Re: [DISCUSS] Release Pulsar 2.7.4

2021-12-10 Thread Michael Marshall
Given the log4j CVE, we should work to release 2.7.4. I started preparing the release today by cherry-picking merged PRs that have the `release/2.7.4` label but have not yet been cherry-picked to `branch-2.7` [0]. There are still 37 PRs that have not been cherry picked. I think it will take too lo

Re: [Great News] Pulsar Hits 10,000 GitHub Stars Milestone!

2021-12-10 Thread Sijie Guo
Hi Joshua, Thanks for your response. Please allow me to clarify. First, I completely agree with you that SN != Pulsar. Although, I am also a bit wordless as to why you brought up such a salient point. In addition, I don't have any experience participating in the Kafka community, therefore I canno

Re: Status of Pulsar 2.9.0 and starting 2.9.1

2021-12-10 Thread Matteo Merli
At this point, if 2.9.0 is not stable, I think we should fast-forward to 2.9.1, which will include the security fix. Though, we should start 2.9.1 right now. -- Matteo Merli On Fri, Dec 10, 2021 at 11:23 PM Michael Marshall wrote: > > +1 - thanks Enrico. > > - Michael > > On Sat, Dec 11, 2021 at 1:

Re: Status of Pulsar 2.9.0 and starting 2.9.1

2021-12-10 Thread Michael Marshall
+1 - thanks Enrico. - Michael On Sat, Dec 11, 2021 at 1:11 AM Lari Hotari wrote: > > +1 > > On Sat, Dec 11, 2021 at 9:07 AM Enrico Olivelli > wrote: > > > Hello folks, > > Yesterday we committed the release notes for 2.9.0. > > I just have to publish a couple of other artifacts and update the

Re: [Great News] Pulsar Hits 10,000 GitHub Stars Milestone!

2021-12-10 Thread Sijie Guo
Hi Chris, I understand your concern surrounding SN influence. Please first understand that there is no way to influence the PMC decision since all the decisions are carried out publicly and each PMC member can provide his/her thoughts. Secondly, the SN program merely provides the opportunity for t

Re: Status of Pulsar 2.9.0 and starting 2.9.1

2021-12-10 Thread Lari Hotari
+1 On Sat, Dec 11, 2021 at 9:07 AM Enrico Olivelli wrote: > Hello folks, > Yesterday we committed the release notes for 2.9.0. > I just have to publish a couple of other artifacts and update the website > before announcing 2.9.0. > My plan is to complete the procedure next week. > > In the mean

Status of Pulsar 2.9.0 and starting 2.9.1

2021-12-10 Thread Enrico Olivelli
Hello folks, Yesterday we committed the release notes for 2.9.0. I just have to publish a couple of other artifacts and update the website before announcing 2.9.0. My plan is to complete the procedure next week. In the meantime, early next week, I believe it is time to prepare the first RC of 2.9.

Re: [Great News] Pulsar Hits 10,000 GitHub Stars Milestone!

2021-12-10 Thread Chris Latimer
Hi Sijie, I am not claiming that StreamNative controls the Pulsar roadmap. I'm saying that the StreamNative tweet unequivocally makes the claim that StreamNative controls the Pulsar roadmap. The tweet specifically instructs people to join a StreamNative program to influence the open source Apache

Re: [Great News] Pulsar Hits 10,000 GitHub Stars Milestone!

2021-12-10 Thread Joshua Odmark
I don’t think anyone is surprised that you, the CEO of SN, don’t see a problem with you conflating a program offered by your own commercial company, that in the exact same sentence, invites people to join a SN sponsored opportunity to work on the roadmap with the PMC. That is quite literally off

Re: [Great News] Pulsar Hits 10,000 GitHub Stars Milestone!

2021-12-10 Thread Sijie Guo
Chris and Dave, Thank you for bringing the concern up. However, I don’t think the concern of this tweet is valid, and also the complaint of “StreamNative controls the roadmap” sounds ridiculous to me. First of all, under the Apache Way, PMC controls the roadmap. Lots of StreamNative team members

Re: [Great News] Pulsar Hits 10,000 GitHub Stars Milestone!

