Hello Apache Pulsar Community,

Due to the security issue pointed out by Enrico, I will start a new release candidate to include the following PRs to fix the security bug.

https://github.com/apache/pulsar/pull/11852
https://github.com/apache/pulsar/pull/11912
I close this vote, and I will start candidate 3 soon.

Thanks,
Hang

PengHui Li <peng...@apache.org> wrote on Fri, Sep 3, 2021 at 11:54 AM:

> Enrico,
>
> Ok, I now have no objection to the new vote preparation. Follow your
> comment on the PR
> https://github.com/apache/pulsar/pull/11852#discussion_r700763721,
> it needs another fix PR and I think we should also push a PR to fix the
> managed-ledger part to make sure the managed-ledger can only access the
> data that it has.
>
> Thanks for the great work @hang, and please make sure the new RC contains
> the above fixes.
>
> Penghui
>
>
> On Thu, Sep 2, 2021 at 9:28 PM Enrico Olivelli <eolive...@gmail.com>
> wrote:
>
> > PengHui,
> > I agree, this is not a regression in 2.8.1.
> >
> > These are my tests, all passed
> > - built from sources and run the tests, on JDK8 + Ubuntu
> > - verified source package, apache-rat/header files
> > - run some smoke tests on Pulsar standalone
> > - verified checksums and signatures
> >
> > I am not casting a +1 because if we release 2.8.1 in this form we will have
> > to follow up with a new release.
> > It would have been more efficient to have prepared a new RC.
> > There is never a hurry to cut a release only to provide bug fixes.
> > But we are in a hurry if some security bug has been disclosed to the
> > public.
> >
> > Enrico
> >
> >
> > On Thu, Sep 2, 2021 at 15:12, PengHui Li <peng...@apache.org> wrote:
> >
> > > @hang Interesting, I'm not sure why the issue happens before but not able to
> > > reproduce it for now :). I will continue to verify the RC2.
> > >
> > > > it is not a regression, but it is something that we have to fix ASAP.
> > > > So if we do not include it in 2.8.1 we will follow up with a 2.8.2
> > > > immediately.
> > > > So overall it is better to include it and spend time only once to validate
> > > > the RC.
> > > >
> > >
> > > @enrico
> > > I agree that we should have it ASAP, but if not a regression in 2.8.1, we
> > > should promote the 2.8.2 release as soon as possible,
> > > and we have more than 40+ commits in the 2.8.2. We are following the
> > > time-based release plan (
> > > https://github.com/apache/pulsar/wiki/PIP-47%3A-Time-Based-Release-Plan)
> > > It has been postponed for a long time now, many users are waiting for the
> > > fixes in 2.8.1.
> > >
> > > During sending out the next RC (RC3), we might find other issues (security
> > > issues, bugs),
> > > so my suggestion is if the issue is not a regression in 2.8.1, we should
> > > continue the release.
> > >
> > > Thanks,
> > > Penghui
> > >
> > > On Thu, Sep 2, 2021 at 8:12 PM Hang Chen <chenh...@apache.org> wrote:
> > >
> > > > Hi Penghui,
> > > >     I followed your steps to test the pulsar sql with jdk11, but I cannot
> > > > reproduce your situation. Would you please help verify your steps?
> > > >
> > > > Thanks,
> > > > Hang
> > > >
> > > > Enrico Olivelli <eolive...@gmail.com> wrote on Thu, Sep 2, 2021 at 7:41 PM:
> > > >
> > > > > PengHui,
> > > > >
> > > > > On Thu, Sep 2, 2021 at 08:59, PengHui Li <peng...@apache.org> wrote:
> > > > >
> > > > > > Hi @enrico, any reason for https://github.com/apache/pulsar/pull/11852
> > > > > > to be a blocker for 2.8.1? It's not a regression introduced in 2.8.1 right?
> > > > > >
> > > > >
> > > > > it is not a regression, but it is something that we have to fix ASAP.
> > > > > So if we do not include it in 2.8.1 we will follow up with a 2.8.2
> > > > > immediately.
> > > > > So overall it is better to include it and spend time only once to validate
> > > > > the RC.
> > > > >
> > > > > Enrico
> > > > >
> > > > >
> > > > > >
> > > > > > Thanks,
> > > > > > Penghui
> > > > > >
> > > > > > On Thu, Sep 2, 2021 at 2:36 PM Enrico Olivelli <eolive...@gmail.com>
> > > > > > wrote:
> > > > > >
> > > > > > > Hang,
> > > > > > > I am not able to reproduce Massimiliano's problem
