Team, +1 binding (with strong reservations for any future 1.x releases that don't turn the tide of reported vulnerable libs).
Did the normal check stuff and build and it seems good. Where I have delayed in responding is in digging into the nature of the reported vulnerabilities for this release using various scanning methods. We continue to drift on the 1.x line further away from what our user base does and should come to expect from us in terms of managing libraries with reported vulnerabilities. We know some of this, but it also serves as a clear signal that we need to now actively move away from the 1.x line and focus on making 2.x reflect the best of our efforts as well as help users move there.

But for the findings... Using the dependency-check plugin for comparison here. This is not perfect but it is a good first approximation. The 1.x release has 169 dependencies (out of 2500 unique ones) with reported vulnerabilities. Of course that still does not mean they are actually vulnerable as used in NiFi, nor does it mean there are not false positives. However, by comparison the 2.x release has 19. On the 1.x line the bulk of these are related to various dependencies of Hadoop, Iceberg, Parquet but also things like JRuby, Neo4j, Ignite, H2, Derby, Cassandra, Jetty, and more. It is pretty daunting and crazy to look at. Some of this is long standing and known but some may be and do appear more recent. Would we know? Would we catch them or would they get lost in the noise? While there was a recent pass of updated dependency versions, some of these take real effort and digging into for them to go away.

Also this should serve as a general advisory to us that we should perhaps no longer be so stringent on keeping certain components around simply because we think there are a lot of users for them. If we can't get rid of vulnerabilities or manage them well because of components that seemingly forever have reported vulnerabilities, they should be strong candidates to get dropped from our releases and codebase.
I will not be supportive of further 1.x releases unless they're of the incremental variety and reduce these vulnerabilities.

Thanks

On Tue, Oct 22, 2024 at 3:13 PM Lehel Boér <lehe...@hotmail.com> wrote:
> +1 (non-binding)
>
> Ran through release helper, verified successful build.
>
> Conf:
> Apache Maven 3.9.9
> openjdk version "1.8.0_382"
> OpenJDK Runtime Environment Corretto-8.382.05.1 (build 1.8.0_382-b05)
> OpenJDK 64-Bit Server VM Corretto-8.382.05.1 (build 25.382-b05, mixed mode)
> Default locale: en_US, platform encoding: UTF-8
> ProductName: macOS
> ProductVersion: 14.5
> BuildVersion: 23F79
>
> Checked a few commits.
>
> Thanks for RM'ing Ferenc!
>
> ________________________________
> From: Dan S <dsti...@gmail.com>
> Sent: Tuesday, October 22, 2024 15:58
> To: dev@nifi.apache.org <dev@nifi.apache.org>
> Subject: Re: [VOTE] Release Apache NiFi 1.28.0 (RC1)
>
> +1 non-binding
>
> Verified checksum, signatures and hashes
> Built the source code on
> Java version: 1.8.0_412, vendor: Red Hat, Inc., runtime:
> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.412.b08-2.el8.x86_64/jre
> Default locale: en_US, platform encoding: UTF-8
> OS name: "linux", version: "4.18.0-513.24.1.el8_9.x86_64", arch: "amd64", family: "unix"
>
> Ran a simple flow to confirm the fix for NIFI-13418
> <https://issues.apache.org/jira/browse/NIFI-13418>. As a result uncovered a
> bug reported in NIFI-13922
> <https://issues.apache.org/jira/browse/NIFI-13922>.
>
> Thanks for RM'ing Ferenc!
>
> On Tue, Oct 22, 2024 at 4:41 PM Kedvessy Péter <pkedve...@gmail.com> wrote:
>
> > +1 non-binding
> >
> > Verified the following:
> > - checksum and signature
> > - git commit hash and tag
> > - NiFi build with contrib-check on the following environment:
> >   - mac os x 14.3.1
> >   - openjdk 17.0.11 2024-04-16
> >     OpenJDK Runtime Environment Temurin-17.0.11+9 (build 17.0.11+9)
> >     OpenJDK 64-Bit Server VM Temurin-17.0.11+9 (build 17.0.11+9, mixed mode)
> >   - maven 3.9.9
> > - simple flow execution
> > - new minifi java agent features
> >
> > Thanks for managing this release, Ferenc.
> >
> > Regards,
> > Peter
> >
> > Arpad Boda <ab...@apache.org> wrote (Tue, 22 Oct 2024, 17:37):
> >
> > > +1 (binding)
> > >
> > > Verified checksum, signature.
> > > Built and executed tests on Mac, started a simple flow, everything worked
> > > as expected.
> > > Thanks for working on this release, Ferenc!
> > >
> > > Thanks,
> > > Arpad
> > >
> > >
> > > On Tue, Oct 22, 2024 at 12:46 PM Ferenc Kis <briansolo1...@gmail.com> wrote:
> > >
> > > > Team,
> > > >
> > > > I am pleased to be calling this vote for the source release of Apache NiFi
> > > > 1.28.0.
> > > >
> > > > Please review the following guide for how to verify a release candidate
> > > > build:
> > > >
> > > > https://cwiki.apache.org/confluence/display/NIFI/Release+Candidate+Verification
> > > >
> > > > The source being voted on and the convenience binaries are available on
> > > > the Apache Distribution Repository:
> > > >
> > > > https://dist.apache.org/repos/dist/dev/nifi/nifi-1.28.0
> > > >
> > > > The build artifacts are available on the Apache Nexus Repository:
> > > >
> > > > https://repository.apache.org/content/repositories/orgapachenifi-1289
> > > >
> > > > Git Tag: nifi-1.28.0-RC1
> > > > Git Commit ID: 8ecf23e77c8ca828a77f3b84554ed3347d8f7fa2
> > > > GitHub Commit Link:
> > > > https://github.com/apache/nifi/commit/8ecf23e77c8ca828a77f3b84554ed3347d8f7fa2
> > > >
> > > > Checksums of nifi-1.28.0-source-release.zip
> > > >
> > > > SHA256: 96ddd83ee11f6dd0889ff2f4b4112487f021b2b3f0573d7c0eeff40672620e93
> > > > SHA512: 22f0051b5e4a41b913e36f1fa2fabe6871471b0a4a51f3673b2fcc453382cd5d6eb132f7a6686ecdc065c295a2cfaf8199a653b822837f73a23016b6ae4bd143
> > > >
> > > > Release artifacts are signed with the following key:
> > > >
> > > > https://people.apache.org/keys/committer/briansolo1985.asc
> > > >
> > > > KEYS file is available on the Apache Distribution Repository:
> > > >
> > > > https://dist.apache.org/repos/dist/release/nifi/KEYS
> > > >
> > > > Issues resolved for this version: 63
> > > >
> > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12316020&version=12354883
> > > >
> > > > Release note highlights can be found on the project wiki:
> > > >
> > > > https://cwiki.apache.org/confluence/display/NIFI/Release+Notes#ReleaseNotes-Version1.28.0
> > > >
> > > > The vote will be open for 72 hours.
> > > >
> > > > Please download the release candidate and evaluate the necessary items
> > > > including checking hashes, signatures, build from source, and test. Then
> > > > please vote:
> > > >
> > > > [] +1 Release this package as nifi-1.28.0
> > > > [] +0 no opinion
> > > > [] -1 Do not release this package because...
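The binding vote above rests on a dependency-check comparison (169 flagged dependencies out of 2500 on 1.x versus 19 on 2.x) and on the worry that newly reported findings get lost in that noise. The script below is an added example, not NiFi project code and not part of this thread: it reads two dependency-check JSON reports (previous release and current candidate), produces the headline counts plus a per-groupId breakdown, and diffs the two so that CVEs that appeared since the last release stand out from the long-standing backlog. The report layout it parses is an assumption about dependency-check's JSON output (a top-level "dependencies" list whose entries carry "fileName", "packages" with a package-URL "id", and "vulnerabilities" with "name" and "severity"); the two reports are constructed inline with placeholder coordinates and CVE ids, and the "suppressed" set stands in for the triage a dependency-check suppression file would record.

```python
"""Triage OWASP dependency-check JSON reports: count, group and diff findings.

Added example for the thread above, not NiFi project code. The report shape
is an assumption about dependency-check's JSON output; sample data below is
constructed, with placeholder coordinates and CVE ids.
"""
import json
from collections import defaultdict


def _report(deps):
    """Build a minimal report document in the assumed dependency-check shape."""
    out = []
    for coord, vulns in deps:
        group_artifact, version = coord.split("@")
        entry = {
            "fileName": group_artifact.split("/")[1] + "-" + version + ".jar",
            "packages": [{"id": "pkg:maven/" + coord}],
        }
        if vulns:
            entry["vulnerabilities"] = [{"name": n, "severity": s} for n, s in vulns]
        out.append(entry)
    return json.dumps({"dependencies": out})


# Constructed "previous release" report (placeholder coordinates and CVE ids).
PREVIOUS_REPORT = _report([
    ("org.example.hadoop/hadoop-common@3.0.0",
     [("CVE-0000-0001", "HIGH"), ("CVE-0000-0002", "MEDIUM")]),
    ("org.example.jetty/jetty-server@9.0.0", [("CVE-0000-0003", "CRITICAL")]),
    ("org.example.h2/h2@1.0.0", [("CVE-0000-0004", "HIGH")]),
    ("org.example.nifi/nifi-api@1.27.0", []),
])

# Constructed "current candidate" report: jetty was upgraded and is clean,
# hadoop picked up a newly published CVE, and a new parquet dependency
# arrived with a finding of its own.
CURRENT_REPORT = _report([
    ("org.example.hadoop/hadoop-common@3.0.0",
     [("CVE-0000-0001", "HIGH"), ("CVE-0000-0002", "MEDIUM"), ("CVE-0000-0005", "CRITICAL")]),
    ("org.example.jetty/jetty-server@9.1.0", []),
    ("org.example.h2/h2@1.0.0", [("CVE-0000-0004", "HIGH")]),
    ("org.example.parquet/parquet-hadoop@1.0.0", [("CVE-0000-0006", "HIGH")]),
    ("org.example.nifi/nifi-api@1.28.0", []),
])


def coordinate(dep):
    """Return (group/artifact, version) from the Maven package URL, else the file name."""
    for pkg in dep.get("packages", []):
        pid = pkg.get("id", "")
        if pid.startswith("pkg:maven/"):
            ga, _, version = pid[len("pkg:maven/"):].partition("@")
            return ga, version
    return dep.get("fileName", "unknown"), ""


def load_findings(report_text, suppressed=frozenset()):
    """Parse a report into {group/artifact: {"version": v, "cves": {name: severity}}}.

    Every dependency is kept, vulnerable or not, so totals cover the full set.
    `suppressed` holds (group/artifact, cve) pairs already triaged as false
    positives or unreachable; dropping them here mirrors a suppression file.
    """
    found = {}
    for dep in json.loads(report_text).get("dependencies", []):
        ga, version = coordinate(dep)
        cves = {
            v["name"]: v.get("severity", "UNKNOWN")
            for v in dep.get("vulnerabilities", [])
            if (ga, v["name"]) not in suppressed
        }
        found[ga] = {"version": version, "cves": cves}
    return found


def summarize(findings):
    """Headline numbers plus a per-group breakdown (group = Maven groupId)."""
    by_group = defaultdict(lambda: {"dependencies": 0, "cves": 0})
    vulnerable = total_cves = 0
    for ga, info in findings.items():
        if not info["cves"]:
            continue
        vulnerable += 1
        total_cves += len(info["cves"])
        by_group[ga.split("/")[0]]["dependencies"] += 1
        by_group[ga.split("/")[0]]["cves"] += len(info["cves"])
    return {
        "total_dependencies": len(findings),
        "vulnerable_dependencies": vulnerable,
        "cves": total_cves,
        "by_group": dict(by_group),
    }


def diff_findings(previous, current):
    """Return (new, resolved): CVE ids per group/artifact that appeared or went away.

    Keyed on group/artifact without version so an upgrade that clears a
    finding shows up as resolved instead of as an unrelated new dependency.
    """
    new, resolved = {}, {}
    for ga in set(previous) | set(current):
        before = set(previous.get(ga, {}).get("cves", {}))
        after = set(current.get(ga, {}).get("cves", {}))
        if after - before:
            new[ga] = sorted(after - before)
        if before - after:
            resolved[ga] = sorted(before - after)
    return new, resolved


if __name__ == "__main__":
    prev, cur = load_findings(PREVIOUS_REPORT), load_findings(CURRENT_REPORT)
    print(json.dumps(summarize(cur), indent=2))
    new, resolved = diff_findings(prev, cur)
    print("new since previous release:", new)
    print("resolved since previous release:", resolved)
```

Against real reports the two JSON files come from running the dependency-check plugin on the previous release tag and on the RC, and the suppressed set would be loaded from whatever triage record the project keeps; the point of the diff is that a release reviewer reads a short list of newly appearing CVEs rather than re-reading 169 entries.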