2021-12-10 Thread Sijie Guo
I don't understand what the problem is with that email title. I thought that Yu invited a co-worker to participate in the Pulsar community. There is no announcement. But I will let Yu clarify here. - Sijie On Fri, Dec 10, 2021 at 12:43 PM Dave Fisher wrote: > > > > On Dec 10, 2021, at 11:10

Re: [Great News] Pulsar Hits 10,000 GitHub Stars Milestone!

2021-12-10 Thread Chris Latimer
Saying that tweet implies that SN wants to control the roadmap is putting it mildly. It is very clearly stating that StreamNative controls the roadmap and that the way to get involved and help shape the technology is by engaging with SN via their Ambassador program. On Fri, Dec 10, 2021 at 1:47 PM

Re: [Great News] Pulsar Hits 10,000 GitHub Stars Milestone!

2021-12-10 Thread Dave Fisher
> On Dec 9, 2021, at 3:24 PM, Sijie Guo wrote: > > Dave - I don't think SN presents the community. We just shared out insights > on community progress. Also, if you looked into our past blog posts, we > have been pointing people to the Pulsar website and Slack channel. This tweet https://twitt

Re: [Great News] Pulsar Hits 10,000 GitHub Stars Milestone!

2021-12-10 Thread Dave Fisher
> On Dec 10, 2021, at 11:10 AM, Sijie Guo wrote: > >> I also think it is a misuse of the developer list to specifically announce > new community members that just so happen to be recent SN hires. > > What do you mean by "announce new community members"? The email with the subject: "Welcome Da

Re: [Great News] Pulsar Hits 10,000 GitHub Stars Milestone!

2021-12-10 Thread Sijie Guo
> I also think it is a misuse of the developer list to specifically announce new community members that just so happen to be recent SN hires. What do you mean by "announce new community members"? - Sijie On Fri, Dec 10, 2021 at 10:02 AM Joshua Eric wrote: > I agree with Dave. > > I also think

[OUTREACH] Log4Shell Apache Pulsar fix announced

2021-12-10 Thread Aaron Williams
Hello Apache Pulsar Neighbors, As you probably know by now there was a serious security issue around Log4J that was announced about 12 hours ago (10:00 pm EST) and within hours a number of our Neighbors had workarounds released and fixes ready for testing. Please read those emails on the dev@ list

Re: [Great News] Pulsar Hits 10,000 GitHub Stars Milestone!

2021-12-10 Thread Joshua Eric
I agree with Dave. I also think it is a misuse of the developer list to specifically announce new community members that just so happen to be recent SN hires. On Dec 9, 2021 at 3:24:29 PM, Sijie Guo wrote: > Dave - I don't think SN presents the community. We just shared out insights > on commu

Re: Revote: Pulsar website concepts

2021-12-10 Thread Melissa Logan
For record-keeping, we have added a new PIP that captures details for the website design/content project: https://github.com/apache/pulsar/issues/13235 Anonymitaet, it references we'll collaborate with you and others on the work being done for PIP 87. I plan to start a website channel in Slack to

[GitHub] [pulsar-helm-chart] Carmezim commented on pull request #130: Bump pulsar 2.8.0

2021-12-10 Thread GitBox
Carmezim commented on pull request #130: URL: https://github.com/apache/pulsar-helm-chart/pull/130#issuecomment-991129203 Hey guys, like @mkoertgen pointed out BK `v4.12.2` has been added to pulsar `v2.8.0` release, are there any other blockers to merge that PR and upgrade the chart?

Re: [DISCUSS] release pulsar-helm-chart with workaround for CVE-2021-44228

2021-12-10 Thread Lari Hotari
The Helm chart got automatically released after merging the PR. https://pulsar.apache.org/charts/index.yaml shows the new chart version 2.7.6 which contains the fix. The Helm chart will now add -Dlog4j2.formatMsgNoLookups=true to Java options. This doesn't apply to Pulsar Functions. For Pulsar Fun

[GitHub] [pulsar-helm-chart] lhotari merged pull request #186: [Security] Workaround for CVE-2021-44228 Log4J RCE when Log4J >= 2.10.0

2021-12-10 Thread GitBox
lhotari merged pull request #186: URL: https://github.com/apache/pulsar-helm-chart/pull/186 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-un

[GitHub] [pulsar-helm-chart] michaeljmarshall commented on a change in pull request #186: [Security] Workaround for CVE-2021-44228 Log4J RCE when Log4J >= 2.10.0

