On Wed 26 Feb 2025, 22:00 Lari Hotari <lhot...@apache.org> wrote:

> The releases continue to be blocked by a lack of binding votes.
>
> Regarding the semi-automated validation with https://github.com/lhotari/pulsar-release-validation in a Docker container, the solution now uses a persistent Docker volume to cache Maven dependency downloads across multiple runs. This prevents the "downloading the internet" problem, and you will only need to do the download once (or after you delete the Docker volume). I have also added instructions for using a personal cloud VM for validation on GCP. The README in the repository contains the details. The validation script is also extensively tested across the supported platforms.
>
> Are there remaining obstacles preventing release votes from our PMC members?
>

I am sorry, I will try to cast my vote tomorrow.

Enrico

> Please note that our users are waiting for the critical severity CVE-2025-24970 fix (details in the thread).
>
> -Lari
>
> On 2025/02/26 00:04:39 Lari Hotari wrote:
> > Bumping this thread again to remind Pulsar PMC members that we urgently need binding votes to publish releases containing a critical severity CVE-2025-24970 fix (details in the thread).
> >
> > These are the active release voting threads:
> > * [VOTE] Release Apache Pulsar 3.0.10 based on 3.0.10-candidate-1
> >   - https://lists.apache.org/thread/62jh7sj666mq2plr1rmlj7qrfx4zdj4x
> > * [VOTE] Release Apache Pulsar 3.3.5 based on 3.3.5-candidate-2
> >   - https://lists.apache.org/thread/vwgzdqybtrd4vny87c9qz1t6yqo4v6kz
> > * [VOTE] Release Apache Pulsar 4.0.3 based on 4.0.3-candidate-2
> >   - https://lists.apache.org/thread/81ownrk38w692wfvhpp5f689dvo8vs5n
> >
> > Understanding that the effort required for Pulsar release validation may be causing the lack of binding votes, I have enhanced the semi-automated Pulsar Release candidate validation script. It can now run in a docker container on Linux, MacOS, or Windows without requiring JVM or tooling installation on the host environment. Everything is included in the docker container. This script assists with Pulsar release candidate validation by automating the steps described in "Validating release candidates." [1]
> >
> > Please visit https://github.com/lhotari/pulsar-release-validation to check how to run validation steps with this solution, unless you already have a preferred method for handling Pulsar release candidate validation.
> >
> > The primary goal is to lower the barrier to participation in the voting process. This tool doesn't replace the need to review results, but it should simplify the process. Currently, releases are delayed due to insufficient binding votes. The 3.0.10-candidate-1 vote has been open since February 19th—almost a week—and has received only one vote from Yike with no binding votes from PMC members.
> >
> > -Lari
> >
> > 1 - https://pulsar.apache.org/contribute/validate-release-candidate/
> >
> > On 2025/02/25 15:11:43 Lari Hotari wrote:
> > > 3.3.5-candidate-2 and 4.0.3-candidate-2 have now been made ready for voting. 3.0.10-candidate-1 voting continues.
> > >
> > > Please vote on the 3.0.10, 3.3.5 and 4.0.3 releases so that we get the CVE fix published:
> > > * [VOTE] Release Apache Pulsar 3.0.10 based on 3.0.10-candidate-1
> > >   - https://lists.apache.org/thread/62jh7sj666mq2plr1rmlj7qrfx4zdj4x
> > > * [VOTE] Release Apache Pulsar 3.3.5 based on 3.3.5-candidate-2
> > >   - https://lists.apache.org/thread/vwgzdqybtrd4vny87c9qz1t6yqo4v6kz
> > > * [VOTE] Release Apache Pulsar 4.0.3 based on 4.0.3-candidate-2
> > >   - https://lists.apache.org/thread/81ownrk38w692wfvhpp5f689dvo8vs5n
> > >
> > > -Lari
> > >
> > > On 2025/02/12 08:52:50 Lari Hotari wrote:
> > > > Hi all,
> > > >
> > > > I'd like to discuss initiating the next set of Pulsar releases (3.0.10, 3.3.5, and 4.0.3) due to a recently disclosed high-severity security vulnerability in Netty (CVE-2025-24970). Netty has released version 4.1.118.Final which contains the fix.
> > > >
> > > > The CVE-2025-24970 vulnerability details [1] summarized:
> > > > - A specially crafted packet received via SslHandler can lead to a native crash when using native SSLEngine
> > > > - Due to the crash behavior, this is categorized as a denial-of-service vulnerability
> > > > - This impacts Pulsar brokers and proxies that use native SSL implementation (default setting)
> > > > - CVSS Score: 7.5 (High)
> > > > - Fixed in Netty 4.1.118.Final
> > > >
> > > > While this primarily affects broker and proxy components, many enterprise users will need an updated client due to vulnerability scanning and security policies that flag the vulnerable Netty dependency.
> > > >
> > > > Important reminder: As documented in the Apache Pulsar Helm chart (https://github.com/apache/pulsar-helm-chart?tab=readme-ov-file#pulsar-proxy-security-considerations), Pulsar components including the Pulsar Proxy are not designed for direct exposure to the public internet. Deployments should be protected by appropriate network perimeter security measures. This architectural assumption is particularly relevant given the nature of this vulnerability.
> > > >
> > > > I propose the following timeline:
> > > > - Release candidates by February 14th, 2025
> > > > - Releases by February 21st, 2025
> > > >
> > > > I'm volunteering to be the release manager for these releases. Please let me know if you have any concerns or feedback on this plan.
> > > >
> > > > Best regards,
> > > >
> > > > Lari Hotari
> > > >
> > > > 1 - For technical details on CVE-2025-24970, see: https://github.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw
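For operators who want to confirm whether an existing Pulsar installation still ships a Netty version affected by CVE-2025-24970 while waiting for the 3.0.10 / 3.3.5 / 4.0.3 releases, the following script inventories the Netty jars in a distribution's lib directory and compares them against the fixed version quoted in the thread (4.1.118.Final). This is an added example, not code from the thread, from Apache Pulsar, or from the pulsar-release-validation repository. It assumes Pulsar's lib directory naming convention of `groupId-artifactId-version.jar` (with an optional platform classifier), that every 4.1.x release below 4.1.118.Final is affected, and that artifacts outside the 4.1.x line (for example netty-tcnative, which is versioned separately) need manual review; the sample filenames are constructed for the demonstration.

```python
import re
from pathlib import Path

# Fixed version per the Netty advisory referenced in the thread
# (GHSA-4g8c-wm8x-jfhw): 4.1.118.Final.
FIXED_VERSION = (4, 1, 118)

# Pulsar's lib/ directory names jars as groupId-artifactId-version[.Final][-classifier].jar,
# e.g. io.netty-netty-handler-4.1.117.Final.jar or
# io.netty-netty-transport-native-epoll-4.1.117.Final-linux-x86_64.jar.
# The "io.netty-" groupId prefix is optional so plain Maven names also parse.
JAR_RE = re.compile(
    r"^(?:io\.netty-)?(netty-[a-z0-9-]+?)-(\d+)\.(\d+)\.(\d+)(?:\.Final)?(?:-[a-z0-9_-]+)?\.jar$"
)


def parse_netty_jar(filename):
    """Return (artifact, (major, minor, patch)) for a Netty jar, or None for anything else."""
    m = JAR_RE.match(filename)
    if m is None:
        return None
    artifact = m.group(1)
    version = (int(m.group(2)), int(m.group(3)), int(m.group(4)))
    return artifact, version


def is_vulnerable(version):
    """True/False for 4.1.x artifacts; None when the version line is not the one
    the advisory covers (assumption: those need a manual check, e.g. netty-tcnative)."""
    major, minor, _patch = version
    if (major, minor) != (4, 1):
        return None
    # Assumption drawn from the thread: 4.1.x below the fixed release is affected.
    return version < FIXED_VERSION


def audit_jars(filenames):
    """Map each Netty artifact found to its version string and vulnerability verdict."""
    report = {}
    for name in filenames:
        parsed = parse_netty_jar(name)
        if parsed is None:
            continue  # not a Netty jar; Pulsar's own jars etc. are ignored
        artifact, version = parsed
        report[artifact] = {
            "version": "%d.%d.%d" % version,
            "vulnerable": is_vulnerable(version),
        }
    return report


def affected_artifacts(report):
    """Sorted list of artifacts the audit flagged as vulnerable."""
    return sorted(a for a, info in report.items() if info["vulnerable"] is True)


def audit_lib_dir(lib_dir):
    """Audit a real Pulsar lib/ directory, e.g. audit_lib_dir('/opt/pulsar/lib')."""
    return audit_jars(p.name for p in Path(lib_dir).glob("*.jar"))


# Constructed sample of what a pre-fix Pulsar lib/ directory might contain.
SAMPLE_JARS = [
    "io.netty-netty-handler-4.1.117.Final.jar",
    "io.netty-netty-codec-http-4.1.118.Final.jar",
    "io.netty-netty-transport-native-epoll-4.1.117.Final-linux-x86_64.jar",
    "io.netty-netty-tcnative-boringssl-static-2.0.69.Final.jar",
    "org.apache.pulsar-pulsar-broker-4.0.2.jar",
]

if __name__ == "__main__":
    result = audit_jars(SAMPLE_JARS)
    for artifact, info in sorted(result.items()):
        verdict = {True: "VULNERABLE", False: "fixed", None: "manual review"}[info["vulnerable"]]
        print(f"{artifact:45s} {info['version']:10s} {verdict}")
    print("affected:", affected_artifacts(result))
```

A single distribution can carry a mix of versions when only some artifacts were bumped, so the audit reports each artifact separately rather than stopping at the first Netty jar it finds; anything flagged as needing manual review (the tcnative line here) is deliberately not counted as fixed.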