6.6.6 Release

Ishan Chattopadhyaya
Hi,
There is a severe memory leak bug, https://issues.apache.org/jira/browse/SOLR-10506, that didn't make it to the 6x branch at the time of its resolution.

I propose a 6.6.6 release with that fix (and any others that might be low hanging, high severity issues). I am volunteering to be the RM for this.
Please let me know if there are any thoughts or objections.
Regards,
Ishan

Disclaimer: I am primarily interested in this release upon the request of one of my clients who are impacted by this bug, and I'm proposing to do this release on their request.

Re: 6.6.6 Release

Jan Høydahl / Cominvent
Ok for me. But I think that means we need to backport ALL known CVE issues that affect 6.x, is that your plan?
I'm not sure if we are also expected (by ASF) to upgrade dependencies with known vulnerabilities, e.g. Tika, commons-xxx etc, do you know?

--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com

18. mar. 2019 kl. 08:08 skrev Ishan Chattopadhyaya <[hidden email]>:

Hi,
There is a severe memory leak bug, https://issues.apache.org/jira/browse/SOLR-10506, that didn't make it to the 6x branch at the time of its resolution.

I propose a 6.6.6 release with that fix (and any others that might be low hanging, high severity issues). I am volunteering to be the RM for this.
Please let me know if there are any thoughts or objections.
Regards,
Ishan

Disclaimer: I am primarily interested in this release upon the request of one of my clients who are impacted by this bug, and I'm proposing to do this release on their request.


Re: 6.6.6 Release

Noble Paul നോബിള്‍  नोब्ळ्
As long as you are OK to be the RM it should be OK.
+1

On Mon, Mar 18, 2019 at 6:19 PM Jan Høydahl <[hidden email]> wrote:

>
> Ok for me. But I think that means we need to backport ALL known CVE issues that affect 6.x, is that your plan?
> I'm not sure if we are also expected (by ASF) to upgrade dependencies with known vulnerabilities, e.g. Tika, commons-xxx etc, do you know?
>
> --
> Jan Høydahl, search solution architect
> Cominvent AS - www.cominvent.com
>
> 18. mar. 2019 kl. 08:08 skrev Ishan Chattopadhyaya <[hidden email]>:
>
> Hi,
> There is a severe memory leak bug, https://issues.apache.org/jira/browse/SOLR-10506, that didn't make it to the 6x branch at the time of its resolution.
>
> I propose a 6.6.6 release with that fix (and any others that might be low hanging, high severity issues). I am volunteering to be the RM for this.
> Please let me know if there are any thoughts or objections.
> Regards,
> Ishan
>
> Disclaimer: I am primarily interested in this release upon the request of one of my clients who are impacted by this bug, and I'm proposing to do this release on their request.
>
>


--
-----------------------------------------------------
Noble Paul



Re: 6.6.6 Release

Ishan Chattopadhyaya
In reply to this post by Jan Høydahl / Cominvent
> But I think that means we need to backport ALL known CVE issues that affect 6.x, is that your plan?
That's a good point. Wasn't originally my plan, but I can port as many CVEs that I reasonably can. :-)

I'm also now wondering if upgrading Tika and others in a bugfix release is a good idea. My thought is that if a user is stuck with 6x, these CVE fixes will help a lot. Hence, it makes sense to me to try to upgrade these components.

On Mon, Mar 18, 2019 at 12:49 PM Jan Høydahl <[hidden email]> wrote:
Ok for me. But I think that means we need to backport ALL known CVE issues that affect 6.x, is that your plan?
I'm not sure if we are also expected (by ASF) to upgrade dependencies with known vulnerabilities, e.g. Tika, commons-xxx etc, do you know?

--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com

18. mar. 2019 kl. 08:08 skrev Ishan Chattopadhyaya <[hidden email]>:

Hi,
There is a severe memory leak bug, https://issues.apache.org/jira/browse/SOLR-10506, that didn't make it to the 6x branch at the time of its resolution.

I propose a 6.6.6 release with that fix (and any others that might be low hanging, high severity issues). I am volunteering to be the RM for this.
Please let me know if there are any thoughts or objections.
Regards,
Ishan

Disclaimer: I am primarily interested in this release upon the request of one of my clients who are impacted by this bug, and I'm proposing to do this release on their request.