2021-12-10 Thread GitBox
michaeljmarshall commented on a change in pull request #186: URL: https://github.com/apache/pulsar-helm-chart/pull/186#discussion_r766810762 ## File path: charts/pulsar/templates/autorecovery-statefulset.yaml ## @@ -139,7 +139,7 @@ spec: - > bin/apply-config

[GitHub] [pulsar-helm-chart] lhotari commented on pull request #186: [Security] Workaround for CVE-2021-44228 Log4J RCE when Log4J >= 2.10.0

2021-12-10 Thread GitBox
lhotari commented on pull request #186: URL: https://github.com/apache/pulsar-helm-chart/pull/186#issuecomment-991099453 Here's an additional workaround for patching existing Docker images with an additional overlay which upgrades Log4J to 2.15.0: https://github.com/lhotari/pulsar-docker-i

Re: [Security] CVE-2021-44228 severe RCE 0-day exploit found in Log4J - affects also Pulsar - mitigation instructions

2021-12-10 Thread Lari Hotari
Here's an additional workaround for patching existing Docker images with an additional overlay which upgrades Log4J to 2.15.0: https://github.com/lhotari/pulsar-docker-images-patch-CVE-2021-44228 . BR, Lari On Fri, Dec 10, 2021 at 2:23 PM Lari Hotari wrote: > > As many of you might have already

[GitHub] [pulsar-helm-chart] lhotari commented on pull request #186: [Security] Workaround for CVE-2021-44228 Log4J RCE when Log4J >= 2.10.0

2021-12-10 Thread GitBox
lhotari commented on pull request #186: URL: https://github.com/apache/pulsar-helm-chart/pull/186#issuecomment-991027940 It seems that Pulsar Functions cannot be covered with the Helm Chart changes alone when using Process Runtime or K8S Runtime. For Pulsar Functions, it's easier to patch

[GitHub] [pulsar-helm-chart] lhotari commented on pull request #186: [Security] Workaround for CVE-2021-44228 Log4J RCE when Log4J >= 2.10.0

2021-12-10 Thread GitBox
lhotari commented on pull request #186: URL: https://github.com/apache/pulsar-helm-chart/pull/186#issuecomment-991018790 I'm looking into ways to also cover Pulsar Functions since the current changes in the PR don't cover that. Since it's hard to set the system property for a Pulsar Fu

[DISCUSS] release pulsar-helm-chart with workaround for CVE-2021-44228

2021-12-10 Thread Lari Hotari
I can confirm that Pulsar is exploitable with CVE-2021-44228 . I'd like to propose releasing apache/pulsar-helm-chart after the workaround for CVE-2021-44228, PR https://github.com/apache/pulsar-helm-chart/pull/186 has been merged. Is it possible to expedite the decision about releasing this? I'm

[GitHub] [pulsar-helm-chart] lhotari commented on pull request #186: [Security] Workaround for CVE-2021-44228 Log4J RCE when Log4J >= 2.10.0

2021-12-10 Thread GitBox
lhotari commented on pull request #186: URL: https://github.com/apache/pulsar-helm-chart/pull/186#issuecomment-990976799 Notice! This workaround doesn't apply for Pulsar Functions that use process runtime or k8s runtime. Pulsar Proxy, Broker, Bookie and Zookeeper components are covered, bu

[GitHub] [pulsar-helm-chart] lhotari commented on pull request #186: [Security] Workaround for CVE-2021-44228 Log4J RCE when Log4J >= 2.10.0

2021-12-10 Thread GitBox
lhotari commented on pull request #186: URL: https://github.com/apache/pulsar-helm-chart/pull/186#issuecomment-990971926 > I could be wrong but I think you will need to bump the Chart version https://github.com/apache/pulsar-helm-chart/blob/master/charts/pulsar/Chart.yaml#L24 ? Otherwise a

[GitHub] [pulsar-helm-chart] frankjkelly edited a comment on pull request #186: [Security] Workaround for CVE-2021-44228 Log4J RCE when Log4J >= 2.10.0

2021-12-10 Thread GitBox
frankjkelly edited a comment on pull request #186: URL: https://github.com/apache/pulsar-helm-chart/pull/186#issuecomment-990955257 I could be wrong but I think you will need to bump the Chart version https://github.com/apache/pulsar-helm-chart/blob/master/charts/pulsar/Chart.yaml#L24 ?

