Re: [VOTE] Apache ZooKeeper release 3.8.0 candidate 0

2022-02-25 Thread Enrico Olivelli
Mike,
I sent out the VOTE for rc1,
I staged the artifacts on dist.apache.org

Enrico



Re: [VOTE] Apache ZooKeeper release 3.8.0 candidate 0

2022-02-23 Thread Enrico Olivelli
Mike,

On Thu, 10 Feb 2022 at 19:51, Mike Drob wrote:
>
>
>
> On 2022/02/04 11:07:34 Enrico Olivelli wrote:
> >
> > Source files:
> > https://people.apache.org/~eolivelli/zookeeper-3.8.0-candidate-0/
> >
>
> >
> > The staging version of the website is:
> > https://people.apache.org/~eolivelli/zookeeper-3.8.0-candidate-0/website/
> >
>
> Is there a reason that these are staged on your personal space on 
> people.apache instead of the svn dev space at 
> https://dist.apache.org/repos/dist/dev/zookeeper/

I guess it is only a "tradition" of the project.
There is no reason.

we can change

for reference
https://cwiki.apache.org/confluence/display/ZOOKEEPER/HowToRelease+using+maven+release+plugin

other thoughts ?

Enrico



>
> I see that there are older RCs still hanging about there.
>
> Mike


Re: [VOTE] Apache ZooKeeper release 3.8.0 candidate 0

2022-02-23 Thread Enrico Olivelli
FYI
today OWASP started to fail again while I was preparing a new RC :-(

please anyone help with a review of
https://github.com/apache/zookeeper/pull/1824


Enrico



Re: [VOTE] Apache ZooKeeper release 3.8.0 candidate 0

2022-02-10 Thread Mike Drob



On 2022/02/04 11:07:34 Enrico Olivelli wrote:
> 
> Source files:
> https://people.apache.org/~eolivelli/zookeeper-3.8.0-candidate-0/
> 

> 
> The staging version of the website is:
> https://people.apache.org/~eolivelli/zookeeper-3.8.0-candidate-0/website/
> 

Is there a reason that these are staged on your personal space on people.apache 
instead of the svn dev space at 
https://dist.apache.org/repos/dist/dev/zookeeper/

I see that there are older RCs still hanging about there.

Mike


Re: [VOTE] Apache ZooKeeper release 3.8.0 candidate 0

2022-02-10 Thread Enrico Olivelli
-1 (binding)

Let me add the exclusion and prepare a new RC.

I am cancelling this VOTE

Thanks to everyone
Enrico


Re: [VOTE] Apache ZooKeeper release 3.8.0 candidate 0

2022-02-10 Thread Andor Molnar
I agree with Pat. Though adding exclusions doesn’t make any difference in the 
quality of our code, but a build is a build. It’s either green or red (not 
green). No excuse.

Andor




Re: [VOTE] Apache ZooKeeper release 3.8.0 candidate 0

2022-02-10 Thread Patrick Hunt
On Thu, Feb 10, 2022 at 12:22 AM Enrico Olivelli 
wrote:

> Patrick,
> If you prefer I can send a patch for. the exclusion of
> [ERROR] netty-tcnative-2.0.48.Final.jar: CVE-2021-43797, CVE-2019-16869,
> CVE-2015-2156, CVE-2021-37136, CVE-2014-3488, CVE-2021-37137,
> CVE-2019-20445, CVE-2019-20444, CVE-2021-21295, CVE-2021-21409,
> CVE-2021-21290
>
> That said, this won't affect the goodness of the RC.
>
> Our code is safe and the dependencies we use are safe:
> - to me it looks like those are false positive or at least not related
> to ZooKeeper
> - we are not using Netty TC Native features, it is a dependency we
> inherit, and probably ZooKeeper works well without it
>
> Thank you all of taking time to test the release
>
>
NP. My concern is highlighted by this (your) response. You had to say all
this to explain why the build is failing on a simple security check.
Post-log4shell folks are really sensitive to security issues, as they
should be, as we all should be. Its very important that we take security
seriously. If I download the release, and run the owasp check it fails. I
then have questions in my mind why. All that you explained here, while
perfectly reasonable, it won't be available to me at that point. I think
rather we should ensure that releases are solid/clean before we push them.
This is a simple thing to fix before we go through the entire process of
verifying/releasing a new version.

Hopefully this explains my concerns.

Regards,

Patrick



Re: [VOTE] Apache ZooKeeper release 3.8.0 candidate 0

2022-02-10 Thread Enrico Olivelli
Patrick,
If you prefer I can send a patch for. the exclusion of
[ERROR] netty-tcnative-2.0.48.Final.jar: CVE-2021-43797, CVE-2019-16869,
CVE-2015-2156, CVE-2021-37136, CVE-2014-3488, CVE-2021-37137,
CVE-2019-20445, CVE-2019-20444, CVE-2021-21295, CVE-2021-21409,
CVE-2021-21290

That said, this won't affect the goodness of the RC.

Our code is safe and the dependencies we use are safe:
- to me it looks like those are false positive or at least not related
to ZooKeeper
- we are not using Netty TC Native features, it is a dependency we
inherit, and probably ZooKeeper works well without it

Thank you all of taking time to test the release

Enrico


Re: [VOTE] Apache ZooKeeper release 3.8.0 candidate 0

2022-02-10 Thread Szalay-Bekő Máté
Thanks Enrico for working on the release candidate!

The RC looks good to me if we are sure that the OWASP problem is a false
positive and we can skip this netty-tcnative jar check. However, these CVEs
are old... Is it possible that we just added this jar by accident with the
recent netty upgrade? If we don't need it, should we exclude it?

I wouldn't vote with +1 until we clarify the state of these CVEs.

My RC check:

- apache-rat passed
- I built the source code (-Pfull-build) on dockerized Ubuntu 18.04.6 using
OpenJDK 11.0.13 and maven 3.6.0.
- all the java unit tests passed eventually. I had 4-8 tests failing in
each run, but after 4 runs all tests passed at least once. (I used
-Dsurefire-forkcount=1) We should somehow fix these flakies. There are
flakies on the CI, but not this many. I executed in docker, maybe this is
the reason or the CI is using a different java version?
- checkstyle and spotbugs passed
- OWASP (CVE check) failed with the mentioned
netty-tcnative-2.0.48.Final.jar failures.
- I built the fatjar
- I executed C client tests. Two of these failed constantly for me:
Zookeeper_simpleSystem::testIPV6 and
Zookeeper_SASLAuth::testClientSASLOverIPv6. (I think these fail for me
because I execute C unit tests on docker, there might be some issues with
the IPv6 interface) I see these passed on CI running on the branch-3.8.0. (
https://github.com/apache/zookeeper/runs/5048875668?check_suite_focus=true)
- I also built and executed unit tests for zkpython
- I executed quick rolling-upgrade tests (using
https://github.com/symat/zk-rolling-upgrade-test):
  - rolling upgrade from 3.5.9 to 3.8.0
  - rolling upgrade from 3.6.3 to 3.8.0
  - rolling upgrade from 3.7.0 to 3.8.0
- The web page looks OK

Best regards,
Máté


Re: [VOTE] Apache ZooKeeper release 3.8.0 candidate 0

2022-02-09 Thread Chris Nauroth
Enrico, thank you for putting together a release candidate.

I briefly looked at the OWASP check failure. It's flagging multiple old
CVEs against netty-tcnative-2.0.48.Final.jar. I can't imagine how these are
still applicable. This is the newest version of the dependency, so we don't
have another upgrade path we can try.

I don't understand it. Unfortunately, I haven't found a solution yet.

Chris Nauroth


On Wed, Feb 9, 2022 at 2:05 AM Szalay-Bekő Máté 
wrote:

> I started to test it. apache-rat passed for me, but owasp first failed due
> to some environment issue:
>
> [ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.0:check
> (default-cli) on project parent: Fatal exception(s) analyzing Apache
> ZooKeeper: One or more exceptions occurred during analysis:
> [ERROR] Unable to download meta file:
> https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2004.meta
> [ERROR] No documents exist
> [ERROR] -> [Help 1]
>
> Now I just re-run and this error disappeared, I assume nvd.nist.gov was
> down for a while.
> Now the owasp is failing for me with this error:
>
> [ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.0:check
> (default-cli) on project zookeeper:
> [ERROR]
> [ERROR] One or more dependencies were identified with vulnerabilities that
> have a CVSS score greater than or equal to '0.0':
> [ERROR]
> [ERROR] netty-tcnative-2.0.48.Final.jar: CVE-2021-43797, CVE-2019-16869,
> CVE-2015-2156, CVE-2021-37136, CVE-2014-3488, CVE-2021-37137,
> CVE-2019-20445, CVE-2019-20444, CVE-2021-21295, CVE-2021-21409,
> CVE-2021-21290
> [ERROR]
> [ERROR] See the dependency-check report for more details.
>
>
> I still continue to test the RC, let me know if it gets cancelled.
>
>
> On Tue, Feb 8, 2022 at 9:52 PM Patrick Hunt  wrote:
>
> > On Tue, Feb 8, 2022 at 12:36 PM Enrico Olivelli 
> > wrote:
> >
> > > Any comments?
> > >
> >
> > owasp is still red - as such I assumed this release candidate is on hold
> > until that's fixed. Is that not the case?
> >
> > Patrick
> >
> >
> > >
> > > On Fri, 4 Feb 2022, 12:07 Enrico Olivelli wrote:
> > >
> > > > This is a release candidate for 3.8.0.
> > > >
> > > > It is a major release and it introduces a lot of new features, most
> > > > notably:
> > > > - Migration of the logging framework from Apache Log4j1 to LogBack
> > > > - Read Key/trust store password from file (and other security related
> > > > improvements)
> > > > - Restored support for OSGI
> > > > - Reduced the performance impact of Prometheus metrics
> > > > - Official support for JDK17 (all tests are passing)
> > > > - Updates to all the third party dependencies to get rid of every
> known
> > > > CVE.
> > > >
> > > > The full release notes is available at:
> > > >
> > > >
> > > >
> > >
> >
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12349587
> > > >
> > > > *** Please download, test and vote by February 7th 2022, 23:59 UTC+0.
> > ***
> > > >
> > > > Source files:
> > > > https://people.apache.org/~eolivelli/zookeeper-3.8.0-candidate-0/
> > > >
> > > > Maven staging repo:
> > > >
> > >
> >
> https://repository.apache.org/content/repositories/orgapachezookeeper-1072/
> > > >
> > > > The release candidate tag in git to be voted upon: release-3.8.0-0
> > > > https://github.com/apache/zookeeper/tree/release-3.8.0-0
> > > >
> > > > ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> > > > https://www.apache.org/dist/zookeeper/KEYS
> > > >
> > > > The staging version of the website is:
> > > >
> > >
> >
> https://people.apache.org/~eolivelli/zookeeper-3.8.0-candidate-0/website/
> > > >
> > > >
> > > > Should we release this candidate?
> > > > Enrico Olivelli
> > > >
> > >
> >
>


Re: [VOTE] Apache ZooKeeper release 3.8.0 candidate 0

2022-02-09 Thread Szalay-Bekő Máté
I started to test it. apache-rat passed for me, but owasp first failed due
to some environment issue:

[ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.0:check
(default-cli) on project parent: Fatal exception(s) analyzing Apache
ZooKeeper: One or more exceptions occurred during analysis:
[ERROR] Unable to download meta file:
https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2004.meta
[ERROR] No documents exist
[ERROR] -> [Help 1]

Now I just re-ran and this error disappeared; I assume nvd.nist.gov was
down for a while.
Now the owasp is failing for me with this error:

[ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.0:check
(default-cli) on project zookeeper:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities that
have a CVSS score greater than or equal to '0.0':
[ERROR]
[ERROR] netty-tcnative-2.0.48.Final.jar: CVE-2021-43797, CVE-2019-16869,
CVE-2015-2156, CVE-2021-37136, CVE-2014-3488, CVE-2021-37137,
CVE-2019-20445, CVE-2019-20444, CVE-2021-21295, CVE-2021-21409,
CVE-2021-21290
[ERROR]
[ERROR] See the dependency-check report for more details.


I still continue to test the RC, let me know if it gets cancelled.


On Tue, Feb 8, 2022 at 9:52 PM Patrick Hunt  wrote:

> On Tue, Feb 8, 2022 at 12:36 PM Enrico Olivelli 
> wrote:
>
> > Any comments?
> >
>
> owasp is still red - as such I assumed this release candidate is on hold
> until that's fixed. Is that not the case?
>
> Patrick
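The dependency-check summary above is the kind of output a vote script has to read before deciding whether the build is "red". As an added example (not code from the thread or from the ZooKeeper project), here is a small parser that re-joins Maven's wrapped lines, extracts the flagged artifacts and their CVE IDs, recovers the CVSS threshold, and reports which CVEs are not yet covered by a reviewed suppression list; the sample text is constructed from the lines quoted in the thread and the suppression set is hypothetical.

```python
"""Parse the summary dependency-check-maven prints when it fails the build
("[ERROR] <jar>: CVE-..., CVE-...") into structured data for a release gate."""
import re
from typing import Dict, List, Optional, Set

# Constructed sample, copied in shape from the output quoted in the thread.
# Maven wraps long lines, so a finding may continue on lines without [ERROR].
SAMPLE_OUTPUT = """\
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.0:check
(default-cli) on project zookeeper:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities that
have a CVSS score greater than or equal to '0.0':
[ERROR]
[ERROR] netty-tcnative-2.0.48.Final.jar: CVE-2021-43797, CVE-2019-16869,
CVE-2015-2156, CVE-2021-37136, CVE-2014-3488, CVE-2021-37137,
CVE-2019-20445, CVE-2019-20444, CVE-2021-21295, CVE-2021-21409,
CVE-2021-21290
[ERROR]
[ERROR] See the dependency-check report for more details.
"""

_CVE = re.compile(r"CVE-\d{4}-\d{4,}")
_FINDING = re.compile(r"^\[ERROR\] (?P<artifact>\S+\.(?:jar|war|zip)): (?P<rest>.*)$")
_THRESHOLD = re.compile(r"CVSS score greater than or equal to '(?P<score>[\d.]+)'")


def unwrap_error_lines(text: str) -> List[str]:
    """Join wrapped continuation lines back onto the [ERROR] line they belong to."""
    records: List[str] = []
    for line in text.splitlines():
        if line.startswith("[ERROR]") or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records


def parse_findings(text: str) -> Dict[str, List[str]]:
    """Map each flagged artifact to its sorted, de-duplicated CVE IDs."""
    findings: Dict[str, List[str]] = {}
    for record in unwrap_error_lines(text):
        m = _FINDING.match(record)
        if m:
            findings[m.group("artifact")] = sorted(set(_CVE.findall(m.group("rest"))))
    return findings


def cvss_threshold(text: str) -> Optional[float]:
    """The failBuildOnCVSS value the plugin ran with ('0.0' here: any CVE fails)."""
    for record in unwrap_error_lines(text):
        m = _THRESHOLD.search(record)
        if m:
            return float(m.group("score"))
    return None


def unreviewed(findings: Dict[str, List[str]], reviewed: Set[str]) -> Dict[str, List[str]]:
    """CVEs still blocking after removing IDs already triaged in a (hypothetical) suppression list."""
    left = {a: [c for c in cves if c not in reviewed] for a, cves in findings.items()}
    return {a: cves for a, cves in left.items() if cves}
```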


Re: [VOTE] Apache ZooKeeper release 3.8.0 candidate 0

2022-02-08 Thread Patrick Hunt
On Tue, Feb 8, 2022 at 12:36 PM Enrico Olivelli  wrote:

> Any comments?
>

owasp is still red - as such I assumed this release candidate is on hold
until that's fixed. Is that not the case?

Patrick




Re: [VOTE] Apache ZooKeeper release 3.8.0 candidate 0

2022-02-08 Thread Enrico Olivelli
Any comments?



[VOTE] Apache ZooKeeper release 3.8.0 candidate 0

2022-02-04 Thread Enrico Olivelli
This is a release candidate for 3.8.0.

It is a major release and it introduces a lot of new features, most notably:
- Migration of the logging framework from Apache Log4j1 to LogBack
- Read Key/trust store password from file (and other security related
improvements)
- Restored support for OSGI
- Reduced the performance impact of Prometheus metrics
- Official support for JDK17 (all tests are passing)
- Updates to all the third party dependencies to get rid of every known CVE.

The full release notes are available at:

https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801=12349587

*** Please download, test and vote by February 7th 2022, 23:59 UTC+0. ***

Source files:
https://people.apache.org/~eolivelli/zookeeper-3.8.0-candidate-0/

Maven staging repo:
https://repository.apache.org/content/repositories/orgapachezookeeper-1072/

The release candidate tag in git to be voted upon: release-3.8.0-0
https://github.com/apache/zookeeper/tree/release-3.8.0-0

ZooKeeper's KEYS file containing PGP keys we use to sign the release:
https://www.apache.org/dist/zookeeper/KEYS

The staging version of the website is:
https://people.apache.org/~eolivelli/zookeeper-3.8.0-candidate-0/website/


Should we release this candidate?
Enrico Olivelli