Goodness.  Two RC build release processes have failed a couple hours
into it due to apparent network/availability issues while sending
artifacts to repository.apache.org.  I can only assume they're getting
hit with a lot of projects trying to do a lot of uploads and such.
Will try again in a bit/first thing in AM.  Once we can get a
successful build up I might suggest we do what log4j has done and
simply open the vote long enough to get enough binding +1 votes and
get this out there.

Thanks

On Mon, Dec 13, 2021 at 10:04 AM Joe Witt <[email protected]> wrote:
>
> Thanks - will roll with that
>
> On Mon, Dec 13, 2021 at 10:03 AM David Handermann
> <[email protected]> wrote:
> >
> > PR 5598 for NIFI-9474 is now merged into the main branch, which streamlines
> > version updates to Log4j 2 dependencies.  It also excludes log4j-core older
> > than 2.15.0 from build artifacts, so this should provide a good basis for a
> > patch release.
> >
> > https://github.com/apache/nifi/pull/5598
> >
> > Regards,
> > David Handermann
> >
> > On Mon, Dec 13, 2021 at 10:44 AM Chris Sampson
> > <[email protected]> wrote:
> >
> > > I'd agree. The discussions in Slack and separate user mailing list thread
> > > are a reassurance for users (who read them), but a patch for the current
> > > 1.15 branch would seem sensible for people to pick up and assuage any
> > > remaining security concerns they may have around the library.
> > >
> > > That leaves 1.16 a little longer to get more good stuff merged in for the
> > > next feature release.
> > >
> > >
> > > Cheers,
> > >
> > > Chris Sampson
> > >
> > > On Mon, 13 Dec 2021, 14:19 David Handermann, <[email protected]>
> > > wrote:
> > >
> > > > Joe,
> > > >
> > > > Thanks for starting this discussion. Moving forward with a 1.15.1 patch
> > > > release sounds like the best path forward.
> > > >
> > > > Regards,
> > > > David Handermann
> > > >
> > > > On Mon, Dec 13, 2021 at 7:49 AM Joe Witt <[email protected]> wrote:
> > > >
> > > > > Team
> > > > >
> > > > > We still don't think we are vulnerable but this now highly risky library is
> > > > > present.  We have PRs to eliminate it/main is fixed.   I think we should do
> > > > > a 24 hour 1.15.1 release/vote for it.   It will eliminate concerns for
> > > > > users.   We are frankly pretty close to a 1.16 release at this point as
> > > > > well it seems but can circle back.
> > > > >
> > > > >
> > > > > Any different views on 1.15.1?
> > > > >
> > > > > Thanks
> > > > >
> > > >
> > >