[GitHub] [pulsar-helm-chart] frankjkelly commented on pull request #186: [Security] Workaround for CVE-2021-44228 Log4J RCE when Log4J >= 2.10.0

2021-12-10 Thread GitBox
frankjkelly commented on pull request #186: URL: https://github.com/apache/pulsar-helm-chart/pull/186#issuecomment-990955257 I could be wrong but I think you will need to bump the Chart version https://github.com/apache/pulsar-helm-chart/blob/master/charts/pulsar/Chart.yaml#L24 ?

Re: Detect unused variables in CI

2021-12-10 Thread Yufei Zhang
Hi, From what I read it can be used in Maven projects. Basically it needs a SonarScanner (different versions for multiple languages and build tools) for Maven as in [1]. Then the scanner forwards the result to the SonarQube website for reports. It can be used with code test coverage tools as well.

[Security] CVE-2021-44228 severe RCE 0-day exploit found in Log4J - affects also Pulsar - mitigation instructions

2021-12-10 Thread Lari Hotari
As many of you might have already heard of this, there's a severe RCE 0-day exploit found in Log4J (2.0 <= Apache log4j <= 2.14.1). Blog post: https://www.lunasec.io/docs/blog/log4j-zero-day/ CVE-2021-44228 in GitHub Security Advisory: https://github.com/advisories/GHSA-jfh8-c2jp-5v3q This also af

[GitHub] [pulsar-adapters] eolivelli merged pull request #30: Upgrade Log4J2 to 2.15.0 to mitigate CVE-2021-44228

2021-12-10 Thread GitBox
eolivelli merged pull request #30: URL: https://github.com/apache/pulsar-adapters/pull/30

[GitHub] [pulsar-adapters] lhotari opened a new pull request #30: Upgrade Log4J2 to 2.15.0 to mitigate CVE-2021-44228

2021-12-10 Thread GitBox
lhotari opened a new pull request #30: URL: https://github.com/apache/pulsar-adapters/pull/30 Upgrade Log4J2 to 2.15.0 to mitigate CVE-2021-44228

Re: Detect unused variables in CI

2021-12-10 Thread Yunze Xu
Thanks for the suggestion. I just took a look at https://github.com/SonarSource/sonarqube . It looks like SonarQube can only be applied to Gradle projects? Thanks, Yunze > On Dec 10, 2021 at 6:11 PM, Yufei Zhang wrote: > > Hi, > > My previous team used SonarQube

Re: Detect unused variables in CI

2021-12-10 Thread Yufei Zhang
Hi, My previous team used SonarQube for detecting such issues. I saw a free version can be used. Also there is sonarlint for local checks which I found useful. Cheers Yufei On Fri, Dec 10, 2021 at 6:08 PM Yunze Xu wrote: > Hi, all > > Recently I found a bug that could be avoided if we have a C

Detect unused variables in CI

2021-12-10 Thread Yunze Xu
Hi, all Recently I found a bug that could be avoided if we have a CI to detect unused variables. See https://github.com/apache/pulsar/pull/13233 . We can see the private field `recycleHandle` was not used before this PR. Generally, we should avoid all

[GitHub] [pulsar-adapters] aditiwari01 commented on issue #29: Pulsar - Spark adapter for scala 2.11

2021-12-10 Thread GitBox
aditiwari01 commented on issue #29: URL: https://github.com/apache/pulsar-adapters/issues/29#issuecomment-990748412 I'm exploring options as of now. If I end up writing a patch, would definitely send it.

[GitHub] [pulsar-adapters] eolivelli commented on issue #29: Pulsar - Spark adapter for scala 2.11

2021-12-10 Thread GitBox
eolivelli commented on issue #29: URL: https://github.com/apache/pulsar-adapters/issues/29#issuecomment-990740702 There is not much activity on the Spark adapter. Would you like to send a patch?

[GitHub] [pulsar-helm-chart] lhotari opened a new pull request #186: [Security] Workaround for CVE-2021-44228 Log4J RCE when Log4J >= 2.10.0

2021-12-10 Thread GitBox
lhotari opened a new pull request #186: URL: https://github.com/apache/pulsar-helm-chart/pull/186 ### Motivation CVE-2021-44228 , a severe RCE for Log4J. The workaround is to set `-Dlog4j2.formatMsgNoLookups=true` system property. CVE-2021-44228 is triggered if user provided