[DISCUSS] JanusGraph 0.6.1 release


Florian Hockmann
 

Hi,

 

we wanted to release patch versions shortly given the CVE in Log4j to mitigate it in the Elasticsearch version we distribute with the pre-packaged distribution: https://lists.lfaidata.foundation/g/janusgraph-dev/message/1554

 

I just merged a PR to the v0.6 branch with a simple mitigation: https://github.com/JanusGraph/janusgraph/pull/2892

 

As I explained in a comment in that PR, the mitigation now only landed in v0.6 and not in v0.5 as we don’t have any continuous integration for that branch and in general, I’m not sure it’s worth the effort to release a patch release for that branch, given that it only helps users who start JanusGraph together with ES from the `bin/janusgraph.sh` script.

 

So, we could release 0.6.1 now with the simple mitigation for ES. But if we want to release soon, then the release date would be in the middle of the holiday season. That would at least open the question whether someone is available over the holiday period to handle the release.

Since I will not be available myself, I personally suggest that we postpone the release to the beginning of January. If, however someone is willing to act as release manager during the holiday period, then we can still do the release soon. We would of course also need at least 3 TSC members for the VOTE, but I guess that should be possible if we could start the VOTE already in the beginning of next week.

 

Apart from the release date and who will be the release manager, are there any important issues still open that really need to be fixed for 0.6.1?

I think we should try to release 0.6.1 as soon as possible so new users don’t start with a vulnerable Elasticsearch installation and we can release 0.6.2 soon after, if necessary, but if you see any issues that we should really include, then we can discuss that of course.

 

Other questions that we could discuss for this release:

  • Should we also update Elasticsearch from 7.14.0 to 7.16.1 (the version that includes the JVM property as a mitigation already and some more changes as precautions [1]) for the 0.6.1 release? Note that this would mean that users of the pre-packaged distribution would then start version 7.16.1 with already existing data created by 7.14.0. The ES release notes mention no breaking changes, but I’m still not sure whether we want to do that.
  • Is everybody OK with only releasing a patch for 0.6, but not for 0.5, given my reasoning from a above (or a bit more detailed in the PR [2])?

 

Best regards,

Florian

 

[1]: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#elasticsearch-4

[2]: https://github.com/JanusGraph/janusgraph/pull/2892#issuecomment-993536460

Join janusgraph-dev@lists.lfaidata.foundation to automatically receive all group messages.