Re: 6.6.6 Release

Ishan Chattopadhyaya
Hi,
I have backported the following:
SOLR-10506 (Memory leak)
SOLR-12770 ("shards" security fix)
SOLR-12514 (Authorization plugin skipped on nodes where collection not present)

I can see that Tika version in branch_6_6 is 1.16, and SOLR-10335 (upgrade to 1.16) already fixes CVE-2016-6809 (SOLR-11486). Hence, I'm not attempting to upgrade it further (to 1.19 or later, for example).

After backporting SOLR-12770 I am running the tests, and I've not encountered any reproducible failures yet. However, there are some flakey tests and I'm not very sure if my backporting introduced that flakiness or not (the logs don't seem to indicate that), since some of those tests failed even before my backporting. I'm planning to run the tests a bit more to see if any reproducible failures are encountered. If all is well, then I'm planning to start the release process tomorrow. If there are more fixes that should be backported, please let me know. Also, if someone can review the branch for the backported fixes, that would be very welcome.

Thanks,
Ishan

On Mon, Mar 18, 2019 at 1:06 PM Ishan Chattopadhyaya <[hidden email]> wrote:
> But I think that means we need to backport ALL known CVE issues that affect 6.x, is that your plan?
That's a good point. Wasn't originally my plan, but I can port as many CVEs that I reasonably can. :-)

I'm also now wondering if upgrading Tika and others in a bugfix release is a good idea. My thought is that if a user is stuck with 6x, these CVE fixes will help a lot. Hence, it makes sense to me to try to upgrade these components.

On Mon, Mar 18, 2019 at 12:49 PM Jan Høydahl <[hidden email]> wrote:
Ok for me. But I think that means we need to backport ALL known CVE issues that affect 6.x, is that your plan?
I'm not sure if we are also expected (by ASF) to upgrade dependencies with known vulnerabilities, e.g. Tika, commons-xxx etc, do you know?

--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com

18. mar. 2019 kl. 08:08 skrev Ishan Chattopadhyaya <[hidden email]>:

Hi,
There is a severe memory leak bug, https://issues.apache.org/jira/browse/SOLR-10506, that didn't make it to the 6x branch at the time of its resolution.

I propose a 6.6.6 release with that fix (and any others that might be low hanging, high severity issues). I am volunteering to be the RM for this.
Please let me know if there are any thoughts or objections.
Regards,
Ishan

Disclaimer: I am primarily interested in this release upon the request of one of my clients who are impacted by this bug, and I'm proposing to do this release on their request.


Re: 6.6.6 Release

Tomás Fernández Löbbe
Thanks for working on this Ishan, I'll commit SOLR-13301 into the branch too.

On Mon, Mar 25, 2019 at 12:13 AM Ishan Chattopadhyaya <[hidden email]> wrote:
Hi,
I have backported the following:
SOLR-10506 (Memory leak)
SOLR-12770 ("shards" security fix)
SOLR-12514 (Authorization plugin skipped on nodes where collection not present)

I can see that Tika version in branch_6_6 is 1.16, and SOLR-10335 (upgrade to 1.16) already fixes CVE-2016-6809 (SOLR-11486). Hence, I'm not attempting to upgrade it further (to 1.19 or later, for example).

After backporting SOLR-12770 I am running the tests, and I've not encountered any reproducible failures yet. However, there are some flakey tests and I'm not very sure if my backporting introduced that flakiness or not (the logs don't seem to indicate that), since some of those tests failed even before my backporting. I'm planning to run the tests a bit more to see if any reproducible failures are encountered. If all is well, then I'm planning to start the release process tomorrow. If there are more fixes that should be backported, please let me know. Also, if someone can review the branch for the backported fixes, that would be very welcome.

Thanks,
Ishan

On Mon, Mar 18, 2019 at 1:06 PM Ishan Chattopadhyaya <[hidden email]> wrote:
> But I think that means we need to backport ALL known CVE issues that affect 6.x, is that your plan?
That's a good point. Wasn't originally my plan, but I can port as many CVEs that I reasonably can. :-)

I'm also now wondering if upgrading Tika and others in a bugfix release is a good idea. My thought is that if a user is stuck with 6x, these CVE fixes will help a lot. Hence, it makes sense to me to try to upgrade these components.

On Mon, Mar 18, 2019 at 12:49 PM Jan Høydahl <[hidden email]> wrote:
Ok for me. But I think that means we need to backport ALL known CVE issues that affect 6.x, is that your plan?
I'm not sure if we are also expected (by ASF) to upgrade dependencies with known vulnerabilities, e.g. Tika, commons-xxx etc, do you know?

