Re: [VOTE] Apache ZooKeeper release 3.8.1 candidate 0
-1 (non-binding) from me.

I created a couple of PRs to test Apache Pulsar and Apache BookKeeper with this RC:
https://github.com/apache/bookkeeper/pull/3754
https://github.com/dlg99/pulsar/pull/8

There are new test failures related to "Invalid Watcher, shouldn't be null!".
The problem is caused by validateWatcher in the constructor (added in 3.8.1):

```
private void validateWatcher(Watcher watcher) {
    if (watcher == null) {
        throw new IllegalArgumentException("Invalid Watcher, shouldn't be null!");
    }
}

public ZooKeeper(String connectString, int sessionTimeout, Watcher watcher,
        boolean canBeReadOnly, HostProvider hostProvider, ZKClientConfig clientConfig)
        throws IOException {
    LOG.info("Initiating client connection, connectString={} sessionTimeout={} watcher={}",
            new Object[]{connectString, sessionTimeout, watcher});
    this.validateWatcher(watcher);
    ...
```

So calls like

```
ZooKeeper zkc = new ZooKeeper(zkUtil.getZooKeeperConnectString(), 1, null);
```

(where watcher is null) are no longer valid.

Personally, I think it is a bit too much for a minor 3.8.x release; 3.9.0 would be a more appropriate version to require such changes.

--
Andrey Yegorov

On 2023/01/23 13:50:08 Enrico Olivelli wrote:
> This is a release candidate for 3.8.1.
>
> This is a bugfix release. The full release notes are available at:
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12351398=Html=12310801
>
> *** Please download, test and vote by Thursday 26th 2023, 23:59 UTC+0. ***
>
> Source files:
> https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.8.1-candidate-0/
>
> Maven staging repo:
> https://repository.apache.org/content/repositories/orgapachezookeeper-1085/
>
> The release candidate tag in git to be voted upon: release-3.8.1-0
> https://github.com/apache/zookeeper/tree/release-3.8.1-0
>
> ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> https://www.apache.org/dist/zookeeper/KEYS
>
> The staging version of the website is:
> https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.8.1-candidate-0/website/index.html
>
> Should we release this candidate?
>
> Enrico Olivelli
Re: [VOTE] Apache ZooKeeper release 3.8.1 candidate 0
Thanks Enrico - off the bat I did notice a couple of license file mismatches, not sure how you want to handle those:

-rw-r--r--  1 phunt  staff   11366 Jan 23 05:25 netty-common-4.1.76.Final.LICENSE.txt
-rw-r--r--  1 phunt  staff  654571 Dec 16 05:34 netty-common-4.1.86.Final.jar
-rw-r--r--  1 phunt  staff   11366 Jan 23 05:25 netty-transport-4.1.76.Final.LICENSE.txt
-rw-r--r--  1 phunt  staff  488341 Dec 16 05:34 netty-transport-4.1.86.Final.jar

Should I continue verification or are you going to address/respin?

Patrick

On Mon, Jan 23, 2023 at 5:51 AM Enrico Olivelli wrote:
> This is a release candidate for 3.8.1.
>
> This is a bugfix release. The full release notes are available at:
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12351398=Html=12310801
>
> *** Please download, test and vote by Thursday 26th 2023, 23:59 UTC+0. ***
>
> Source files:
> https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.8.1-candidate-0/
>
> Maven staging repo:
> https://repository.apache.org/content/repositories/orgapachezookeeper-1085/
>
> The release candidate tag in git to be voted upon: release-3.8.1-0
> https://github.com/apache/zookeeper/tree/release-3.8.1-0
>
> ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> https://www.apache.org/dist/zookeeper/KEYS
>
> The staging version of the website is:
> https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.8.1-candidate-0/website/index.html
>
> Should we release this candidate?
>
> Enrico Olivelli
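The mismatch Patrick spotted by eye (LICENSE files still named for netty 4.1.76 next to 4.1.86 jars) is easy to check mechanically before voting. The script below is an added example written for this page, not part of the ZooKeeper release tooling. It assumes the `<artifact>-<version>.jar` / `<artifact>-<version>.LICENSE.txt` naming visible in the listing above, where the version starts at the first `-<digit>`; `make_sample_lib` builds a constructed directory that reproduces the listing (the correctly paired `example-lib-1.0.0` artifact is made up for the demo), and `report_mismatches` prints every LICENSE file whose version no longer matches a shipped jar, every orphan LICENSE, and every jar with no LICENSE at all.

```shell
#!/bin/sh
# Added example (not part of the ZooKeeper release tooling): cross-check the
# bundled *.LICENSE.txt files against the jars they are supposed to describe.
# Assumes the naming convention visible in the RC listing:
#   <artifact>-<version>.jar    and    <artifact>-<version>.LICENSE.txt
# where <version> is the part starting at the first "-<digit>".

# Constructed sample lib/ directory mirroring the RC listing: two netty LICENSE
# files still named for 4.1.76 next to 4.1.86 jars, plus one correctly paired
# artifact ("example-lib" is made up for this demo).
make_sample_lib() {
    dir=$(mktemp -d)
    for f in netty-common-4.1.76.Final.LICENSE.txt \
             netty-common-4.1.86.Final.jar \
             netty-transport-4.1.76.Final.LICENSE.txt \
             netty-transport-4.1.86.Final.jar \
             example-lib-1.0.0.LICENSE.txt \
             example-lib-1.0.0.jar; do
        : > "$dir/$f"
    done
    printf '%s\n' "$dir"
}

# Strip "-<version>" from a file stem: netty-common-4.1.86.Final -> netty-common
artifact_of() {
    printf '%s\n' "$1" | sed 's/-[0-9].*$//'
}

# Print one line per problem and return 1 if anything was printed:
#   MISMATCH         LICENSE and jar exist for the artifact but versions differ
#   ORPHAN LICENSE   LICENSE file with no jar for that artifact at all
#   MISSING LICENSE  jar with no LICENSE file for that artifact at all
report_mismatches() {
    lib=$1
    issues=0
    for lic in "$lib"/*.LICENSE.txt; do
        [ -e "$lic" ] || continue
        stem=$(basename "$lic" .LICENSE.txt)
        [ -e "$lib/$stem.jar" ] && continue          # exact pair, nothing to report
        artifact=$(artifact_of "$stem")
        lic_ver=${stem#"$artifact"-}
        found=0
        for jar in "$lib/$artifact"-[0-9]*.jar; do  # same artifact, other version(s)
            [ -e "$jar" ] || continue
            jar_ver=$(basename "$jar" .jar)
            jar_ver=${jar_ver#"$artifact"-}
            echo "MISMATCH $artifact: LICENSE is for $lic_ver, jar is $jar_ver"
            found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "ORPHAN LICENSE: $stem.LICENSE.txt has no $artifact jar"
        fi
        issues=1
    done
    for jar in "$lib"/*.jar; do
        [ -e "$jar" ] || continue
        stem=$(basename "$jar" .jar)
        [ -e "$lib/$stem.LICENSE.txt" ] && continue  # exact pair
        artifact=$(artifact_of "$stem")
        has_lic=0
        for l in "$lib/$artifact"-[0-9]*.LICENSE.txt; do
            [ -e "$l" ] && has_lic=1                  # already reported as MISMATCH
        done
        if [ "$has_lic" -eq 0 ]; then
            echo "MISSING LICENSE: $stem.jar has no $artifact LICENSE file"
            issues=1
        fi
    done
    return "$issues"
}

# Number of problem lines, convenient for a scripted go/no-go check.
mismatch_count() {
    report_mismatches "$1" | wc -l | tr -d ' '
}

# Usage: sh check_licenses.sh /path/to/apache-zookeeper-3.8.1-bin/lib
if [ -n "${1:-}" ]; then
    report_mismatches "$1"
fi
```

Run against the RC's binary `lib/` directory the script exits non-zero on the two netty mismatches, which is the behaviour you want from a release gate. It only checks file names; it says nothing about whether the LICENSE text itself matches the upstream version, which still needs a human look when the dependency's license changed between versions.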
[VOTE] Apache ZooKeeper release 3.8.1 candidate 0
This is a release candidate for 3.8.1.

This is a bugfix release. The full release notes are available at:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12351398=Html=12310801

*** Please download, test and vote by Thursday 26th 2023, 23:59 UTC+0. ***

Source files:
https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.8.1-candidate-0/

Maven staging repo:
https://repository.apache.org/content/repositories/orgapachezookeeper-1085/

The release candidate tag in git to be voted upon: release-3.8.1-0
https://github.com/apache/zookeeper/tree/release-3.8.1-0

ZooKeeper's KEYS file containing PGP keys we use to sign the release:
https://www.apache.org/dist/zookeeper/KEYS

The staging version of the website is:
https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.8.1-candidate-0/website/index.html

Should we release this candidate?

Enrico Olivelli
Re: Cutting Apache ZooKeeper 3.8.1 release
On Mon, 23 Jan 2023 at 13:54, Enrico Olivelli wrote:
>
> Actually I think that I am falling into a rabbit hole.
>
> The Contrib packages have many CVEs against third party libraries
>
> https://issues.apache.org/jira/browse/ZOOKEEPER-4663 - OWASP is failing on loggraph due to yui-min.js: CVE-2013-4940, CVE-2013-4939
> https://issues.apache.org/jira/browse/ZOOKEEPER-4664 - OWASP is failing on zookeeper zookeeper-contrib-rest due to some third party dependencies
> https://issues.apache.org/jira/browse/ZOOKEEPER-4665 - OWASP is failing on zooinspector due to some third party dependencies
>
> There is too much work to do at the moment, and we can't blindly upgrade dependencies without proper testing.
>
> I am leaning towards creating the RC and ignoring all these problems.
> They don't affect the core code package, and they are optional modules, not deployed to Maven central or released as binaries

During the release I have found that we actually stage the artifacts in Maven central but they are not supposed to be consumed from there.
This is a minor release, I think it is better to not change the layout.
We could improve the list of stuff that we send to Maven central in a next major release

Enrico

>
> Enrico
>
> On Mon, 23 Jan 2023 at 13:30, Enrico Olivelli wrote:
> >
> > Unfortunately I missed these OWASP failures on the contrib packages
> >
> > [ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check (default-cli) on project zookeeper-it:
> > [ERROR]
> > [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0':
> > [ERROR]
> > [ERROR] junit-4.13.jar: CVE-2020-15250(5.5)
> > [ERROR] junit-platform-engine-1.6.2.jar: CVE-2022-31514(9.3)
> > [ERROR]
> > [ERROR] See the dependency-check report for more details.
> >
> > I will send other PRs
> >
> > Enrico
> >
> > On Thu, 19 Jan 2023 at 12:07, Enrico Olivelli wrote:
> > >
> > > I have opened a few PRs, please help me review
> > >
> > > https://github.com/apache/zookeeper/pull/1972
> > > https://github.com/apache/zookeeper/pull/1971
> > > https://github.com/apache/zookeeper/pull/1970
> > >
> > > Enrico
> > >
> > > On Thu, 19 Jan 2023 at 11:43, Enrico Olivelli wrote:
> > > >
> > > > Unfortunately the OWASP check is failing on branch-3.8
> > > >
> > > > [ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check (default-cli) on project zookeeper:
> > > > [ERROR]
> > > > [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0':
> > > > [ERROR]
> > > > [ERROR] commons-cli-1.4.jar: CVE-2021-37533(6.5)
> > > > [ERROR] commons-io-2.11.0.jar: CVE-2021-37533(6.5)
> > > > [ERROR] jackson-databind-2.13.2.1.jar: CVE-2022-42003(7.5), CVE-2022-42004(7.5)
> > > > [ERROR] netty-transport-4.1.76.Final.jar: CVE-2022-41915(6.5), CVE-2022-24823(5.5), CVE-2022-41881(7.5)
> > > > [ERROR]
> > > > [ERROR] See the dependency-check report for more details.
> > > > [ERROR]
> > > >
> > > > I will take a look if there are already patches to be cherry-picked.
> > > >
> > > > I guess it will take some time, I hoped to cut the release candidate today :-(
> > > >
> > > > Enrico
> > > >
> > > > On Tue, 17 Jan 2023 at 23:06, Chris Nauroth wrote:
> > > > >
> > > > > +1
> > > > >
> > > > > Thank you for taking this up, Enrico!
> > > > >
> > > > > Chris Nauroth
> > > > >
> > > > >
> > > > > On Tue, Jan 17, 2023 at 9:24 AM Enrico Olivelli wrote:
> > > > >
> > > > > > Hello ZooKeepers,
> > > > > > We have received a few requests to cut a 3.8.1 release.
> > > > > >
> > > > > > I will start the release procedure by the end of this week,
> > > > > > if there is anything that blocks the release or that you would like to cherry-pick please let me know
> > > > > >
> > > > > > Best regards
> > > > > > Enrico
> > > > > >
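The dependency-check output quoted throughout this thread is fatal at any score because the build runs with a CVSS threshold of 0.0, so the release manager still has to decide by hand which findings are release blockers and which can wait for a follow-up. The script below is an added example written for this page (not part of ZooKeeper or of the OWASP plugin): it parses the `[ERROR] <jar>: CVE-...(score), ...` lines in the format shown above, assuming one jar per line (lines wrapped by a mail client must be re-joined first), and ranks the findings by score. `SAMPLE_REPORT` is constructed from the lines quoted in this thread so the script runs offline.

```shell
#!/bin/sh
# Added example (not part of ZooKeeper or of dependency-check-maven): triage the
# "[ERROR] <jar>: CVE-...(score), ..." lines the plugin prints when the build
# fails. Hypothetical helper for a release manager; the line format is assumed
# from the output quoted in the thread, one jar per line.

# Constructed sample: the branch-3.8 and zookeeper-it findings from the thread,
# re-joined onto one line per jar. Non-finding [ERROR] lines are kept on purpose
# to show they are skipped.
SAMPLE_REPORT="[ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check (default-cli) on project zookeeper:
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0':
[ERROR] commons-cli-1.4.jar: CVE-2021-37533(6.5)
[ERROR] commons-io-2.11.0.jar: CVE-2021-37533(6.5)
[ERROR] jackson-databind-2.13.2.1.jar: CVE-2022-42003(7.5), CVE-2022-42004(7.5)
[ERROR] netty-transport-4.1.76.Final.jar: CVE-2022-41915(6.5), CVE-2022-24823(5.5), CVE-2022-41881(7.5)
[ERROR] junit-4.13.jar: CVE-2020-15250(5.5)
[ERROR] junit-platform-engine-1.6.2.jar: CVE-2022-31514(9.3)
[ERROR] See the dependency-check report for more details."

# Read report lines on stdin; emit one "<jar> <cve> <score>" triple per finding.
# Only lines of the form "[ERROR] <something>.jar: CVE-..." are considered.
parse_findings() {
    awk '
        /^\[ERROR\] [^ ]*\.jar: CVE-/ {
            jar = $2; sub(/:$/, "", jar)                 # drop trailing colon
            rest = $0; sub(/^[^:]*: */, "", rest)        # everything after "<jar>: "
            n = split(rest, items, /, */)                # "CVE-x(score)" items
            for (i = 1; i <= n; i++) {
                if (items[i] ~ /^CVE-[0-9]+-[0-9]+\([0-9.]+\)$/) {
                    cve = items[i];   sub(/\(.*$/, "", cve)
                    score = items[i]; sub(/^[^(]*\(/, "", score); sub(/\)$/, "", score)
                    print jar, cve, score
                }
            }
        }'
}

# Findings with CVSS >= threshold (7.0 is the NVD "High" cut-off), worst first.
findings_at_or_above() {
    threshold=$1
    parse_findings | awk -v t="$threshold" '$3 + 0 >= t + 0' | sort -k3,3nr
}

# Distinct jars carrying at least one finding at or above the threshold.
count_jars_at_or_above() {
    findings_at_or_above "$1" | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

# Highest score in the whole report, handy for a single go/no-go number.
max_score() {
    parse_findings | awk 'NR == 1 || $3 + 0 > m { m = $3 + 0 } END { if (NR) printf "%s\n", m }'
}

# Usage: mvn ... org.owasp:dependency-check-maven:check 2>&1 | sh triage.sh 7.0
if [ -n "${1:-}" ]; then
    findings_at_or_above "$1"
fi
```

Note what this does and does not do: it orders the work (a 9.3 in a test-only module and a 7.5 in jackson-databind read very differently once you know which artifacts ship in the binary tarball), but it is no substitute for the plugin's own gate, and a dependency that reaches end users should be bumped regardless of the score shown here.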
[jira] [Created] (ZOOKEEPER-4665) OWASP is failing on zooinspector due to some third party dependencies
Enrico Olivelli created ZOOKEEPER-4665:
------------------------------------------

Summary: OWASP is failing on zooinspector due to some third party dependencies
Key: ZOOKEEPER-4665
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4665
Project: ZooKeeper
Issue Type: Task
Reporter: Enrico Olivelli

{code:java}
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0':
[ERROR]
[ERROR] apache-rat-tasks-0.6.jar: CVE-2020-22475(6.8), CVE-2022-39349(5.5)
[ERROR] commons-collections-3.2.jar: CVE-2015-6420(7.5)
[ERROR] guava-18.0.jar: CVE-2020-8908(3.3), CVE-2018-10237(5.9)
[ERROR]
[ERROR] See the dependency-check report for more details.
{code}

--
This message was sent by Atlassian Jira (v8.20.10#820010)
Re: Cutting Apache ZooKeeper 3.8.1 release
Actually I think that I am falling into a rabbit hole.

The Contrib packages have many CVEs against third party libraries

https://issues.apache.org/jira/browse/ZOOKEEPER-4663 - OWASP is failing on loggraph due to yui-min.js: CVE-2013-4940, CVE-2013-4939
https://issues.apache.org/jira/browse/ZOOKEEPER-4664 - OWASP is failing on zookeeper zookeeper-contrib-rest due to some third party dependencies
https://issues.apache.org/jira/browse/ZOOKEEPER-4665 - OWASP is failing on zooinspector due to some third party dependencies

There is too much work to do at the moment, and we can't blindly upgrade dependencies without proper testing.

I am leaning towards creating the RC and ignoring all these problems.
They don't affect the core code package, and they are optional modules, not deployed to Maven central or released as binaries

Enrico

On Mon, 23 Jan 2023 at 13:30, Enrico Olivelli wrote:
>
> Unfortunately I missed these OWASP failures on the contrib packages
>
> [ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check (default-cli) on project zookeeper-it:
> [ERROR]
> [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0':
> [ERROR]
> [ERROR] junit-4.13.jar: CVE-2020-15250(5.5)
> [ERROR] junit-platform-engine-1.6.2.jar: CVE-2022-31514(9.3)
> [ERROR]
> [ERROR] See the dependency-check report for more details.
>
> I will send other PRs
>
> Enrico
>
> On Thu, 19 Jan 2023 at 12:07, Enrico Olivelli wrote:
> >
> > I have opened a few PRs, please help me review
> >
> > https://github.com/apache/zookeeper/pull/1972
> > https://github.com/apache/zookeeper/pull/1971
> > https://github.com/apache/zookeeper/pull/1970
> >
> > Enrico
> >
> > On Thu, 19 Jan 2023 at 11:43, Enrico Olivelli wrote:
> > >
> > > Unfortunately the OWASP check is failing on branch-3.8
> > >
> > > [ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check (default-cli) on project zookeeper:
> > > [ERROR]
> > > [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0':
> > > [ERROR]
> > > [ERROR] commons-cli-1.4.jar: CVE-2021-37533(6.5)
> > > [ERROR] commons-io-2.11.0.jar: CVE-2021-37533(6.5)
> > > [ERROR] jackson-databind-2.13.2.1.jar: CVE-2022-42003(7.5), CVE-2022-42004(7.5)
> > > [ERROR] netty-transport-4.1.76.Final.jar: CVE-2022-41915(6.5), CVE-2022-24823(5.5), CVE-2022-41881(7.5)
> > > [ERROR]
> > > [ERROR] See the dependency-check report for more details.
> > > [ERROR]
> > >
> > > I will take a look if there are already patches to be cherry-picked.
> > >
> > > I guess it will take some time, I hoped to cut the release candidate today :-(
> > >
> > > Enrico
> > >
> > > On Tue, 17 Jan 2023 at 23:06, Chris Nauroth wrote:
> > > >
> > > > +1
> > > >
> > > > Thank you for taking this up, Enrico!
> > > >
> > > > Chris Nauroth
> > > >
> > > >
> > > > On Tue, Jan 17, 2023 at 9:24 AM Enrico Olivelli wrote:
> > > >
> > > > > Hello ZooKeepers,
> > > > > We have received a few requests to cut a 3.8.1 release.
> > > > >
> > > > > I will start the release procedure by the end of this week,
> > > > > if there is anything that blocks the release or that you would like to cherry-pick please let me know
> > > > >
> > > > > Best regards
> > > > > Enrico
> > > > >
[jira] [Created] (ZOOKEEPER-4664) OWASP is failing on zookeeper zookeeper-contrib-rest due to some third party dependencies
Enrico Olivelli created ZOOKEEPER-4664:
------------------------------------------

Summary: OWASP is failing on zookeeper zookeeper-contrib-rest due to some third party dependencies
Key: ZOOKEEPER-4664
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4664
Project: ZooKeeper
Issue Type: Task
Reporter: Enrico Olivelli

{code:java}
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0':
[ERROR]
[ERROR] grizzly-utils-1.9.8.jar: CVE-2014-0099(4.3), CVE-2021-4277(5.3)
[ERROR] jersey-core-1.1.5.1.jar: CVE-2014-3643(7.5)
[ERROR] jettison-1.1.jar: CVE-2022-40149(7.5), CVE-2022-45693(7.5), CVE-2022-40150(7.5), CVE-2022-45685(7.5)
[ERROR]
[ERROR] See the dependency-check report for more details.
{code}
[jira] [Created] (ZOOKEEPER-4663) OWASP is failing on loggraph due to yui-min.js: CVE-2013-4940, CVE-2013-4939
Enrico Olivelli created ZOOKEEPER-4663:
------------------------------------------

Summary: OWASP is failing on loggraph due to yui-min.js: CVE-2013-4940, CVE-2013-4939
Key: ZOOKEEPER-4663
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4663
Project: ZooKeeper
Issue Type: Task
Components: contrib
Reporter: Enrico Olivelli

https://nvd.nist.gov/vuln/detail/CVE-2013-4939
[jira] [Created] (ZOOKEEPER-4662) OWASP is failing on the zookeeper-it module due to JUnit CVEs
Enrico Olivelli created ZOOKEEPER-4662:
------------------------------------------

Summary: OWASP is failing on the zookeeper-it module due to JUnit CVEs
Key: ZOOKEEPER-4662
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4662
Project: ZooKeeper
Issue Type: Test
Components: tests
Affects Versions: 3.8.0
Reporter: Enrico Olivelli
Fix For: 3.9.0, 3.8.1, 3.7.2

{code:java}
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0':
[ERROR]
[ERROR] junit-4.13.jar: CVE-2020-15250(5.5)
[ERROR] junit-platform-engine-1.6.2.jar: CVE-2022-31514(9.3)
[ERROR]
[ERROR] See the dependency-check report for more details.
{code}
Re: Cutting Apache ZooKeeper 3.8.1 release
Unfortunately I missed these OWASP failures on the contrib packages

[ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check (default-cli) on project zookeeper-it:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0':
[ERROR]
[ERROR] junit-4.13.jar: CVE-2020-15250(5.5)
[ERROR] junit-platform-engine-1.6.2.jar: CVE-2022-31514(9.3)
[ERROR]
[ERROR] See the dependency-check report for more details.

I will send other PRs

Enrico

On Thu, 19 Jan 2023 at 12:07, Enrico Olivelli wrote:
>
> I have opened a few PRs, please help me review
>
> https://github.com/apache/zookeeper/pull/1972
> https://github.com/apache/zookeeper/pull/1971
> https://github.com/apache/zookeeper/pull/1970
>
> Enrico
>
> On Thu, 19 Jan 2023 at 11:43, Enrico Olivelli wrote:
> >
> > Unfortunately the OWASP check is failing on branch-3.8
> >
> > [ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check (default-cli) on project zookeeper:
> > [ERROR]
> > [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0':
> > [ERROR]
> > [ERROR] commons-cli-1.4.jar: CVE-2021-37533(6.5)
> > [ERROR] commons-io-2.11.0.jar: CVE-2021-37533(6.5)
> > [ERROR] jackson-databind-2.13.2.1.jar: CVE-2022-42003(7.5), CVE-2022-42004(7.5)
> > [ERROR] netty-transport-4.1.76.Final.jar: CVE-2022-41915(6.5), CVE-2022-24823(5.5), CVE-2022-41881(7.5)
> > [ERROR]
> > [ERROR] See the dependency-check report for more details.
> > [ERROR]
> >
> > I will take a look if there are already patches to be cherry-picked.
> >
> > I guess it will take some time, I hoped to cut the release candidate today :-(
> >
> > Enrico
> >
> > On Tue, 17 Jan 2023 at 23:06, Chris Nauroth wrote:
> > >
> > > +1
> > >
> > > Thank you for taking this up, Enrico!
> > >
> > > Chris Nauroth
> > >
> > >
> > > On Tue, Jan 17, 2023 at 9:24 AM Enrico Olivelli wrote:
> > >
> > > > Hello ZooKeepers,
> > > > We have received a few requests to cut a 3.8.1 release.
> > > >
> > > > I will start the release procedure by the end of this week,
> > > > if there is anything that blocks the release or that you would like to cherry-pick please let me know
> > > >
> > > > Best regards
> > > > Enrico
> > > >