Team, Still planning to do this but need a few more days on my end to have time for the RC generation pieces.
Thanks On Tue, Jan 4, 2022 at 9:43 AM Joe Witt <joe.w...@gmail.com> wrote: > > Team, > > Looking like it would be helpful to kick out a 1.15.3 to ensure build > works when building optional nars due to logging updates, fixes SFTP > behavior, fixes regression with GCP, etc.. > > I might kick this out but probably wont attempt to generate the RC > until this weekend. > > Thanks > > On Wed, Dec 22, 2021 at 5:21 PM Joe Witt <joe.w...@gmail.com> wrote: > > > > Team > > > > As you saw the vote for 1.15.2 has passed. Thanks all. However, I am > > holding off sending the announce thread and such because I can't get > > the website updated for some reason. It appears to be not unique to > > us as reported in > > https://issues.apache.org/jira/projects/INFRA/issues/INFRA-22647?filter=allopenissues. > > I've also reported in ASF INFRA slack so we'll see. Once sorted will > > wrap the final announce thread up. > > > > Thanks > > > > On Mon, Dec 20, 2021 at 10:19 AM Joe Witt <joe.w...@gmail.com> wrote: > > > > > > ...sooooo 1.15.1 was fun. But there is another log4j 2.x > > > vulnerability reported. While we remain minimally exposed we should > > > just get this over with totally. There are changes on main now which > > > eliminate the usage of log4j 2.x core entirely and block usage of it > > > going forward. Components can still use log4j as they always could > > > but they must bridge to slf4j using the proper dependencies as they > > > always should have anyway. We have the latest logback. All logs > > > should route to slf4j which we then actually write out using logback. > > > > > > So I'm going to go ahead and kick off a 1.15.2 to let us get this > > > resolved formally and help alleviate concerns folks tend to have now > > > around logging related vulnerabilities. > > > > > > Thanks > > > > > > On Mon, Dec 13, 2021 at 10:08 PM Joe Witt <joe.w...@gmail.com> wrote: > > > > > > > > Here are the JIRAs I grabbed from the 1.16/main line to pull into > > > > 1.15.1 in addition. > > > > > > > > https://issues.apache.org/jira/browse/NIFI-9480?jql=project%20%3D%20NIFI%20AND%20fixVersion%20%3D%201.15.1 > > > > > > > > Thanks > > > > > > > > On Mon, Dec 13, 2021 at 10:08 PM Joe Witt <joe.w...@gmail.com> wrote: > > > > > > > > > > Goodness. Two RC build release processes have failed a couple hours > > > > > into it due to apparent network/availability issues while sending > > > > > artifacts to repository.apache.org. I can only assume they're getting > > > > > hit with a lot of projects trying to do a lot of uploads and such. > > > > > Will try again in a bit/first thing in AM. Once we can get a > > > > > successful build up I might suggest we do what log4j has done and > > > > > simply open the vote long enough to get enough binding +1 votes and > > > > > get this out there. > > > > > > > > > > Thanks > > > > > > > > > > On Mon, Dec 13, 2021 at 10:04 AM Joe Witt <joe.w...@gmail.com> wrote: > > > > > > > > > > > > Thanks - will roll with that > > > > > > > > > > > > On Mon, Dec 13, 2021 at 10:03 AM David Handermann > > > > > > <exceptionfact...@apache.org> wrote: > > > > > > > > > > > > > > PR 5598 for NIFI-9474 is now merged into the main branch, which > > > > > > > streamlines > > > > > > > version updates to Log4j 2 dependencies. It also excludes > > > > > > > log4j-core older > > > > > > > than 2.15.0 from build artifacts, so this should provide a good > > > > > > > basis for a > > > > > > > patch release. > > > > > > > > > > > > > > https://github.com/apache/nifi/pull/5598 > > > > > > > > > > > > > > Regards, > > > > > > > David Handermann > > > > > > > > > > > > > > On Mon, Dec 13, 2021 at 10:44 AM Chris Sampson > > > > > > > <chris.samp...@naimuri.com.invalid> wrote: > > > > > > > > > > > > > > > I'd agree. The discussions in Slack and separate user mailing > > > > > > > > list thread > > > > > > > > are a reassurance for users (who read them), but a patch for > > > > > > > > the current > > > > > > > > 1.15 branch would seem sensible for people to pick up and > > > > > > > > assuage any > > > > > > > > remaining security concerns they may have around the library. > > > > > > > > > > > > > > > > That leaves 1.16 a little longer to get more good stuff merged > > > > > > > > in for the > > > > > > > > next feature release. > > > > > > > > > > > > > > > > > > > > > > > > Cheers, > > > > > > > > > > > > > > > > Chris Sampson > > > > > > > > > > > > > > > > On Mon, 13 Dec 2021, 14:19 David Handermann, > > > > > > > > <exceptionfact...@apache.org> > > > > > > > > wrote: > > > > > > > > > > > > > > > > > Joe, > > > > > > > > > > > > > > > > > > Thanks for starting this discussion. Moving forward with a > > > > > > > > > 1.15.1 patch > > > > > > > > > release sounds like the best path forward. > > > > > > > > > > > > > > > > > > Regards, > > > > > > > > > David Handermann > > > > > > > > > > > > > > > > > > On Mon, Dec 13, 2021 at 7:49 AM Joe Witt <joe.w...@gmail.com> > > > > > > > > > wrote: > > > > > > > > > > > > > > > > > > > Team > > > > > > > > > > > > > > > > > > > > We still dont think we are vulnerable but this now highly > > > > > > > > > > risky library > > > > > > > > > is > > > > > > > > > > present. We have PRs to eliminate it/main is fixed. I > > > > > > > > > > think we > > > > > > > > should > > > > > > > > > do > > > > > > > > > > a 24 hour 1.15.1 release/vote for it. It will eliminate > > > > > > > > > > concerns for > > > > > > > > > > users. We are frankly pretty close to a 1.16 release at > > > > > > > > > > this point as > > > > > > > > > > well it seems but can circle back. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Any different views on 1.15.1? > > > > > > > > > > > > > > > > > > > > Thanks > > > > > > > > > > > > > > > > > > > > > > > > > > >