Re: Cutting 2.6.4 release to address CVE-2021-22160

2021-05-27 Thread Shivji Kumar Jha
+1 Regards, Shivji Kumar Jha http://www.shivjijha.com/ +91 8884075512 On Fri, 28 May 2021 at 10:45, Enrico Olivelli wrote: > +1 > > Thanks > > Enrico > > On Fri, 28 May 2021, 05:37 r...@apache.org > wrote: > > > LGTM +1 > > -- > > Thanks > > Xiaolong Ran > > > > Lari Hotari on Fri, May 28, 2021

[GitHub] [pulsar-helm-chart] michaeljmarshall commented on pull request #123: WIP: Prevent breaking changes when using non-root container image for 2.8.0

2021-05-27 Thread GitBox
michaeljmarshall commented on pull request #123: URL: https://github.com/apache/pulsar-helm-chart/pull/123#issuecomment-850162187 @eolivelli and @addisonj - please take a look. I still have some questions, so I titled this PR as a WIP for now. Thanks. -- This is an automated message from

[GitHub] [pulsar-helm-chart] michaeljmarshall opened a new pull request #123: WIP: Prevent breaking changes when using non-root container image for 2.8.0

2021-05-27 Thread GitBox
michaeljmarshall opened a new pull request #123: URL: https://github.com/apache/pulsar-helm-chart/pull/123 Fixes #110 ### Motivation The 2.8.0 pulsar docker image defaults to run as user id `1`. This will break end user deployments unless we modify the helm chart. N

[GitHub] [pulsar-dotpulsar] blankensteiner commented on issue #74: Support - Multi-broker connection

2021-05-27 Thread GitBox
blankensteiner commented on issue #74: URL: https://github.com/apache/pulsar-dotpulsar/issues/74#issuecomment-850151871 Hi @eneshoxha Personally, I think that problem is better solved via DNS / Service discovery. Otherwise, you'll have X number of deployable units you have to reconfigu

Re: Cutting 2.6.4 release to address CVE-2021-22160

2021-05-27 Thread Enrico Olivelli
+1 Thanks Enrico On Fri, 28 May 2021, 05:37 r...@apache.org wrote: > LGTM +1 > -- > Thanks > Xiaolong Ran > > On Fri, May 28, 2021 at 2:40 AM Lari Hotari wrote: > > > Dear Pulsar community members, > > > > I'd like to propose cutting a 2.6.4 release so that we can > > address CVE-2021-22160 [1] also in

Re: Cutting 2.6.4 release to address CVE-2021-22160

2021-05-27 Thread r...@apache.org
LGTM +1 -- Thanks Xiaolong Ran On Fri, May 28, 2021 at 2:40 AM Lari Hotari wrote: > Dear Pulsar community members, > > I'd like to propose cutting a 2.6.4 release so that we can > address CVE-2021-22160 [1] also in 2.6.x. The fix for CVE-2021-22160 is > included in 2.7.1. > > Here [2] you can find the list of

Re: Connectors package registry

2021-05-27 Thread Jonathan Ellis
It sounds like you're envisioning an "Apple Store" model where every submission is rigorously tested and vetted. That is certainly an option, but since the PMC gets to define what the rules are, it's also an option to say, "this index is provided as a community service with no guarantees of qualit

Re: Join US Now - SF Bay Area Apache Pulsar Meetup - Pulsar without Zookeeper - Matteo

2021-05-27 Thread Jinfeng Huang
Hi all, Thank you very much for your interest in the meetup. About 100 people signed up and 60+ attended the meetup. It is believed as "the super important info you can get nowhere else" (comment from attendees). In case you miss the live session, here is the recording

Re: [DISCUSS] Propose More Formal Policy for Security Patches and EOL of Versions

2021-05-27 Thread Dave Fisher
> On May 27, 2021, at 2:49 PM, Michael Marshall wrote: > > Hi Pulsar Community, > > > I would like to discuss defining and documenting a process for an official > Pulsar version EOL policy. This process will help users know when the > version they are running will no longer be supported with

[DISCUSS] Propose More Formal Policy for Security Patches and EOL of Versions

2021-05-27 Thread Michael Marshall
Hi Pulsar Community, I would like to discuss defining and documenting a process for an official Pulsar version EOL policy. This process will help users know when the version they are running will no longer be supported with security patches. After the recent announcement of CVE-2021-22160, I loo

Re: Connectors package registry

2021-05-27 Thread Sijie Guo
On Thu, May 27, 2021 at 1:17 PM Jonathan Ellis wrote: > On Thu, May 27, 2021 at 2:38 PM Sijie Guo wrote: > > > Agreed that the main problem is about discovering the existing pre-built > > Pulsar connectors. I don't think the PMC should involve hosting and > > managing external connectors because

Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of “none”-algorithm

2021-05-27 Thread Sijie Guo
For people who are following this thread, I want to make a clarification about this issue (and apologize for not making it clear at the beginning). This issue will ONLY happen to users who are using the JWT authentication provider. If you are using other authentication providers, you are NOT impac