--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com

18. mar. 2019 kl. 08:08 skrev Ishan Chattopadhyaya <[hidden email]>:

Hi,
There is a severe memory leak bug, https://issues.apache.org/jira/browse/SOLR-10506, that didn't make it to the 6x branch at the time of its resolution.

I propose a 6.6.6 release with that fix (and any others that might be low hanging, high severity issues). I am volunteering to be the RM for this.
Please let me know if there are any thoughts or objections.
Regards,
Ishan

Disclaimer: I am primarily interested in this release upon the request of one of my clients who are impacted by this bug, and I'm proposing to do this release on their request.


Re: 6.6.6 Release

Ishan Chattopadhyaya
I've set up a Jenkins for branch 6.6,

On Tue 26 Mar, 2019, 10:14 AM Tomás Fernández Löbbe, <[hidden email]> wrote:
Thanks for working on this Ishan, I'll commit SOLR-13301 into the branch too.

On Mon, Mar 25, 2019 at 12:13 AM Ishan Chattopadhyaya <[hidden email]> wrote:
Hi,
I have backported the following:
SOLR-10506 (Memory leak)
SOLR-12770 ("shards" security fix)
SOLR-12514 (Authorization plugin skipped on nodes where collection not present)

I can see that Tika version in branch_6_6 is 1.16, and SOLR-10335 (upgrade to 1.16) already fixes CVE-2016-6809 (SOLR-11486). Hence, I'm not attempting to upgrade it further (to 1.19 or later, for example).

After backporting SOLR-12770 I am running the tests, and I've not encountered any reproducible failures yet. However, there are some flakey tests and I'm not very sure if my backporting introduced that flakiness or not (the logs don't seem to indicate that), since some of those tests failed even before my backporting. I'm planning to run the tests a bit more to see if any reproducible failures are encountered. If all is well, then I'm planning to start the release process tomorrow. If there are more fixes that should be backported, please let me know. Also, if someone can review the branch for the backported fixes, that would be very welcome.

Thanks,
Ishan

On Mon, Mar 18, 2019 at 1:06 PM Ishan Chattopadhyaya <[hidden email]> wrote:
> But I think that means we need to backport ALL known CVE issues that affect 6.x, is that your plan?
That's a good point. Wasn't originally my plan, but I can port as many CVEs that I reasonably can. :-)

I'm also now wondering if upgrading Tika and others in a bugfix release is a good idea. My thought is that if a user is stuck with 6x, these CVE fixes will help a lot. Hence, it makes sense to me to try to upgrade these components.

On Mon, Mar 18, 2019 at 12:49 PM Jan Høydahl <[hidden email]> wrote:
Ok for me. But I think that means we need to backport ALL known CVE issues that affect 6.x, is that your plan?
I'm not sure if we are also expected (by ASF) to upgrade dependencies with known vulnerabilities, e.g. Tika, commons-xxx etc, do you know?

--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com

18. mar. 2019 kl. 08:08 skrev Ishan Chattopadhyaya <[hidden email]>:

Hi,
There is a severe memory leak bug, https://issues.apache.org/jira/browse/SOLR-10506, that didn't make it to the 6x branch at the time of its resolution.

I propose a 6.6.6 release with that fix (and any others that might be low hanging, high severity issues). I am volunteering to be the RM for this.
Please let me know if there are any thoughts or objections.
Regards,
Ishan

Disclaimer: I am primarily interested in this release upon the request of one of my clients who are impacted by this bug, and I'm proposing to do this release on their request.


Re: 6.6.6 Release

david.w.smiley@gmail.com
Is it documented somewhere how to set up a Jenkins config to run Lucene/Solr tests?  We have no Jenkinsfile.

~ David Smiley
Apache Lucene/Solr Search Developer


On Tue, Mar 26, 2019 at 6:13 AM Ishan Chattopadhyaya <[hidden email]> wrote:
I've set up a Jenkins for branch 6.6,

On Tue 26 Mar, 2019, 10:14 AM Tomás Fernández Löbbe, <[hidden email]> wrote:
Thanks for working on this Ishan, I'll commit SOLR-13301 into the branch too.

On Mon, Mar 25, 2019 at 12:13 AM Ishan Chattopadhyaya <[hidden email]> wrote:
Hi,
I have backported the following:
SOLR-10506 (Memory leak)
SOLR-12770 ("shards" security fix)
SOLR-12514 (Authorization plugin skipped on nodes where collection not present)

I can see that Tika version in branch_6_6 is 1.16, and SOLR-10335 (upgrade to 1.16) already fixes CVE-2016-6809 (SOLR-11486). Hence, I'm not attempting to upgrade it further (to 1.19 or later, for example).

