[jira] [Commented] (DRILL-8158) Remove non-reproducible build outputs
[ https://issues.apache.org/jira/browse/DRILL-8158?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17693724#comment-17693724 ]

ASF GitHub Bot commented on DRILL-8158:
---

cgivre merged PR #2766:
URL: https://github.com/apache/drill/pull/2766

> Remove non-reproducible build outputs
> -
>
> Key: DRILL-8158
> URL: https://issues.apache.org/jira/browse/DRILL-8158
> Project: Apache Drill
> Issue Type: Bug
> Affects Versions: 1.20.0
> Reporter: Herve Boutemy
> Assignee: James Turton
> Priority: Major
> Fix For: 1.20.2
>
>
> For context see [1] and [2]. The git-commit-id plugin includes information
> like build host, email and time which is not compatible with a reproducible
> build. Drill's built in sys.version table will return the build email and
> time if they are present in the build's git.properties file so these columns
> must be deprecated. Other useful Git-related information is retained.
> In accompanying commits, some Kerberos unit test fixes are applied, and the
> tests reenabled, and some updates to Release.md are included.
> [1] [https://maven.apache.org/guides/mini/guide-reproducible-builds.html]
> [2] [https://github.com/jvm-repo-rebuild/reproducible-central#org.apache.drill:drill-root]

--
This message was sent by Atlassian Jira (v8.20.10#820010)
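Added example, not part of the original thread and not code from the Drill project: a check that flags the build host, email and time entries the issue description says make `git.properties` non-reproducible, and that lists the keys on which two builds of the same commit differ. The key names are assumed to be the git-commit-id plugin's default names, and both sample files are constructed.

```python
import re

# Entries that change with the build machine or the build run.
# Assumption: the plugin's default key names with the "git." prefix.
VOLATILE_KEYS = {
    "git.build.host",
    "git.build.time",
    "git.build.user.email",
    "git.build.user.name",
}

def _unescape(s):
    # .properties files escape ':' and '=' with a backslash (e.g. in timestamps)
    return re.sub(r"\\(.)", r"\1", s)

def parse_properties(text):
    """Parse the subset of the Java .properties format used by git.properties."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment header
        # key ends at the first unescaped '=' or ':'
        m = re.match(r"((?:\\.|[^\\=:])+?)\s*[=:]\s*(.*)", line)
        if m:
            props[_unescape(m.group(1))] = _unescape(m.group(2))
    return props

def volatile_entries(text):
    """Return the entries that would break a reproducible build."""
    props = parse_properties(text)
    return {k: props[k] for k in sorted(props.keys() & VOLATILE_KEYS)}

def differing_keys(text_a, text_b):
    """Return the keys whose values differ between two builds."""
    a, b = parse_properties(text_a), parse_properties(text_b)
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))

# Constructed samples: the same commit built on two different machines.
BUILD_A = r"""#Generated by Git-Commit-Id-Plugin
git.branch=master
git.build.host=builder-a.example
git.build.time=2000-01-01T00\:00\:00+0000
git.build.user.email=dev-a@example.org
git.commit.id=0123456789abcdef0123456789abcdef01234567
"""
BUILD_B = BUILD_A.replace("builder-a", "builder-b").replace("dev-a", "dev-b") \
                 .replace("2000-01-01T00", "2000-01-02T09")
```

An empty result from `volatile_entries` only shows that these known keys are absent; it does not show that the whole build is reproducible.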
[jira] [Commented] (DRILL-8405) upgrade to snakeyaml 2.0 due to cve
[ https://issues.apache.org/jira/browse/DRILL-8405?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17693700#comment-17693700 ]

ASF GitHub Bot commented on DRILL-8405:
---

pjfanning commented on PR #2767:
URL: https://github.com/apache/drill/pull/2767#issuecomment-1445455789

It looks like Liquibase uses a snakeyaml 1.0 API call that is not supported in snakeyaml 2.0.

```
2023-02-26T15:12:21.4680779Z Caused by: java.lang.NoSuchMethodError: org.yaml.snakeyaml.constructor.SafeConstructor: method ()V not found
2023-02-26T15:12:21.4681347Z at liquibase.parser.core.yaml.YamlChangeLogParser.parse(YamlChangeLogParser.java:23)
2023-02-26T15:12:21.4681830Z at liquibase.Liquibase.getDatabaseChangeLog(Liquibase.java:369)
```

> upgrade to snakeyaml 2.0 due to cve
> ---
>
> Key: DRILL-8405
> URL: https://issues.apache.org/jira/browse/DRILL-8405
> Project: Apache Drill
> Issue Type: Task
> Reporter: PJ Fanning
> Priority: Major
>
> https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in
[jira] [Commented] (DRILL-8158) Remove non-reproducible build outputs
[ https://issues.apache.org/jira/browse/DRILL-8158?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17693675#comment-17693675 ]

ASF GitHub Bot commented on DRILL-8158:
---

hboutemy commented on PR #2766:
URL: https://github.com/apache/drill/pull/2766#issuecomment-1445406594

I'd love that it could be feasible, but I don't think CI is able to check reproducibility

another aspect is that we currently have no regression, but just fixes that are done step by step: once we have fixed one issue that creates a lot of noise, next release shows issues that are less noisy, then were not much visible before

IMHO, we just need to accept that for such big project, having a build that is fully reproducible requires multiple iterations: that's not unexpected

I'm confident that once this PR is merged, the remaining issues will impact much less content
[jira] [Commented] (DRILL-8405) upgrade to snakeyaml 2.0 due to cve
[ https://issues.apache.org/jira/browse/DRILL-8405?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17693667#comment-17693667 ]

ASF GitHub Bot commented on DRILL-8405:
---

cgivre commented on PR #2767:
URL: https://github.com/apache/drill/pull/2767#issuecomment-1445393983

Ugh.. it looks like the new library broke something. Disregard approval. :-(
[jira] [Commented] (DRILL-8158) Remove non-reproducible build outputs
[ https://issues.apache.org/jira/browse/DRILL-8158?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17693650#comment-17693650 ]

ASF GitHub Bot commented on DRILL-8158:
---

cgivre commented on PR #2766:
URL: https://github.com/apache/drill/pull/2766#issuecomment-1445371514

@hboutemy Should we add this as a CI check?
[jira] [Commented] (DRILL-8405) upgrade to snakeyaml 2.0 due to cve
[ https://issues.apache.org/jira/browse/DRILL-8405?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17693647#comment-17693647 ]

ASF GitHub Bot commented on DRILL-8405:
---

pjfanning opened a new pull request, #2767:
URL: https://github.com/apache/drill/pull/2767

## Description

upgrade to snakeyaml 2.0 due to CVE

## Testing

CI build
[jira] [Created] (DRILL-8405) upgrade to snakeyaml 2.0 due to cve
PJ Fanning created DRILL-8405:
-

Summary: upgrade to snakeyaml 2.0 due to cve
Key: DRILL-8405
URL: https://issues.apache.org/jira/browse/DRILL-8405
Project: Apache Drill
Issue Type: Task
Reporter: PJ Fanning

https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in