ignite-dev mailing list archives

From Maxim Muzafarov <mmu...@apache.org>
Subject Re: Apache Ignite 2.8 RELEASE [Time, Scope, Manager]
Date Thu, 09 Jan 2020 16:38:37 GMT
Folks,


Let me remind you that we are working on the 2.8 release branch
stabilization currently (please, keep it in mind).


Do we have a really STRONG reason for adding such a change [1] to the
ignite-2.8 branch? This PR [2] doesn't look very simple: +5,517
−2,038, 111 files changed.
Do we have customer requests for this feature or maybe users who are
waiting for exactly those ENUM values exactly in the 2.8 release (not the
2.8.1 for instance)?
Can we just simply remove IgniteCluster#readOnly to eliminate any
backward compatibility issues between 2.8 and 2.9 releases?
Do we have an extended test results report (on just only TC.Bot green
visa) on this feature to be sure that we will not add any blocker
issues to the release? For instance, on pre-production environment.

I'd like to note that we also have more than enough release
blocker issues [3] which are still `in progress` and such a release
run becomes endless. Such changes without strong reasons look too
scary to me, especially after the scope and code freeze dates.

Please, dispel my doubts.

[1] https://issues.apache.org/jira/browse/IGNITE-12225
[2] https://github.com/apache/ignite/pull/7194
[3] https://cwiki.apache.org/confluence/display/IGNITE/Apache+Ignite+2.8#ApacheIgnite2.8-Unresolvedissues(notrelatedtodocumentation)

On Thu, 9 Jan 2020 at 19:01, Alexey Zinoviev <zaleslaw.sin@gmail.com> wrote:
>
> +1
>
> Thu, 9 Jan 2020 at 18:52, Sergey Antonov <antonovsergey93@gmail.com>:
>
> > +1
> >
> > I'm preparing a patch for the 2.8 branch now. TC Bot visa for the 2.8
> > branch will be on 13 Jan
> >
> > Thu, 9 Jan 2020, 21:06 Ivan Pavlukhin <vololo100@gmail.com>:
> >
> > > +1
> > >
> > > Thu, 9 Jan 2020 at 16:38, Ivan Rakov <ivan.glukos@gmail.com>:
> > > >
> > > > Maxim M. and anyone who is interested,
> > > >
> > > > I suggest including this fix in the 2.8 release:
> > > > https://issues.apache.org/jira/browse/IGNITE-12225
> > > > Basically, it's a result of the following discussion:
> > > > http://apache-ignite-developers.2346864.n4.nabble.com/DISCUSSION-Single-point-in-API-for-changing-cluster-state-td43665.html
> > > >
> > > > The fix affects public API: IgniteCluster#readOnly methods that work with
> > > > boolean are replaced with ones that work with enum.
> > > > If we include it, we won't be obliged to keep deprecated boolean version of
> > > > API in the code (which is currently present in 2.8 branch) as it wasn't
> > > > published in any release.
> > > >
> > > > On Tue, Dec 31, 2019 at 3:54 PM Ilya Kasnacheev <ilya.kasnacheev@gmail.com> wrote:
> > > >
> > > > > Hello!
> > > > >
> > > > > > I have run the dependency checker plugin and quote the following:
> > > > >
> > > > > One or more dependencies were identified with known vulnerabilities
> > in
> > > > > ignite-urideploy:
> > > > > One or more dependencies were identified with known vulnerabilities
> > in
> > > > > ignite-spring:
> > > > > One or more dependencies were identified with known vulnerabilities
> > in
> > > > > ignite-spring-data:
> > > > > One or more dependencies were identified with known vulnerabilities
> > in
> > > > > ignite-aop:
> > > > > One or more dependencies were identified with known vulnerabilities
> > in
> > > > > ignite-visor-console:
> > > > >
> > > > > spring-core-4.3.18.RELEASE.jar
> > > > > (pkg:maven/org.springframework/spring-core@4.3.18.RELEASE,
> > > > >
> > > cpe:2.3:a:pivotal_software:spring_framework:4.3.18.release:*:*:*:*:*:*:*,
> > > > > cpe:2.3:a:springsource:spring_framework:4.3.18.release:*:*:*:*:*:*:*,
> > > > > cpe:2.3:a:vmware:springsource_spring_framework:4.3.18:*:*:*:*:*:*:*)
> > :
> > > > > CVE-2018-15756
> > > > >
> > > > > One or more dependencies were identified with known vulnerabilities
> > in
> > > > > ignite-spring-data_2.0:
> > > > >
> > > > > spring-core-5.0.8.RELEASE.jar
> > > > > (pkg:maven/org.springframework/spring-core@5.0.8.RELEASE,
> > > > >
> > > cpe:2.3:a:pivotal_software:spring_framework:5.0.8.release:*:*:*:*:*:*:*,
> > > > > cpe:2.3:a:springsource:spring_framework:5.0.8.release:*:*:*:*:*:*:*,
> > > > > > cpe:2.3:a:vmware:springsource_spring_framework:5.0.8:*:*:*:*:*:*:*) :
> > > > > CVE-2018-15756
> > > > >
> > > > > One or more dependencies were identified with known vulnerabilities
> > in
> > > > > ignite-rest-http:
> > > > >
> > > > > jetty-server-9.4.11.v20180605.jar
> > > > > (pkg:maven/org.eclipse.jetty/jetty-server@9.4.11.v20180605,
> > > > > cpe:2.3:a:eclipse:jetty:9.4.11:20180605:*:*:*:*:*:*,
> > > > > cpe:2.3:a:jetty:jetty:9.4.11.v20180605:*:*:*:*:*:*:*,
> > > > > cpe:2.3:a:mortbay_jetty:jetty:9.4.11:20180605:*:*:*:*:*:*) :
> > > > > CVE-2018-12545, CVE-2019-10241, CVE-2019-10247
> > > > > jackson-databind-2.9.6.jar
> > > > > (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.6,
> > > > > cpe:2.3:a:fasterxml:jackson:2.9.6:*:*:*:*:*:*:*,
> > > > > cpe:2.3:a:fasterxml:jackson-databind:2.9.6:*:*:*:*:*:*:*) :
> > > > > CVE-2018-1000873, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720,
> > > > > CVE-2018-14721, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362,
> > > > > CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14379,
> > > > > CVE-2019-14439, CVE-2019-14540, CVE-2019-16335, CVE-2019-16942,
> > > > > CVE-2019-16943, CVE-2019-17267, CVE-2019-17531
> > > > >
> > > > > One or more dependencies were identified with known vulnerabilities
> > in
> > > > > ignite-kubernetes:
> > > > > One or more dependencies were identified with known vulnerabilities
> > in
> > > > > ignite-aws:
> > > > >
> > > > > jackson-databind-2.9.6.jar
> > > > > (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.6,
> > > > > cpe:2.3:a:fasterxml:jackson:2.9.6:*:*:*:*:*:*:*,
> > > > > cpe:2.3:a:fasterxml:jackson-databind:2.9.6:*:*:*:*:*:*:*) :
> > > > > CVE-2018-1000873, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720,
> > > > > CVE-2018-14721, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362,
> > > > > CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14379,
> > > > > CVE-2019-14439, CVE-2019-14540, CVE-2019-16335, CVE-2019-16942,
> > > > > CVE-2019-16943, CVE-2019-17267, CVE-2019-17531
> > > > > bcprov-ext-jdk15on-1.54.jar
> > > > > (pkg:maven/org.bouncycastle/bcprov-ext-jdk15on@1.54) :
> > CVE-2015-6644,
> > > > > CVE-2016-1000338, CVE-2016-1000339, CVE-2016-1000340,
> > CVE-2016-1000341,
> > > > > CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344,
> > CVE-2016-1000345,
> > > > > CVE-2016-1000346, CVE-2016-1000352, CVE-2016-2427, CVE-2017-13098,
> > > > > CVE-2018-1000180, CVE-2018-1000613
> > > > >
> > > > > One or more dependencies were identified with known vulnerabilities
> > in
> > > > > ignite-gce:
> > > > >
> > > > > httpclient-4.0.1.jar
> > > (pkg:maven/org.apache.httpcomponents/httpclient@4.0.1
> > > > > ,
> > > > > cpe:2.3:a:apache:httpclient:4.0.1:*:*:*:*:*:*:*) : CVE-2011-1498,
> > > > > CVE-2014-3577, CVE-2015-5262
> > > > > guava-jdk5-17.0.jar (pkg:maven/com.google.guava/guava-jdk5@17.0,
> > > > > cpe:2.3:a:google:guava:17.0:*:*:*:*:*:*:*) : CVE-2018-10237
> > > > >
> > > > > One or more dependencies were identified with known vulnerabilities
> > in
> > > > > ignite-cloud:
> > > > >
> > > > > openstack-keystone-2.0.0.jar
> > > > > (pkg:maven/org.apache.jclouds.api/openstack-keystone@2.0.0,
> > > > > cpe:2.3:a:openstack:keystone:2.0.0:*:*:*:*:*:*:*,
> > > > > cpe:2.3:a:openstack:openstack:2.0.0:*:*:*:*:*:*:*) : CVE-2013-2014,
> > > > > CVE-2013-4222, CVE-2013-6391, CVE-2014-0204, CVE-2014-3476,
> > > CVE-2014-3520,
> > > > > CVE-2014-3621, CVE-2015-3646, CVE-2015-7546, CVE-2018-14432,
> > > CVE-2018-20170
> > > > > cloudstack-2.0.0.jar
> > (pkg:maven/org.apache.jclouds.api/cloudstack@2.0.0
> > > ,
> > > > > cpe:2.3:a:apache:cloudstack:2.0.0:*:*:*:*:*:*:*) : CVE-2013-2136,
> > > > > CVE-2013-6398, CVE-2014-0031, CVE-2014-9593, CVE-2015-3252
> > > > > docker-2.0.0.jar (pkg:maven/org.apache.jclouds.api/docker@2.0.0,
> > > > > cpe:2.3:a:docker:docker:2.0.0:*:*:*:*:*:*:*) : CVE-2018-10892,
> > > > > CVE-2019-13139, CVE-2019-13509, CVE-2019-15752, CVE-2019-16884,
> > > > > CVE-2019-5736
> > > > > guava-16.0.1.jar (pkg:maven/com.google.guava/guava@16.0.1,
> > > > > cpe:2.3:a:google:guava:16.0.1:*:*:*:*:*:*:*) : CVE-2018-10237
> > > > > docker-1.9.3.jar (pkg:maven/org.apache.jclouds.labs/docker@1.9.3,
> > > > > cpe:2.3:a:docker:docker:1.9.3:*:*:*:*:*:*:*) : CVE-2016-3697,
> > > > > CVE-2017-14992, CVE-2019-13139, CVE-2019-13509, CVE-2019-15752,
> > > > > CVE-2019-16884, CVE-2019-5736
> > > > > jsch.agentproxy.core-0.0.8.jar
> > > > > (pkg:maven/com.jcraft/jsch.agentproxy.core@0.0.8,
> > > > > cpe:2.3:a:jcraft:jsch:0.0.8:*:*:*:*:*:*:*) : CVE-2016-5725
> > > > > bcprov-ext-jdk15on-1.49.jar
> > > > > (pkg:maven/org.bouncycastle/bcprov-ext-jdk15on@1.49) :
> > CVE-2015-6644,
> > > > > CVE-2015-7940, CVE-2016-1000338, CVE-2016-1000339, CVE-2016-1000341,
> > > > > CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344,
> > CVE-2016-1000345,
> > > > > CVE-2016-1000346, CVE-2016-1000352, CVE-2017-13098, CVE-2018-1000613
> > > > > okhttp-2.2.0.jar (pkg:maven/com.squareup.okhttp/okhttp@2.2.0,
> > > > > cpe:2.3:a:squareup:okhttp:2.2.0:*:*:*:*:*:*:*) : CVE-2016-2402
> > > > >
> > > > > One or more dependencies were identified with known vulnerabilities
> > in
> > > > > ignite-mesos:
> > > > >
> > > > > mesos-1.5.0.jar (pkg:maven/org.apache.mesos/mesos@1.5.0,
> > > > > cpe:2.3:a:apache:mesos:1.5.0:*:*:*:*:*:*:*) : CVE-2018-11793,
> > > > > CVE-2018-1330, CVE-2018-8023, CVE-2019-0204, CVE-2019-5736
> > > > > jetty-server-9.4.11.v20180605.jar
> > > > > (pkg:maven/org.eclipse.jetty/jetty-server@9.4.11.v20180605,
> > > > > cpe:2.3:a:eclipse:jetty:9.4.11:20180605:*:*:*:*:*:*,
> > > > > cpe:2.3:a:jetty:jetty:9.4.11.v20180605:*:*:*:*:*:*:*,
> > > > > cpe:2.3:a:mortbay_jetty:jetty:9.4.11:20180605:*:*:*:*:*:*) :
> > > > > CVE-2018-12545, CVE-2019-10241, CVE-2019-10247
> > > > > jackson-databind-2.9.6.jar
> > > > > (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.6,
> > > > > cpe:2.3:a:fasterxml:jackson:2.9.6:*:*:*:*:*:*:*,
> > > > > cpe:2.3:a:fasterxml:jackson-databind:2.9.6:*:*:*:*:*:*:*) :
> > > > > CVE-2018-1000873, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720,
> > > > > CVE-2018-14721, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362,
> > > > > CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14379,
> > > > > CVE-2019-14439, CVE-2019-14540, CVE-2019-16335, CVE-2019-16942,
> > > > > CVE-2019-16943, CVE-2019-17267, CVE-2019-17531
> > > > >
> > > > > One or more dependencies were identified with known vulnerabilities
> > in
> > > > > ignite-kafka:
> > > > >
> > > > > kafka-clients-2.0.1.jar
> > (pkg:maven/org.apache.kafka/kafka-clients@2.0.1
> > > ,
> > > > > cpe:2.3:a:apache:kafka:2.0.1:*:*:*:*:*:*:*) : CVE-2018-17196
> > > > > connect-api-2.0.1.jar (pkg:maven/org.apache.kafka/connect-api@2.0.1,
> > > > > cpe:2.3:a:apache:kafka:2.0.1:*:*:*:*:*:*:*) : CVE-2018-17196
> > > > >
> > > > > One or more dependencies were identified with known vulnerabilities
> > in
> > > > > ignite-flume:
> > > > >
> > > > > guava-11.0.2.jar (pkg:maven/com.google.guava/guava@11.0.2,
> > > > > cpe:2.3:a:google:guava:11.0.2:*:*:*:*:*:*:*) : CVE-2018-10237
> > > > > jackson-core-asl-1.8.8.jar
> > > > > (pkg:maven/org.codehaus.jackson/jackson-core-asl@1.8.8,
> > > > > cpe:2.3:a:fasterxml:jackson:1.8.8:*:*:*:*:*:*:*) : CVE-2017-15095,
> > > > > CVE-2017-17485, CVE-2017-7525
> > > > > jackson-mapper-asl-1.8.8.jar
> > > > > (pkg:maven/org.codehaus.jackson/jackson-mapper-asl@1.8.8,
> > > > > cpe:2.3:a:fasterxml:jackson:1.8.8:*:*:*:*:*:*:*,
> > > > > cpe:2.3:a:fasterxml:jackson-mapper-asl:1.8.8:*:*:*:*:*:*:*) :
> > > > > CVE-2017-15095, CVE-2017-17485, CVE-2017-7525, CVE-2018-1000873,
> > > > > CVE-2018-14718, CVE-2018-5968, CVE-2018-7489, CVE-2019-14540,
> > > > > CVE-2019-16335, CVE-2019-17267
> > > > > commons-collections-3.2.1.jar
> > > > > (pkg:maven/commons-collections/commons-collections@3.2.1,
> > > > > cpe:2.3:a:apache:commons_collections:3.2.1:*:*:*:*:*:*:*) :
> > > CVE-2015-6420,
> > > > > CVE-2017-15708, Remote code execution
> > > > > netty-3.9.4.Final.jar (pkg:maven/io.netty/netty@3.9.4.Final,
> > > > > cpe:2.3:a:netty:netty:3.9.4:*:*:*:*:*:*:*) : CVE-2015-2156,
> > > CVE-2019-16869,
> > > > > POODLE vulnerability in SSLv3.0 support
> > > > > servlet-api-2.5-20110124.jar
> > > > > (pkg:maven/org.mortbay.jetty/servlet-api@2.5-20110124,
> > > > > cpe:2.3:a:jetty:jetty:2.5.20110124:*:*:*:*:*:*:*,
> > > > > cpe:2.3:a:mortbay:jetty:2.5.20110124:*:*:*:*:*:*:*,
> > > > > cpe:2.3:a:mortbay_jetty:jetty:2.5.20110124:*:*:*:*:*:*:*) :
> > > CVE-2005-3747,
> > > > > CVE-2007-5615, CVE-2009-1523, CVE-2009-1524, CVE-2009-5048,
> > > CVE-2009-5049,
> > > > > CVE-2011-4461
> > > > > jetty-util-6.1.26.jar (pkg:maven/org.mortbay.jetty/jetty-util@6.1.26
> > ,
> > > > > cpe:2.3:a:jetty:jetty:6.1.26:*:*:*:*:*:*:*,
> > > > > cpe:2.3:a:mortbay:jetty:6.1.26:*:*:*:*:*:*:*,
> > > > > cpe:2.3:a:mortbay_jetty:jetty:6.1.26:*:*:*:*:*:*:*) : CVE-2009-1523,
> > > > > CVE-2011-4461
> > > > > jetty-6.1.26.jar (pkg:maven/org.mortbay.jetty/jetty@6.1.26,
> > > > > cpe:2.3:a:jetty:jetty:6.1.26:*:*:*:*:*:*:*,
> > > > > cpe:2.3:a:mortbay:jetty:6.1.26:*:*:*:*:*:*:*,
> > > > > cpe:2.3:a:mortbay_jetty:jetty:6.1.26:*:*:*:*:*:*:*) : CVE-2009-1523,
> > > > > CVE-2011-4461, CVE-2017-7656, CVE-2017-7657, CVE-2017-7658,
> > > CVE-2017-9735,
> > > > > CVE-2019-10241, CVE-2019-10247
> > > > > > libthrift-0.9.0.jar (pkg:maven/org.apache.thrift/libthrift@0.9.0) :
> > > > > CVE-2015-3254, CVE-2016-5397, CVE-2018-1320, CVE-2019-0205
> > > > > httpclient-4.1.3.jar
> > > (pkg:maven/org.apache.httpcomponents/httpclient@4.1.3
> > > > > ,
> > > > > cpe:2.3:a:apache:httpclient:4.1.3:*:*:*:*:*:*:*) : CVE-2014-3577,
> > > > > CVE-2015-5262
> > > > >
> > > > > One or more dependencies were identified with known vulnerabilities
> > in
> > > > > ignite-twitter:
> > > > >
> > > > > httpclient-4.2.5.jar
> > > (pkg:maven/org.apache.httpcomponents/httpclient@4.2.5
> > > > > ,
> > > > > cpe:2.3:a:apache:httpclient:4.2.5:*:*:*:*:*:*:*) : CVE-2014-3577,
> > > > > CVE-2015-5262
> > > > > guava-14.0.1.jar (pkg:maven/com.google.guava/guava@14.0.1,
> > > > > cpe:2.3:a:google:guava:14.0.1:*:*:*:*:*:*:*) : CVE-2018-10237
> > > > >
> > > > > One or more dependencies were identified with known vulnerabilities
> > in
> > > > > ignite-zookeeper:
> > > > >
> > > > > jackson-databind-2.9.8.jar
> > > > > (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8,
> > > > > cpe:2.3:a:fasterxml:jackson:2.9.8:*:*:*:*:*:*:*,
> > > > > cpe:2.3:a:fasterxml:jackson-databind:2.9.8:*:*:*:*:*:*:*) :
> > > CVE-2019-12086,
> > > > > CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, CVE-2019-14439,
> > > > > CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943,
> > > > > CVE-2019-17267, CVE-2019-17531
> > > > > guava-16.0.1.jar (pkg:maven/com.google.guava/guava@16.0.1,
> > > > > cpe:2.3:a:google:guava:16.0.1:*:*:*:*:*:*:*) : CVE-2018-10237
> > > > > jackson-mapper-asl-1.9.13.jar
> > > > > (pkg:maven/org.codehaus.jackson/jackson-mapper-asl@1.9.13,
> > > > > cpe:2.3:a:fasterxml:jackson:1.9.13:*:*:*:*:*:*:*,
> > > > > cpe:2.3:a:fasterxml:jackson-mapper-asl:1.9.13:*:*:*:*:*:*:*) :
> > > > > CVE-2017-15095, CVE-2017-17485, CVE-2017-7525, CVE-2018-1000873,
> > > > > CVE-2018-14718, CVE-2018-5968, CVE-2018-7489, CVE-2019-10172,
> > > > > CVE-2019-14540, CVE-2019-16335, CVE-2019-17267
> > > > > netty-all-4.1.29.Final.jar (pkg:maven/io.netty/netty-all@4.1.29.Final
> > ,
> > > > > cpe:2.3:a:netty:netty:4.1.29:*:*:*:*:*:*:*) : CVE-2019-16869
> > > > >
> > > > > One or more dependencies were identified with known vulnerabilities
> > in
> > > > > ignite-camel:
> > > > >
> > > > > camel-core-2.22.0.jar (pkg:maven/org.apache.camel/camel-core@2.22.0,
> > > > > cpe:2.3:a:apache:camel:2.22.0:*:*:*:*:*:*:*) : CVE-2018-8041,
> > > > > CVE-2019-0188, CVE-2019-0194
> > > > >
> > > > >
> > >
> > camel-core-2.22.0.jar/META-INF/maven/org.apache.camel/spi-annotations/pom.xml
> > > > > (pkg:maven/org.apache.camel/spi-annotations@2.22.0,
> > > > > cpe:2.3:a:apache:camel:2.22.0:*:*:*:*:*:*:*) : CVE-2018-8041,
> > > > > CVE-2019-0188, CVE-2019-0194
> > > > >
> > > > > One or more dependencies were identified with known vulnerabilities
> > in
> > > > > ignite-storm:
> > > > >
> > > > > storm-core-1.1.1.jar (pkg:maven/org.apache.storm/storm-core@1.1.1,
> > > > > cpe:2.3:a:apache:storm:1.1.1:*:*:*:*:*:*:*) : CVE-2018-11779,
> > > > > CVE-2018-1331, CVE-2018-1332, CVE-2018-8008, CVE-2019-0202
> > > > >
> > >
> > storm-core-1.1.1.jar/META-INF/maven/org.eclipse.jetty/jetty-servlet/pom.xml
> > > > > (pkg:maven/org.eclipse.jetty/jetty-servlet@7.6.13.v20130916,
> > > > > cpe:2.3:a:eclipse:jetty:7.6.13:20130916:*:*:*:*:*:*,
> > > > > cpe:2.3:a:jetty:jetty:7.6.13.v20130916:*:*:*:*:*:*:*) :
> > CVE-2019-10247
> > > > >
> > > > >
> > >
> > storm-core-1.1.1.jar/META-INF/maven/org.apache.httpcomponents/httpclient/pom.xml
> > > > > (pkg:maven/org.apache.httpcomponents/httpclient@4.3.3,
> > > > > cpe:2.3:a:apache:httpclient:4.3.3:*:*:*:*:*:*:*) : CVE-2014-3577,
> > > > > CVE-2015-5262
> > > > > storm-core-1.1.1.jar/META-INF/maven/com.google.guava/guava/pom.xml
> > > > > (pkg:maven/com.google.guava/guava@16.0.1,
> > > > > cpe:2.3:a:google:guava:16.0.1:*:*:*:*:*:*:*) : CVE-2018-10237
> > > > > storm-core-1.1.1.jar/META-INF/maven/io.netty/netty/pom.xml
> > > > > (pkg:maven/io.netty/netty@3.9.0.Final,
> > > > > cpe:2.3:a:netty:netty:3.9.0:*:*:*:*:*:*:*) : CVE-2014-0193,
> > > CVE-2014-3488,
> > > > > CVE-2015-2156, CVE-2019-16869, POODLE vulnerability in SSLv3.0
> > support
> > > > >
> > >
> > storm-core-1.1.1.jar/META-INF/maven/org.eclipse.jetty/jetty-server/pom.xml
> > > > > (pkg:maven/org.eclipse.jetty/jetty-server@7.6.13.v20130916,
> > > > > cpe:2.3:a:eclipse:jetty:7.6.13:20130916:*:*:*:*:*:*,
> > > > > cpe:2.3:a:jetty:jetty:7.6.13.v20130916:*:*:*:*:*:*:*) :
> > CVE-2011-4461,
> > > > > CVE-2017-7656, CVE-2017-7657, CVE-2017-7658, CVE-2017-9735,
> > > CVE-2019-10241,
> > > > > CVE-2019-10247
> > > > >
> > > storm-core-1.1.1.jar/META-INF/maven/org.eclipse.jetty/jetty-util/pom.xml
> > > > > (pkg:maven/org.eclipse.jetty/jetty-util@7.6.13.v20130916,
> > > > > cpe:2.3:a:eclipse:jetty:7.6.13:20130916:*:*:*:*:*:*,
> > > > > cpe:2.3:a:jetty:jetty:7.6.13.v20130916:*:*:*:*:*:*:*) :
> > CVE-2011-4461,
> > > > > CVE-2019-10247
> > > > >
> > > > >
> > >
> > storm-core-1.1.1.jar/META-INF/maven/commons-fileupload/commons-fileupload/pom.xml
> > > > > (pkg:maven/commons-fileupload/commons-fileupload@1.3.2,
> > > > > cpe:2.3:a:apache:commons_fileupload:1.3.2:*:*:*:*:*:*:*) :
> > > CVE-2016-1000031
> > > > >
> > > storm-core-1.1.1.jar/META-INF/maven/org.apache.hadoop/hadoop-auth/pom.xml
> > > > > (pkg:maven/org.apache.hadoop/hadoop-auth@2.6.1,
> > > > > cpe:2.3:a:apache:hadoop:2.6.1:*:*:*:*:*:*:*) : CVE-2015-1776,
> > > > > CVE-2016-3086, CVE-2016-5001, CVE-2016-5393, CVE-2016-6811,
> > > CVE-2017-15713,
> > > > > CVE-2017-3161, CVE-2017-3162, CVE-2017-3166, CVE-2018-11768,
> > > CVE-2018-1296,
> > > > > CVE-2018-8009, CVE-2018-8029
> > > > >
> > > > > One or more dependencies were identified with known vulnerabilities
> > in
> > > > > ignite-cassandra-store:
> > > > > One or more dependencies were identified with known vulnerabilities
> > in
> > > > > ignite-cassandra-serializers:
> > > > >
> > > > > commons-beanutils-1.9.2.jar
> > > > > (pkg:maven/commons-beanutils/commons-beanutils@1.9.2,
> > > > > cpe:2.3:a:apache:commons_beanutils:1.9.2:*:*:*:*:*:*:*) :
> > > CVE-2019-10086
> > > > > commons-collections-3.2.1.jar
> > > > > (pkg:maven/commons-collections/commons-collections@3.2.1,
> > > > > cpe:2.3:a:apache:commons_collections:3.2.1:*:*:*:*:*:*:*) :
> > > CVE-2015-6420,
> > > > > CVE-2017-15708, Remote code execution
> > > > > spring-core-4.3.18.RELEASE.jar
> > > > > (pkg:maven/org.springframework/spring-core@4.3.18.RELEASE,
> > > > >
> > > cpe:2.3:a:pivotal_software:spring_framework:4.3.18.release:*:*:*:*:*:*:*,
> > > > > cpe:2.3:a:springsource:spring_framework:4.3.18.release:*:*:*:*:*:*:*,
> > > > > cpe:2.3:a:vmware:springsource_spring_framework:4.3.18:*:*:*:*:*:*:*)
> > :
> > > > > CVE-2018-15756
> > > > > netty-transport-4.1.27.Final.jar
> > > > > (pkg:maven/io.netty/netty-transport@4.1.27.Final,
> > > > > cpe:2.3:a:netty:netty:4.1.27:*:*:*:*:*:*:*) : CVE-2019-16869
> > > > >
> > > > > One or more dependencies were identified with known vulnerabilities
> > in
> > > > > ignite-flink:
> > > > >
> > > > > flink-hadoop-fs-1.5.0.jar
> > > (pkg:maven/org.apache.flink/flink-hadoop-fs@1.5.0
> > > > > ,
> > > > > cpe:2.3:a:apache:hadoop:1.5.0:*:*:*:*:*:*:*) : CVE-2016-5001,
> > > > > CVE-2017-3161, CVE-2017-3162
> > > > >
> > > > >
> > >
> > flink-shaded-netty-4.0.27.Final-2.0.jar/META-INF/maven/io.netty/netty-all/pom.xml
> > > > > (pkg:maven/io.netty/netty-all@4.0.27.Final,
> > > > > cpe:2.3:a:netty:netty:4.0.27:*:*:*:*:*:*:*) : CVE-2015-2156,
> > > CVE-2016-4970,
> > > > > CVE-2019-16869
> > > > >
> > > > >
> > >
> > flink-shaded-jackson-2.7.9-3.0.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml
> > > > > (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.9,
> > > > > cpe:2.3:a:fasterxml:jackson:2.7.9:*:*:*:*:*:*:*,
> > > > > cpe:2.3:a:fasterxml:jackson-databind:2.7.9:*:*:*:*:*:*:*) :
> > > CVE-2017-15095,
> > > > > CVE-2017-17485, CVE-2017-7525, CVE-2018-1000873, CVE-2018-11307,
> > > > > CVE-2018-12022, CVE-2018-12023, CVE-2018-14718, CVE-2018-14719,
> > > > > CVE-2018-14720, CVE-2018-14721, CVE-2018-19360, CVE-2018-19361,
> > > > > CVE-2018-19362, CVE-2018-5968, CVE-2018-7489, CVE-2019-12086,
> > > > > CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, CVE-2019-14439,
> > > > > CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943,
> > > > > CVE-2019-17267, CVE-2019-17531
> > > > >
> > > > >
> > >
> > flink-shaded-guava-18.0-2.0.jar/META-INF/maven/com.google.guava/guava/pom.xml
> > > > > (pkg:maven/com.google.guava/guava@18.0,
> > > > > cpe:2.3:a:google:guava:18.0:*:*:*:*:*:*:*) : CVE-2018-10237
> > > > >
> > > > > One or more dependencies were identified with known vulnerabilities
> > in
> > > > > ignite-rocketmq:
> > > > >
> > > > > netty-all-4.0.42.Final.jar (pkg:maven/io.netty/netty-all@4.0.42.Final
> > ,
> > > > > cpe:2.3:a:netty:netty:4.0.42:*:*:*:*:*:*:*) : CVE-2019-16869
> > > > > netty-tcnative-boringssl-static-1.1.33.Fork26.jar
> > > > > (pkg:maven/io.netty/netty-tcnative-boringssl-static@1.1.33.Fork26,
> > > > > cpe:2.3:a:apache:tomcat:1.1.33:*:*:*:*:*:*:*,
> > > > > cpe:2.3:a:apache:tomcat_native:1.1.33:*:*:*:*:*:*:*,
> > > > > cpe:2.3:a:apache_software_foundation:tomcat:1.1.33:*:*:*:*:*:*:*,
> > > > > cpe:2.3:a:apache_tomcat:apache_tomcat:1.1.33:*:*:*:*:*:*:*) :
> > > > > CVE-2000-1210, CVE-2001-0590, CVE-2002-0493, CVE-2005-4838,
> > > CVE-2006-7196,
> > > > > CVE-2007-1358, CVE-2007-2449, CVE-2008-0128, CVE-2009-2696,
> > > CVE-2012-5568,
> > > > > CVE-2013-2185, CVE-2013-4286, CVE-2013-4322, CVE-2013-4444,
> > > CVE-2013-4590,
> > > > > CVE-2013-6357, CVE-2014-0075, CVE-2014-0096, CVE-2014-0099,
> > > CVE-2014-0119,
> > > > > CVE-2016-5425, CVE-2017-15698, CVE-2018-8019, CVE-2018-8020
> > > > >
> > > > > > Main offenders seem to be "jackson-databind" and old maintenance releases
> > > > > > of Spring. I think we can bump most of that.
> > > > > >
> > > > > > Some integrations also clearly suffer, though it's a problem of their
> > > > > > users, since they need to declare their own libraries' versions by
> > > > > > convention.
> > > > >
> > > > > Regards,
> > > > > --
> > > > > Ilya Kasnacheev
> > > > >
> > > > >
> > > > > > Fri, 27 Dec 2019 at 23:59, Denis Magda <dmagda@apache.org>:
> > > > > >
> > > > > > > Ilya, no I see, thanks for the explanation. Agree with you, let's update
> > > > > > > the versions of the dependencies to the latest.
> > > > > > >
> > > > > > > -
> > > > > > > Denis
> > > > > > >
> > > > > > >
> > > > > > > On Thu, Dec 26, 2019 at 10:50 PM Ilya Kasnacheev <ilya.kasnacheev@gmail.com> wrote:
> > > > > >
> > > > > > > Hello!
> > > > > > >
> > > > > > > I have committed ignite-spring-data_2.2 to ignite-2.8.
> > > > > > >
> > > > > > > > By bumping versions I mean the following:
> > > > > > > >         <slf4j.version>1.7.*7*</slf4j.version>
> > > > > > > >         <slf4j16.version>1.6.*4*</slf4j16.version>
> > > > > > > >         <snappy.version>1.1.7.*2*</snappy.version>
> > > > > > > >         <spark.hadoop.version>2.6.*5*</spark.hadoop.version>
> > > > > > > >         <spark.version>2.3.*0*</spark.version>
> > > > > > > >         <spring.data.version>1.13.*14*.RELEASE</spring.data.version><!-- don't forget to update spring version -->
> > > > > > > >         <spring.version>4.3.*18*.RELEASE</spring.version><!-- don't forget to update spring-data version -->
> > > > > > > >         <spring.data-2.0.version>2.0.*9*.RELEASE</spring.data-2.0.version><!-- don't forget to update spring-5.0 version -->
> > > > > > > >         <spring-5.0.version>5.0.*8*.RELEASE</spring-5.0.version><!-- don't forget to update spring-data-2.0 version -->
> > > > > > > >
> > > > > > > > All these libraries have maintenance releases (such as our 2.7.*6*) and I
> > > > > > > > think it would be beneficial to upgrade these dependencies to the latest
> > > > > > > > maintenance version found in Maven Central.
> > > > > > > > For example, there is spring.data-2.0 2.0.*14*.RELEASE.
> > > > > > >
> > > > > > > Regards,
> > > > > > > --
> > > > > > > Ilya Kasnacheev
> > > > > > >
> > > > > > >
> > > > > > > > Thu, 26 Dec 2019 at 19:32, Denis Magda <dmagda@apache.org>:
> > > > > > > >
> > > > > > > > > A huge +1 for adding Spring Data related fixes/improvements. Ilya is right
> > > > > > > > > that Spring Data related questions sparked last time due to missing support
> > > > > > > > > of 2.2 version.
> > > > > > > > >
> > > > > > > > > Ilya, could you elaborate on what you mean under "bumping the versions"? Do
> > > > > > > > > you suggest performing a straightforward upgrade of "ignite-spring-data" to
> > > > > > > > > version 2.2 and introducing "ignite-spring-data-{old-version}" for the
> > > > > > > > > previous versions? If it's so, I fully agree with the proposal.
> > > > > > > > >
> > > > > > > > > -
> > > > > > > > > Denis
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > On Thu, Dec 26, 2019 at 4:52 AM Ilya Kasnacheev <ilya.kasnacheev@gmail.com> wrote:
> > > > > > > >
> > > > > > > > > Hello!
> > > > > > > > >
> > > > > > > > > > I propose to add the following ticket to the scope:
> > > > > > > > > > https://issues.apache.org/jira/browse/IGNITE-12259 (3 commits, be careful
> > > > > > > > > > with release version)
> > > > > > > > > >
> > > > > > > > > > Adding tickets to scope surely seems crazy now, but I will provide the
> > > > > > > > > > following considerations:
> > > > > > > > > > * This is Spring Data 2.2 integration, which we currently do not have,
> > > > > > > > > > leading to lots of confused questions on stack overflow and mailing list.
> > > > > > > > > > Spring Data is important to our public image since many people may learn
> > > > > > > > > > about our project by starting with Spring Data.
> > > > > > > > > >
> > > > > > > > > > * It has zero code impact outside of its own module (just 2 POM files
> > > > > > > > > > touched and that's all).
> > > > > > > > > >
> > > > > > > > > > * The core was ready since early November but, due to gmail quirk, we did
> > > > > > > > > > not react to it in time.
> > > > > > > > > >
> > > > > > > > > > WDYT?
> > > > > > > > > >
> > > > > > > > > > Another semi-related question. *Should we bump our dependencies' versions
> > > > > > > > > > before releasing 2.8?* I talk mainly about spring and hibernate
> > > > > > > > > > dependencies. We could switch them to their latest maintenance versions to
> > > > > > > > > > avoid shipping default links to outdated packages.
> > > > > > > > > >
> > > > > > > > > > I think this is one of the things that are very hard to do between releases, so
> > > > > > > > > > I think this dependencies bumping should be a part of a formal
> > > > > > > > > > release/testing cycle, and then be backported to master.
> > > > > > > > > >
> > > > > > > > > > I could volunteer to do that myself, if we agree to merge these version
> > > > > > > > > > upgrades to ignite-2.8 and then re-test.
> > > > > > > > >
> > > > > > > > > Regards,
> > > > > > > > > --
> > > > > > > > > Ilya Kasnacheev
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > > Tue, 24 Dec 2019 at 13:22, Zhenya Stanilovsky <arzamas123@mail.ru.invalid>:
> > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > Igniters, I'll try to compare 2.8 release candidate vs 2.7.6,
> > > > > > > > > > > last sha 2.8 was built from: 9d114f3137f92aebc2562a
> > > > > > > > > > > I use yardstick benchmarks, 4 bare machines with: 2x Xeon X5570 96Gb 512GB
> > > > > > > > > > > SSD 2048GB HDD 10GB/s
> > > > > > > > > > > 1 for client (driver) and 3 for servers.
> > > > > > > > > > > These are the mappings for graphs and real yardstick tests:
> > > > > > > > > > >
> > > > > > > > > > > atomic-put: IgnitePutBenchmark
> > > > > > > > > > > sql-merge-query: IgniteSqlMergeQueryBenchmark
> > > > > > > > > > > atomic-get: IgniteGetBenchmark
> > > > > > > > > > > tx-get: IgniteGetTxBenchmark
> > > > > > > > > > > tx-put: IgnitePutTxBenchmark
> > > > > > > > > > > atomic-put-all-bs-10: IgnitePutAllBenchmark
> > > > > > > > > > > tx-put-all-bs-10: IgnitePutAllTxBenchmark
> > > > > > > > > > >
> > > > > > > > > > > cacheMode — partitioned
> > > > > > > > > > > CacheWriteSynchronizationMode.FULL_SYNC
> > > > > > > > > > > 1 backup
> > > > > > > > > > >
> > > > > > > > > > > 1. wal = log_only 2. wal = none 3. persistence disabled.
> > > > > > > > > > > Thanks Maxim for wiki page [1]
> > > > > > > > > > >
> > > > > > > > > > > [1] https://cwiki.apache.org/confluence/display/IGNITE/Apache+Ignite+2.8#ApacheIgnite2.8-Benchmarks
> > > > > > > > > > >
> > > > > > > > > > > Do we need some bisect or other work here?
> > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >------- Forwarded message -------
> > > > > > > > > > > >From: "Maxim Muzafarov" < mmuzaf@apache.org >
> > > > > > > > > > > >To:  dev@ignite.apache.org
> > > > > > > > > > > >Cc:
> > > > > > > > > > > >Subject: Apache Ignite 2.8 RELEASE [Time, Scope, Manager]
> > > > > > > > > > > >Date: Fri, 20 Sep 2019 14:44:31 +0300
> > > > > > > > > > > >
> > > > > > > > > > > >Igniters,
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >Almost a year has passed since the last major Apache Ignite 2.7
> > > > > > > > > > > >was released. We've accumulated a lot of performance improvements
> > > > > > > > > > > >and a lot of new features which are waiting for their release date.
> > > > > > > > > > > >Here is my list of the most interesting things from my point of view since the
> > > > > > > > > > > >last major release:
> > > > > > > > > > > >
> > > > > > > > > > > >Service Grid,
> > > > > > > > > > > >Monitoring,
> > > > > > > > > > > >Recovery Read
> > > > > > > > > > > >BLT auto-adjust,
> > > > > > > > > > > >PDS compression,
> > > > > > > > > > > >WAL page compression,
> > > > > > > > > > > >Thin client: best effort affinity,
> > > > > > > > > > > >Thin client: transactions support (not yet)
> > > > > > > > > > > >SQL query history
> > > > > > > > > > > >SQL statistics
> > > > > > > > > > > >
> > > > > > > > > > > >I think we should no longer wait and freeze the master branch anymore
> > > > > > > > > > > >and prepare the next major release by the end of the year.
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >I propose to discuss Time, Scope of Apache Ignite 2.8 release and also
> > > > > > > > > > > >I want to propose myself to be the release manager of the planning
> > > > > > > > > > > >release.
> > > > > > > > > > >
> > > > > > > > > > >Scope Freeze: November 4, 2019
> > > > > > > > > > >Code Freeze: November 18, 2019
> > > > > > > > > > >Voting Date: December 10, 2019
> > > > > > > > > > >Release Date: December 17, 2019
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >WDYT?
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > >
> > >
> > >
> > > --
> > > Best regards,
> > > Ivan Pavlukhin
> > >
> >
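
Added example, not part of the original thread and not Ignite project code: a Python sketch that unwraps the mail-quoted dependency checker summary from Ilya Kasnacheev's message and ranks artifacts by distinct CVE count, the tally behind "main offenders". The CPE-versus-coordinate comparison and the rule that consecutive module headers share the listing after them are assumptions of this example; the embedded report is an abridged excerpt of the quoted one.

```python
import re
from collections import defaultdict

# Abridged excerpt of the report quoted in the thread, kept with its mail
# quoting and line wrapping; some entries and blank lines are omitted.
REPORT = """\
> > > > > > One or more dependencies were identified with known vulnerabilities
> > in
> > > > > > ignite-zookeeper:
> > > > > > jackson-databind-2.9.8.jar
> > > > > > (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8,
> > > > > > cpe:2.3:a:fasterxml:jackson:2.9.8:*:*:*:*:*:*:*,
> > > > > > cpe:2.3:a:fasterxml:jackson-databind:2.9.8:*:*:*:*:*:*:*) :
> > > CVE-2019-12086,
> > > > > > CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, CVE-2019-14439,
> > > > > > CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943,
> > > > > > CVE-2019-17267, CVE-2019-17531
> > > > > > netty-all-4.1.29.Final.jar (pkg:maven/io.netty/netty-all@4.1.29.Final
> > ,
> > > > > > cpe:2.3:a:netty:netty:4.1.29:*:*:*:*:*:*:*) : CVE-2019-16869
> > > > > > One or more dependencies were identified with known vulnerabilities
> > in
> > > > > > ignite-rocketmq:
> > > > > > netty-all-4.0.42.Final.jar (pkg:maven/io.netty/netty-all@4.0.42.Final
> > ,
> > > > > > cpe:2.3:a:netty:netty:4.0.42:*:*:*:*:*:*:*) : CVE-2019-16869
> > > > > > netty-tcnative-boringssl-static-1.1.33.Fork26.jar
> > > > > > (pkg:maven/io.netty/netty-tcnative-boringssl-static@1.1.33.Fork26,
> > > > > > cpe:2.3:a:apache:tomcat:1.1.33:*:*:*:*:*:*:*,
> > > > > > cpe:2.3:a:apache:tomcat_native:1.1.33:*:*:*:*:*:*:*,
> > > > > > cpe:2.3:a:apache_software_foundation:tomcat:1.1.33:*:*:*:*:*:*:*,
> > > > > > cpe:2.3:a:apache_tomcat:apache_tomcat:1.1.33:*:*:*:*:*:*:*) :
> > > > > > CVE-2000-1210, CVE-2001-0590, CVE-2002-0493, CVE-2005-4838,
> > > CVE-2006-7196,
> > > > > > CVE-2007-1358, CVE-2007-2449, CVE-2008-0128, CVE-2009-2696,
> > > CVE-2012-5568,
> > > > > > CVE-2013-2185, CVE-2013-4286, CVE-2013-4322, CVE-2013-4444,
> > > CVE-2013-4590,
> > > > > > CVE-2013-6357, CVE-2014-0075, CVE-2014-0096, CVE-2014-0099,
> > > CVE-2014-0119,
> > > > > > CVE-2016-5425, CVE-2017-15698, CVE-2018-8019, CVE-2018-8020
"""

HEADER = "One or more dependencies were identified with known vulnerabilities in"
TOKEN = re.compile(
    re.escape(HEADER) + r" (?P<module>[\w.-]+):"
    r"|\(pkg:maven/(?P<coord>[^@\s]+)@(?P<version>[^,)\s]+)(?P<cpes>[^)]*)\) ?:"
)
CVE = re.compile(r"CVE-\d{4}-\d{4,}")


def unwrap(text):
    """Drop '>' quote prefixes and undo the mail client's line wrapping."""
    lines = (re.sub(r"^[>\s]+", "", ln) for ln in text.splitlines())
    return " ".join(" ".join(lines).split())


def parse(text):
    """Map each Maven coordinate to its versions, modules, CVEs, CPE products."""
    flat = unwrap(text)
    tokens = list(TOKEN.finditer(flat))
    found = defaultdict(lambda: defaultdict(set))
    modules, seen_entry = [], False
    for i, m in enumerate(tokens):
        if m["module"]:
            # Assumption: consecutive headers with no entries between them
            # share the listing that follows the last of them.
            if seen_entry:
                modules, seen_entry = [], False
            modules.append(m["module"])
            continue
        seen_entry = True
        end = tokens[i + 1].start() if i + 1 < len(tokens) else len(flat)
        rec = found[m["coord"]]
        rec["versions"].add(m["version"])
        rec["modules"].update(modules)
        # Findings without a CVE id ("Remote code execution") are not counted.
        rec["cves"].update(CVE.findall(flat[m.end():end]))
        rec["cpe_products"].update(re.findall(r"cpe:2\.3:a:[^:]+:([^:]+):", m["cpes"]))
    return found


def suspect_cpe(coord, rec):
    """Heuristic: True when no CPE product name occurs in the coordinate."""
    squash = lambda s: re.sub(r"[^a-z0-9]", "", s.lower())
    return bool(rec["cpe_products"]) and not any(
        squash(p) in squash(coord) for p in rec["cpe_products"])


def offenders(found):
    """Rows of (coordinate, distinct CVEs, modules, suspect CPE), most CVEs first."""
    rows = [(c, len(r["cves"]), sorted(r["modules"]), suspect_cpe(c, r))
            for c, r in found.items()]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    for coord, n, mods, suspect in offenders(parse(REPORT)):
        note = "  <- CPE names another product, confirm first" if suspect else ""
        print(f"{n:3d} CVEs  {coord}  in {', '.join(mods)}{note}")
```

On this excerpt the highest count belongs to netty-tcnative-boringssl-static, whose CPEs all name Tomcat, so a raw tally would rank it above jackson-databind until that match is confirmed.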
