.com> wrote:
> >
> > Should we proceed with 2.15.1 or cancel it and go to 2.16.0 straight away?
> >
> > Gary
> >
> >> On Sun, Dec 12, 2021, 20:40 Remko Popma <remko.po...@gmail.com> wrote:
> >>
> >> I am also okay with removing Message Lookups from 2.x.
> >> A release with that change should be called 2.16.0 though, not 2.15.1 or
> >> 2.15.2.
> >>
> >> Also it makes sense to *only* have that security change (removing Message
> >> Lookups) in such a 2.16.0 release and not add other features.
> >> This will reduce the testing burden for people looking to upgrade.
> >>
> >> On Mon, Dec 13, 2021 at 8:12 Ralph Goers <ralph.go...@dslextreme.com> wrote:
> >>
> >>> Volkan,
> >>>
> >>> While ASF rules say a -1 vote is not a veto, for all practical purposes the
> >>> release manager is going to consider it a blocker.
> >>>
> >>> A release that removes JNDI will prevent people from inadvertently using
> >>> the JNDI Lookup, JMS, or JndiContextSelector without understanding the
> >>> security risk of using them. Message Lookups are a different problem. We
> >>> are not disabling JNDI so people can re-enable message lookups. That would
> >>> be crazy. We are disabling JNDI because, despite all the fixes we have
> >>> made, I still don’t trust it.
> >>>
> >>> We have all agreed Message Lookups need to be killed in master. If we are
> >>> all in agreement to kill them now in 2.x I’m fine with that, but the two
> >>> are separate issues.
> >>>
> >>> If you are OK with the release then your vote should be anything but -1.
> >>> If you really feel it needs a -1 then we need to see if we are all ok
> >>> completely removing the option to re-enable message lookups. I would
> >>> completely understand if that is what you want and I would support that,
> >>> so please don’t feel pressured to give in.
> >>>
> >>> Ralph
> >>>
> >>>> On Dec 12, 2021, at 2:08 PM, Volkan Yazıcı <vol...@yazi.ci> wrote:
> >>>>
> >>>> You don't need my vote. As far as I count, you already have more than 3.
> >>>>
> >>>> I can imagine Ralph and the rest have worked sleeplessly for days. Hence
> >>>> if they think disabling JNDI buys us a benefit, so be it.
> >>>>
> >>>> If not millions, tens of thousands of people tried to upgrade Log4j to
> >>>> 2.15.0 recently. A release where JNDI lookup is disabled will only address
> >>>> people who still (astonishingly!) want to use "message lookups" – correct
> >>>> me if I'm wrong. Hence, I think in its current form, 2.15.1 will bring
> >>>> more confusion than benefit to the general audience. I think the fix to
> >>>> the vulnerability is to disable message lookups, not patches to the JNDI
> >>>> lookup. I want to believe that users get this fact right and have already
> >>>> disabled it. We need to be really careful with our next release. We can't
> >>>> expect people to upgrade once a week. Putting aside the damage it does to
> >>>> the reputation of the project.
> >>>>
> >>>> On Sun, Dec 12, 2021 at 9:47 PM Remko Popma <remko.po...@gmail.com> wrote:
> >>>>
> >>>>> First, is this really a blocker for 2.15.1?
> >>>>> I think it is prudent to do urgent releases soon.
> >>>>> This JNDI change (LOG4J2-3208
> >>>>> <https://issues.apache.org/jira/browse/LOG4J2-3208>) feels urgent enough
> >>>>> to warrant another shortened vote window.
> >>>>> A larger change like removing message lookups should not be rushed out
> >>>>> like this, it needs review time.
> >>>>>
> >>>>> Second, do we really want to do this? Are we not overreacting?
> >>>>> Would it not be better to remove lookups in message parameters only?
> >>>>> (In implementation terms, resolve all lookups *before* interpolating the
> >>>>> message parameters?)
> >>>>>
> >>>>> Also, let me state the obvious, lookups *in configuration* are
> >>>>> tremendously useful and should not be removed.
> >>>>> This may be obvious to some of us, but I just want to make sure there is
> >>>>> no confusion about that (because I personally was confused about this at
> >>>>> some point). :-)
> >>>>>
> >>>>> Finally, if we decide to do this, should a change like this be in a
> >>>>> point/bugfix release (2.15.1) or should it be a separate minor release
> >>>>> like 2.16.0?
> >>>>>
> >>>>> On Mon, Dec 13, 2021 at 5:10 AM Remko Popma <remko.po...@gmail.com> wrote:
> >>>>>
> >>>>>> Shall we discuss this first please?
> >>>>>>
> >>>>>> On Mon, Dec 13, 2021 at 5:10 AM Matt Sicker <boa...@gmail.com> wrote:
> >>>>>>
> >>>>>>> If you can handle that change, I can roll a new release candidate.
> >>>>>>>
> >>>>>>> Matt Sicker
> >>>>>>>
> >>>>>>>> On Dec 12, 2021, at 14:07, Volkan Yazıcı <vol...@yazi.ci> wrote:
> >>>>>>>>
> >>>>>>>> I know. I want them to be removed, not disabled.
> >>>>>>>>
> >>>>>>>>> On Sun, Dec 12, 2021 at 9:01 PM Matt Sicker <boa...@gmail.com> wrote:
> >>>>>>>>>
> >>>>>>>>> Those were already disabled in 2.15.0.
> >>>>>>>>>
> >>>>>>>>> Matt Sicker
> >>>>>>>>>
> >>>>>>>>>> On Dec 12, 2021, at 13:41, Volkan Yazıcı <vol...@yazi.ci> wrote:
> >>>>>>>>>>
> >>>>>>>>>> I very well recognize your heroic effort on tackling this issue and
> >>>>>>>>>> I am very thankful for that.
> >>>>>>>>>> I vote -1, because I want message (not configuration!) lookups to be
> >>>>>>>>>> removed.
> >>>>>>>>>>
> >>>>>>>>>> Message lookups create a vast attack surface. Anything they offer can
> >>>>>>>>>> simply be implemented by the user.
> >>>>>>>>>>
> >>>>>>>>>>> On Sun, Dec 12, 2021 at 4:48 AM Matt Sicker <boa...@gmail.com> wrote:
> >>>>>>>>>>>
> >>>>>>>>>>> This is a vote to release Log4j 2.15.1, the next version of the
> >>>>>>>>>>> Log4j 2 project.
> >>>>>>>>>>>
> >>>>>>>>>>> Please download, test, and cast your votes on the log4j developers
> >>>>>>>>>>> list.
> >>>>>>>>>>> [] +1, release the artifacts
> >>>>>>>>>>> [] -1, don't release because...
> >>>>>>>>>>>
> >>>>>>>>>>> The vote will remain open for 72 hours (or more if required). All
> >>>>>>>>>>> votes are welcome and we encourage everyone to test the release, but
> >>>>>>>>>>> only Logging PMC votes are “officially” counted. As always, at least
> >>>>>>>>>>> 3 +1 votes and more positive than negative votes are required.
> >>>>>>>>>>>
> >>>>>>>>>>> Changes in this release include:
> >>>>>>>>>>>
> >>>>>>>>>>> Fixed Bugs
> >>>>>>>>>>>
> >>>>>>>>>>> * LOG4J2-3208: Disable JNDI by default. Require log4j2.enableJndi to
> >>>>>>>>>>> be set to true to allow JNDI.
> >>>>>>>>>>>
> >>>>>>>>>>> Tag:
> >>>>>>>>>>> a) for a new copy do "git clone
> >>>>>>>>>>> https://github.com/apache/logging-log4j2.git" and then "git checkout
> >>>>>>>>>>> tags/log4j-2.15.1-rc1" or just "git clone -b log4j-2.15.1-rc1
> >>>>>>>>>>> https://github.com/apache/logging-log4j2.git"
> >>>>>>>>>>> b) for an existing working copy do "git pull" and then "git checkout
> >>>>>>>>>>> tags/log4j-2.15.1-rc1"
> >>>>>>>>>>>
> >>>>>>>>>>> Web Site:
> >>>>>>>>>>> https://logging.staged.apache.org/log4j/2.x/index.html
> >>>>>>>>>>>
> >>>>>>>>>>> Maven Artifacts:
> >>>>>>>>>>> https://repository.apache.org/content/repositories/orgapachelogging-1067/
> >>>>>>>>>>>
> >>>>>>>>>>> Distribution archives:
> >>>>>>>>>>> https://dist.apache.org/repos/dist/dev/logging/log4j/
> >>>>>>>>>>>
> >>>>>>>>>>> You may download all the Maven artifacts by executing:
> >>>>>>>>>>> wget -e robots=off --cut-dirs=7 -nH -r -p -np --no-check-certificate
> >>>>>>>>>>> https://repository.apache.org/content/repositories/orgapachelogging-1067/org/apache/logging/log4j/
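Remko's implementation suggestion in the quoted thread (resolve all lookups *before* interpolating the message parameters) is easiest to see with two tiny formatters that differ only in ordering. The example below is an added, language-neutral illustration written for this page; it is not Log4j's code, and the `${source:key}` syntax, the `%m` pattern token, the `{}` parameter placeholder and the `ctx`/`env` lookup tables with their values are all constructed for the demo. It shows why the ordering matters: when lookups run over text that already contains the log parameters, data supplied at runtime is treated as lookup syntax; when lookups run first, over only the configuration pattern and the developer's message template, the parameters stay literal.

```python
import re
from typing import Mapping, Sequence

# Matches ${source:key}, the shape of a Log4j-style lookup reference.
LOOKUP_RE = re.compile(r"\$\{(\w+):([^}]*)\}")

# Constructed lookup sources standing in for real ones; no environment or
# network access happens here, so the example is deterministic and offline.
LOOKUPS: Mapping[str, Mapping[str, str]] = {
    "ctx": {"app": "payments"},
    "env": {"DB_PASSWORD": "hunter2"},
}


def resolve_lookups(text: str) -> str:
    """Expand every ${source:key} in text; unknown references stay literal."""
    def repl(m: re.Match) -> str:
        source, key = m.group(1), m.group(2)
        return LOOKUPS.get(source, {}).get(key, m.group(0))
    return LOOKUP_RE.sub(repl, text)


def substitute_params(template: str, params: Sequence[object]) -> str:
    """Replace each '{}' in template with the next parameter, verbatim.
    Surplus placeholders are left as '{}' rather than raising."""
    parts = template.split("{}")
    out = [parts[0]]
    for i, part in enumerate(parts[1:]):
        out.append(str(params[i]) if i < len(params) else "{}")
        out.append(part)
    return "".join(out)


def format_lookups_after_params(pattern: str, message: str,
                                params: Sequence[object]) -> str:
    """Risky ordering: parameters are already in the text when lookups run,
    so anything in params that looks like ${...} gets resolved."""
    line = pattern.replace("%m", substitute_params(message, params))
    return resolve_lookups(line)


def format_lookups_before_params(pattern: str, message: str,
                                 params: Sequence[object]) -> str:
    """The ordering Remko proposes: lookups are resolved only in the
    configuration pattern and the developer-controlled message template;
    parameters are substituted last and the result is never re-scanned."""
    resolved_pattern = resolve_lookups(pattern)
    resolved_message = resolve_lookups(message)
    return resolved_pattern.replace(
        "%m", substitute_params(resolved_message, params))


if __name__ == "__main__":
    # Constructed scenario: the configuration uses a lookup, and a log
    # parameter carries attacker-shaped text that merely looks like one.
    pattern = "[${ctx:app}] %m"
    message = "login failed for user {}"
    params = ["${env:DB_PASSWORD}"]
    print(format_lookups_after_params(pattern, message, params))
    print(format_lookups_before_params(pattern, message, params))
```

Both formatters still honour the `${ctx:app}` lookup in the configuration, which is the part of lookups the thread agrees is useful; only the treatment of runtime parameters differs. The thread ultimately leans toward removing message lookups from 2.x altogether, which sidesteps the ordering question entirely.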