Re: Connectors package registry

2021-05-27 Thread Jonathan Ellis
On Thu, May 27, 2021 at 2:38 PM Sijie Guo wrote: > Agreed that the main problem is about discovering the existing pre-built > Pulsar connectors. I don't think the PMC should involve hosting and > managing external connectors because it will put the PMC in the situation > in handling licensing iss

Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of “none”-algorithm

2021-05-27 Thread Sijie Guo
Jonathan, Providing guides to Pulsar users on how to build a 2.6 image rather than promoting a vendor image is much better. - Sijie On Thu, May 27, 2021 at 12:40 PM Jonathan Ellis wrote: > Hi Sijie, > > Given the serious nature of this vulnerability, we thought it was best to > provide Apache

Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of “none”-algorithm

2021-05-27 Thread Jonathan Ellis
Hi Sijie, Given the serious nature of this vulnerability, we thought it was best to provide Apache Pulsar users with a 2.6 build as quickly as possible, in parallel with helping out on an official 2.6.4 release. On Thu, May 27, 2021 at 2:24 PM Sijie Guo wrote: > Chris - I don't think it is appr

Re: Connectors package registry

2021-05-27 Thread Sijie Guo
Agreed that the main problem is about discovering the existing pre-built Pulsar connectors. I don't think the PMC should involve hosting and managing external connectors because it will put the PMC in the situation in handling licensing issues that I think we should avoid. All the ASF accepted con

Re: Cutting 2.6.4 release to address CVE-2021-22160

2021-05-27 Thread Sijie Guo
+1 On Thu, May 27, 2021 at 11:40 AM Lari Hotari wrote: > Dear Pulsar community members, > > I'd like to propose cutting a 2.6.4 release so that we can > address CVE-2021-22160 [1] also in 2.6.x. The fix for CVE-2021-22160 is > included in 2.7.1. > > Here [2] you can find the list of commits che

Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of “none”-algorithm

2021-05-27 Thread Sijie Guo
Chris - I don't think it is appropriate to promote a vendor image here from a vendor perspective. A better approach is to point out the change has been cherry-picked to branch-2.6 and an ongoing discussion for getting a new bugfix release for branch 2.6. is out. - Sijie On Thu, May 27, 2021 at 1

Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of “none”-algorithm

2021-05-27 Thread Chris Bartholomew
For folks on Pulsar 2.6 using token-based authentication, since there is no 2.6 version with the CVE fix yet available, you are welcome to use our Pulsar Docker images which contain the fix and which we have confirmed resolves the CVE: - datastax/pulsar:2.6.2_1.0.1

Re: Cutting 2.6.4 release to address CVE-2021-22160

2021-05-27 Thread Michael Marshall
+1 for releasing 2.6.4 with the fix for the CVE, as this is still an active branch that should receive security patches. I’ll be following up with an email to the ML to discuss creating a process to more formally let our users know which versions will receive security patches. Thanks, Michael

Cutting 2.6.4 release to address CVE-2021-22160

2021-05-27 Thread Lari Hotari
Dear Pulsar community members, I'd like to propose cutting a 2.6.4 release so that we can address CVE-2021-22160 [1] also in 2.6.x. The fix for CVE-2021-22160 is included in 2.7.1. Here [2] you can find the list of commits cherry-picked to branch-2.6 since 2.6.3 release. I would like to volunte

Re: Join US Now - SF Bay Area Apache Pulsar Meetup - Pulsar without Zookeeper - Matteo

2021-05-27 Thread Shivji Kumar Jha
Very interesting indeed. Looking forward to the recording. Very late in India time zone. Regards, Shivji Kumar Jha http://www.shivjijha.com/ +91 8884075512 On Thu, 27 May 2021 at 16:26, Jinfeng Huang wrote: > Sure, see you next time~ > > Best Regards, > Jennifer > > > On Thu, May 27, 2021 at 6

Re: Join US Now - SF Bay Area Apache Pulsar Meetup - Pulsar without Zookeeper - Matteo

2021-05-27 Thread Jinfeng Huang
Sure, see you next time~ Best Regards, Jennifer On Thu, May 27, 2021 at 6:12 PM Rob Shepherd wrote: > Thank you, > > And yes - attending live would best... next time... ;) > > Thanks > > Rob > > Rob Shepherd BEng PhD > > > > On Thu, 27 May 2021 at 11:09, Jinfeng Huang wrote: > >> Hi Bob, >> T

Re: Join US Now - SF Bay Area Apache Pulsar Meetup - Pulsar without Zookeeper - Matteo

2021-05-27 Thread Jinfeng Huang
Hi Bob, Thanks for your interest in the meetup, we'll record it and share it with you after the meetup. It's better to attend the meetup, and you can interact with Matteo and other attendees directly. Best Regards, Jennifer On Thu, May 27, 2021 at 5:15 PM Rob Shepherd wrote: > Thank you, > > T

Re: Join US Now - SF Bay Area Apache Pulsar Meetup - Pulsar without Zookeeper - Matteo

2021-05-27 Thread r...@apache.org
Cool, see you at the meetup. -- Thanks XiaolongRan On Thu, May 27, 2021 at 12:17 AM Jinfeng Huang wrote: > Dear Pulsar community members: > This Thursday, Matteo Merli will give a talk on "Pulsar without Zookeeper: > Introducing the Metadata Access Layer in Pulsar". > > Join us >