> > > > > > >
> > > > > > > These commands pass on the staged sources unpacked by the source tarball,
> > > > > > > on Ubuntu:
> > > > > > > mvn clean install -DskipTests
> > > > > > > mvn package -Pdocker -f docker/pom.xml
> > > > > > >
> > > > > > > I have performed other tests and everything passed (apart from some flaky
> > > > > > > test), but given this recent finding
> > > > > > > https://github.com/apache/pulsar/pull/11852
> > > > > > > I believe it is better to add that commit to 2.8.x branch and prepare a new
> > > > > > > release candidate
> > > > > > >
> > > > > > > The final decision to CANCEL this RC is up to you Hang
> > > > > > >
> > > > > > > Enrico
> > > > > > >
> > > > > > > On Wed, Sep 1, 2021 at 14:21, Massimiliano Mirelli <
> > > > > > > massimilianomirelli...@gmail.com> wrote:
> > > > > > >
> > > > > > > > The chmod command solved the previously reported issue.
> > > > > > > >
> > > > > > > > However, I got a failure in one of the fallout tests which I would still
> > > > > > > > need time to better investigate. The test creates a topic, spawns a
> > > > > > > > function injecting 10000 messages from a data-generator into the topic
> > > > > > > > which is then read by a consumer. There seem to be some issues at the
> > > > > > > > function level, but I still need to look into it.
> > > > > > > >
> > > > > > > >
> > > > > > > > On Wed, 1 Sept 2021 at 11:50, Massimiliano Mirelli <
> > > > > > > > massimilianomirelli...@gmail.com> wrote:
> > > > > > > >
> > > > > > > > > Found at least one problem: pulsar docker image doesn't seem to be
> > > > > > > > > deployed properly due to a permission problem.
> > > > > > > > >
> > > > > > > > > Running:
> > > > > > > > >
> > > > > > > > > chmod +x docker/pulsar/scripts/*
> > > > > > > > >
> > > > > > > > > Might solve it, I am verifying that now.
> > > > > > > > >
> > > > > > > > > On Wed, 1 Sept 2021 at 11:08, Massimiliano Mirelli <
> > > > > > > > > massimilianomirelli...@gmail.com> wrote:
> > > > > > > > >
> > > > > > > > >> Thank you for sharing this rc.
> > > > > > > > >>
> > > > > > > > >> I am running a suite of fallout tests on it, let's see how it goes!
> > > > > > > > >>
> > > > > > > > >> Massimiliano
> > > > > > > > >>
> > > > > > > > >> On Tue, 31 Aug 2021 at 18:33, Hang Chen <chenh...@apache.org> wrote:
> > > > > > > > >>
> > > > > > > > >>> This is the second release candidate for Apache Pulsar, version 2.8.1.
> > > > > > > > >>>
> > > > > > > > >>> It fixes the following issues:
> > > > > > > > >>>
> > > > > > > > >>> https://github.com/apache/pulsar/pulls?q=is%3Apr+label%3Arelease%2F2.8.1+is%3Aclosed
> > > > > > > > >>>
> > > > > > > > >>> *** Please download, test and vote on this release. This vote will stay
> > > > > > > > >>> open for at least 72 hours ***
> > > > > > > > >>>
> > > > > > > > >>> Note that we are voting upon the source (tag), binaries are provided for
> > > > > > > > >>> convenience.
> > > > > > > > >>>
> > > > > > > > >>> Source and binary files:
> > > > > > > > >>> https://dist.apache.org/repos/dist/dev/pulsar/pulsar-2.8.1-candidate-2/
> > > > > > > > >>>
> > > > > > > > >>> SHA-512 checksums:
> > > > > > > > >>> 91feb8885f82c2e76f61679eb15f1ebf7a8b5ad4  apache-pulsar-2.8.1-src.tar.gz
> > > > > > > > >>> 55af5d767ddc208d49f7cf02a054fe1af0b9120d  apache-pulsar-2.8.1-bin.tar.gz
> > > > > > > > >>>
> > > > > > > > >>> Maven staging repo:
> > > > > > > > >>> https://repository.apache.org/content/repositories/orgapachepulsar-1098
> > > > > > > > >>>
> > > > > > > > >>> The tag to be voted upon:
> > > > > > > > >>> v2.8.1-candidate-2 (6bc1e0d330524235ac83d55ccfecf680c7da0503)
> > > > > > > > >>> https://github.com/apache/pulsar/releases/tag/v2.8.1-candidate-2
> > > > > > > > >>>
> > > > > > > > >>> Pulsar's KEYS file containing PGP keys we use to sign the release:
> > > > > > > > >>> https://dist.apache.org/repos/dist/dev/pulsar/KEYS
> > > > > > > > >>>
> > > > > > > > >>> Please download the source package, and follow the README to build
> > > > > > > > >>> and run the Pulsar standalone service.
> > > > > > > > >>>