Re: [VOTE] Apache ZooKeeper release 3.7.1 candidate 0

2022-05-04 Thread Christopher
FWIW, I think it's a waste of time to cancel the vote on the basis of a
known false positive... you can just ignore the false positive and +1 a
vote anyway. I don't see this as "pushing it downstream" onto users. Users
are likely to not run the CVE check, because it's only useful at a point in
time. But, if they do, it's only ever useful at a specific point in time.
If users run it in the future, they could have any amount of false or true
positives.

Worst case scenario: mention the false positive in the release notes.

On Wed, May 4, 2022 at 2:21 PM Mohammad Arshad wrote:

> Thanks Patrick Hunt for your feedback. I am cancelling this VOTE. Thanks
> Mate and Enrico for your quick votes. Thanks & Regards Arshad
>
> On Wed, May 4, 2022 at 11:03 PM Patrick Hunt wrote:
>
> > The dependency checker is failing. We had a similar discussion about the
> > impact of this on a recent release candidate. The
> > decision was to address the problem rather than push it downstream to end
> > users. iow this type of error results in all consumers having a question as
> > to whether there is a problem or not. Better to fix it now by spinning
> > another RC rather than have to deal with it magnified later.
> >
> > [ERROR] One or more dependencies were identified with vulnerabilities that
> > have a CVSS score greater than or equal to '0.0':
> > [ERROR]
> > [ERROR] reload4j-1.2.19.jar: CVE-2020-9493, CVE-2022-23307
> > [ERROR]
> > [ERROR] See the dependency-check report for more details.
> >
> > On Sun, Apr 24, 2022 at 6:25 PM Mohammad Arshad wrote:
> >
> > > This is a bug fix release candidate for 3.7.1. It contains 61 fixes.
> > >
> > > The full release notes are available at:
> > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12350030
> > >
> > > *** Please download, test and vote by Sunday, 01 May, 2022, 23:59 UTC+0. ***
> > >
> > > Source files:
> > > https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.7.1-rc0/
> > >
> > > Maven staging repo:
> > > https://repository.apache.org/content/repositories/orgapachezookeeper-1075
> > >
> > > The release candidate tag in git to be voted upon: release-3.7.1-0
> > > https://github.com/apache/zookeeper/tree/release-3.7.1-0
> > >
> > > ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> > > https://www.apache.org/dist/zookeeper/KEYS
> > >
> > > The staging version of the website is:
> > > https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.7.1-rc0/website/index.html
> > >
> > > Should we release this candidate?
> > >
> > > -Arshad
> > >
> >
>


Re: [VOTE] Apache ZooKeeper release 3.7.1 candidate 0

2022-05-04 Thread Mohammad Arshad
Thanks Patrick Hunt for your feedback. I am cancelling this VOTE. Thanks
Mate and Enrico for your quick votes. Thanks & Regards Arshad

On Wed, May 4, 2022 at 11:03 PM Patrick Hunt wrote:

> The dependency checker is failing. We had a similar discussion about the
> impact of this on a recent release candidate. The
> decision was to address the problem rather than push it downstream to end
> users. iow this type of error results in all consumers having a question as
> to whether there is a problem or not. Better to fix it now by spinning
> another RC rather than have to deal with it magnified later.
>
> [ERROR] One or more dependencies were identified with vulnerabilities that
> have a CVSS score greater than or equal to '0.0':
> [ERROR]
> [ERROR] reload4j-1.2.19.jar: CVE-2020-9493, CVE-2022-23307
> [ERROR]
> [ERROR] See the dependency-check report for more details.
>
> On Sun, Apr 24, 2022 at 6:25 PM Mohammad Arshad wrote:
>
> > This is a bug fix release candidate for 3.7.1. It contains 61 fixes.
> >
> > The full release notes are available at:
> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12350030
> >
> > *** Please download, test and vote by Sunday, 01 May, 2022, 23:59 UTC+0. ***
> >
> > Source files:
> > https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.7.1-rc0/
> >
> > Maven staging repo:
> > https://repository.apache.org/content/repositories/orgapachezookeeper-1075
> >
> > The release candidate tag in git to be voted upon: release-3.7.1-0
> > https://github.com/apache/zookeeper/tree/release-3.7.1-0
> >
> > ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> > https://www.apache.org/dist/zookeeper/KEYS
> >
> > The staging version of the website is:
> > https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.7.1-rc0/website/index.html
> >
> > Should we release this candidate?
> >
> > -Arshad
> >
>


[Cancelled] Apache ZooKeeper release 3.7.1 candidate 0

2022-05-04 Thread Mohammad Arshad
Thanks Patrick Hunt for your feedback.
I am cancelling this VOTE.
Thanks Mate and Enrico for your quick votes.

Thanks & Regards
Arshad


On Wed, May 4, 2022 at 11:03 PM Patrick Hunt wrote:

> The dependency checker is failing. We had a similar discussion about the
> impact of this on a recent release candidate. The
> decision was to address the problem rather than push it downstream to end
> users. iow this type of error results in all consumers having a question as
> to whether there is a problem or not. Better to fix it now by spinning
> another RC rather than have to deal with it magnified later.
>
> [ERROR] One or more dependencies were identified with vulnerabilities that
> have a CVSS score greater than or equal to '0.0':
> [ERROR]
> [ERROR] reload4j-1.2.19.jar: CVE-2020-9493, CVE-2022-23307
> [ERROR]
> [ERROR] See the dependency-check report for more details.
>
> On Sun, Apr 24, 2022 at 6:25 PM Mohammad Arshad wrote:
>
> > This is a bug fix release candidate for 3.7.1. It contains 61 fixes.
> >
> > The full release notes are available at:
> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12350030
> >
> > *** Please download, test and vote by Sunday, 01 May, 2022, 23:59 UTC+0. ***
> >
> > Source files:
> > https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.7.1-rc0/
> >
> > Maven staging repo:
> > https://repository.apache.org/content/repositories/orgapachezookeeper-1075
> >
> > The release candidate tag in git to be voted upon: release-3.7.1-0
> > https://github.com/apache/zookeeper/tree/release-3.7.1-0
> >
> > ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> > https://www.apache.org/dist/zookeeper/KEYS
> >
> > The staging version of the website is:
> > https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.7.1-rc0/website/index.html
> >
> > Should we release this candidate?
> >
> > -Arshad
> >
>


Re: [VOTE] Apache ZooKeeper release 3.7.1 candidate 0

2022-05-04 Thread Patrick Hunt
The dependency checker is failing. We had a similar discussion about the
impact of this on a recent release candidate. The
decision was to address the problem rather than push it downstream to end
users. iow this type of error results in all consumers having a question as
to whether there is a problem or not. Better to fix it now by spinning
another RC rather than have to deal with it magnified later.

[ERROR] One or more dependencies were identified with vulnerabilities that
have a CVSS score greater than or equal to '0.0':
[ERROR]
[ERROR] reload4j-1.2.19.jar: CVE-2020-9493, CVE-2022-23307
[ERROR]
[ERROR] See the dependency-check report for more details.

On Sun, Apr 24, 2022 at 6:25 PM Mohammad Arshad wrote:

> This is a bug fix release candidate for 3.7.1. It contains 61 fixes.
>
> The full release notes are available at:
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12350030
>
> *** Please download, test and vote by Sunday, 01 May, 2022, 23:59 UTC+0. ***
>
> Source files:
> https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.7.1-rc0/
>
> Maven staging repo:
> https://repository.apache.org/content/repositories/orgapachezookeeper-1075
>
> The release candidate tag in git to be voted upon: release-3.7.1-0
> https://github.com/apache/zookeeper/tree/release-3.7.1-0
>
> ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> https://www.apache.org/dist/zookeeper/KEYS
>
> The staging version of the website is:
>
> https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.7.1-rc0/website/index.html
>
>
> Should we release this candidate?
>
>
> -Arshad
>


Re: [VOTE] Apache ZooKeeper release 3.7.1 candidate 0

2022-05-04 Thread Enrico Olivelli
+1 (binding)
- Verified checksums, signatures, licence files
- Built on Ubuntu with JDK11, all tests passed (I used surefire-forkcount=1)
- Run smoke tests on the binaries produced by building the source package

Good job, thank you Mohammad

Enrico

On Mon, 2 May 2022 at 14:14, Szalay-Bekő Máté wrote:
>
> +1 (binding)
>
> - I built the source code (-Pfull-build) on Ubuntu 18.04.6 using OpenJDK
> 11.0.14.1 and maven 3.6.0.
> - all the unit tests passed eventually (both Java and C-client).
> - I also built and executed unit tests for zkpython
> - checkstyle and spotbugs passed
> - apache-rat passed
> - owasp (CVE check) passed (with some false-positives, see ZOOKEEPER-4510)
> - fatjar built
> - I executed quick rolling-upgrade smoke tests (using
> https://github.com/symat/zk-rolling-upgrade-test):
>   - rolling upgrade from 3.5.9 to 3.7.1
>   - rolling upgrade from 3.6.3 to 3.7.1
>   - rolling upgrade from 3.7.0 to 3.7.1
>   - rolling upgrade from 3.7.1 to 3.8.0
>
> A few minor issues, none of them a blocker in my opinion:
> - some false positive CVE problems (followed in
> https://issues.apache.org/jira/browse/ZOOKEEPER-4510)
> - some unit tests failed for me the first time, but succeeded when I ran
> them one-by-one:
>   - org.apache.zookeeper.ZKUtilTest
>   - org.apache.zookeeper.server.ZooKeeperServerMainTest
>   - org.apache.zookeeper.server.quorum.QuorumPeerMainMultiAddressTest
>   - org.apache.zookeeper.server.quorum.QuorumPeerMainTest
>   - org.apache.zookeeper.server.quorum.Zab1_0Test
>   - org.apache.zookeeper.server.util.JvmPauseMonitorTest
>   - org.apache.zookeeper.server.util.RequestPathMetricsCollectorTest
> - some C unit tests also failed on my docker environment (these run
> successfully on CI, so I assume it is only a problem on my docker setup):
>   - Zookeeper_readOnly::testReadOnly (only on the multi-threaded C-client
> test suite)
>   - Zookeeper_readOnly::testReadOnlyWithSSL (only on the multi-threaded
> C-client test suite)
>
> Thanks for your work preparing the RC!
>
> Kind regards,
> Máté
>
> On Fri, Apr 29, 2022 at 4:03 PM Christopher wrote:
>
> > FWIW, this is already being tracked on
> > https://issues.apache.org/jira/browse/ZOOKEEPER-4510
> > It's a false positive. I don't think it should hold up a vote.
> >
> > On Fri, Apr 29, 2022 at 7:40 AM Szalay-Bekő Máté wrote:
> > >
> > > Hello Mohammad,
> > >
> > > Thanks for the RC! I'm still testing it (so no vote just yet), but I found
> > > some CVE errors reported. The command "mvn clean package -DskipTests
> > > dependency-check:check" failed with:
> > >
> > > [ERROR] One or more dependencies were identified with vulnerabilities that
> > > have a CVSS score greater than or equal to '0.0':
> > > [ERROR]
> > > [ERROR] reload4j-1.2.19.jar: CVE-2020-9493, CVE-2022-23307
> > > [ERROR]
> > > [ERROR] See the dependency-check report for more details.
> > >
> > > I think this is a dependency-check plugin error and not an actual security
> > > problem. At least I don't see Apache Chainsaw in our dependency tree, I
> > > don't know why maven dependency-check reports this. Anyway, it would be
> > > good if someone else can take a look too.
> > >
> > > Best regards,
> > > Máté
> > >
> > > On Mon, Apr 25, 2022 at 3:25 AM Mohammad Arshad wrote:
> > >
> > > > This is a bug fix release candidate for 3.7.1. It contains 61 fixes.
> > > >
> > > > The full release notes are available at:
> > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12350030
> > > >
> > > > *** Please download, test and vote by Sunday, 01 May, 2022, 23:59 UTC+0. ***
> > > >
> > > > Source files:
> > > > https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.7.1-rc0/
> > > >
> > > > Maven staging repo:
> > > > https://repository.apache.org/content/repositories/orgapachezookeeper-1075
> > > >
> > > > The release candidate tag in git to be voted upon: release-3.7.1-0
> > > > https://github.com/apache/zookeeper/tree/release-3.7.1-0
> > > >
> > > > ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> > > > https://www.apache.org/dist/zookeeper/KEYS
> > > >
> > > > The staging version of the website is:
> > > > https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.7.1-rc0/website/index.html
> > > >
> > > > Should we release this candidate?
> > > >
> > > > -Arshad
> > > >
> >
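The triage step behind Máté's "I don't see Apache Chainsaw in our dependency tree" can be made mechanical. The following is an added example, not ZooKeeper project code and not what ZOOKEEPER-4510 did: dependency-check matches a jar to CVEs by its identified vendor/product/version, not by what the jar contains, and both CVE-2020-9493 and CVE-2022-23307 describe deserialization in the Chainsaw component that shipped inside log4j 1.2.x. So a reviewer can open the flagged jar and look for `org/apache/log4j/chainsaw/` classes: if they are absent, the match is a candidate false positive to document (or suppress) rather than a shipped vulnerability. The jars below are constructed in a temp directory with dummy class entries; the Chainsaw package name, the class names and the CVE-to-component mapping are this example's assumptions, and reload4j itself is not downloaded or inspected.

```python
"""Check whether a dependency-check CVE match is plausible by looking for the
component the CVE is actually about inside the flagged jar.

Added example, not ZooKeeper project code. Assumption: CVE-2020-9493 and
CVE-2022-23307 concern the Chainsaw classes that log4j 1.2.x shipped under
org.apache.log4j.chainsaw; a jar without that package cannot carry them.
"""
import os
import tempfile
import zipfile

# Assumption: the two CVEs from the dependency-check output map to Chainsaw.
CHAINSAW_CVES = {"CVE-2020-9493", "CVE-2022-23307"}
CHAINSAW_PREFIX = "org/apache/log4j/chainsaw/"


def jar_classes(jar_path):
    """Return the .class entries of a jar (a zip file), sorted."""
    with zipfile.ZipFile(jar_path) as zf:
        return sorted(n for n in zf.namelist() if n.endswith(".class"))


def chainsaw_classes(jar_path):
    """Return only the class entries that live in the Chainsaw package."""
    return [c for c in jar_classes(jar_path) if c.startswith(CHAINSAW_PREFIX)]


def triage(jar_path, reported_cves):
    """Map each reported CVE to a verdict:
    'present'  - the component the CVE targets is in the jar
    'absent'   - the component is not shipped; candidate false positive
    'unknown'  - this check has no component mapping for the CVE
    """
    has_chainsaw = bool(chainsaw_classes(jar_path))
    verdicts = {}
    for cve in reported_cves:
        if cve in CHAINSAW_CVES:
            verdicts[cve] = "present" if has_chainsaw else "absent"
        else:
            verdicts[cve] = "unknown"
    return verdicts


def build_sample_jar(path, entries):
    """Constructed sample jar: entry names only, bodies are dummy bytes."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for name in entries:
            zf.writestr(name, b"\xca\xfe\xba\xbe")  # class-file magic only


def demo():
    """Build one jar that still ships Chainsaw and one that does not, then
    triage the two CVEs from the thread's dependency-check output against both."""
    tmp = tempfile.mkdtemp()
    with_chainsaw = os.path.join(tmp, "with-chainsaw.jar")
    without_chainsaw = os.path.join(tmp, "without-chainsaw.jar")
    # Constructed class lists; not a real inventory of any log4j/reload4j jar.
    common = ["org/apache/log4j/Logger.class",
              "org/apache/log4j/PropertyConfigurator.class"]
    build_sample_jar(with_chainsaw, common + [
        "org/apache/log4j/chainsaw/Main.class",
        "org/apache/log4j/chainsaw/LoggingReceiver.class",
    ])
    build_sample_jar(without_chainsaw, common)
    reported = ["CVE-2020-9493", "CVE-2022-23307"]  # as printed by the plugin
    return {
        "with_chainsaw": triage(with_chainsaw, reported),
        "without_chainsaw": triage(without_chainsaw, reported),
    }


if __name__ == "__main__":
    for jar, verdicts in demo().items():
        print(jar, verdicts)
```

Run it against the real artifact by calling `triage("reload4j-1.2.19.jar", ["CVE-2020-9493", "CVE-2022-23307"])`; an 'absent' verdict is the evidence to attach to the tracking ticket, and dependency-check accepts a suppression file so the same match does not fail every later RC build.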


Re: last 3.5 release

2022-05-04 Thread Enrico Olivelli
good idea

Enrico

On Wed, 4 May 2022 at 09:59, Szalay-Bekő Máté wrote:
>
> Hello All,
>
> Our communicated EoL date for branch 3.5 is approaching (1st of June), and
> I volunteer to cut the 3.5.10 release soon. Our last release (3.5.9)
> happened on 15 January, 2021, and I think it would make sense to have one
> last release on 3.5. Let me know if you disagree.
>
> It would include CVE fixes, the log4j1 elimination / reload4j migration (I
> need to backport that still) and a couple of other bug fixes.
>
> Please let me know if you think there would be any ticket / PR I should
> wait for. I'll also go through the recent list of bug fixes to see if we
> missed backporting something security related / a really burning fix.
>
> Best regards,
> Mate


last 3.5 release

2022-05-04 Thread Szalay-Bekő Máté
Hello All,

Our communicated EoL date for branch 3.5 is approaching (1st of June), and
I volunteer to cut the 3.5.10 release soon. Our last release (3.5.9)
happened on 15 January, 2021, and I think it would make sense to have one
last release on 3.5. Let me know if you disagree.

It would include CVE fixes, the log4j1 elimination / reload4j migration (I
need to backport that still) and a couple of other bug fixes.

Please let me know if you think there would be any ticket / PR I should
wait for. I'll also go through the recent list of bug fixes to see if we
missed backporting something security related / a really burning fix.

Best regards,
Mate