Another option/solution: How about officially dropping netty support from 3.4 and asking people to move to the new version (3.5 stable or later)?
Patrick

On Tue, Oct 1, 2019 at 4:22 AM Andor Molnar <[email protected]> wrote:

> I agree with 3.4 should not be refactored in any way even for a security
> fix.
>
> What's wrong with the "alpha story"?
>
> I think releasing in an early stage with "-alpha", "-beta" modifiers is
> not a bad thing alone, as long as it doesn't take years to get to the
> stable release.
>
> Andor
>
>
> On Tue, 1 Oct 2019, Enrico Olivelli wrote:
>
> > Date: Tue, 1 Oct 2019 10:54:24 +0200
> > From: Enrico Olivelli <[email protected]>
> > Reply-To: [email protected]
> > To: [email protected]
> > Subject: Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
> >
> > On Tue 1 Oct 2019, 10:38 Andor Molnar <[email protected]> wrote:
> >
> >> Backporting Netty 4 would be a huge, cumbersome task, I hope we don't have
> >> to do it.
> >>
> >
> > Yes, 3.4 is mature and stable and closed for refactors.
> >
> >
> >> However I had a quick look at the details of this CVE and it seems to me
> >> that it only affects the HTTP codec:
> >>
> >> https://github.com/netty/netty/commit/39cafcb05c99f2aa9fce7e6597664c9ed6a63a95
> >>
> >> Can't we just say 3.4.14 is not affected?
> >> We're not running HTTP server inside ZooKeeper.
> >>
> >> Otherwise we might be able to release 3.6.0-alpha1 now, put a date for 3.4
> >> EOL and highlight on the webpage that this
> >>
> >
> > Please do not start an 'alpha' story like for 3.5....
> >
> >> CVE probably won't be resolved on that branch, please upgrade to 3.5.
> >>
> >
> > +1
> >
> >
> > Enrico
> >
> >>
> >> As a third option we could ask Norman to kindly fix 3.10.6.Final as well…
> >> or submit a PR ourselves, it doesn't seem to me a big deal.
> >>
> >
> > Not so useful
> >
> >>
> >> What do you think?
> >>
> >> Andor
> >>
> >>
> >>
> >>
> >>> On 2019. Oct 1., at 2:00, Patrick Hunt <[email protected]> wrote:
> >>>
> >>> I pushed patches for 3.5 and trunk and the tests passed on my mac. However
> >>> 3.4 is using netty 3.10.6.Final and as such it's not a simple upgrade.
> >>> (there are no fixes against 3.10 for this CVE, at least not so far) Not
> >>> sure what we want to do about this... someone would need to backport the
> >>> netty 4.1 changes into 3.4 afaict.
> >>>
> >>> Patrick
> >>>
> >>> On Mon, Sep 30, 2019 at 1:08 PM Patrick Hunt <[email protected]> wrote:
> >>>
> >>>> I'll work on it today.
> >>>>
> >>>> Patrick
> >>>>
> >>>> On Mon, Sep 30, 2019 at 11:59 AM Enrico Olivelli <[email protected]>
> >>>> wrote:
> >>>>
> >>>>> Okay
> >>>>>
> >>>>> I am cancelling the release.
> >>>>>
> >>>>> I have a problem with my box, I can't work on netty upgrade.
> >>>>>
> >>>>> Any volunteer?
> >>>>>
> >>>>> Enrico
> >>>>>
> >>>>> On Mon 30 Sep 2019, 20:32 Andor Molnar <[email protected]> wrote:
> >>>>>
> >>>>>> The good news is: we need to release 3.4.15 too. :)
> >>>>>>
> >>>>>> Andor
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>> On 2019. Sep 30., at 20:26, Patrick Hunt <[email protected]> wrote:
> >>>>>>>
> >>>>>>> created: https://issues.apache.org/jira/browse/ZOOKEEPER-3563
> >>>>>>>
> >>>>>>> On Mon, Sep 30, 2019 at 11:20 AM Patrick Hunt <[email protected]>
> >>>>>>> wrote:
> >>>>>>>
> >>>>>>>> -1 - when I run dependency check on the release candidate artifact it's
> >>>>>>>> failing with:
> >>>>>>>>
> >>>>>>>> [ERROR] netty-transport-4.1.29.Final.jar: CVE-2019-16869
> >>>>>>>>
> >>>>>>>> I ran this on trunk and it's passing, as such it must be an issue with
> >>>>>>>> the 3.5.6 netty version specifically. It's listed as a high, we should
> >>>>>>>> patch this as well before releasing.
> >>>>>>>>
> >>>>>>>> Patrick
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On Sun, Sep 29, 2019 at 7:29 AM Enrico Olivelli <[email protected]>
> >>>>>>>> wrote:
> >>>>>>>>
> >>>>>>>>> This is a bugfix release candidate for 3.5.6.
> >>>>>>>>>
> >>>>>>>>> It fixes 28 issues, including upgrade of third party libraries,
> >>>>>>>>> TTL Node APIs for C API, support for PKCS12 Keystores, and better
> >>>>>>>>> procedure for the upgrade of servers from 3.4 to 3.5.
> >>>>>>>>>
> >>>>>>>>> The full release notes are available at:
> >>>>>>>>>
> >>>>>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12345243
> >>>>>>>>>
> >>>>>>>>> *** Please download, test and vote by October 2nd 2019, 23:59 UTC+0. ***
> >>>>>>>>>
> >>>>>>>>> Source files:
> >>>>>>>>> https://people.apache.org/~eolivelli/zookeeper-3.5.6-candidate-2
> >>>>>>>>>
> >>>>>>>>> Maven staging repo:
> >>>>>>>>> https://repository.apache.org/content/repositories/orgapachezookeeper-1042/
> >>>>>>>>>
> >>>>>>>>> The release candidate tag in git to be voted upon: release-3.5.6-rc2
> >>>>>>>>> https://github.com/apache/zookeeper/tree/release-3.5.6-rc2
> >>>>>>>>>
> >>>>>>>>> ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> >>>>>>>>> https://www.apache.org/dist/zookeeper/KEYS
> >>>>>>>>>
> >>>>>>>>> Should we release this candidate?
> >>>>>>>>> Enrico Olivelli
