I think 3.10 is probably overdue anyway. I remember somebody asking about it on the mailing list a few months ago, but I may be mistaken.
On Wed, Aug 6, 2025 at 2:47 PM Patrick Hunt <ph...@apache.org> wrote:
>
> I was also thinking that we could/would release a 3.10.0 as "current" and
> 3.9 would move to stable...
>
> Regards,
>
> Patrick
>
> On Wed, Aug 6, 2025 at 11:40 AM Christopher <ctubb...@apache.org> wrote:
> >
> > +1 to that idea.
> >
> > The releases page[1] says "Apache ZooKeeper 3.9.3 is our current
> > release, and 3.8.4 our latest stable release". Is 3.9 sufficiently
> > stable to replace 3.8 as the current "stable"? If the answer is yes,
> > then I think it makes sense to EOL 3.8.
> >
> > [1]: https://zookeeper.apache.org/releases.html#download
> >
> > On Mon, Aug 4, 2025 at 2:52 PM Patrick Hunt <ph...@apache.org> wrote:
> > >
> > > Should we sunset that minor release due to the "unfixable" security issue
> > > and EOL of dependenc(ies)?
> > >
> > > Patrick
> > >
> > > On Mon, Aug 4, 2025 at 10:03 AM Andor Molnar <an...@apache.org> wrote:
> > > >
> > > > Yeah, I agree with that, but we can’t leave things here just like that.
> > > > Either we should keep updating the logging libraries on all active branches
> > > > or add the necessary suppression to Owasp. Otherwise the report result will
> > > > be completely meaningless.
> > > >
> > > > Andor
> > > >
> > > > > On Aug 4, 2025, at 08:21, Christopher <ctubb...@apache.org> wrote:
> > > > >
> > > > > Yes, that is basically my concern. I commented at
> > > > > https://github.com/apache/zookeeper/pull/2290#issuecomment-3145955665
> > > > >
> > > > > On Fri, Aug 1, 2025, 18:43 Andor Molnar <an...@apache.org> wrote:
> > > > >
> > > > >> Christopher raised concern about it in
> > > > >>
> > > > >> https://github.com/apache/zookeeper/pull/2162#pullrequestreview-2037135095
> > > > >>
> > > > >> I suspect because SLF4j has to be major upgraded with logback 1.x -> 2.x
> > > > >> which should not be done in bugfix releases.
> > > > >>
> > > > >> I’m not sure. Maybe we should just add another Owasp suppression, but that
> > > > >> wouldn’t be appropriate either.
> > > > >>
> > > > >> Andor
> > > > >>
> > > > >>> On Jul 30, 2025, at 18:39, Andor Molnar <an...@apache.org> wrote:
> > > > >>>
> > > > >>> That’s my understanding too, but looks like folks skipped even the 3.9
> > > > >>> backport in the case of logback.
> > > > >>>
> > > > >>> Andor
> > > > >>>
> > > > >>>> On Jul 30, 2025, at 16:36, Patrick Hunt <ph...@apache.org> wrote:
> > > > >>>>
> > > > >>>> My understanding, I thought the rule was to backport any patch to all of
> > > > >>>> the active releases unless it's a new feature. Perhaps ask the folks who
> > > > >>>> committed?
> > > > >>>>
> > > > >>>> Patrick
> > > > >>>>
> > > > >>>> On Wed, Jul 30, 2025 at 2:06 PM Andor Molnar <an...@apache.org> wrote:
> > > > >>>>
> > > > >>>>> Hi folks,
> > > > >>>>>
> > > > >>>>> Currently I’m working on some backports, because OWASP reports CVEs on the
> > > > >>>>> 3.8 branch and noticed in the PRs that we should only upgrade logback on
> > > > >>>>> the master branch. Why is that?
> > > > >>>>>
> > > > >>>>> logback-core-1.2.13.jar (pkg:maven/ch.qos.logback/logback-core@1.2.13,
> > > > >>>>> cpe:2.3:a:qos:logback:1.2.13:*:*:*:*:*:*:*) : CVE-2024-12798,
> > > > >>>>> CVE-2024-12801
> > > > >>>>>
> > > > >>>>> Regards,
> > > > >>>>> Andor