After backporting SOLR-12770 I am running the tests, and I've not encountered any reproducible failures yet. However, there are some flakey tests and I'm not very sure if my backporting introduced that flakiness or not (the logs don't seem to indicate that), since some of those tests failed even before my backporting. I'm planning to run the tests a bit more to see if any reproducible failures are encountered. If all is well, then I'm planning to start the release process tomorrow. If there are more fixes that should be backported, please let me know. Also, if someone can review the branch for the backported fixes, that would be very welcome.

Thanks,
Ishan

On Mon, Mar 18, 2019 at 1:06 PM Ishan Chattopadhyaya <[hidden email]> wrote:
> But I think that means we need to backport ALL known CVE issues that affect 6.x, is that your plan?
That's a good point. Wasn't originally my plan, but I can port as many CVEs that I reasonably can. :-)

I'm also now wondering if upgrading Tika and others in a bugfix release is a good idea. My thought is that if a user is stuck with 6x, these CVE fixes will help a lot. Hence, it makes sense to me to try to upgrade these components.

On Mon, Mar 18, 2019 at 12:49 PM Jan Høydahl <[hidden email]> wrote:
Ok for me. But I think that means we need to backport ALL known CVE issues that affect 6.x, is that your plan?
I'm not sure if we are also expected (by ASF) to upgrade dependencies with known vulnerabilities, e.g. Tika, commons-xxx etc, do you know?

--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com

18. mar. 2019 kl. 08:08 skrev Ishan Chattopadhyaya <[hidden email]>:

Hi,
There is a severe memory leak bug, https://issues.apache.org/jira/browse/SOLR-10506, that didn't make it to the 6x branch at the time of its resolution.

I propose a 6.6.6 release with that fix (and any others that might be low hanging, high severity issues). I am volunteering to be the RM for this.
Please let me know if there are any thoughts or objections.
Regards,
Ishan

Disclaimer: I am primarily interested in this release upon the request of one of my clients who are impacted by this bug, and I'm proposing to do this release on their request.


Re: 6.6.6 Release

Ishan Chattopadhyaya
In reply to this post by Tomás Fernández Löbbe
> Thanks for working on this Ishan, I'll commit SOLR-13301 into the branch too.
Thanks Tomas!

Also, thanks Jan for backporting SOLR-12473.

On Tue, Mar 26, 2019 at 10:14 AM Tomás Fernández Löbbe <[hidden email]> wrote:
Thanks for working on this Ishan, I'll commit SOLR-13301 into the branch too.

On Mon, Mar 25, 2019 at 12:13 AM Ishan Chattopadhyaya <[hidden email]> wrote:
Hi,
I have backported the following:
SOLR-10506 (Memory leak)
SOLR-12770 ("shards" security fix)
SOLR-12514 (Authorization plugin skipped on nodes where collection not present)

I can see that Tika version in branch_6_6 is 1.16, and SOLR-10335 (upgrade to 1.16) already fixes CVE-2016-6809 (SOLR-11486). Hence, I'm not attempting to upgrade it further (to 1.19 or later, for example).

After backporting SOLR-12770 I am running the tests, and I've not encountered any reproducible failures yet. However, there are some flakey tests and I'm not very sure if my backporting introduced that flakiness or not (the logs don't seem to indicate that), since some of those tests failed even before my backporting. I'm planning to run the tests a bit more to see if any reproducible failures are encountered. If all is well, then I'm planning to start the release process tomorrow. If there are more fixes that should be backported, please let me know. Also, if someone can review the branch for the backported fixes, that would be very welcome.

Thanks,
Ishan

On Mon, Mar 18, 2019 at 1:06 PM Ishan Chattopadhyaya <[hidden email]> wrote:
> But I think that means we need to backport ALL known CVE issues that affect 6.x, is that your plan?
That's a good point. Wasn't originally my plan, but I can port as many CVEs that I reasonably can. :-)

I'm also now wondering if upgrading Tika and others in a bugfix release is a good idea. My thought is that if a user is stuck with 6x, these CVE fixes will help a lot. Hence, it makes sense to me to try to upgrade these components.

On Mon, Mar 18, 2019 at 12:49 PM Jan Høydahl <[hidden email]> wrote:
Ok for me. But I think that means we need to backport ALL known CVE issues that affect 6.x, is that your plan?
I'm not sure if we are also expected (by ASF) to upgrade dependencies with known vulnerabilities, e.g. Tika, commons-xxx etc, do you know?

