Re: [VOTE] Second release candidate for hbase 3.0.0-alpha-2 is available for download

2021-12-21 Thread Andrew Purtell
On a thread in general@incubator (the one with subject "Looking for a champion: resurrect log4j 1.x") a member of the ZooKeeper PMC said they would be moving to Logback, that is where I got that information from. Yes I will open a discussion on dev@ and a JIRA soon. My opinion is log4j 2 has

Re: [VOTE] Second release candidate for hbase 3.0.0-alpha-2 is available for download

2021-12-21 Thread Duo Zhang
This is the thread in zookeeper dev mailing list for discussing whether to migrate to logback https://lists.apache.org/thread/1ktv03wvqtfg22d13c1yo1lgnjv6xpkt AFAICT they haven't decided yet, a member in the community posted exactly what I want to say I think it would be a mistake to use the

Re: [VOTE] Second release candidate for hbase 3.0.0-alpha-2 is available for download

2021-12-21 Thread Andrew Purtell
Although this isn't really the right place I did want to circle back here because in this context we are discussing HBase 3 and voting on alpha versions toward a GA version. ZooKeeper has decided to migrate from log4j to logback. Perhaps there would be interest in doing that here, before 3.0 is

Re: [VOTE] Second release candidate for hbase 3.0.0-alpha-2 is available for download

2021-12-18 Thread Duo Zhang
https://github.com/apache/hbase/pull/3965
Andrew Purtell wrote on Sun, Dec 19, 2021 at 13:51:
> Sure, we are on the same page about this RC.
>
> > On Dec 18, 2021, at 9:46 PM, 张铎 wrote:
> >
> > I think we are on the same page that we should upgrade to the newest log4j2
> > version since the final

Re: [VOTE] Second release candidate for hbase 3.0.0-alpha-2 is available for download

2021-12-18 Thread Andrew Purtell
Sure, we are on the same page about this RC.
> On Dec 18, 2021, at 9:46 PM, 张铎 wrote:
>
> I think we are on the same page that we should upgrade to the newest log4j2
> version since the final release has not been published yet.
>
> But on log4j1, in our community we have discussed this

Re: [VOTE] Second release candidate for hbase 3.0.0-alpha-2 is available for download

2021-12-18 Thread Duo Zhang
I think we are on the same page that we should upgrade to the newest log4j2 version since the final release has not been published yet. But on log4j1, in our community we have discussed this before when there is a CVE for it. You can view this page https://logging.apache.org/log4j/1.2/ And even

Re: [VOTE] Second release candidate for hbase 3.0.0-alpha-2 is available for download

2021-12-18 Thread Andrew Purtell
As to your first point, I think it is a simple consideration: A user’s security department or compliance regulator will ask: “Does this version include log4j with a known CVE?” Why would we provide a release where they have to answer “yes” when we can provide them a release where they can

Re: [VOTE] Second release candidate for hbase 3.0.0-alpha-2 is available for download

2021-12-18 Thread Duo Zhang
After 2.15.0, all the problems require you manually put some special markers in the pattern layout in your configuration file, so it is already less hurt, we do not have something like %m{lookup} in the pattern layout by default. Anyway, since we haven’t released 3.0.0-alpha-2 yet, let’s upgrade

Re: [VOTE] Second release candidate for hbase 3.0.0-alpha-2 is available for download

2021-12-18 Thread Andrew Purtell
Apologies, I managed to hit the send button before finishing. My veto can be cured by upgrading Log4J to **2.17.0**. See https://logging.apache.org/log4j/2.x/security.html.
On Sat, Dec 18, 2021 at 1:22 PM Andrew Purtell wrote:
> -1 (binding)
>
> The Log4J issues are not fixed by 2.15.
>
> I

Re: [VOTE] Second release candidate for hbase 3.0.0-alpha-2 is available for download

2021-12-18 Thread Andrew Purtell
-1 (binding) The Log4J issues are not fixed by 2.15. I wish we had remained on Log4J 1. Hadoop 3 is still on 1, although I know they have plans to upgrade. It does not seem advisable to use Log4J 2 at all actually. Another option that does not include such a dangerous reference/rewrite mechanism

Re: [VOTE] Second release candidate for hbase 3.0.0-alpha-2 is available for download

2021-12-18 Thread Josh Elser
+1 (binding)
* Xsums/sigs good
* Can build from source
* Log4j 2.15 is included (more on this in the below)
* log4j2.formatMsgNoLookups=true is set (multiple times per process, but properly set)
* hbase-config.sh issue is fixed over rc1
Best as I've been able to keep up, it seems like we

Re: [VOTE] Second release candidate for hbase 3.0.0-alpha-2 is available for download

2021-12-18 Thread Viraj Jasani
+1
* Signature: ok
* Checksum : ok
* Rat check (1.8.0_301): ok
  - mvn clean apache-rat:check
* Built from source (1.8.0_301): ok
  - mvn clean install -DskipTests
* Unit tests pass (1.8.0_301): ok
  - mvn package -P runSmallTests -Dsurefire.rerunFailingTestsCount=3
* Nightly build results look

Re: [VOTE] Second release candidate for hbase 3.0.0-alpha-2 is available for download

2021-12-17 Thread Duo Zhang
Just a reminder, we still need more votes to make this release to address the log4j2 CVE.
Nick Dimiduk wrote on Wed, Dec 15, 2021 at 04:38:
> +1
>
> * Signature: ok
> * Checksum : ok
> * Rat check (11.0.11): ok
>   - mvn clean apache-rat:check -D skipTests
> * Built

Re: [VOTE] Second release candidate for hbase 3.0.0-alpha-2 is available for download

2021-12-14 Thread Nick Dimiduk
+1
* Signature: ok
* Checksum : ok
* Rat check (11.0.11): ok
  - mvn clean apache-rat:check -D skipTests
* Built from source (11.0.11): ok
  - mvn clean install -D skipTests -DskipTests
On Tue, Dec 14, 2021 at 6:16 AM Duo Zhang wrote:
> Please vote

[VOTE] Second release candidate for hbase 3.0.0-alpha-2 is available for download

2021-12-14 Thread Duo Zhang
Please vote on this Apache hbase release candidate, hbase-3.0.0-alpha-2RC1
The VOTE will remain open for at least 72 hours.
[ ] +1 Release this package as Apache hbase 3.0.0-alpha-2
[ ] -1 Do not release this package because ...
The tag to be voted on is 3.0.0-alpha-2RC1: