On Wed, Oct 2, 2019 at 9:59 PM Brian Nixon <[email protected]> wrote:
> NIO is still the default server factory so I'm guessing many users of 3.4
> simply aren't configuring Netty. And our recommendation for users who want
> Netty could be to upgrade to a 3.5 release as that should be better in
> every way for them.
>
> Is there a principle determining the difference between leaving the code
> available in 3.4 with a warning attached and removing the code entirely so
> that they would have to independently modify and package in order to use
> the feature?
>

Primarily/historically what I mentioned - we don't introduce major
features/changes (esp non-b/w compat) in fix releases.

Patrick

>
> On Wed, Oct 2, 2019 at 8:48 AM Patrick Hunt <[email protected]> wrote:
>
> > On Wed, Oct 2, 2019 at 1:49 AM Andor Molnar <[email protected]> wrote:
> >
> > > Hi Pat,
> > >
> > > Would you please clarify what do you mean "dropping netty support from
> > > 3.4"?
> > >
> >
> > My simplistic thought was just that. Ship new versions of 3.4 that remove
> > support for netty. That could mean turning it off by default (not sure how
> > much work that would be) or just purging the netty code from the codebase
> > entirely (3.4). It would be an exception to our "don't break b/w compat
> > in fix releases" policy, but this is an extreme case imo. We have no
> > intention of supporting netty in 3.4 going forward as evidenced by the fact
> > that the netty version is locked to netty 3 (long out of support by netty
> > as they are no longer backporting fixes) and we have no intention of
> > updating to the new version of netty on 3.4. Maybe this CVE doesn't affect
> > us, but at some point it will. Users have the option to move to a stable,
> > b/w compat, 3.5 release. Not optimal I agree.
> >
> > > Does that mean we won't submit security patches from now on, but keep the
> > > Netty classes (NettyServerCnxnFactory and ClientCnxnSocketNetty) available
> > > OR remove these classes from the codebase?
> > > The latter means we'll drop client SSL feature too.
> > >
> >
> > Say there is a new CVE on netty and it's not backported to netty3, what
> > would we do in that case. I guess we could wait/kick the can down the road
> > till we really hit that. For the moment just say that it doesn't affect us
> > as you researched and add to 3.4 exceptions.
> >
> > This is just my suggestion/option rather than a recommendation, open to
> > other ideas. ;-)
> >
> > Patrick
> >
> > > Andor
> > >
> > > > On 2019. Oct 2., at 2:27, Michael Han <[email protected]> wrote:
> > > >
> > > >>> How about officially dropping netty support from 3.4 and asking people
> > > >>> to move to the new version
> > > >
> > > > +1. This sounds a good opportunity to deprecate 3.4 branch.
> > > >
> > > > On Tue, Oct 1, 2019 at 8:00 AM Enrico Olivelli <[email protected]> wrote:
> > > >
> > > >> On Tue, 1 Oct 2019 at 16:15 Patrick Hunt <[email protected]> wrote:
> > > >>
> > > >>> Another option/solution: How about officially dropping netty support from
> > > >>> 3.4 and asking people to move to the new version (3.5 stable or later)?
> > > >>>
> > > >>
> > > >> Sounds good
> > > >>
> > > >> Enrico
> > > >>
> > > >>> Patrick
> > > >>>
> > > >>> On Tue, Oct 1, 2019 at 4:22 AM Andor Molnar <[email protected]> wrote:
> > > >>>
> > > >>>> I agree with 3.4 should not be refactored in any way even for a security
> > > >>>> fix.
> > > >>>>
> > > >>>> What's wrong with the "alpha story"?
> > > >>>>
> > > >>>> I think releasing in an early stage with "-alpha", "-beta" modifiers is
> > > >>>> not a bad thing alone, as long as it doesn't take years to get to the
> > > >>>> stable release.
> > > >>>>
> > > >>>> Andor
> > > >>>>
> > > >>>> On Tue, 1 Oct 2019, Enrico Olivelli wrote:
> > > >>>>
> > > >>>>> Date: Tue, 1 Oct 2019 10:54:24 +0200
> > > >>>>> From: Enrico Olivelli <[email protected]>
> > > >>>>> Reply-To: [email protected]
> > > >>>>> To: [email protected]
> > > >>>>> Subject: Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
> > > >>>>>
> > > >>>>> On Tue, 1 Oct 2019, 10:38 Andor Molnar <[email protected]> wrote:
> > > >>>>>
> > > >>>>>> Backporting Netty 4 would be a huge, cumbersome task, I hope we don't have
> > > >>>>>> to do it.
> > > >>>>>>
> > > >>>>>
> > > >>>>> Yes, 3.4 is mature and stable and closed for refactors.
> > > >>>>>
> > > >>>>>> However I had a quick look at the details of this CVE and it seems to me
> > > >>>>>> that it only affects the HTTP codec:
> > > >>>>>>
> > > >>>>>> https://github.com/netty/netty/commit/39cafcb05c99f2aa9fce7e6597664c9ed6a63a95
> > > >>>>>>
> > > >>>>>> Can't we just say 3.4.14 is not affected?
> > > >>>>>> We're not running HTTP server inside ZooKeeper.
> > > >>>>>>
> > > >>>>>> Otherwise we might be able to release 3.6.0-alpha1 now, put a date for 3.4
> > > >>>>>> EOL and highlight on the webpage that this
> > > >>>>>>
> > > >>>>>
> > > >>>>> Please do not start an 'alpha' story like for 3.5....
> > > >>>>>
> > > >>>>>> CVE probably won't be resolved on that branch, please upgrade to 3.5.
> > > >>>>>>
> > > >>>>>
> > > >>>>> +1
> > > >>>>>
> > > >>>>> Enrico
> > > >>>>>
> > > >>>>>> As a third option we could ask Norman to kindly fix 3.10.6.Final as well...
> > > >>>>>> or submit a PR ourselves, it doesn't seem to me a big deal.
> > > >>>>>>
> > > >>>>>
> > > >>>>> Not so useful
> > > >>>>>
> > > >>>>>> What do you think?
> > > >>>>>>
> > > >>>>>> Andor
> > > >>>>>>
> > > >>>>>>> On 2019. Oct 1., at 2:00, Patrick Hunt <[email protected]> wrote:
> > > >>>>>>>
> > > >>>>>>> I pushed patches for 3.5 and trunk and the tests passed on my mac.
> > > >>>>>>> However 3.4 is using netty 3.10.6.Final and as such it's not a simple
> > > >>>>>>> upgrade. (there are no fixes against 3.10 for this CVE, at least not so
> > > >>>>>>> far) Not sure what we want to do about this... someone would need to
> > > >>>>>>> backport the netty 4.1 changes into 3.4 afaict.
> > > >>>>>>>
> > > >>>>>>> Patrick
> > > >>>>>>>
> > > >>>>>>> On Mon, Sep 30, 2019 at 1:08 PM Patrick Hunt <[email protected]> wrote:
> > > >>>>>>>
> > > >>>>>>>> I'll work on it today.
> > > >>>>>>>>
> > > >>>>>>>> Patrick
> > > >>>>>>>>
> > > >>>>>>>> On Mon, Sep 30, 2019 at 11:59 AM Enrico Olivelli <[email protected]> wrote:
> > > >>>>>>>>
> > > >>>>>>>>> Okay
> > > >>>>>>>>>
> > > >>>>>>>>> I am cancelling the release.
> > > >>>>>>>>>
> > > >>>>>>>>> I have a problem with my box, I can't work on netty upgrade.
> > > >>>>>>>>>
> > > >>>>>>>>> Any volunteer?
> > > >>>>>>>>>
> > > >>>>>>>>> Enrico
> > > >>>>>>>>>
> > > >>>>>>>>> On Mon, 30 Sep 2019, 20:32 Andor Molnar <[email protected]> wrote:
> > > >>>>>>>>>
> > > >>>>>>>>>> The good news is: we need to release 3.4.15 too. :)
> > > >>>>>>>>>>
> > > >>>>>>>>>> Andor
> > > >>>>>>>>>>
> > > >>>>>>>>>>> On 2019. Sep 30., at 20:26, Patrick Hunt <[email protected]> wrote:
> > > >>>>>>>>>>>
> > > >>>>>>>>>>> created: https://issues.apache.org/jira/browse/ZOOKEEPER-3563
> > > >>>>>>>>>>>
> > > >>>>>>>>>>> On Mon, Sep 30, 2019 at 11:20 AM Patrick Hunt <[email protected]> wrote:
> > > >>>>>>>>>>>
> > > >>>>>>>>>>>> -1 - when I run dependency check on the release candidate artifact it's
> > > >>>>>>>>>>>> failing with:
> > > >>>>>>>>>>>>
> > > >>>>>>>>>>>> [ERROR] netty-transport-4.1.29.Final.jar: CVE-2019-16869
> > > >>>>>>>>>>>>
> > > >>>>>>>>>>>> I ran this on trunk and it's passing, as such it must be an issue with
> > > >>>>>>>>>>>> the 3.5.6 netty version specifically. It's listed as a high, we should
> > > >>>>>>>>>>>> patch this as well before releasing.
> > > >>>>>>>>>>>>
> > > >>>>>>>>>>>> Patrick
> > > >>>>>>>>>>>>
> > > >>>>>>>>>>>> On Sun, Sep 29, 2019 at 7:29 AM Enrico Olivelli <[email protected]> wrote:
> > > >>>>>>>>>>>>
> > > >>>>>>>>>>>>> This is a bugfix release candidate for 3.5.6.
> > > >>>>>>>>>>>>>
> > > >>>>>>>>>>>>> It fixes 28 issues, including upgrade of third party libraries,
> > > >>>>>>>>>>>>> TTL Node APIs for C API, support for PKCS12 Keystores, and better
> > > >>>>>>>>>>>>> procedure for the upgrade of servers from 3.4 to 3.5.
> > > >>>>>>>>>>>>>
> > > >>>>>>>>>>>>> The full release notes are available at:
> > > >>>>>>>>>>>>>
> > > >>>>>>>>>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12345243
> > > >>>>>>>>>>>>>
> > > >>>>>>>>>>>>> *** Please download, test and vote by October 2nd 2019, 23:59 UTC+0. ***
> > > >>>>>>>>>>>>>
> > > >>>>>>>>>>>>> Source files:
> > > >>>>>>>>>>>>> https://people.apache.org/~eolivelli/zookeeper-3.5.6-candidate-2
> > > >>>>>>>>>>>>>
> > > >>>>>>>>>>>>> Maven staging repo:
> > > >>>>>>>>>>>>> https://repository.apache.org/content/repositories/orgapachezookeeper-1042/
> > > >>>>>>>>>>>>>
> > > >>>>>>>>>>>>> The release candidate tag in git to be voted upon: release-3.5.6-rc2
> > > >>>>>>>>>>>>> https://github.com/apache/zookeeper/tree/release-3.5.6-rc2
> > > >>>>>>>>>>>>>
> > > >>>>>>>>>>>>> ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> > > >>>>>>>>>>>>> https://www.apache.org/dist/zookeeper/KEYS
> > > >>>>>>>>>>>>>
> > > >>>>>>>>>>>>> Should we release this candidate?
> > > >>>>>>>>>>>>> Enrico Olivelli
> > > >>>>>>>>>>>>>
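The check that triggered the -1 above (a dependency scan flagging `netty-transport-4.1.29.Final.jar` for CVE-2019-16869) and the 3.4 question (Netty 3.10.6.Final has no fix on its line) can be reproduced on a release artifact's `lib/` listing with a small version-range scanner. This is an added example, not ZooKeeper or Netty project code; the listing is constructed, and the fix version 4.1.42.Final is an assumption taken from the Netty advisory for this CVE rather than from the thread.

```python
import re
from typing import NamedTuple, Optional

# Constructed lib/ listing of a hypothetical release candidate (not a real RC).
LIB_LISTING = """
jline-2.14.6.jar
netty-buffer-4.1.29.Final.jar
netty-transport-4.1.29.Final.jar
netty-handler-4.1.29.Final.jar
netty-codec-http-4.1.42.Final.jar
netty-3.10.6.Final.jar
slf4j-api-1.7.25.jar
""".strip().splitlines()

# Matches Netty jar names: artifact, numeric version, optional qualifier (.Final).
JAR_RE = re.compile(
    r"^(?P<artifact>netty(?:-[a-z-]+)?)-(?P<version>\d+(?:\.\d+)*)(?:\.[A-Za-z0-9]+)?\.jar$"
)

def parse_version(v: str) -> tuple:
    """'4.1.29.Final' -> (4, 1, 29); the qualifier does not affect ordering here."""
    return tuple(int(p) for p in re.match(r"\d+(?:\.\d+)*", v).group(0).split("."))

class Finding(NamedTuple):
    jar: str
    status: str

# Assumption: CVE-2019-16869 is fixed in 4.1.42.Final on the 4.1 line; the 3.x
# line has no upstream fix (as Patrick notes in the thread for 3.10).
FIXED_4X = parse_version("4.1.42.Final")

def check_jar(name: str) -> Optional[Finding]:
    """Classify one jar the way a version-range dependency scanner would."""
    m = JAR_RE.match(name)
    if not m:
        return None  # not a Netty jar, nothing to report
    ver = parse_version(m.group("version"))
    if ver[0] == 4:
        if ver < FIXED_4X:
            return Finding(name, "vulnerable: upgrade to 4.1.42.Final or later")
        return Finding(name, "ok")
    # Netty 3.x: no fixed version exists, so the scanner cannot clear it;
    # the thread's argument is that only the HTTP codec is affected.
    return Finding(name, "unfixed line: assess whether the HTTP codec is used")

def scan(listing) -> list:
    """Return findings for every Netty jar in the listing, in order."""
    return [f for f in (check_jar(n) for n in listing) if f is not None]
```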