--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com

18. mar. 2019 kl. 08:08 skrev Ishan Chattopadhyaya <[hidden email]>:

Hi,
There is a severe memory leak bug, https://issues.apache.org/jira/browse/SOLR-10506, that didn't make it to the 6x branch at the time of its resolution.

I propose a 6.6.6 release with that fix (and any others that might be low hanging, high severity issues). I am volunteering to be the RM for this.
Please let me know if there are any thoughts or objections.
Regards,
Ishan

Disclaimer: I am primarily interested in this release upon the request of one of my clients who are impacted by this bug, and I'm proposing to do this release on their request.


Re: 6.6.6 Release

Ishan Chattopadhyaya
In reply to this post by david.w.smiley@gmail.com
> Is it documented somewhere how to set up a Jenkins config to run Lucene/Solr tests?  We have no Jenkinsfile.
Not sure, but I just had a simple build step as follows in the Jenkins configuration:

ant ivy-bootstrap; cd solr/core; ant -Dtests.jvms=8 test

I remember Steve having a very good script that he runs on his Jenkins. I think we should have that and a Jenkinsfile in the repository. (Maybe even Mark's best ever beasting script should also make it into the repository?)

On Tue, Mar 26, 2019 at 6:04 PM David Smiley <[hidden email]> wrote:
Is it documented somewhere how to set up a Jenkins config to run Lucene/Solr tests?  We have no Jenkinsfile.

~ David Smiley
Apache Lucene/Solr Search Developer


On Tue, Mar 26, 2019 at 6:13 AM Ishan Chattopadhyaya <[hidden email]> wrote:
I've set up a Jenkins for branch 6.6,

On Tue 26 Mar, 2019, 10:14 AM Tomás Fernández Löbbe, <[hidden email]> wrote:
Thanks for working on this Ishan, I'll commit SOLR-13301 into the branch too.

On Mon, Mar 25, 2019 at 12:13 AM Ishan Chattopadhyaya <[hidden email]> wrote:
Hi,
I have backported the following:
SOLR-10506 (Memory leak)
SOLR-12770 ("shards" security fix)
SOLR-12514 (Authorization plugin skipped on nodes where collection not present)

I can see that Tika version in branch_6_6 is 1.16, and SOLR-10335 (upgrade to 1.16) already fixes CVE-2016-6809 (SOLR-11486). Hence, I'm not attempting to upgrade it further (to 1.19 or later, for example).

After backporting SOLR-12770 I am running the tests, and I've not encountered any reproducible failures yet. However, there are some flakey tests and I'm not very sure if my backporting introduced that flakiness or not (the logs don't seem to indicate that), since some of those tests failed even before my backporting. I'm planning to run the tests a bit more to see if any reproducible failures are encountered. If all is well, then I'm planning to start the release process tomorrow. If there are more fixes that should be backported, please let me know. Also, if someone can review the branch for the backported fixes, that would be very welcome.

Thanks,
Ishan

On Mon, Mar 18, 2019 at 1:06 PM Ishan Chattopadhyaya <[hidden email]> wrote:
> But I think that means we need to backport ALL known CVE issues that affect 6.x, is that your plan?
That's a good point. Wasn't originally my plan, but I can port as many CVEs that I reasonably can. :-)

I'm also now wondering if upgrading Tika and others in a bugfix release is a good idea. My thought is that if a user is stuck with 6x, these CVE fixes will help a lot. Hence, it makes sense to me to try to upgrade these components.

On Mon, Mar 18, 2019 at 12:49 PM Jan Høydahl <[hidden email]> wrote:
Ok for me. But I think that means we need to backport ALL known CVE issues that affect 6.x, is that your plan?
I'm not sure if we are also expected (by ASF) to upgrade dependencies with known vulnerabilities, e.g. Tika, commons-xxx etc, do you know?

--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com

18. mar. 2019 kl. 08:08 skrev Ishan Chattopadhyaya <[hidden email]>:

Hi,
There is a severe memory leak bug, https://issues.apache.org/jira/browse/SOLR-10506, that didn't make it to the 6x branch at the time of its resolution.

I propose a 6.6.6 release with that fix (and any others that might be low hanging, high severity issues). I am volunteering to be the RM for this.
Please let me know if there are any thoughts or objections.
Regards,
Ishan

Disclaimer: I am primarily interested in this release upon the request of one of my clients who are impacted by this bug, and I'm proposing to do this release on their request.