I was also thinking that we could/would release a 3.10.0 as "current" and
3.9 would move to stable...

Regards,

Patrick

On Wed, Aug 6, 2025 at 11:40 AM Christopher <ctubb...@apache.org> wrote:

> +1 to that idea.
>
> The releases page[1] says "Apache ZooKeeper 3.9.3 is our current
> release, and 3.8.4 our latest stable release". Is 3.9 sufficiently
> stable to replace 3.8 as the current "stable"? If the answer is yes,
> then I think it makes sense to EOL 3.8.
>
> [1]: https://zookeeper.apache.org/releases.html#download
>
> On Mon, Aug 4, 2025 at 2:52 PM Patrick Hunt <ph...@apache.org> wrote:
> >
> > Should we sunset that minor release due to the "unfixable" security issue
> > and EOL of dependenc(ies)?
> >
> > Patrick
> >
> > On Mon, Aug 4, 2025 at 10:03 AM Andor Molnar <an...@apache.org> wrote:
> >
> > > Yeah, I agree with that, but we can’t leave things here just like that.
> > > Either we should keep updating the logging libraries on all active branches
> > > or add the necessary suppression to Owasp. Otherwise the report result will
> > > be completely meaningless.
> > >
> > > Andor
> > >
> > >
> > >
> > > > On Aug 4, 2025, at 08:21, Christopher <ctubb...@apache.org> wrote:
> > > >
> > > > Yes, that is basically my concern. I commented at
> > > >
> > > > https://github.com/apache/zookeeper/pull/2290#issuecomment-3145955665
> > > >
> > > > On Fri, Aug 1, 2025, 18:43 Andor Molnar <an...@apache.org> wrote:
> > > >
> > > >> Christopher raised concern about it in
> > > >>
> > > >> https://github.com/apache/zookeeper/pull/2162#pullrequestreview-2037135095
> > > >>
> > > >> I suspect because SLF4j has to be major upgraded with logback 1.x -> 2.x
> > > >> which should not be done in bugfix releases.
> > > >>
> > > >> I’m not sure. Maybe we should just add another Owasp suppression, but that
> > > >> wouldn’t be appropriate either.
> > > >>
> > > >> Andor
> > > >>
> > > >>
> > > >>
> > > >>> On Jul 30, 2025, at 18:39, Andor Molnar <an...@apache.org> wrote:
> > > >>>
> > > >>> That’s my understanding too, but looks like folks skipped even the 3.9
> > > >>> backport in the case of logback.
> > > >>>
> > > >>> Andor
> > > >>>
> > > >>>
> > > >>>
> > > >>>> On Jul 30, 2025, at 16:36, Patrick Hunt <ph...@apache.org> wrote:
> > > >>>>
> > > >>>> My understanding, I thought the rule was to backport any patch to all
> > > >>>> of the active releases unless it's a new feature. Perhaps ask the folks
> > > >>>> who committed?
> > > >>>>
> > > >>>> Patrick
> > > >>>>
> > > >>>> On Wed, Jul 30, 2025 at 2:06 PM Andor Molnar <an...@apache.org> wrote:
> > > >>>>
> > > >>>>> Hi folks,
> > > >>>>>
> > > >>>>> Currently I’m working on some backports, because OWASP reports CVEs on
> > > >>>>> the 3.8 branch and noticed in the PRs that we should only upgrade logback
> > > >>>>> on the master branch. Why is that?
> > > >>>>>
> > > >>>>> logback-core-1.2.13.jar (pkg:maven/ch.qos.logback/logback-core@1.2.13,
> > > >>>>> cpe:2.3:a:qos:logback:1.2.13:*:*:*:*:*:*:*) : CVE-2024-12798, CVE-2024-12801
> > > >>>>>
> > > >>>>> Regards,
> > > >>>>> Andor
> > > >>>>>
> > > >>>>>
> > > >>>>>
> > > >>>
> > > >>
> > > >>
> > >
> > >
>