Ilya,
I agree with you that there is no risk and spring-data-2.2 can be safely cherry-picked to the ignite-2.8 branch. I'm OK with it. Will you do this merge, or should I do it myself?

As for the second part of your email, you are proposing to bump up minor dependency versions (no API changes) for all the components mentioned in the parent/pom.xml file, right? From the release point of view, it does not seem a good thing, since the test scope of the release becomes too wide. I don't think we will thus simplify the year-long release test scope, so to me this does not sound good, but I'd like to hear the thoughts of other community members on this point.

As an alternative, for instance, we can bump minor versions only for those components which have security vulnerabilities. To find such dependencies, I've run some local tests with Maven dependency-check-maven [1], an open-source dependency check tool. Here is a brief report (only a few modules tested):

spring-core-4.3.18.RELEASE.jar : CVE-2018-15756 [2]
h2-1.4.197.jar : CVE-2018-10054, CVE-2018-14335 (discussed also [3])
ignite-shmem-1.0.0.jar : CVE-2017-14614

[1] https://jeremylong.github.io/DependencyCheck/index.html
[2] https://nvd.nist.gov/vuln/detail/CVE-2018-15756
[3] https://issues.apache.org/jira/browse/IGNITE-10801

On Thu, 26 Dec 2019 at 15:52, Ilya Kasnacheev <[hidden email]> wrote:
>
> Hello!
>
> I propose to add the following ticket to the scope:
> https://issues.apache.org/jira/browse/IGNITE-12259 (3 commits, be careful with release version)
>
> Adding tickets to scope surely seems crazy now, but I will provide the following considerations:
> * This is Spring Data 2.2 integration, which we currently do not have, leading to lots of confused questions on stack overflow and mailing list. Spring Data is important to our public image since many people may learn about our project by starting with Spring Data.
> * It has zero code impact outside of its own module (just 2 POM files touched and that's all).
> * The core was ready since early November but, due to gmail quirk, we did not react to it in time.
>
> WDYT?
>
> Another semi-related question. *Should we bump our dependencies' versions before releasing 2.8?* I talk mainly about spring and hibernate dependencies. We could switch them to their latest maintenance versions to avoid shipping default links to outdated packages.
>
> I think this is one of the things that are very hard to do between releases, so I think this dependencies bumping should be a part of a formal release/testing cycle, and then be backported to master.
>
> I could volunteer to do that myself, if we agree to merge these version upgrades to ignite-2.8 and then re-test.
>
> Regards,
> --
> Ilya Kasnacheev
>
> Tue, 24 Dec 2019 at 13:22, Zhenya Stanilovsky <[hidden email]>:
>
> > Igniters, I'll try to compare 2.8 release candidate vs 2.7.6,
> > last sha 2.8 was built from: 9d114f3137f92aebc2562a
> > I use yardstick benchmarks, 4 bare machines with: 2x Xeon X5570 96Gb 512GB SSD 2048GB HDD 10GB/s
> > 1 for client (driver) and 3 for servers.
> > this mappings for graphs and real yardstick tests:
> >
> > atomic-put: IgnitePutBenchmark
> > sql-merge-query: IgniteSqlMergeQueryBenchmark
> > atomic-get: IgniteGetBenchmark
> > tx-get: IgniteGetTxBenchmark
> > tx-put: IgnitePutTxBenchmark
> > atomic-put-all-bs-10: IgnitePutAllBenchmark
> > tx-put-all-bs-10: IgnitePutAllTxBenchmark
> >
> > cacheMode — partitioned
> > CacheWriteSynchronizationMode.FULL_SYNC
> > 1 backup
> >
> > 1. wal = log_only 2. wal = none 3. persistence disabled.
> > Thanks Maxim for wiki page [1]
> >
> > [1] https://cwiki.apache.org/confluence/display/IGNITE/Apache+Ignite+2.8#ApacheIgnite2.8-Benchmarks
> >
> > do we need some bisect or other work here?
> >
> > >------- Forwarded message -------
> > >From: "Maxim Muzafarov" <[hidden email]>
> > >To: [hidden email]
> > >Cc:
> > >Subject: Apache Ignite 2.8 RELEASE [Time, Scope, Manager]
> > >Date: Fri, 20 Sep 2019 14:44:31 +0300
> > >
> > >Igniters,
> > >
> > >Almost a year has passed since the last major Apache Ignite 2.7 has been released. We've accumulated a lot of performance improvements and a lot of new features which are waiting for their release date. Here is my list of the most interesting things from my point since the last major release:
> > >
> > >Service Grid,
> > >Monitoring,
> > >Recovery Read
> > >BLT auto-adjust,
> > >PDS compression,
> > >WAL page compression,
> > >Thin client: best effort affinity,
> > >Thin client: transactions support (not yet)
> > >SQL query history
> > >SQL statistics
> > >
> > >I think we should no longer wait and freeze the master branch anymore and prepare the next major release by the end of the year.
> > >
> > >I propose to discuss Time, Scope of Apache Ignite 2.8 release and also I want to propose myself to be the release manager of the planned release.
> > >
> > >Scope Freeze: November 4, 2019
> > >Code Freeze: November 18, 2019
> > >Voting Date: December 10, 2019
> > >Release Date: December 17, 2019
> > >
> > >WDYT?

|
In reply to this post by Ilya Kasnacheev
A huge +1 for adding Spring Data related fixes/improvements. Ilya is right that Spring Data related questions sparked last time due to missing support of 2.2 version.

Ilya, could you elaborate on what you mean under "bumping the versions"? Do you suggest performing a straightforward upgrade of "ignite-spring-data" to version 2.2 and introducing "ignite-spring-data-{old-version}" for the previous versions? If it's so, I fully agree with the proposal.

-
Denis

|
Hello!
I have committed ignite-spring-data_2.2 to ignite-2.8.

By bumping versions I mean the following:

<slf4j.version>1.7.*7*</slf4j.version>
<slf4j16.version>1.6.*4*</slf4j16.version>
<snappy.version>1.1.7.*2*</snappy.version>
<spark.hadoop.version>2.6.*5*</spark.hadoop.version>
<spark.version>2.3.*0*</spark.version>
<spring.data.version>1.13.*14*.RELEASE</spring.data.version> <!-- don't forget to update spring version -->
<spring.version>4.3.*18*.RELEASE</spring.version><!-- don't forget to update spring-data version -->
<spring.data-2.0.version>2.0.*9*.RELEASE</spring.data-2.0.version> <!-- don't forget to update spring-5.0 version -->
<spring-5.0.version>5.0.*8*.RELEASE</spring-5.0.version><!-- don't forget to update spring-data-2.0 version -->

All these libraries have maintenance releases (such as our 2.7.*6*) and I think it would be beneficial to upgrade these dependencies to the latest maintenance version found in Maven Central.

For example, there is spring.data-2.0 2.0.*14*.RELEASE.

Regards,
--
Ilya Kasnacheev

|
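The security-only bump proposed earlier in the thread, applied to the version properties listed in the message above, as an added example that is not part of the original emails or of the Ignite build. It parses the brief report lines, matches each flagged jar to a POM version property, and leaves every other property untouched. The `ARTIFACT_TO_PROPERTY` mapping is an assumption, the POM fragment is constructed from the values quoted in the thread (emphasis asterisks removed), and `LINKED` follows the "don't forget to update" comments.

```python
import re
import xml.etree.ElementTree as ET

# Finding lines exactly as given in the brief report in this thread.
REPORT = """\
spring-core-4.3.18.RELEASE.jar : CVE-2018-15756 [2]
h2-1.4.197.jar : CVE-2018-10054, CVE-2018-14335 (discussed also [3])
ignite-shmem-1.0.0.jar : CVE-2017-14614
"""

# Constructed fragment shaped like the <properties> block of parent/pom.xml,
# holding only the properties quoted in the thread.
POM_PROPERTIES = """\
<properties>
  <slf4j.version>1.7.7</slf4j.version>
  <slf4j16.version>1.6.4</slf4j16.version>
  <snappy.version>1.1.7.2</snappy.version>
  <spark.hadoop.version>2.6.5</spark.hadoop.version>
  <spark.version>2.3.0</spark.version>
  <spring.data.version>1.13.14.RELEASE</spring.data.version>
  <spring.version>4.3.18.RELEASE</spring.version>
  <spring.data-2.0.version>2.0.9.RELEASE</spring.data-2.0.version>
  <spring-5.0.version>5.0.8.RELEASE</spring-5.0.version>
</properties>
"""

# Assumption (not stated in the thread): which property pins which flagged jar.
ARTIFACT_TO_PROPERTY = {"spring-core": "spring.version"}

# Pairs that the POM comments say must be updated together.
LINKED = {
    "spring.version": "spring.data.version",
    "spring.data.version": "spring.version",
    "spring-5.0.version": "spring.data-2.0.version",
    "spring.data-2.0.version": "spring-5.0.version",
}

# The version starts at the first hyphen that is followed by a digit.
JAR_RE = re.compile(r"(?P<artifact>.+?)-(?P<version>\d[\w.]*)\.jar")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_report(text):
    """Return {artifact: (version, [CVE ids])} from 'jar : CVE, CVE' lines."""
    findings = {}
    for line in text.splitlines():
        jar, sep, rest = line.partition(" : ")
        match = JAR_RE.fullmatch(jar.strip())
        if not sep or not match:
            continue  # not a finding line
        findings[match["artifact"]] = (match["version"], CVE_RE.findall(rest))
    return findings


def load_properties(xml_text):
    """Return {property name: value} for each child element of <properties>."""
    root = ET.fromstring(xml_text)
    return {el.tag: (el.text or "").strip()
            for el in root if isinstance(el.tag, str)}


def plan_bumps(findings, props):
    """Split the work into security bumps, unmanaged findings and deferred bumps."""
    bumps, unmanaged = [], []
    for artifact, (version, cves) in sorted(findings.items()):
        prop = ARTIFACT_TO_PROPERTY.get(artifact)
        # No known property, or the scanned jar is not the pinned version:
        # a property edit would not fix it, so it needs manual review.
        if prop is None or props.get(prop) != version:
            unmanaged.append(artifact)
            continue
        bumps.append({
            "property": prop,
            "current": version,
            "artifact": artifact,
            "cves": cves,
            "review_with": LINKED.get(prop),
        })
    touched = {b["property"] for b in bumps} | {b["review_with"] for b in bumps}
    deferred = sorted(p for p in props if p not in touched)
    return bumps, unmanaged, deferred


if __name__ == "__main__":
    bumps, unmanaged, deferred = plan_bumps(parse_report(REPORT),
                                            load_properties(POM_PROPERTIES))
    for b in bumps:
        print(f"bump {b['property']} (now {b['current']}) for {', '.join(b['cves'])}; "
              f"review {b['review_with']} in the same change")
    print("flagged but not pinned by a listed property:", ", ".join(unmanaged))
    print("left at current version for this release:", ", ".join(deferred))
```
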
In reply to this post by Maxim Muzafarov
Hello!
Task IGNITE-12470 is ready.
https://issues.apache.org/jira/browse/IGNITE-12470
Please check this API.

Regards,
Ryzhov Sergei.

|
Hello!
I have also noticed that we have baseline auto-adjust enabled by default in 2.8 builds, and it breaks existing code at runtime:
https://issues.apache.org/jira/browse/IGNITE-12504

I propose to turn auto-adjust off by default in 2.8 release. What do you think?

Regards,
--
Ilya Kasnacheev

|
Ilya,
+1 from my side.

|
Hello,
"baseline auto-adjust" is disabled by default if you start your node on existing PDS. It's enabled on new clusters only.

Existing installations should not be affected by the update. Is that ok?

Fri, 27 Dec 2019 at 14:46, Maxim Muzafarov <[hidden email]>:

> Ilya,
>
> +1 from my side.
>
> On Fri, 27 Dec 2019 at 14:36, Ilya Kasnacheev <[hidden email]> wrote:
> >
> > Hello!
> >
> > I have also noticed that we have baseline auto-adjust enabled by default in
> > 2.8 builds, and it breaks existing code in runtime:
> > https://issues.apache.org/jira/browse/IGNITE-12504
> >
> > I propose to turn auto-adjust off by default in 2.8 release. What do you
> > think?
> >
> > Regards,
> > --
> > Ilya Kasnacheev
> >
> > Fri, 27 Dec 2019 at 12:40, Sergei Ryzhov <[hidden email]>:
> >
> > > Hello!
> > > Task IGNITE-12470 is ready.
> > > https://issues.apache.org/jira/browse/IGNITE-12470
> > > Please check this API.
> > >
> > > Regards,
> > > Ryzhov Sergei.

--
Sincerely yours,
Ivan Bessonov
Hello.
Ivan is right that "baseline auto-adjust" is disabled by default if you start your node on existing PDS. But "baseline auto-adjust" is enabled by default for in-memory cluster due to in-memory nodes also have bound to baseline since 2.8 version.

Also, I want to note that after this ticket (https://issues.apache.org/jira/projects/IGNITE/issues/IGNITE-12227), "baseline auto-adjust" would be disabled by default for any persistent cluster (empty and existed one) because current logic is a little confused and can lead to some problems which are described in the ticket.

--
Best regards,
Anton Kalashnikov

27.12.2019, 17:58, "Ivan Bessonov" <[hidden email]>:
> Hello,
>
> "baseline auto-adjust" is disabled by default if you start your node on
> existing PDS.
> It's enabled on new clusters only.
>
> Existing installations should not be affected by the update. Is that ok?
>
> --
> Sincerely yours,
> Ivan Bessonov
In reply to this post by Ilya Kasnacheev
Ilya, now I see, thanks for the explanation. Agree with you, let's update the versions of the dependencies to the latest.

-
Denis

On Thu, Dec 26, 2019 at 10:50 PM Ilya Kasnacheev <[hidden email]> wrote:

> Hello!
>
> I have committed ignite-spring-data_2.2 to ignite-2.8.
>
> By bumping versions I mean the following:
> <slf4j.version>1.7.*7*</slf4j.version>
> <slf4j16.version>1.6.*4*</slf4j16.version>
> <snappy.version>1.1.7.*2*</snappy.version>
> <spark.hadoop.version>2.6.*5*</spark.hadoop.version>
> <spark.version>2.3.*0*</spark.version>
> <spring.data.version>1.13.*14*.RELEASE</spring.data.version> <!-- don't forget to update spring version -->
> <spring.version>4.3.*18*.RELEASE</spring.version><!-- don't forget to update spring-data version -->
> <spring.data-2.0.version>2.0.*9*.RELEASE</spring.data-2.0.version> <!-- don't forget to update spring-5.0 version -->
> <spring-5.0.version>5.0.*8*.RELEASE</spring-5.0.version><!-- don't forget to update spring-data-2.0 version -->
>
> All these libraries have maintenance release (such as our 2.7.*6*) and I
> think it would be beneficial to upgrade these dependencies to the latest
> maintenance version found in Maven Central.
> For example, there is spring.data-2.0 2.0.*14*.RELEASE.
>
> Regards,
> --
> Ilya Kasnacheev
>
> Thu, 26 Dec 2019 at 19:32, Denis Magda <[hidden email]>:
>
> > A huge +1 for adding Spring Data related fixes/improvements. Ilya is right
> > that Spring Data related questions sparked last time due to missing support
> > of 2.2 version.
> >
> > Ilya, could you elaborate on what you mean under "bumping the versions"? Do
> > you suggest performing a straightforward upgrade of "ignite-spring-data" to
> > version 2.2 and introducing "ignite-spring-data-{old-version}" for the
> > previous versions? If it's so, I fully agree with the proposal.
> >
> > -
> > Denis
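The dependency-check findings quoted in this thread come in two line shapes: a short `jar : CVE, ...` form and a longer one that puts the package URL and CPE identifiers in parentheses. The parser below is an added example, not part of any message in the thread or of the Ignite build; it turns such output into a per-jar shortlist for targeted version bumps. The sample input is constructed from lines quoted in the thread, and treating consecutive module headers as one group that shares the findings after them is an assumption about how the report was condensed.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Module header printed by dependency-check-maven, as quoted in the thread.
HEADER_RE = re.compile(
    r"^One or more dependencies were identified with known vulnerabilities"
    r" in (?P<module>[^:\s]+):$")
CVE = r"CVE-\d{4}-\d{4,}"
# "<file>.jar [(identifiers)] : CVE-..., CVE-..."; a trailing comma is tolerated.
FINDING_RE = re.compile(
    r"^(?P<jar>\S+\.jar)\s*(?:\((?P<ids>.*)\))?\s*:\s*"
    r"(?P<cves>" + CVE + r"(?:\s*,\s*" + CVE + r")*)\s*,?$")
PURL_RE = re.compile(
    r"pkg:maven/(?P<group>[^/@\s,]+)/(?P<artifact>[^@\s,]+)@(?P<version>[^,\s)]+)")
# Fallback when no package URL is printed: the version starts at the first
# "-<digit>" in the file name (spring-core-4.3.18.RELEASE.jar).
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.\-]*)\.jar$")


@dataclass
class Finding:
    jar: str
    artifact: str
    version: str
    group: Optional[str]
    cves: set = field(default_factory=set)
    modules: set = field(default_factory=set)


def parse_report(text):
    """Return ({jar: Finding}, [lines that matched neither pattern])."""
    findings, skipped = {}, []
    group, group_closed = [], True
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            if group_closed:          # a finding ended the previous group
                group, group_closed = [], False
            group.append(header.group("module"))
            continue
        hit = FINDING_RE.match(line)
        if not hit:
            skipped.append(line)      # keep for review instead of dropping
            continue
        group_closed = True
        jar = hit.group("jar")
        entry = findings.get(jar)
        if entry is None:
            purl = PURL_RE.search(hit.group("ids") or "")
            name = purl or JAR_RE.match(jar)
            entry = findings[jar] = Finding(
                jar=jar,
                artifact=name.group("artifact") if name else jar,
                version=name.group("version") if name else "",
                group=purl.group("group") if purl else None)
        # The same jar reported under several modules is merged into one entry.
        entry.cves.update(re.findall(CVE, hit.group("cves")))
        entry.modules.update(group)
    return findings, skipped


def bump_shortlist(findings):
    """Jars ordered by number of distinct CVEs, most first."""
    ranked = sorted(findings.values(), key=lambda f: (-len(f.cves), f.artifact))
    return [(f.artifact, f.version, sorted(f.cves), sorted(f.modules))
            for f in ranked]


# Constructed sample: lines taken from the thread, arranged for the example.
SAMPLE_REPORT = """\
h2-1.4.197.jar : CVE-2018-10054, CVE-2018-14335
One or more dependencies were identified with known vulnerabilities in ignite-spring:
One or more dependencies were identified with known vulnerabilities in ignite-aop:
spring-core-4.3.18.RELEASE.jar : CVE-2018-15756
One or more dependencies were identified with known vulnerabilities in ignite-rest-http:
jetty-server-9.4.11.v20180605.jar (pkg:maven/org.eclipse.jetty/jetty-server@9.4.11.v20180605, cpe:2.3:a:eclipse:jetty:9.4.11:20180605:*:*:*:*:*:*) : CVE-2018-12545, CVE-2019-10241, CVE-2019-10247
One or more dependencies were identified with known vulnerabilities in ignite-spring-data:
spring-core-4.3.18.RELEASE.jar : CVE-2018-15756
[INFO] BUILD SUCCESS
"""

if __name__ == "__main__":
    parsed, unparsed = parse_report(SAMPLE_REPORT)
    for artifact, version, cves, modules in bump_shortlist(parsed):
        print(f"{artifact} {version}: {len(cves)} CVE(s), modules: "
              f"{', '.join(modules) or 'n/a'}")
    print("unparsed lines:", unparsed)
```

Lines that match neither pattern are returned rather than dropped, so a changed report layout shows up as unparsed output instead of as a silently shorter shortlist.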
In reply to this post by Anton Kalashnikov
Hello!
I have checked that on master, and fallback to old behavior does not seem to work for pre-existing clusters:

I am starting a cluster with two nodes with pre-existing PDS, and when I start client, which would do setBaselineTopology, I get:

Caused by: org.apache.ignite.internal.processors.cluster.BaselineAdjustForbiddenException: Baseline auto-adjust is enabled, please turn-off it before try to adjust baseline manually
    at org.apache.ignite.internal.processors.cluster.GridClusterStateProcessor.changeGlobalState0 (GridClusterStateProcessor.java:996)
    at org.apache.ignite.internal.processors.cluster.GridClusterStateProcessor.changeGlobalState (GridClusterStateProcessor.java:916)
    at org.apache.ignite.internal.processors.cluster.GridClusterStateProcessor.changeGlobalState (GridClusterStateProcessor.java:895)
    at org.apache.ignite.internal.processors.cluster.GridClusterStateProcessor.changeGlobalState (GridClusterStateProcessor.java:855)
    at org.apache.ignite.internal.cluster.IgniteClusterImpl.setBaselineTopology (IgniteClusterImpl.java:387)

You can try that on a reproducer referenced in https://issues.apache.org/jira/browse/IGNITE-12504 - start cluster in 2.6.0, run persistence-data-nodes/persistence, then upgrade (don't forget H2) and start cluster again.

Regards,
--
Ilya Kasnacheev

Fri, 27 Dec 2019 at 18:24, Anton Kalashnikov <[hidden email]>:

> Hello.
>
> Ivan is right that "baseline auto-adjust" is disabled by default if you
> start your node on existing PDS. But "baseline auto-adjust" is enabled by
> default for in-memory cluster due to in-memory nodes also have bound to
> baseline since 2.8 version.
>
> Also, I want to note that after this ticket(
> https://issues.apache.org/jira/projects/IGNITE/issues/IGNITE-12227).
> "baseline auto-adjust" would be disabled by default for any persistent
> cluster(empty and existed one) because current logic is a little confused
> and can lead to some problems which described in the ticket.
>
> --
> Best regards,
> Anton Kalashnikov
Hello!
I have run dependency checker plugin and quote the following:

One or more dependencies were identified with known vulnerabilities in ignite-urideploy:
One or more dependencies were identified with known vulnerabilities in ignite-spring:
One or more dependencies were identified with known vulnerabilities in ignite-spring-data:
One or more dependencies were identified with known vulnerabilities in ignite-aop:
One or more dependencies were identified with known vulnerabilities in ignite-visor-console:

spring-core-4.3.18.RELEASE.jar (pkg:maven/org.springframework/[hidden email], cpe:2.3:a:pivotal_software:spring_framework:4.3.18.release:*:*:*:*:*:*:*, cpe:2.3:a:springsource:spring_framework:4.3.18.release:*:*:*:*:*:*:*, cpe:2.3:a:vmware:springsource_spring_framework:4.3.18:*:*:*:*:*:*:*) : CVE-2018-15756

One or more dependencies were identified with known vulnerabilities in ignite-spring-data_2.0:

spring-core-5.0.8.RELEASE.jar (pkg:maven/org.springframework/[hidden email], cpe:2.3:a:pivotal_software:spring_framework:5.0.8.release:*:*:*:*:*:*:*, cpe:2.3:a:springsource:spring_framework:5.0.8.release:*:*:*:*:*:*:*, cpe:2.3:a:vmware:springsource_spring_framework:5.0.8:*:*:*:*:*:*:*) : CVE-2018-15756

One or more dependencies were identified with known vulnerabilities in ignite-rest-http:

jetty-server-9.4.11.v20180605.jar (pkg:maven/org.eclipse.jetty/jetty-server@9.4.11.v20180605, cpe:2.3:a:eclipse:jetty:9.4.11:20180605:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.11.v20180605:*:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:9.4.11:20180605:*:*:*:*:*:*) : CVE-2018-12545, CVE-2019-10241, CVE-2019-10247
jackson-databind-2.9.6.jar (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.6, cpe:2.3:a:fasterxml:jackson:2.9.6:*:*:*:*:*:*:*, cpe:2.3:a:fasterxml:jackson-databind:2.9.6:*:*:*:*:*:*:*) : CVE-2018-1000873, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362, CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, CVE-2019-14439, CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943, CVE-2019-17267, CVE-2019-17531

One or more dependencies were identified with known vulnerabilities in ignite-kubernetes:
One or more dependencies were identified with known vulnerabilities in ignite-aws:

jackson-databind-2.9.6.jar (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.6, cpe:2.3:a:fasterxml:jackson:2.9.6:*:*:*:*:*:*:*, cpe:2.3:a:fasterxml:jackson-databind:2.9.6:*:*:*:*:*:*:*) : CVE-2018-1000873, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362, CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, CVE-2019-14439, CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943, CVE-2019-17267, CVE-2019-17531
bcprov-ext-jdk15on-1.54.jar (pkg:maven/org.bouncycastle/bcprov-ext-jdk15on@1.54) : CVE-2015-6644, CVE-2016-1000338, CVE-2016-1000339, CVE-2016-1000340, CVE-2016-1000341, CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, CVE-2016-1000345, CVE-2016-1000346, CVE-2016-1000352, CVE-2016-2427, CVE-2017-13098, CVE-2018-1000180, CVE-2018-1000613

One or more dependencies were identified with known vulnerabilities in ignite-gce:

httpclient-4.0.1.jar (pkg:maven/org.apache.httpcomponents/httpclient@4.0.1, cpe:2.3:a:apache:httpclient:4.0.1:*:*:*:*:*:*:*) : CVE-2011-1498, CVE-2014-3577, CVE-2015-5262
guava-jdk5-17.0.jar (pkg:maven/com.google.guava/guava-jdk5@17.0, cpe:2.3:a:google:guava:17.0:*:*:*:*:*:*:*) : CVE-2018-10237

One or more dependencies were identified with known vulnerabilities in ignite-cloud:

openstack-keystone-2.0.0.jar (pkg:maven/org.apache.jclouds.api/openstack-keystone@2.0.0, cpe:2.3:a:openstack:keystone:2.0.0:*:*:*:*:*:*:*, cpe:2.3:a:openstack:openstack:2.0.0:*:*:*:*:*:*:*) : CVE-2013-2014, CVE-2013-4222, CVE-2013-6391, CVE-2014-0204, CVE-2014-3476, CVE-2014-3520, CVE-2014-3621, CVE-2015-3646, CVE-2015-7546, CVE-2018-14432, CVE-2018-20170
cloudstack-2.0.0.jar (pkg:maven/org.apache.jclouds.api/cloudstack@2.0.0, cpe:2.3:a:apache:cloudstack:2.0.0:*:*:*:*:*:*:*) : CVE-2013-2136, CVE-2013-6398, CVE-2014-0031, CVE-2014-9593, CVE-2015-3252
docker-2.0.0.jar (pkg:maven/org.apache.jclouds.api/docker@2.0.0, cpe:2.3:a:docker:docker:2.0.0:*:*:*:*:*:*:*) : CVE-2018-10892, CVE-2019-13139, CVE-2019-13509, CVE-2019-15752, CVE-2019-16884, CVE-2019-5736
guava-16.0.1.jar (pkg:maven/com.google.guava/guava@16.0.1, cpe:2.3:a:google:guava:16.0.1:*:*:*:*:*:*:*) : CVE-2018-10237
docker-1.9.3.jar (pkg:maven/org.apache.jclouds.labs/docker@1.9.3, cpe:2.3:a:docker:docker:1.9.3:*:*:*:*:*:*:*) : CVE-2016-3697, CVE-2017-14992, CVE-2019-13139, CVE-2019-13509, CVE-2019-15752, CVE-2019-16884, CVE-2019-5736
jsch.agentproxy.core-0.0.8.jar (pkg:maven/com.jcraft/jsch.agentproxy.core@0.0.8, cpe:2.3:a:jcraft:jsch:0.0.8:*:*:*:*:*:*:*) : CVE-2016-5725
bcprov-ext-jdk15on-1.49.jar (pkg:maven/org.bouncycastle/bcprov-ext-jdk15on@1.49) : CVE-2015-6644, CVE-2015-7940, CVE-2016-1000338, CVE-2016-1000339, CVE-2016-1000341, CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, CVE-2016-1000345, CVE-2016-1000346, CVE-2016-1000352, CVE-2017-13098, CVE-2018-1000613
okhttp-2.2.0.jar (pkg:maven/com.squareup.okhttp/okhttp@2.2.0, cpe:2.3:a:squareup:okhttp:2.2.0:*:*:*:*:*:*:*) : CVE-2016-2402

One or more dependencies were identified with known vulnerabilities in ignite-mesos:

mesos-1.5.0.jar (pkg:maven/org.apache.mesos/mesos@1.5.0, cpe:2.3:a:apache:mesos:1.5.0:*:*:*:*:*:*:*) : CVE-2018-11793, CVE-2018-1330, CVE-2018-8023, CVE-2019-0204, CVE-2019-5736
jetty-server-9.4.11.v20180605.jar (pkg:maven/org.eclipse.jetty/jetty-server@9.4.11.v20180605, cpe:2.3:a:eclipse:jetty:9.4.11:20180605:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.11.v20180605:*:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:9.4.11:20180605:*:*:*:*:*:*) : CVE-2018-12545, CVE-2019-10241, CVE-2019-10247
jackson-databind-2.9.6.jar (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.6, cpe:2.3:a:fasterxml:jackson:2.9.6:*:*:*:*:*:*:*, cpe:2.3:a:fasterxml:jackson-databind:2.9.6:*:*:*:*:*:*:*) : CVE-2018-1000873, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362, CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, CVE-2019-14439, CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943, CVE-2019-17267, CVE-2019-17531

One or more dependencies were identified with known vulnerabilities in ignite-kafka:

kafka-clients-2.0.1.jar (pkg:maven/org.apache.kafka/kafka-clients@2.0.1, cpe:2.3:a:apache:kafka:2.0.1:*:*:*:*:*:*:*) : CVE-2018-17196
connect-api-2.0.1.jar (pkg:maven/org.apache.kafka/connect-api@2.0.1, cpe:2.3:a:apache:kafka:2.0.1:*:*:*:*:*:*:*) : CVE-2018-17196

One or more dependencies were identified with known vulnerabilities in ignite-flume:

guava-11.0.2.jar (pkg:maven/com.google.guava/guava@11.0.2, cpe:2.3:a:google:guava:11.0.2:*:*:*:*:*:*:*) : CVE-2018-10237
jackson-core-asl-1.8.8.jar (pkg:maven/org.codehaus.jackson/jackson-core-asl@1.8.8, cpe:2.3:a:fasterxml:jackson:1.8.8:*:*:*:*:*:*:*) : CVE-2017-15095, CVE-2017-17485, CVE-2017-7525
jackson-mapper-asl-1.8.8.jar (pkg:maven/org.codehaus.jackson/jackson-mapper-asl@1.8.8, cpe:2.3:a:fasterxml:jackson:1.8.8:*:*:*:*:*:*:*, cpe:2.3:a:fasterxml:jackson-mapper-asl:1.8.8:*:*:*:*:*:*:*) : CVE-2017-15095, CVE-2017-17485, CVE-2017-7525, CVE-2018-1000873, CVE-2018-14718, CVE-2018-5968, CVE-2018-7489, CVE-2019-14540, CVE-2019-16335, CVE-2019-17267
commons-collections-3.2.1.jar (pkg:maven/commons-collections/commons-collections@3.2.1, cpe:2.3:a:apache:commons_collections:3.2.1:*:*:*:*:*:*:*) : CVE-2015-6420, CVE-2017-15708, Remote code execution
netty-3.9.4.Final.jar (pkg:maven/io.netty/[hidden email], cpe:2.3:a:netty:netty:3.9.4:*:*:*:*:*:*:*) : CVE-2015-2156, CVE-2019-16869, POODLE vulnerability in SSLv3.0 support
servlet-api-2.5-20110124.jar (pkg:maven/org.mortbay.jetty/servlet-api@2.5-20110124, cpe:2.3:a:jetty:jetty:2.5.20110124:*:*:*:*:*:*:*, cpe:2.3:a:mortbay:jetty:2.5.20110124:*:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:2.5.20110124:*:*:*:*:*:*:*) : CVE-2005-3747, CVE-2007-5615, CVE-2009-1523, CVE-2009-1524, CVE-2009-5048, CVE-2009-5049, CVE-2011-4461
jetty-util-6.1.26.jar (pkg:maven/org.mortbay.jetty/jetty-util@6.1.26, cpe:2.3:a:jetty:jetty:6.1.26:*:*:*:*:*:*:*, cpe:2.3:a:mortbay:jetty:6.1.26:*:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:6.1.26:*:*:*:*:*:*:*) : CVE-2009-1523, CVE-2011-4461
jetty-6.1.26.jar (pkg:maven/org.mortbay.jetty/jetty@6.1.26, cpe:2.3:a:jetty:jetty:6.1.26:*:*:*:*:*:*:*, cpe:2.3:a:mortbay:jetty:6.1.26:*:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:6.1.26:*:*:*:*:*:*:*) : CVE-2009-1523, CVE-2011-4461, CVE-2017-7656, CVE-2017-7657, CVE-2017-7658, CVE-2017-9735, CVE-2019-10241, CVE-2019-10247
libthrift-0.9.0.jar (pkg:maven/org.apache.thrift/libthrift@0.9.0) : CVE-2015-3254, CVE-2016-5397, CVE-2018-1320, CVE-2019-0205
httpclient-4.1.3.jar (pkg:maven/org.apache.httpcomponents/httpclient@4.1.3, cpe:2.3:a:apache:httpclient:4.1.3:*:*:*:*:*:*:*) : CVE-2014-3577, CVE-2015-5262

One or more dependencies were identified with known vulnerabilities in ignite-twitter:

httpclient-4.2.5.jar (pkg:maven/org.apache.httpcomponents/httpclient@4.2.5, cpe:2.3:a:apache:httpclient:4.2.5:*:*:*:*:*:*:*) : CVE-2014-3577, CVE-2015-5262
guava-14.0.1.jar (pkg:maven/com.google.guava/guava@14.0.1, cpe:2.3:a:google:guava:14.0.1:*:*:*:*:*:*:*) : CVE-2018-10237

One or more dependencies were identified with known vulnerabilities in ignite-zookeeper:

jackson-databind-2.9.8.jar (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8, cpe:2.3:a:fasterxml:jackson:2.9.8:*:*:*:*:*:*:*, cpe:2.3:a:fasterxml:jackson-databind:2.9.8:*:*:*:*:*:*:*) : CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, CVE-2019-14439, CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943, CVE-2019-17267, CVE-2019-17531
guava-16.0.1.jar (pkg:maven/com.google.guava/guava@16.0.1, cpe:2.3:a:google:guava:16.0.1:*:*:*:*:*:*:*) : CVE-2018-10237
jackson-mapper-asl-1.9.13.jar (pkg:maven/org.codehaus.jackson/jackson-mapper-asl@1.9.13, cpe:2.3:a:fasterxml:jackson:1.9.13:*:*:*:*:*:*:*, cpe:2.3:a:fasterxml:jackson-mapper-asl:1.9.13:*:*:*:*:*:*:*) : CVE-2017-15095, CVE-2017-17485, CVE-2017-7525, CVE-2018-1000873, CVE-2018-14718, CVE-2018-5968, CVE-2018-7489, CVE-2019-10172, CVE-2019-14540, CVE-2019-16335, CVE-2019-17267
netty-all-4.1.29.Final.jar (pkg:maven/io.netty/[hidden email], cpe:2.3:a:netty:netty:4.1.29:*:*:*:*:*:*:*) : CVE-2019-16869

One or more dependencies were identified with known vulnerabilities in ignite-camel:

camel-core-2.22.0.jar (pkg:maven/org.apache.camel/camel-core@2.22.0, cpe:2.3:a:apache:camel:2.22.0:*:*:*:*:*:*:*) : CVE-2018-8041, CVE-2019-0188, CVE-2019-0194
camel-core-2.22.0.jar/META-INF/maven/org.apache.camel/spi-annotations/pom.xml (pkg:maven/org.apache.camel/spi-annotations@2.22.0, cpe:2.3:a:apache:camel:2.22.0:*:*:*:*:*:*:*) : CVE-2018-8041, CVE-2019-0188, CVE-2019-0194

One or more dependencies were identified with known vulnerabilities in ignite-storm:

storm-core-1.1.1.jar (pkg:maven/org.apache.storm/storm-core@1.1.1, cpe:2.3:a:apache:storm:1.1.1:*:*:*:*:*:*:*) : CVE-2018-11779, CVE-2018-1331, CVE-2018-1332, CVE-2018-8008, CVE-2019-0202
storm-core-1.1.1.jar/META-INF/maven/org.eclipse.jetty/jetty-servlet/pom.xml (pkg:maven/org.eclipse.jetty/jetty-servlet@7.6.13.v20130916, cpe:2.3:a:eclipse:jetty:7.6.13:20130916:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:7.6.13.v20130916:*:*:*:*:*:*:*) : CVE-2019-10247
storm-core-1.1.1.jar/META-INF/maven/org.apache.httpcomponents/httpclient/pom.xml (pkg:maven/org.apache.httpcomponents/httpclient@4.3.3, cpe:2.3:a:apache:httpclient:4.3.3:*:*:*:*:*:*:*) : CVE-2014-3577, CVE-2015-5262
storm-core-1.1.1.jar/META-INF/maven/com.google.guava/guava/pom.xml (pkg:maven/com.google.guava/guava@16.0.1, cpe:2.3:a:google:guava:16.0.1:*:*:*:*:*:*:*) : CVE-2018-10237
storm-core-1.1.1.jar/META-INF/maven/io.netty/netty/pom.xml (pkg:maven/io.netty/[hidden email], cpe:2.3:a:netty:netty:3.9.0:*:*:*:*:*:*:*) : CVE-2014-0193, CVE-2014-3488, CVE-2015-2156, CVE-2019-16869, POODLE vulnerability in SSLv3.0 support
storm-core-1.1.1.jar/META-INF/maven/org.eclipse.jetty/jetty-server/pom.xml (pkg:maven/org.eclipse.jetty/jetty-server@7.6.13.v20130916, cpe:2.3:a:eclipse:jetty:7.6.13:20130916:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:7.6.13.v20130916:*:*:*:*:*:*:*) : CVE-2011-4461, CVE-2017-7656, CVE-2017-7657, CVE-2017-7658, CVE-2017-9735, CVE-2019-10241, CVE-2019-10247
storm-core-1.1.1.jar/META-INF/maven/org.eclipse.jetty/jetty-util/pom.xml (pkg:maven/org.eclipse.jetty/jetty-util@7.6.13.v20130916, cpe:2.3:a:eclipse:jetty:7.6.13:20130916:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:7.6.13.v20130916:*:*:*:*:*:*:*) : CVE-2011-4461, CVE-2019-10247
storm-core-1.1.1.jar/META-INF/maven/commons-fileupload/commons-fileupload/pom.xml (pkg:maven/commons-fileupload/commons-fileupload@1.3.2, cpe:2.3:a:apache:commons_fileupload:1.3.2:*:*:*:*:*:*:*) : CVE-2016-1000031
storm-core-1.1.1.jar/META-INF/maven/org.apache.hadoop/hadoop-auth/pom.xml (pkg:maven/org.apache.hadoop/hadoop-auth@2.6.1, cpe:2.3:a:apache:hadoop:2.6.1:*:*:*:*:*:*:*) : CVE-2015-1776, CVE-2016-3086, CVE-2016-5001, CVE-2016-5393, CVE-2016-6811, CVE-2017-15713, CVE-2017-3161, CVE-2017-3162, CVE-2017-3166, CVE-2018-11768, CVE-2018-1296, CVE-2018-8009, CVE-2018-8029

One or more dependencies were identified with known vulnerabilities in ignite-cassandra-store:
One or more dependencies were identified with known vulnerabilities in ignite-cassandra-serializers:

commons-beanutils-1.9.2.jar (pkg:maven/commons-beanutils/commons-beanutils@1.9.2, cpe:2.3:a:apache:commons_beanutils:1.9.2:*:*:*:*:*:*:*) : CVE-2019-10086
commons-collections-3.2.1.jar (pkg:maven/commons-collections/commons-collections@3.2.1, cpe:2.3:a:apache:commons_collections:3.2.1:*:*:*:*:*:*:*) : CVE-2015-6420, CVE-2017-15708, Remote code execution
spring-core-4.3.18.RELEASE.jar (pkg:maven/org.springframework/[hidden email], cpe:2.3:a:pivotal_software:spring_framework:4.3.18.release:*:*:*:*:*:*:*, cpe:2.3:a:springsource:spring_framework:4.3.18.release:*:*:*:*:*:*:*, cpe:2.3:a:vmware:springsource_spring_framework:4.3.18:*:*:*:*:*:*:*) : CVE-2018-15756
netty-transport-4.1.27.Final.jar (pkg:maven/io.netty/[hidden email], cpe:2.3:a:netty:netty:4.1.27:*:*:*:*:*:*:*) : CVE-2019-16869

One or more dependencies were identified with known vulnerabilities in ignite-flink:

flink-hadoop-fs-1.5.0.jar (pkg:maven/org.apache.flink/flink-hadoop-fs@1.5.0, cpe:2.3:a:apache:hadoop:1.5.0:*:*:*:*:*:*:*) : CVE-2016-5001, CVE-2017-3161, CVE-2017-3162
flink-shaded-netty-4.0.27.Final-2.0.jar/META-INF/maven/io.netty/netty-all/pom.xml (pkg:maven/io.netty/[hidden email], cpe:2.3:a:netty:netty:4.0.27:*:*:*:*:*:*:*) : CVE-2015-2156, CVE-2016-4970, CVE-2019-16869
flink-shaded-jackson-2.7.9-3.0.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.9, cpe:2.3:a:fasterxml:jackson:2.7.9:*:*:*:*:*:*:*, cpe:2.3:a:fasterxml:jackson-databind:2.7.9:*:*:*:*:*:*:*) : CVE-2017-15095, CVE-2017-17485, CVE-2017-7525, CVE-2018-1000873, CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362, CVE-2018-5968, CVE-2018-7489, CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, CVE-2019-14439, CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943, CVE-2019-17267, CVE-2019-17531
flink-shaded-guava-18.0-2.0.jar/META-INF/maven/com.google.guava/guava/pom.xml (pkg:maven/com.google.guava/guava@18.0, cpe:2.3:a:google:guava:18.0:*:*:*:*:*:*:*) : CVE-2018-10237

One or more dependencies were identified with known vulnerabilities in ignite-rocketmq:

netty-all-4.0.42.Final.jar (pkg:maven/io.netty/[hidden email], cpe:2.3:a:netty:netty:4.0.42:*:*:*:*:*:*:*) : CVE-2019-16869
netty-tcnative-boringssl-static-1.1.33.Fork26.jar (pkg:maven/io.netty/netty-tcnative-boringssl-static@1.1.33.Fork26, cpe:2.3:a:apache:tomcat:1.1.33:*:*:*:*:*:*:*, cpe:2.3:a:apache:tomcat_native:1.1.33:*:*:*:*:*:*:*, cpe:2.3:a:apache_software_foundation:tomcat:1.1.33:*:*:*:*:*:*:*, cpe:2.3:a:apache_tomcat:apache_tomcat:1.1.33:*:*:*:*:*:*:*) : CVE-2000-1210, CVE-2001-0590, CVE-2002-0493, CVE-2005-4838, CVE-2006-7196, CVE-2007-1358, CVE-2007-2449, CVE-2008-0128, CVE-2009-2696, CVE-2012-5568, CVE-2013-2185, CVE-2013-4286, CVE-2013-4322, CVE-2013-4444, CVE-2013-4590, CVE-2013-6357, CVE-2014-0075, CVE-2014-0096, CVE-2014-0099, CVE-2014-0119, CVE-2016-5425, CVE-2017-15698, CVE-2018-8019, CVE-2018-8020

Main offenders seem to be "jackson-databind" and old maintenance releases of Spring. I think we can bump most of that.

Some integrations also clearly suffer, though it's a problem of their users, since they need to declare their own libraries' versions by convention.

Regards,
--
Ilya Kasnacheev

Fri, 27 Dec 2019 at 23:59, Denis Magda <[hidden email]>:

> Ilya, no I see, thanks for the explanation. Agree with you, let's update
> the versions of the dependencies to the latest.
>
> -
> Denis
>
>
> On Thu, Dec 26, 2019 at 10:50 PM Ilya Kasnacheev <[hidden email]> wrote:
>
> > Hello!
> >
> > I have committed ignite-spring-data_2.2 to ignite-2.8.
> >
> > By bumping versions I mean the following:
> >         <slf4j.version>1.7.*7*</slf4j.version>
> >         <slf4j16.version>1.6.*4*</slf4j16.version>
> >         <snappy.version>1.1.7.*2*</snappy.version>
> >         <spark.hadoop.version>2.6.*5*</spark.hadoop.version>
> >         <spark.version>2.3.*0*</spark.version>
> >         <spring.data.version>1.13.*14*.RELEASE</spring.data.version> <!-- don't forget to update spring version -->
> >         <spring.version>4.3.*18*.RELEASE</spring.version><!-- don't forget to update spring-data version -->
> >         <spring.data-2.0.version>2.0.*9*.RELEASE</spring.data-2.0.version> <!-- don't forget to update spring-5.0 version -->
> >         <spring-5.0.version>5.0.*8*.RELEASE</spring-5.0.version><!-- don't forget to update spring-data-2.0 version -->
> >
> > All these libraries have maintenance release (such as our 2.7.*6*) and I
> > think it would be beneficial to upgrade these dependencies to the latest
> > maintenance version found in Maven Central.
> > For example, there is spring.data-2.0 2.0.*14*.RELEASE.
> >
> > Regards,
> > --
> > Ilya Kasnacheev
> >
> >
> > Thu, 26 Dec 2019 at 19:32, Denis Magda <[hidden email]>:
> >
> > > A huge +1 for adding Spring Data related fixes/improvements. Ilya is right
> > > that Spring Data related questions sparked last time due to missing support
> > > of 2.2 version.
> > >
> > > Ilya, could you elaborate on what you mean under "bumping the versions"? Do
> > > you suggest performing a straightforward upgrade of "ignite-spring-data" to
> > > version 2.2 and introducing "ignite-spring-data-{old-version"} for the
> > > previous versions? If it's so, I fully agree with the proposal.
> > >
> > > -
> > > Denis
> > >
> > >
> > > On Thu, Dec 26, 2019 at 4:52 AM Ilya Kasnacheev <[hidden email]> wrote:
> > >
> > > > Hello!
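The triage discussed in this thread (bump only the dependencies the scan flags, starting with the "main offenders") can be done mechanically from the plugin's console summary. The following is an added example, not code from the thread or from the Ignite project: the function names are hypothetical and the sample input is a shortened excerpt constructed from the report quoted above. It also copes with the archive masking `artifact@version` as `[hidden email]` by falling back to the jar file name or the shaded `META-INF/maven` path.

```python
import re
from collections import namedtuple

# SAMPLE_REPORT is constructed for this example: a few modules taken from the
# report in the message above, with CPE identifiers and CVE lists shortened.
SAMPLE_REPORT = """\
One or more dependencies were identified with known vulnerabilities in ignite-kubernetes:
One or more dependencies were identified with known vulnerabilities in ignite-aws:

jackson-databind-2.9.6.jar
(pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.6,
cpe:2.3:a:fasterxml:jackson-databind:2.9.6:*:*:*:*:*:*:*) :
CVE-2018-14718, CVE-2019-12384, CVE-2019-17531
bcprov-ext-jdk15on-1.54.jar (pkg:maven/org.bouncycastle/bcprov-ext-jdk15on@1.54) : CVE-2016-1000338, CVE-2018-1000180

One or more dependencies were identified with known vulnerabilities in ignite-mesos:

jackson-databind-2.9.6.jar (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.6) : CVE-2018-14718, CVE-2019-12384, CVE-2019-17531

One or more dependencies were identified with known vulnerabilities in ignite-cassandra-serializers:

commons-collections-3.2.1.jar (pkg:maven/commons-collections/commons-collections@3.2.1) : CVE-2015-6420, CVE-2017-15708, Remote code execution
spring-core-4.3.18.RELEASE.jar (pkg:maven/org.springframework/[hidden email]) : CVE-2018-15756

One or more dependencies were identified with known vulnerabilities in ignite-storm:

storm-core-1.1.1.jar/META-INF/maven/io.netty/netty/pom.xml (pkg:maven/io.netty/[hidden email]) : CVE-2015-2156, CVE-2019-16869, POODLE vulnerability in SSLv3.0 support
"""

Finding = namedtuple("Finding", "module artifact version cves other")

HEADER = re.compile(
    r"One or more dependencies were identified with known vulnerabilities in (\S+):")
ENTRY = re.compile(r"(\S+) \((pkg:maven/[^)]*)\) ?: ?")
PURL = re.compile(r"pkg:maven/[^/\s,]+/([^@\s,]+)@([^\s,)]+)")
JAR = re.compile(r"(.+?)-(\d[^/]*?)\.jar$")
SHADED = re.compile(r"/META-INF/maven/[^/]+/([^/]+)/pom\.xml$")
CVE = re.compile(r"CVE-\d{4}-\d{4,}$")


def coordinates(file_name, identifiers):
    """Return (artifact, version), preferring the package URL when it is intact."""
    m = PURL.search(identifiers)
    if m:
        return m.group(1), m.group(2)
    # Package URL masked by the archive: use the shaded pom path (no version
    # available there) or the jar file name.
    m = SHADED.search(file_name)
    if m:
        return m.group(1), "unknown"
    m = JAR.match(file_name)
    if m:
        return m.group(1), m.group(2)
    return file_name, "unknown"


def parse_report(text):
    """Parse the summary into findings plus the modules that list no entries.

    Assumption: an entry belongs to the nearest preceding module header, so a
    header followed directly by another header is reported as empty.
    """
    text = re.sub(r"^(?:> ?)+", "", text, flags=re.M)  # drop e-mail quote markers
    text = " ".join(text.split())                      # undo mail line wrapping
    parts = HEADER.split(text)
    findings, empty = [], []
    for module, body in zip(parts[1::2], parts[2::2]):
        entries = list(ENTRY.finditer(body))
        if not entries:
            empty.append(module)
        for i, m in enumerate(entries):
            end = entries[i + 1].start() if i + 1 < len(entries) else len(body)
            items = [s.strip() for s in body[m.end():end].split(",") if s.strip()]
            artifact, version = coordinates(m.group(1), m.group(2))
            findings.append(Finding(module, artifact, version,
                                    [s for s in items if CVE.match(s)],
                                    [s for s in items if not CVE.match(s)]))
    return findings, empty


def rank_artifacts(findings):
    """Rows of (artifact, version, modules affected, distinct CVEs), worst first."""
    grouped = {}
    for f in findings:
        modules, cves = grouped.setdefault((f.artifact, f.version), (set(), set()))
        modules.add(f.module)
        cves.update(f.cves)
    rows = [(a, v, len(m), len(c)) for (a, v), (m, c) in grouped.items()]
    return sorted(rows, key=lambda r: (-r[2], -r[3], r[0]))


if __name__ == "__main__":
    findings, empty = parse_report(SAMPLE_REPORT)
    for artifact, version, n_modules, n_cves in rank_artifacts(findings):
        print(f"{artifact:22} {version:16} modules={n_modules} cves={n_cves}")
    print("modules with no entries listed:", ", ".join(empty))
```

Entries whose advisory has no CVE id (for example "Remote code execution") end up in the `other` field, so they are not lost when counting CVEs.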
Maxim M. and anyone who is interested,
I suggest to include this fix to 2.8 release: https://issues.apache.org/jira/browse/IGNITE-12225

Basically, it's a result of the following discussion: http://apache-ignite-developers.2346864.n4.nabble.com/DISCUSSION-Single-point-in-API-for-changing-cluster-state-td43665.html

The fix affects public API: IgniteCluster#readOnly methods that work with boolean are replaced with ones that work with enum.

If we include it, we won't be obliged to keep deprecated boolean version of API in the code (which is currently present in 2.8 branch) as it wasn't published in any release.

On Tue, Dec 31, 2019 at 3:54 PM Ilya Kasnacheev <[hidden email]> wrote:

> Hello!
>
> I have run dependency checker plugin and quote the following:
>
> One or more dependencies were identified with known vulnerabilities in ignite-urideploy:
> One or more dependencies were identified with known vulnerabilities in ignite-spring:
> One or more dependencies were identified with known vulnerabilities in ignite-spring-data:
> One or more dependencies were identified with known vulnerabilities in ignite-aop:
> One or more dependencies were identified with known vulnerabilities in ignite-visor-console:
>
> spring-core-4.3.18.RELEASE.jar (pkg:maven/org.springframework/[hidden email], cpe:2.3:a:pivotal_software:spring_framework:4.3.18.release:*:*:*:*:*:*:*, cpe:2.3:a:springsource:spring_framework:4.3.18.release:*:*:*:*:*:*:*, cpe:2.3:a:vmware:springsource_spring_framework:4.3.18:*:*:*:*:*:*:*) : CVE-2018-15756
>
> One or more dependencies were identified with known vulnerabilities in ignite-spring-data_2.0:
>
> spring-core-5.0.8.RELEASE.jar (pkg:maven/org.springframework/[hidden email], cpe:2.3:a:pivotal_software:spring_framework:5.0.8.release:*:*:*:*:*:*:*, cpe:2.3:a:springsource:spring_framework:5.0.8.release:*:*:*:*:*:*:*, cpe:2.3:a:vmware:springsource_spring_framework:5.0.8:*:*:*:*:*:*:*) : CVE-2018-15756
>
> One or more dependencies were identified with known vulnerabilities
(pkg:maven/org.apache.camel/spi-annotations@2.22.0, > cpe:2.3:a:apache:camel:2.22.0:*:*:*:*:*:*:*) : CVE-2018-8041, > CVE-2019-0188, CVE-2019-0194 > > One or more dependencies were identified with known vulnerabilities in > ignite-storm: > > storm-core-1.1.1.jar (pkg:maven/org.apache.storm/storm-core@1.1.1, > cpe:2.3:a:apache:storm:1.1.1:*:*:*:*:*:*:*) : CVE-2018-11779, > CVE-2018-1331, CVE-2018-1332, CVE-2018-8008, CVE-2019-0202 > storm-core-1.1.1.jar/META-INF/maven/org.eclipse.jetty/jetty-servlet/pom.xml > (pkg:maven/org.eclipse.jetty/jetty-servlet@7.6.13.v20130916, > cpe:2.3:a:eclipse:jetty:7.6.13:20130916:*:*:*:*:*:*, > cpe:2.3:a:jetty:jetty:7.6.13.v20130916:*:*:*:*:*:*:*) : CVE-2019-10247 > > storm-core-1.1.1.jar/META-INF/maven/org.apache.httpcomponents/httpclient/pom.xml > (pkg:maven/org.apache.httpcomponents/httpclient@4.3.3, > cpe:2.3:a:apache:httpclient:4.3.3:*:*:*:*:*:*:*) : CVE-2014-3577, > CVE-2015-5262 > storm-core-1.1.1.jar/META-INF/maven/com.google.guava/guava/pom.xml > (pkg:maven/com.google.guava/guava@16.0.1, > cpe:2.3:a:google:guava:16.0.1:*:*:*:*:*:*:*) : CVE-2018-10237 > storm-core-1.1.1.jar/META-INF/maven/io.netty/netty/pom.xml > (pkg:maven/io.netty/[hidden email], > cpe:2.3:a:netty:netty:3.9.0:*:*:*:*:*:*:*) : CVE-2014-0193, CVE-2014-3488, > CVE-2015-2156, CVE-2019-16869, POODLE vulnerability in SSLv3.0 support > storm-core-1.1.1.jar/META-INF/maven/org.eclipse.jetty/jetty-server/pom.xml > (pkg:maven/org.eclipse.jetty/jetty-server@7.6.13.v20130916, > cpe:2.3:a:eclipse:jetty:7.6.13:20130916:*:*:*:*:*:*, > cpe:2.3:a:jetty:jetty:7.6.13.v20130916:*:*:*:*:*:*:*) : CVE-2011-4461, > CVE-2017-7656, CVE-2017-7657, CVE-2017-7658, CVE-2017-9735, CVE-2019-10241, > CVE-2019-10247 > storm-core-1.1.1.jar/META-INF/maven/org.eclipse.jetty/jetty-util/pom.xml > (pkg:maven/org.eclipse.jetty/jetty-util@7.6.13.v20130916, > cpe:2.3:a:eclipse:jetty:7.6.13:20130916:*:*:*:*:*:*, > cpe:2.3:a:jetty:jetty:7.6.13.v20130916:*:*:*:*:*:*:*) : CVE-2011-4461, > CVE-2019-10247 > 
> storm-core-1.1.1.jar/META-INF/maven/commons-fileupload/commons-fileupload/pom.xml > (pkg:maven/commons-fileupload/commons-fileupload@1.3.2, > cpe:2.3:a:apache:commons_fileupload:1.3.2:*:*:*:*:*:*:*) : CVE-2016-1000031 > storm-core-1.1.1.jar/META-INF/maven/org.apache.hadoop/hadoop-auth/pom.xml > (pkg:maven/org.apache.hadoop/hadoop-auth@2.6.1, > cpe:2.3:a:apache:hadoop:2.6.1:*:*:*:*:*:*:*) : CVE-2015-1776, > CVE-2016-3086, CVE-2016-5001, CVE-2016-5393, CVE-2016-6811, CVE-2017-15713, > CVE-2017-3161, CVE-2017-3162, CVE-2017-3166, CVE-2018-11768, CVE-2018-1296, > CVE-2018-8009, CVE-2018-8029 > > One or more dependencies were identified with known vulnerabilities in > ignite-cassandra-store: > One or more dependencies were identified with known vulnerabilities in > ignite-cassandra-serializers: > > commons-beanutils-1.9.2.jar > (pkg:maven/commons-beanutils/commons-beanutils@1.9.2, > cpe:2.3:a:apache:commons_beanutils:1.9.2:*:*:*:*:*:*:*) : CVE-2019-10086 > commons-collections-3.2.1.jar > (pkg:maven/commons-collections/commons-collections@3.2.1, > cpe:2.3:a:apache:commons_collections:3.2.1:*:*:*:*:*:*:*) : CVE-2015-6420, > CVE-2017-15708, Remote code execution > spring-core-4.3.18.RELEASE.jar > (pkg:maven/org.springframework/[hidden email], > cpe:2.3:a:pivotal_software:spring_framework:4.3.18.release:*:*:*:*:*:*:*, > cpe:2.3:a:springsource:spring_framework:4.3.18.release:*:*:*:*:*:*:*, > cpe:2.3:a:vmware:springsource_spring_framework:4.3.18:*:*:*:*:*:*:*) : > CVE-2018-15756 > netty-transport-4.1.27.Final.jar > (pkg:maven/io.netty/[hidden email], > cpe:2.3:a:netty:netty:4.1.27:*:*:*:*:*:*:*) : CVE-2019-16869 > > One or more dependencies were identified with known vulnerabilities in > ignite-flink: > > flink-hadoop-fs-1.5.0.jar (pkg:maven/org.apache.flink/flink-hadoop-fs@1.5.0 > , > cpe:2.3:a:apache:hadoop:1.5.0:*:*:*:*:*:*:*) : CVE-2016-5001, > CVE-2017-3161, CVE-2017-3162 > > flink-shaded-netty-4.0.27.Final-2.0.jar/META-INF/maven/io.netty/netty-all/pom.xml > 
(pkg:maven/io.netty/[hidden email], > cpe:2.3:a:netty:netty:4.0.27:*:*:*:*:*:*:*) : CVE-2015-2156, CVE-2016-4970, > CVE-2019-16869 > > flink-shaded-jackson-2.7.9-3.0.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml > (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.9, > cpe:2.3:a:fasterxml:jackson:2.7.9:*:*:*:*:*:*:*, > cpe:2.3:a:fasterxml:jackson-databind:2.7.9:*:*:*:*:*:*:*) : CVE-2017-15095, > CVE-2017-17485, CVE-2017-7525, CVE-2018-1000873, CVE-2018-11307, > CVE-2018-12022, CVE-2018-12023, CVE-2018-14718, CVE-2018-14719, > CVE-2018-14720, CVE-2018-14721, CVE-2018-19360, CVE-2018-19361, > CVE-2018-19362, CVE-2018-5968, CVE-2018-7489, CVE-2019-12086, > CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, CVE-2019-14439, > CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943, > CVE-2019-17267, CVE-2019-17531 > > flink-shaded-guava-18.0-2.0.jar/META-INF/maven/com.google.guava/guava/pom.xml > (pkg:maven/com.google.guava/guava@18.0, > cpe:2.3:a:google:guava:18.0:*:*:*:*:*:*:*) : CVE-2018-10237 > > One or more dependencies were identified with known vulnerabilities in > ignite-rocketmq: > > netty-all-4.0.42.Final.jar (pkg:maven/io.netty/[hidden email], > cpe:2.3:a:netty:netty:4.0.42:*:*:*:*:*:*:*) : CVE-2019-16869 > netty-tcnative-boringssl-static-1.1.33.Fork26.jar > (pkg:maven/io.netty/netty-tcnative-boringssl-static@1.1.33.Fork26, > cpe:2.3:a:apache:tomcat:1.1.33:*:*:*:*:*:*:*, > cpe:2.3:a:apache:tomcat_native:1.1.33:*:*:*:*:*:*:*, > cpe:2.3:a:apache_software_foundation:tomcat:1.1.33:*:*:*:*:*:*:*, > cpe:2.3:a:apache_tomcat:apache_tomcat:1.1.33:*:*:*:*:*:*:*) : > CVE-2000-1210, CVE-2001-0590, CVE-2002-0493, CVE-2005-4838, CVE-2006-7196, > CVE-2007-1358, CVE-2007-2449, CVE-2008-0128, CVE-2009-2696, CVE-2012-5568, > CVE-2013-2185, CVE-2013-4286, CVE-2013-4322, CVE-2013-4444, CVE-2013-4590, > CVE-2013-6357, CVE-2014-0075, CVE-2014-0096, CVE-2014-0099, CVE-2014-0119, > CVE-2016-5425, CVE-2017-15698, CVE-2018-8019, CVE-2018-8020 > > 
> Main offenders seem to be "jackson-databind" and old maintenance releases
> of Spring. I think we can bump most of that.
>
> Some integrations also clearly suffer, though it's a problem of their
> users, since they need to declare their own libraries' versions by
> convention.
>
> Regards,
> --
> Ilya Kasnacheev
>
>
> Fri, 27 Dec 2019 at 23:59, Denis Magda <[hidden email]>:
>
> > Ilya, now I see, thanks for the explanation. Agree with you, let's update
> > the versions of the dependencies to the latest.
> >
> > -
> > Denis
> >
> >
> > On Thu, Dec 26, 2019 at 10:50 PM Ilya Kasnacheev <[hidden email]>
> > wrote:
> >
> > > Hello!
> > >
> > > I have committed ignite-spring-data_2.2 to ignite-2.8.
> > >
> > > By bumping versions I mean the following:
> > >         <slf4j.version>1.7.*7*</slf4j.version>
> > >         <slf4j16.version>1.6.*4*</slf4j16.version>
> > >         <snappy.version>1.1.7.*2*</snappy.version>
> > >         <spark.hadoop.version>2.6.*5*</spark.hadoop.version>
> > >         <spark.version>2.3.*0*</spark.version>
> > >         <spring.data.version>1.13.*14*.RELEASE</spring.data.version> <!-- don't forget to update spring version -->
> > >         <spring.version>4.3.*18*.RELEASE</spring.version><!-- don't forget to update spring-data version -->
> > >         <spring.data-2.0.version>2.0.*9*.RELEASE</spring.data-2.0.version> <!-- don't forget to update spring-5.0 version -->
> > >         <spring-5.0.version>5.0.*8*.RELEASE</spring-5.0.version><!-- don't forget to update spring-data-2.0 version -->
> > >
> > > All these libraries have maintenance releases (such as our 2.7.*6*) and I
> > > think it would be beneficial to upgrade these dependencies to the latest
> > > maintenance version found in Maven Central.
> > > For example, there is spring.data-2.0 2.0.*14*.RELEASE.
> > >
> > > Regards,
> > > --
> > > Ilya Kasnacheev
> > >
> > >
> > > Thu, 26 Dec 2019 at 19:32, Denis Magda <[hidden email]>:
> > >
> > > > A huge +1 for adding Spring Data related fixes/improvements. Ilya is right
> > > > that Spring Data related questions sparked last time due to missing support
> > > > of 2.2 version.
> > > >
> > > > Ilya, could you elaborate on what you mean under "bumping the versions"? Do
> > > > you suggest performing a straightforward upgrade of "ignite-spring-data" to
> > > > version 2.2 and introducing "ignite-spring-data-{old-version}" for the
> > > > previous versions? If it's so, I fully agree with the proposal.
> > > >
> > > > -
> > > > Denis
> > > >
> > > >
> > > > On Thu, Dec 26, 2019 at 4:52 AM Ilya Kasnacheev <[hidden email]>
> > > > wrote:
> > > >
> > > > > Hello!
> > > > >
> > > > > I propose to add the following ticket to the scope:
> > > > > https://issues.apache.org/jira/browse/IGNITE-12259 (3 commits, be careful
> > > > > with release version)
> > > > >
> > > > > Adding tickets to scope surely seems crazy now, but I will provide the
> > > > > following considerations:
> > > > > * This is Spring Data 2.2 integration, which we currently do not have,
> > > > > leading to lots of confused questions on Stack Overflow and mailing list.
> > > > > Spring Data is important to our public image since many people may learn
> > > > > about our project by starting with Spring Data.
> > > > >
> > > > > * It has zero code impact outside of its own module (just 2 POM files
> > > > > touched and that's all).
> > > > >
> > > > > * The core was ready since early November but, due to gmail quirk, we did
> > > > > not react to it in time.
> > > > >
> > > > > WDYT?
> > > > >
> > > > > Another semi-related question. *Should we bump our dependencies' versions
> > > > > before releasing 2.8?* I talk mainly about spring and hibernate
> > > > > dependencies. We could switch them to their latest maintenance versions to
> > > > > avoid shipping default links to outdated packages.
> > > > >
> > > > > I think this is one of things that are very hard to do between releases, so
> > > > > I think this dependencies bumping should be a part of a formal
> > > > > release/testing cycle, and then be backported to master.
> > > > >
> > > > > I could volunteer to do that myself, if we agree to merge these version
> > > > > upgrades to ignite-2.8 and then re-test.
> > > > >
> > > > > Regards,
> > > > > --
> > > > > Ilya Kasnacheev
> > > > >
> > > > >
> > > > > Tue, 24 Dec 2019 at 13:22, Zhenya Stanilovsky <[hidden email]>:
> > > > >
> > > > > > Igniters, I'll try to compare 2.8 release candidate vs 2.7.6,
> > > > > > last sha 2.8 was built from : 9d114f3137f92aebc2562a
> > > > > > I use yardstick benchmarks, 4 bare machine with: 2x Xeon X5570 96Gb 512GB
> > > > > > SSD 2048GB HDD 10GB/s
> > > > > > 1 for client (driver) and 3 for servers.
> > > > > > this mappings for graphs and real yardstick tests:
> > > > > >
> > > > > > atomic-put: IgnitePutBenchmark
> > > > > > sql-merge-query: IgniteSqlMergeQueryBenchmark
> > > > > > atomic-get: IgniteGetBenchmark
> > > > > > tx-get: IgniteGetTxBenchmark
> > > > > > tx-put: IgnitePutTxBenchmark
> > > > > > atomic-put-all-bs-10: IgnitePutAllBenchmark
> > > > > > tx-put-all-bs-10: IgnitePutAllTxBenchmark
> > > > > >
> > > > > > cacheMode — partitioned
> > > > > > CacheWriteSynchronizationMode.FULL_SYNC
> > > > > > 1 backup
> > > > > >
> > > > > > 1. wal = log_only 2. wal = none 3. persistence disabled.
> > > > > > Thanks Maxim for wiki page [1]
> > > > > >
> > > > > > [1]
> > > > > > https://cwiki.apache.org/confluence/display/IGNITE/Apache+Ignite+2.8#ApacheIgnite2.8-Benchmarks
> > > > > >
> > > > > > do we need some bisect or other work here ?
> > > > > >
> > > > > > >------- Forwarded message -------
> > > > > > >From: "Maxim Muzafarov" <[hidden email]>
> > > > > > >To: [hidden email]
> > > > > > >Cc:
> > > > > > >Subject: Apache Ignite 2.8 RELEASE [Time, Scope, Manager]
> > > > > > >Date: Fri, 20 Sep 2019 14:44:31 +0300
> > > > > > >
> > > > > > >Igniters,
> > > > > > >
> > > > > > >It's almost a year has passed since the last major Apache Ignite 2.7
> > > > > > >has been released. We've accumulated a lot of performance improvements
> > > > > > >and a lot of new features which are waiting for their release date.
> > > > > > >Here is my list of the most interesting things from my point since the
> > > > > > >last major release:
> > > > > > >
> > > > > > >Service Grid,
> > > > > > >Monitoring,
> > > > > > >Recovery Read
> > > > > > >BLT auto-adjust,
> > > > > > >PDS compression,
> > > > > > >WAL page compression,
> > > > > > >Thin client: best effort affinity,
> > > > > > >Thin client: transactions support (not yet)
> > > > > > >SQL query history
> > > > > > >SQL statistics
> > > > > > >
> > > > > > >I think we should no longer wait and freeze the master branch anymore
> > > > > > >and prepare the next major release by the end of the year.
> > > > > > >
> > > > > > >I propose to discuss Time, Scope of Apache Ignite 2.8 release and also
> > > > > > >I want to propose myself to be the release manager of the planning
> > > > > > >release.
> > > > > > >
> > > > > > >Scope Freeze: November 4, 2019
> > > > > > >Code Freeze: November 18, 2019
> > > > > > >Voting Date: December 10, 2019
> > > > > > >Release Date: December 17, 2019
> > > > > > >
> > > > > > >WDYT?
+1
Thu, 9 Jan 2020 at 16:38, Ivan Rakov <[hidden email]>:

> Maxim M. and anyone who is interested,
>
> I suggest to include this fix to 2.8 release:
> https://issues.apache.org/jira/browse/IGNITE-12225
> Basically, it's a result of the following discussion:
> http://apache-ignite-developers.2346864.n4.nabble.com/DISCUSSION-Single-point-in-API-for-changing-cluster-state-td43665.html
>
> The fix affects public API: IgniteCluster#readOnly methods that work with
> boolean are replaced with ones that work with enum.
> If we include it, we won't be obliged to keep deprecated boolean version of
> API in the code (which is currently present in 2.8 branch) as it wasn't
> published in any release.
>
> On Tue, Dec 31, 2019 at 3:54 PM Ilya Kasnacheev <[hidden email]>
> wrote:
>
> > Hello!
> >
> > I have run dependency checker plugin and quote the following:
> >
> > Main offenders seem to be "jackson-databind" and old maintenance releases
> > of Spring. I think we can bump most of that.
> >
> > Some integrations also clearly suffer, though it's a problem of their
> > users, since they need to declare their own libraries' versions by
> > convention.
> >
> > Regards,
> > --
> > Ilya Kasnacheev
> >
> >
> > Fri, 27 Dec 2019 at 23:59, Denis Magda <[hidden email]>:
> >
> > > Ilya, now I see, thanks for the explanation. Agree with you, let's update
> > > the versions of the dependencies to the latest.
> > >
> > > -
> > > Denis
> > >
> > >
> > > On Thu, Dec 26, 2019 at 10:50 PM Ilya Kasnacheev <[hidden email]>
> > > wrote:
> > >
> > > > Hello!
> > > >
> > > > I have committed ignite-spring-data_2.2 to ignite-2.8.
> > > >
> > > > By bumping versions I mean the following:
> > > >         <slf4j.version>1.7.*7*</slf4j.version>
> > > >         <slf4j16.version>1.6.*4*</slf4j16.version>
> > > >         <snappy.version>1.1.7.*2*</snappy.version>
> > > >         <spark.hadoop.version>2.6.*5*</spark.hadoop.version>
> > > >         <spark.version>2.3.*0*</spark.version>
> > > >         <spring.data.version>1.13.*14*.RELEASE</spring.data.version> <!-- don't forget to update spring version -->
> > > >         <spring.version>4.3.*18*.RELEASE</spring.version><!-- don't forget to update spring-data version -->
> > > >         <spring.data-2.0.version>2.0.*9*.RELEASE</spring.data-2.0.version> <!-- don't forget to update spring-5.0 version -->
> > > >         <spring-5.0.version>5.0.*8*.RELEASE</spring-5.0.version><!-- don't forget to update spring-data-2.0 version -->
> > > >
> > > > All these libraries have maintenance releases (such as our 2.7.*6*) and I
> > > > think it would be beneficial to upgrade these dependencies to the latest
> > > > maintenance version found in Maven Central.
> > > > For example, there is spring.data-2.0 2.0.*14*.RELEASE.
> > > >
> > > > Regards,
> > > > --
> > > > Ilya Kasnacheev
> > > >
> > > >
> > > > Thu, 26 Dec 2019 at 19:32, Denis Magda <[hidden email]>:
> > > >
> > > > > A huge +1 for adding Spring Data related fixes/improvements. Ilya is right
> > > > > that Spring Data related questions sparked last time due to missing support
> > > > > of 2.2 version.
> > > > >
> > > > > Ilya, could you elaborate on what you mean under "bumping the versions"? Do
> > > > > you suggest performing a straightforward upgrade of "ignite-spring-data" to
> > > > > version 2.2 and introducing "ignite-spring-data-{old-version}" for the
> > > > > previous versions? If it's so, I fully agree with the proposal.
> > > > >
> > > > > -
> > > > > Denis
> > > > >
> > > > >
> > > > > On Thu, Dec 26, 2019 at 4:52 AM Ilya Kasnacheev <[hidden email]>
> > > > > wrote:
> > > > >
> > > > > > Hello!
> > > > > >
> > > > > > I propose to add the following ticket to the scope:
> > > > > > https://issues.apache.org/jira/browse/IGNITE-12259 (3 commits, be careful
> > > > > > with release version)
> > > > > >
> > > > > > Adding tickets to scope surely seems crazy now, but I will provide the
> > > > > > following considerations:
> > > > > > * This is Spring Data 2.2 integration, which we currently do not have,
> > > > > > leading to lots of confused questions on stack overflow and mailing list.
> > > > > > Spring Data is important to our public image since many people may learn
> > > > > > about our project by starting with Spring Data.
> > > > > >
> > > > > > * It has zero code impact outside of its own module (just 2 POM files
> > > > > > touched and that's all).
> > > > > >
> > > > > > * The core was ready since early November but, due to gmail quirk, we did
> > > > > > not react to it in time.
> > > > > >
> > > > > > WDYT?
> > > > > >
> > > > > > Another semi-related question. *Should we bump our dependencies' versions
> > > > > > before releasing 2.8?* I talk mainly about spring and hibernate
> > > > > > dependencies. We could switch them to their latest maintenance versions to
> > > > > > avoid shipping default links to outdated packages.
> > > > > >
> > > > > > I think this is one of things that are very hard to do between releases, so
> > > > > > I think this dependencies bumping should be a part of a formal
> > > > > > release/testing cycle, and then be backported to master.
> > > > > >
> > > > > > I could volunteer to do that myself, if we agree to merge these version
> > > > > > upgrades to ignite-2.8 and then re-test.
> > > > > >
> > > > > > Regards,
> > > > > > --
> > > > > > Ilya Kasnacheev
> > > > > >
> > > > > >
> > > > > > Tue, 24 Dec 2019 at 13:22, Zhenya Stanilovsky <[hidden email]>:
> > > > > >
> > > > > > > Igniters, I'll try to compare 2.8 release candidate vs 2.7.6,
> > > > > > > last sha 2.8 was built from: 9d114f3137f92aebc2562a
> > > > > > > I use yardstick benchmarks, 4 bare machines with: 2x Xeon X5570 96Gb 512GB
> > > > > > > SSD 2048GB HDD 10GB/s
> > > > > > > 1 for client (driver) and 3 for servers.
> > > > > > > this mappings for graphs and real yardstick tests:
> > > > > > >
> > > > > > > atomic-put: IgnitePutBenchmark
> > > > > > > sql-merge-query: IgniteSqlMergeQueryBenchmark
> > > > > > > atomic-get: IgniteGetBenchmark
> > > > > > > tx-get: IgniteGetTxBenchmark
> > > > > > > tx-put: IgnitePutTxBenchmark
> > > > > > > atomic-put-all-bs-10: IgnitePutAllBenchmark
> > > > > > > tx-put-all-bs-10: IgnitePutAllTxBenchmark
> > > > > > >
> > > > > > > cacheMode — partitioned
> > > > > > > CacheWriteSynchronizationMode.FULL_SYNC
> > > > > > > 1 backup
> > > > > > >
> > > > > > > 1. wal = log_only 2. wal = none 3. persistence disabled.
> > > > > > > Thanks Maxim for wiki page [1]
> > > > > > >
> > > > > > > [1]
> > > > > > > https://cwiki.apache.org/confluence/display/IGNITE/Apache+Ignite+2.8#ApacheIgnite2.8-Benchmarks
> > > > > > >
> > > > > > > do we need some bisect or other work here ?
> > > > > > >
> > > > > > > >------- Forwarded message -------
> > > > > > > >From: "Maxim Muzafarov" <[hidden email]>
> > > > > > > >To: [hidden email]
> > > > > > > >Cc:
> > > > > > > >Subject: Apache Ignite 2.8 RELEASE [Time, Scope, Manager]
> > > > > > > >Date: Fri, 20 Sep 2019 14:44:31 +0300
> > > > > > > >
> > > > > > > >Igniters,
> > > > > > > >
> > > > > > > >
> > > > > > > >Almost a year has passed since the last major Apache Ignite 2.7
> > > > > > > >has been released. We've accumulated a lot of performance improvements
> > > > > > > >and a lot of new features which are waiting for their release date.
> > > > > > > >Here is my list of the most interesting things from my point since the
> > > > > > > >last major release:
> > > > > > > >
> > > > > > > >Service Grid,
> > > > > > > >Monitoring,
> > > > > > > >Recovery Read
> > > > > > > >BLT auto-adjust,
> > > > > > > >PDS compression,
> > > > > > > >WAL page compression,
> > > > > > > >Thin client: best effort affinity,
> > > > > > > >Thin client: transactions support (not yet)
> > > > > > > >SQL query history
> > > > > > > >SQL statistics
> > > > > > > >
> > > > > > > >I think we should no longer wait and freeze the master branch anymore
> > > > > > > >and prepare the next major release by the end of the year.
> > > > > > > >
> > > > > > > >
> > > > > > > >I propose to discuss Time, Scope of Apache Ignite 2.8 release and also
> > > > > > > >I want to propose myself to be the release manager of the planning
> > > > > > > >release.
> > > > > > > >
> > > > > > > >Scope Freeze: November 4, 2019
> > > > > > > >Code Freeze: November 18, 2019
> > > > > > > >Voting Date: December 10, 2019
> > > > > > > >Release Date: December 17, 2019
> > > > > > > >
> > > > > > > >
> > > > > > > >WDYT?

--
Best regards,
Ivan Pavlukhin
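Added example (not part of the thread and not Ignite project code): a Python triage of dependency-check summary text in the form quoted in this thread. It merges findings per Maven coordinate across modules, ranks them by distinct CVE count, and marks coordinates that occur only as a copy bundled inside another jar. The sample is constructed from entries in the quoted report; the function names and the fallback to the first CPE when the archive has masked the package URL are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: five entries copied from the report quoted in this thread,
# left in their mail-quoted, line-wrapped form.
SAMPLE = """\
> > One or more dependencies were identified with known vulnerabilities in
> > ignite-zookeeper:
> >
> > guava-16.0.1.jar (pkg:maven/com.google.guava/guava@16.0.1,
> > cpe:2.3:a:google:guava:16.0.1:*:*:*:*:*:*:*) : CVE-2018-10237
> > netty-all-4.1.29.Final.jar (pkg:maven/io.netty/[hidden email],
> > cpe:2.3:a:netty:netty:4.1.29:*:*:*:*:*:*:*) : CVE-2019-16869
> >
> > One or more dependencies were identified with known vulnerabilities in
> > ignite-storm:
> >
> > storm-core-1.1.1.jar/META-INF/maven/com.google.guava/guava/pom.xml
> > (pkg:maven/com.google.guava/guava@16.0.1,
> > cpe:2.3:a:google:guava:16.0.1:*:*:*:*:*:*:*) : CVE-2018-10237
> > storm-core-1.1.1.jar/META-INF/maven/io.netty/netty/pom.xml
> > (pkg:maven/io.netty/[hidden email],
> > cpe:2.3:a:netty:netty:3.9.0:*:*:*:*:*:*:*) : CVE-2014-0193, CVE-2014-3488,
> > CVE-2015-2156, CVE-2019-16869, POODLE vulnerability in SSLv3.0 support
> >
> > One or more dependencies were identified with known vulnerabilities in
> > ignite-cassandra-serializers:
> >
> > commons-collections-3.2.1.jar
> > (pkg:maven/commons-collections/commons-collections@3.2.1,
> > cpe:2.3:a:apache:commons_collections:3.2.1:*:*:*:*:*:*:*) : CVE-2015-6420,
> > CVE-2017-15708, Remote code execution
"""

HEADER_RE = re.compile(r"One or more dependencies were identified with known "
                       r"vulnerabilities in\s+([\w.-]+):")
ENTRY_RE = re.compile(r"(?P<path>\S+\.(?:jar|xml))\s+\((?P<ids>[^)]*)\)\s+:\s+")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}$")
MASK = "[hidden email]"  # the archive masked name@version as if it were an address


def unquote(text):
    """Strip leading '>' quote markers and re-join mail-wrapped lines."""
    lines = (re.sub(r"^\s*(?:>\s?)+", "", ln).strip() for ln in text.splitlines())
    return " ".join(ln for ln in lines if ln)


def coordinate(ids):
    """Prefer the package URL; fall back to the first CPE when the purl is masked."""
    parts = [p.strip() for p in ids.split(",") if p.strip()]
    purl = next((p for p in parts if p.startswith("pkg:")), "")
    if "@" in purl and MASK not in purl:
        return purl
    for p in parts:
        if p.startswith("cpe:2.3:"):
            return "cpe:" + ":".join(p.split(":")[3:6])  # vendor:product:version
    return purl or "unknown"


def parse(text):
    """Return one dict per reported file: module, path, coordinate, findings."""
    flat = unquote(text)
    headers = [(m.start(), m.group(1)) for m in HEADER_RE.finditer(flat)]
    entries = list(ENTRY_RE.finditer(flat))
    # A finding list ends where the next entry or module header starts.
    cuts = sorted([p for p, _ in headers] + [e.start() for e in entries] + [len(flat)])
    findings = []
    for e in entries:
        end = next(c for c in cuts if c >= e.end())
        items = [i.strip() for i in flat[e.end():end].split(",") if i.strip()]
        findings.append({
            "module": next((n for p, n in reversed(headers) if p < e.start()), "unknown"),
            "path": e.group("path"),
            "coordinate": coordinate(e.group("ids")),
            # A pom.xml found under META-INF/maven is a copy bundled inside another jar.
            "embedded": "/META-INF/maven/" in e.group("path"),
            "cves": [i for i in items if CVE_RE.match(i)],
            "other": [i for i in items if not CVE_RE.match(i)],  # unnumbered findings
        })
    return findings


def rank(findings):
    """Merge per coordinate; order by distinct CVE count, then name."""
    merged = defaultdict(lambda: {"cves": set(), "modules": set(), "embedded_only": True})
    for f in findings:
        m = merged[f["coordinate"]]
        m["cves"].update(f["cves"])
        m["modules"].add(f["module"])
        m["embedded_only"] = m["embedded_only"] and f["embedded"]
    rows = [(c, len(m["cves"]), sorted(m["modules"]), m["embedded_only"])
            for c, m in merged.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for coord, n, modules, embedded_only in rank(parse(SAMPLE)):
        kind = "bundled copy only" if embedded_only else "own jar"
        print(f"{n:2d}  {coord}  {', '.join(modules)}  ({kind})")
```

A coordinate that shows up only as a bundled copy, such as the netty 3.9.0 pom inside storm-core, is not replaced by changing a version property in parent/pom.xml; the jar that bundles it has to be upgraded.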
+1
I'm preparing patch for 2.8 branch now.
TC Bot visa for 2.8 branch will be at 13 Jan

Thu, 9 Jan 2020, 21:06 Ivan Pavlukhin <[hidden email]>:

> +1
>
> Thu, 9 Jan 2020 at 16:38, Ivan Rakov <[hidden email]>:
> >
> > Maxim M. and anyone who is interested,
> >
> > I suggest to include this fix to 2.8 release:
> > https://issues.apache.org/jira/browse/IGNITE-12225
> > Basically, it's a result of the following discussion:
> > http://apache-ignite-developers.2346864.n4.nabble.com/DISCUSSION-Single-point-in-API-for-changing-cluster-state-td43665.html
> >
> > The fix affects public API: IgniteCluster#readOnly methods that work with
> > boolean are replaced with ones that work with enum.
> > If we include it, we won't be obliged to keep deprecated boolean version of
> > API in the code (which is currently present in 2.8 branch) as it wasn't
> > published in any release.
> >
> > On Tue, Dec 31, 2019 at 3:54 PM Ilya Kasnacheev <[hidden email]>
> > wrote:
> >
> > > Hello!
> > >
> > > I have run dependency checker plugin and quote the following:
> > >
> > > Main offenders seem to be "jackson-databind" and old maintenance releases
> > > of Spring. I think we can bump most of that.
> > >
> > > Some integrations also clearly suffer, though it's a problem of their
> > > users, since they need to declare their own libraries' versions by
> > > convention.
> > >
> > > Regards,
> > > --
> > > Ilya Kasnacheev
> > >
> > >
> > > Fri, 27 Dec 2019 at 23:59, Denis Magda <[hidden email]>:
> > >
> > > > Ilya, now I see, thanks for the explanation. Agree with you, let's update
> > > > the versions of the dependencies to the latest.
> > > >
> > > > -
> > > > Denis
> > > >
> > > >
> > > > On Thu, Dec 26, 2019 at 10:50 PM Ilya Kasnacheev <[hidden email]>
> > > > wrote:
> > > >
> > > > > Hello!
> > > > >
> > > > > I have committed ignite-spring-data_2.2 to ignite-2.8.
> > > > >
> > > > > By bumping versions I mean the following:
> > > > >         <slf4j.version>1.7.*7*</slf4j.version>
> > > > >         <slf4j16.version>1.6.*4*</slf4j16.version>
> > > > >         <snappy.version>1.1.7.*2*</snappy.version>
> > > > >         <spark.hadoop.version>2.6.*5*</spark.hadoop.version>
> > > > >         <spark.version>2.3.*0*</spark.version>
> > > > >         <spring.data.version>1.13.*14*.RELEASE</spring.data.version> <!-- don't forget to update spring version -->
> > > > >         <spring.version>4.3.*18*.RELEASE</spring.version><!-- don't forget to update spring-data version -->
> > > > >         <spring.data-2.0.version>2.0.*9*.RELEASE</spring.data-2.0.version> <!-- don't forget to update spring-5.0 version -->
> > > > >         <spring-5.0.version>5.0.*8*.RELEASE</spring-5.0.version><!-- don't forget to update spring-data-2.0 version -->
> > > > >
> > > > > All these libraries have maintenance releases (such as our 2.7.*6*) and I
> > > > > think it would be beneficial to upgrade these dependencies to the latest
> > > > > maintenance version found in Maven Central.
> > > > > For example, there is spring.data-2.0 2.0.*14*.RELEASE.
> > > > > > > > > > Regards, > > > > > -- > > > > > Ilya Kasnacheev > > > > > > > > > > > > > > > чт, 26 дек. 2019 г. в 19:32, Denis Magda <[hidden email]>: > > > > > > > > > > > A huge +1 for adding Spring Data related fixes/improvements. > Ilya is > > > > > right > > > > > > that Spring Data related questions sparked last time due to > missing > > > > > support > > > > > > of 2.2 version. > > > > > > > > > > > > Ilya, could you elaborate on what you mean under "bumping the > > > > versions"? > > > > > Do > > > > > > you suggest performing a straightforward upgrade of > > > > "ignite-spring-data" > > > > > to > > > > > > version 2.2 and introducing "ignite-spring-data-{old-version"} > for > > > the > > > > > > previous versions? If it's so, I fully agree with the proposal. > > > > > > > > > > > > - > > > > > > Denis > > > > > > > > > > > > > > > > > > On Thu, Dec 26, 2019 at 4:52 AM Ilya Kasnacheev < > > > > > [hidden email] > > > > > > > > > > > > > wrote: > > > > > > > > > > > > > Hello! > > > > > > > > > > > > > > I propose to add the following ticket to the scope: > > > > > > > https://issues.apache.org/jira/browse/IGNITE-12259 (3 > commits, be > > > > > > careful > > > > > > > with release version) > > > > > > > > > > > > > > Adding tickets to scope surely seems crazy now, but I will > provide > > > > the > > > > > > > following considerations: > > > > > > > * This is Spring Data 2.2 integration, which we currently do > not > > > > have, > > > > > > > leading to lots of confused questions on stack overflow and > mailing > > > > > list. > > > > > > > Spring Data is important to our public image since many people > may > > > > > learn > > > > > > > about out project by starting with Spring Data. > > > > > > > > > > > > > > * It has zero code impact outside of its own module (just 2 POM > > > file > > > > > > > touched and that's all). 
> > > > > > > > > > > > > > * The core was ready since early November but, due to gmail > quirk, > > > we > > > > > did > > > > > > > not react to it in time. > > > > > > > > > > > > > > WDYT? > > > > > > > > > > > > > > Another semi-related question. *Should we bump our > dependencies' > > > > > versions > > > > > > > before releasing 2.8?* I talk mainly about spring and hibernate > > > > > > > dependencies. We could switch them to their latest maintenance > > > > versions > > > > > > to > > > > > > > avoid shipping default links to outdated packages. > > > > > > > > > > > > > > I think this is one of things that are very hard to do between > > > > > releases, > > > > > > so > > > > > > > I think this dependencies bumping should be a part of a formal > > > > > > > release/testing cycle, and then be backported to master. > > > > > > > > > > > > > > I could volunteer to do that myself, if we agree to merge these > > > > version > > > > > > > upgrades to ignite-2.8 and then re-test. > > > > > > > > > > > > > > Regards, > > > > > > > -- > > > > > > > Ilya Kasnacheev > > > > > > > > > > > > > > > > > > > > > вт, 24 дек. 2019 г. в 13:22, Zhenya Stanilovsky > > > > > > <[hidden email] > > > > > > > >: > > > > > > > > > > > > > > > > > > > > > > > Igniters, i`l try to compare 2.8 release candidate vs 2.7.6, > > > > > > > > last sha 2.8 was build from : 9d114f3137f92aebc2562a > > > > > > > > i use yardstick benchmarks, 4 bare machine with: 2x Xeon > X5570 > > > > 96Gb > > > > > > > 512GB > > > > > > > > SSD 2048GB HDD 10GB/s > > > > > > > > 1 for client (driver) and 3 for servers. 
> > > > > > > > this mappings for graphs and real yardstick tests: > > > > > > > > > > > > > > > > atomic-put: IgnitePutBenchmark > > > > > > > > sql-merge-query: IgniteSqlMergeQueryBenchmark > > > > > > > > atomic-get: IgniteGetBenchmark > > > > > > > > tx-get: IgniteGetTxBenchmark > > > > > > > > tx-put: IgnitePutTxBenchmark > > > > > > > > atomic-put-all-bs-10: IgnitePutAllBenchmark > > > > > > > > tx-put-all-bs-10: IgnitePutAllTxBenchmark > > > > > > > > > > > > > > > > cacheMode — partitioned > > > > > > > > CacheWriteSynchronizationMode.FULL_SYNC > > > > > > > > 1 backup > > > > > > > > > > > > > > > > 1. wal = log_only 2. wal = none 3. persistence disabled. > > > > > > > > Thanks Maxim for wiki page [1] > > > > > > > > > > > > > > > > > > > > > > > > [1] > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > https://cwiki.apache.org/confluence/display/IGNITE/Apache+Ignite+2.8#ApacheIgnite2.8-Benchmarks > > > > > > > > > > > > > > > > do we need some bisect or other work here ? > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > >------- Forwarded message ------- > > > > > > > > >From: "Maxim Muzafarov" < [hidden email] > > > > > > > > > >To: [hidden email] > > > > > > > > >Cc: > > > > > > > > >Subject: Apache Ignite 2.8 RELEASE [Time, Scope, Manager] > > > > > > > > >Date: Fri, 20 Sep 2019 14:44:31 +0300 > > > > > > > > > > > > > > > > > >Igniters, > > > > > > > > > > > > > > > > > > > > > > > > > > >It's almost a year has passed since the last major Apache > Ignite > > > > 2.7 > > > > > > > > >has been released. We've accumulated a lot of performance > > > > > improvements > > > > > > > > >and a lot of new features which are waiting for their > release > > > > date. 
> > > > > > > > >Here is my list of the most interesting things from my point > > > since > > > > > the > > > > > > > > >last major release: > > > > > > > > > > > > > > > > > >Service Grid, > > > > > > > > >Monitoring, > > > > > > > > >Recovery Read > > > > > > > > >BLT auto-adjust, > > > > > > > > >PDS compression, > > > > > > > > >WAL page compression, > > > > > > > > >Thin client: best effort affinity, > > > > > > > > >Thin client: transactions support (not yet) > > > > > > > > >SQL query history > > > > > > > > >SQL statistics > > > > > > > > > > > > > > > > > >I think we should no longer wait and freeze the master > branch > > > > > anymore > > > > > > > > >and prepare the next major release by the end of the year. > > > > > > > > > > > > > > > > > > > > > > > > > > >I propose to discuss Time, Scope of Apache Ignite 2.8 > release > > > and > > > > > also > > > > > > > > >I want to propose myself to be the release manager of the > > > planning > > > > > > > > >release. > > > > > > > > > > > > > > > > > >Scope Freeze: November 4, 2019 > > > > > > > > >Code Freeze: November 18, 2019 > > > > > > > > >Voting Date: December 10, 2019 > > > > > > > > >Release Date: December 17, 2019 > > > > > > > > > > > > > > > > > > > > > > > > > > >WDYT? > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > Best regards, > Ivan Pavlukhin > |
+1
Thu, 9 Jan 2020 at 18:52, Sergey Antonov <[hidden email]>:

> +1
>
> I'm preparing patch for 2.8 branch now. TC Bot visa for 2.8 branch will be
> at 13 Jan
>
> Thu, 9 Jan 2020, 21:06 Ivan Pavlukhin <[hidden email]>:
>
> > +1
> >
> > Thu, 9 Jan 2020 at 16:38, Ivan Rakov <[hidden email]>:
> >
> > > Maxim M. and anyone who is interested,
> > >
> > > I suggest to include this fix to 2.8 release:
> > > https://issues.apache.org/jira/browse/IGNITE-12225
> > > Basically, it's a result of the following discussion:
> > > http://apache-ignite-developers.2346864.n4.nabble.com/DISCUSSION-Single-point-in-API-for-changing-cluster-state-td43665.html
> > >
> > > The fix affects public API: IgniteCluster#readOnly methods that work with
> > > boolean are replaced with ones that work with enum.
> > > If we include it, we won't be obliged to keep deprecated boolean version of
> > > API in the code (which is currently present in 2.8 branch) as it wasn't
> > > published in any release.
> > >
> > > On Tue, Dec 31, 2019 at 3:54 PM Ilya Kasnacheev <[hidden email]>
> > > wrote:
> > >
> > > > Hello!
Folks,

Let me remind you that we are currently working on the 2.8 release branch stabilization (please, keep it in mind).

Do we have a really STRONG reason for adding such a change [1] to the ignite-2.8 branch? This PR [2] doesn't look very simple: +5,517 −2,038, 111 files changed.

Do we have customer requests for this feature, or maybe users who are waiting for exactly those ENUM values exactly in the 2.8 release (not the 2.8.1, for instance)?

Can we just simply remove IgniteCluster#readOnly to eliminate any backward compatibility issues between the 2.8 and 2.9 releases?

Do we have an extended test results report (on just only TC.Bot green visa) on this feature to be sure that we will not add any blocker issues to the release? For instance, on a pre-production environment.

I'd like to note that we also have more than enough release blocker issues [3] which are still `in progress`, and such a release run becomes endless. Such changes without strong reasons look too scary to me, especially after the scope and code freeze dates.

Please, dispel my doubts.

[1] https://issues.apache.org/jira/browse/IGNITE-12225
[2] https://github.com/apache/ignite/pull/7194
[3] https://cwiki.apache.org/confluence/display/IGNITE/Apache+Ignite+2.8#ApacheIgnite2.8-Unresolvedissues(notrelatedtodocumentation)

On Thu, 9 Jan 2020 at 19:01, Alexey Zinoviev <[hidden email]> wrote:
>
> +1
>
> Thu, 9 Jan 2020 at 18:52, Sergey Antonov <[hidden email]>:
>
> > +1
> >
> > I'm preparing patch for 2.8 branch now. TC Bot visa for 2.8 branch will be
> > at 13 Jan
> >
> > Thu, 9 Jan 2020, 21:06 Ivan Pavlukhin <[hidden email]>:
> >
> > > +1
> > >
> > > Thu, 9 Jan 2020 at 16:38, Ivan Rakov <[hidden email]>:
> > >
> > > > Maxim M.
and anyone who is interested, > > > > > > > > I suggest to include this fix to 2.8 release: > > > > https://issues.apache.org/jira/browse/IGNITE-12225 > > > > Basically, it's a result of the following discussion: > > > > > > > > > http://apache-ignite-developers.2346864.n4.nabble.com/DISCUSSION-Single-point-in-API-for-changing-cluster-state-td43665.html > > > > > > > > The fix affects public API: IgniteCluster#readOnly methods that work > > with > > > > boolean are replaced with ones that work with enum. > > > > If we include it, we won't be obliged to keep deprecated boolean > > version > > > of > > > > API in the code (which is currently present in 2.8 branch) as it wasn't > > > > published in any release. > > > > > > > > On Tue, Dec 31, 2019 at 3:54 PM Ilya Kasnacheev < > > > [hidden email]> > > > > wrote: > > > > > > > > > Hello! > > > > > > > > > > I have ran dependency checker plugin and quote the following: > > > > > > > > > > One or more dependencies were identified with known vulnerabilities > > in > > > > > ignite-urideploy: > > > > > One or more dependencies were identified with known vulnerabilities > > in > > > > > ignite-spring: > > > > > One or more dependencies were identified with known vulnerabilities > > in > > > > > ignite-spring-data: > > > > > One or more dependencies were identified with known vulnerabilities > > in > > > > > ignite-aop: > > > > > One or more dependencies were identified with known vulnerabilities > > in > > > > > ignite-visor-console: > > > > > > > > > > spring-core-4.3.18.RELEASE.jar > > > > > (pkg:maven/org.springframework/[hidden email], > > > > > > > > cpe:2.3:a:pivotal_software:spring_framework:4.3.18.release:*:*:*:*:*:*:*, > > > > > cpe:2.3:a:springsource:spring_framework:4.3.18.release:*:*:*:*:*:*:*, > > > > > cpe:2.3:a:vmware:springsource_spring_framework:4.3.18:*:*:*:*:*:*:*) > > : > > > > > CVE-2018-15756 > > > > > > > > > > One or more dependencies were identified with known vulnerabilities > > in > > > > > 
ignite-spring-data_2.0: > > > > > > > > > > spring-core-5.0.8.RELEASE.jar > > > > > (pkg:maven/org.springframework/[hidden email], > > > > > > > > cpe:2.3:a:pivotal_software:spring_framework:5.0.8.release:*:*:*:*:*:*:*, > > > > > cpe:2.3:a:springsource:spring_framework:5.0.8.release:*:*:*:*:*:*:*, > > > > > cpe:2.3:a:vmware:springsource_spring_framework:5.0.8:*:*:*:*:*:*:*) : > > > > > CVE-2018-15756 > > > > > > > > > > One or more dependencies were identified with known vulnerabilities > > in > > > > > ignite-rest-http: > > > > > > > > > > jetty-server-9.4.11.v20180605.jar > > > > > (pkg:maven/org.eclipse.jetty/jetty-server@9.4.11.v20180605, > > > > > cpe:2.3:a:eclipse:jetty:9.4.11:20180605:*:*:*:*:*:*, > > > > > cpe:2.3:a:jetty:jetty:9.4.11.v20180605:*:*:*:*:*:*:*, > > > > > cpe:2.3:a:mortbay_jetty:jetty:9.4.11:20180605:*:*:*:*:*:*) : > > > > > CVE-2018-12545, CVE-2019-10241, CVE-2019-10247 > > > > > jackson-databind-2.9.6.jar > > > > > (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.6, > > > > > cpe:2.3:a:fasterxml:jackson:2.9.6:*:*:*:*:*:*:*, > > > > > cpe:2.3:a:fasterxml:jackson-databind:2.9.6:*:*:*:*:*:*:*) : > > > > > CVE-2018-1000873, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, > > > > > CVE-2018-14721, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362, > > > > > CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, > > > > > CVE-2019-14439, CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, > > > > > CVE-2019-16943, CVE-2019-17267, CVE-2019-17531 > > > > > > > > > > One or more dependencies were identified with known vulnerabilities > > in > > > > > ignite-kubernetes: > > > > > One or more dependencies were identified with known vulnerabilities > > in > > > > > ignite-aws: > > > > > > > > > > jackson-databind-2.9.6.jar > > > > > (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.6, > > > > > cpe:2.3:a:fasterxml:jackson:2.9.6:*:*:*:*:*:*:*, > > > > > cpe:2.3:a:fasterxml:jackson-databind:2.9.6:*:*:*:*:*:*:*) : > > > > > 
CVE-2018-1000873, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, > > > > > CVE-2018-14721, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362, > > > > > CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, > > > > > CVE-2019-14439, CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, > > > > > CVE-2019-16943, CVE-2019-17267, CVE-2019-17531 > > > > > bcprov-ext-jdk15on-1.54.jar > > > > > (pkg:maven/org.bouncycastle/bcprov-ext-jdk15on@1.54) : > > CVE-2015-6644, > > > > > CVE-2016-1000338, CVE-2016-1000339, CVE-2016-1000340, > > CVE-2016-1000341, > > > > > CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, > > CVE-2016-1000345, > > > > > CVE-2016-1000346, CVE-2016-1000352, CVE-2016-2427, CVE-2017-13098, > > > > > CVE-2018-1000180, CVE-2018-1000613 > > > > > > > > > > One or more dependencies were identified with known vulnerabilities > > in > > > > > ignite-gce: > > > > > > > > > > httpclient-4.0.1.jar > > > (pkg:maven/org.apache.httpcomponents/httpclient@4.0.1 > > > > > , > > > > > cpe:2.3:a:apache:httpclient:4.0.1:*:*:*:*:*:*:*) : CVE-2011-1498, > > > > > CVE-2014-3577, CVE-2015-5262 > > > > > guava-jdk5-17.0.jar (pkg:maven/com.google.guava/guava-jdk5@17.0, > > > > > cpe:2.3:a:google:guava:17.0:*:*:*:*:*:*:*) : CVE-2018-10237 > > > > > > > > > > One or more dependencies were identified with known vulnerabilities > > in > > > > > ignite-cloud: > > > > > > > > > > openstack-keystone-2.0.0.jar > > > > > (pkg:maven/org.apache.jclouds.api/openstack-keystone@2.0.0, > > > > > cpe:2.3:a:openstack:keystone:2.0.0:*:*:*:*:*:*:*, > > > > > cpe:2.3:a:openstack:openstack:2.0.0:*:*:*:*:*:*:*) : CVE-2013-2014, > > > > > CVE-2013-4222, CVE-2013-6391, CVE-2014-0204, CVE-2014-3476, > > > CVE-2014-3520, > > > > > CVE-2014-3621, CVE-2015-3646, CVE-2015-7546, CVE-2018-14432, > > > CVE-2018-20170 > > > > > cloudstack-2.0.0.jar > > (pkg:maven/org.apache.jclouds.api/cloudstack@2.0.0 > > > , > > > > > cpe:2.3:a:apache:cloudstack:2.0.0:*:*:*:*:*:*:*) : CVE-2013-2136, > > > > > 
CVE-2013-6398, CVE-2014-0031, CVE-2014-9593, CVE-2015-3252 > > > > > docker-2.0.0.jar (pkg:maven/org.apache.jclouds.api/docker@2.0.0, > > > > > cpe:2.3:a:docker:docker:2.0.0:*:*:*:*:*:*:*) : CVE-2018-10892, > > > > > CVE-2019-13139, CVE-2019-13509, CVE-2019-15752, CVE-2019-16884, > > > > > CVE-2019-5736 > > > > > guava-16.0.1.jar (pkg:maven/com.google.guava/guava@16.0.1, > > > > > cpe:2.3:a:google:guava:16.0.1:*:*:*:*:*:*:*) : CVE-2018-10237 > > > > > docker-1.9.3.jar (pkg:maven/org.apache.jclouds.labs/docker@1.9.3, > > > > > cpe:2.3:a:docker:docker:1.9.3:*:*:*:*:*:*:*) : CVE-2016-3697, > > > > > CVE-2017-14992, CVE-2019-13139, CVE-2019-13509, CVE-2019-15752, > > > > > CVE-2019-16884, CVE-2019-5736 > > > > > jsch.agentproxy.core-0.0.8.jar > > > > > (pkg:maven/com.jcraft/jsch.agentproxy.core@0.0.8, > > > > > cpe:2.3:a:jcraft:jsch:0.0.8:*:*:*:*:*:*:*) : CVE-2016-5725 > > > > > bcprov-ext-jdk15on-1.49.jar > > > > > (pkg:maven/org.bouncycastle/bcprov-ext-jdk15on@1.49) : > > CVE-2015-6644, > > > > > CVE-2015-7940, CVE-2016-1000338, CVE-2016-1000339, CVE-2016-1000341, > > > > > CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, > > CVE-2016-1000345, > > > > > CVE-2016-1000346, CVE-2016-1000352, CVE-2017-13098, CVE-2018-1000613 > > > > > okhttp-2.2.0.jar (pkg:maven/com.squareup.okhttp/okhttp@2.2.0, > > > > > cpe:2.3:a:squareup:okhttp:2.2.0:*:*:*:*:*:*:*) : CVE-2016-2402 > > > > > > > > > > One or more dependencies were identified with known vulnerabilities > > in > > > > > ignite-mesos: > > > > > > > > > > mesos-1.5.0.jar (pkg:maven/org.apache.mesos/mesos@1.5.0, > > > > > cpe:2.3:a:apache:mesos:1.5.0:*:*:*:*:*:*:*) : CVE-2018-11793, > > > > > CVE-2018-1330, CVE-2018-8023, CVE-2019-0204, CVE-2019-5736 > > > > > jetty-server-9.4.11.v20180605.jar > > > > > (pkg:maven/org.eclipse.jetty/jetty-server@9.4.11.v20180605, > > > > > cpe:2.3:a:eclipse:jetty:9.4.11:20180605:*:*:*:*:*:*, > > > > > cpe:2.3:a:jetty:jetty:9.4.11.v20180605:*:*:*:*:*:*:*, > > > > > 
cpe:2.3:a:mortbay_jetty:jetty:9.4.11:20180605:*:*:*:*:*:*) : > > > > > CVE-2018-12545, CVE-2019-10241, CVE-2019-10247 > > > > > jackson-databind-2.9.6.jar > > > > > (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.6, > > > > > cpe:2.3:a:fasterxml:jackson:2.9.6:*:*:*:*:*:*:*, > > > > > cpe:2.3:a:fasterxml:jackson-databind:2.9.6:*:*:*:*:*:*:*) : > > > > > CVE-2018-1000873, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, > > > > > CVE-2018-14721, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362, > > > > > CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, > > > > > CVE-2019-14439, CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, > > > > > CVE-2019-16943, CVE-2019-17267, CVE-2019-17531 > > > > > > > > > > One or more dependencies were identified with known vulnerabilities > > in > > > > > ignite-kafka: > > > > > > > > > > kafka-clients-2.0.1.jar > > (pkg:maven/org.apache.kafka/kafka-clients@2.0.1 > > > , > > > > > cpe:2.3:a:apache:kafka:2.0.1:*:*:*:*:*:*:*) : CVE-2018-17196 > > > > > connect-api-2.0.1.jar (pkg:maven/org.apache.kafka/connect-api@2.0.1, > > > > > cpe:2.3:a:apache:kafka:2.0.1:*:*:*:*:*:*:*) : CVE-2018-17196 > > > > > > > > > > One or more dependencies were identified with known vulnerabilities > > in > > > > > ignite-flume: > > > > > > > > > > guava-11.0.2.jar (pkg:maven/com.google.guava/guava@11.0.2, > > > > > cpe:2.3:a:google:guava:11.0.2:*:*:*:*:*:*:*) : CVE-2018-10237 > > > > > jackson-core-asl-1.8.8.jar > > > > > (pkg:maven/org.codehaus.jackson/jackson-core-asl@1.8.8, > > > > > cpe:2.3:a:fasterxml:jackson:1.8.8:*:*:*:*:*:*:*) : CVE-2017-15095, > > > > > CVE-2017-17485, CVE-2017-7525 > > > > > jackson-mapper-asl-1.8.8.jar > > > > > (pkg:maven/org.codehaus.jackson/jackson-mapper-asl@1.8.8, > > > > > cpe:2.3:a:fasterxml:jackson:1.8.8:*:*:*:*:*:*:*, > > > > > cpe:2.3:a:fasterxml:jackson-mapper-asl:1.8.8:*:*:*:*:*:*:*) : > > > > > CVE-2017-15095, CVE-2017-17485, CVE-2017-7525, CVE-2018-1000873, > > > > > CVE-2018-14718, CVE-2018-5968, 
CVE-2018-7489, CVE-2019-14540, > > > > > CVE-2019-16335, CVE-2019-17267 > > > > > commons-collections-3.2.1.jar > > > > > (pkg:maven/commons-collections/commons-collections@3.2.1, > > > > > cpe:2.3:a:apache:commons_collections:3.2.1:*:*:*:*:*:*:*) : > > > CVE-2015-6420, > > > > > CVE-2017-15708, Remote code execution > > > > > netty-3.9.4.Final.jar (pkg:maven/io.netty/[hidden email], > > > > > cpe:2.3:a:netty:netty:3.9.4:*:*:*:*:*:*:*) : CVE-2015-2156, > > > CVE-2019-16869, > > > > > POODLE vulnerability in SSLv3.0 support > > > > > servlet-api-2.5-20110124.jar > > > > > (pkg:maven/org.mortbay.jetty/servlet-api@2.5-20110124, > > > > > cpe:2.3:a:jetty:jetty:2.5.20110124:*:*:*:*:*:*:*, > > > > > cpe:2.3:a:mortbay:jetty:2.5.20110124:*:*:*:*:*:*:*, > > > > > cpe:2.3:a:mortbay_jetty:jetty:2.5.20110124:*:*:*:*:*:*:*) : > > > CVE-2005-3747, > > > > > CVE-2007-5615, CVE-2009-1523, CVE-2009-1524, CVE-2009-5048, > > > CVE-2009-5049, > > > > > CVE-2011-4461 > > > > > jetty-util-6.1.26.jar (pkg:maven/org.mortbay.jetty/jetty-util@6.1.26 > > , > > > > > cpe:2.3:a:jetty:jetty:6.1.26:*:*:*:*:*:*:*, > > > > > cpe:2.3:a:mortbay:jetty:6.1.26:*:*:*:*:*:*:*, > > > > > cpe:2.3:a:mortbay_jetty:jetty:6.1.26:*:*:*:*:*:*:*) : CVE-2009-1523, > > > > > CVE-2011-4461 > > > > > jetty-6.1.26.jar (pkg:maven/org.mortbay.jetty/jetty@6.1.26, > > > > > cpe:2.3:a:jetty:jetty:6.1.26:*:*:*:*:*:*:*, > > > > > cpe:2.3:a:mortbay:jetty:6.1.26:*:*:*:*:*:*:*, > > > > > cpe:2.3:a:mortbay_jetty:jetty:6.1.26:*:*:*:*:*:*:*) : CVE-2009-1523, > > > > > CVE-2011-4461, CVE-2017-7656, CVE-2017-7657, CVE-2017-7658, > > > CVE-2017-9735, > > > > > CVE-2019-10241, CVE-2019-10247 > > > > > libthrift-0.9.0.jar (pkg:maven/org.apache.thrift/libthrift@0.9.0) : > > > > > CVE-2015-3254, CVE-2016-5397, CVE-2018-1320, CVE-2019-0205 > > > > > httpclient-4.1.3.jar > > > (pkg:maven/org.apache.httpcomponents/httpclient@4.1.3 > > > > > , > > > > > cpe:2.3:a:apache:httpclient:4.1.3:*:*:*:*:*:*:*) : CVE-2014-3577, > > > > > CVE-2015-5262 
> > > > > > > > > > One or more dependencies were identified with known vulnerabilities > > in > > > > > ignite-twitter: > > > > > > > > > > httpclient-4.2.5.jar > > > (pkg:maven/org.apache.httpcomponents/httpclient@4.2.5 > > > > > , > > > > > cpe:2.3:a:apache:httpclient:4.2.5:*:*:*:*:*:*:*) : CVE-2014-3577, > > > > > CVE-2015-5262 > > > > > guava-14.0.1.jar (pkg:maven/com.google.guava/guava@14.0.1, > > > > > cpe:2.3:a:google:guava:14.0.1:*:*:*:*:*:*:*) : CVE-2018-10237 > > > > > > > > > > One or more dependencies were identified with known vulnerabilities > > in > > > > > ignite-zookeeper: > > > > > > > > > > jackson-databind-2.9.8.jar > > > > > (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8, > > > > > cpe:2.3:a:fasterxml:jackson:2.9.8:*:*:*:*:*:*:*, > > > > > cpe:2.3:a:fasterxml:jackson-databind:2.9.8:*:*:*:*:*:*:*) : > > > CVE-2019-12086, > > > > > CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, CVE-2019-14439, > > > > > CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943, > > > > > CVE-2019-17267, CVE-2019-17531 > > > > > guava-16.0.1.jar (pkg:maven/com.google.guava/guava@16.0.1, > > > > > cpe:2.3:a:google:guava:16.0.1:*:*:*:*:*:*:*) : CVE-2018-10237 > > > > > jackson-mapper-asl-1.9.13.jar > > > > > (pkg:maven/org.codehaus.jackson/jackson-mapper-asl@1.9.13, > > > > > cpe:2.3:a:fasterxml:jackson:1.9.13:*:*:*:*:*:*:*, > > > > > cpe:2.3:a:fasterxml:jackson-mapper-asl:1.9.13:*:*:*:*:*:*:*) : > > > > > CVE-2017-15095, CVE-2017-17485, CVE-2017-7525, CVE-2018-1000873, > > > > > CVE-2018-14718, CVE-2018-5968, CVE-2018-7489, CVE-2019-10172, > > > > > CVE-2019-14540, CVE-2019-16335, CVE-2019-17267 > > > > > netty-all-4.1.29.Final.jar (pkg:maven/io.netty/[hidden email] > > , > > > > > cpe:2.3:a:netty:netty:4.1.29:*:*:*:*:*:*:*) : CVE-2019-16869 > > > > > > > > > > One or more dependencies were identified with known vulnerabilities > > in > > > > > ignite-camel: > > > > > > > > > > camel-core-2.22.0.jar 
(pkg:maven/org.apache.camel/camel-core@2.22.0, > > > > > cpe:2.3:a:apache:camel:2.22.0:*:*:*:*:*:*:*) : CVE-2018-8041, > > > > > CVE-2019-0188, CVE-2019-0194 > > > > > > > > > > > > > > > camel-core-2.22.0.jar/META-INF/maven/org.apache.camel/spi-annotations/pom.xml > > > > > (pkg:maven/org.apache.camel/spi-annotations@2.22.0, > > > > > cpe:2.3:a:apache:camel:2.22.0:*:*:*:*:*:*:*) : CVE-2018-8041, > > > > > CVE-2019-0188, CVE-2019-0194 > > > > > > > > > > One or more dependencies were identified with known vulnerabilities > > in > > > > > ignite-storm: > > > > > > > > > > storm-core-1.1.1.jar (pkg:maven/org.apache.storm/storm-core@1.1.1, > > > > > cpe:2.3:a:apache:storm:1.1.1:*:*:*:*:*:*:*) : CVE-2018-11779, > > > > > CVE-2018-1331, CVE-2018-1332, CVE-2018-8008, CVE-2019-0202 > > > > > > > > > > storm-core-1.1.1.jar/META-INF/maven/org.eclipse.jetty/jetty-servlet/pom.xml > > > > > (pkg:maven/org.eclipse.jetty/jetty-servlet@7.6.13.v20130916, > > > > > cpe:2.3:a:eclipse:jetty:7.6.13:20130916:*:*:*:*:*:*, > > > > > cpe:2.3:a:jetty:jetty:7.6.13.v20130916:*:*:*:*:*:*:*) : > > CVE-2019-10247 > > > > > > > > > > > > > > > storm-core-1.1.1.jar/META-INF/maven/org.apache.httpcomponents/httpclient/pom.xml > > > > > (pkg:maven/org.apache.httpcomponents/httpclient@4.3.3, > > > > > cpe:2.3:a:apache:httpclient:4.3.3:*:*:*:*:*:*:*) : CVE-2014-3577, > > > > > CVE-2015-5262 > > > > > storm-core-1.1.1.jar/META-INF/maven/com.google.guava/guava/pom.xml > > > > > (pkg:maven/com.google.guava/guava@16.0.1, > > > > > cpe:2.3:a:google:guava:16.0.1:*:*:*:*:*:*:*) : CVE-2018-10237 > > > > > storm-core-1.1.1.jar/META-INF/maven/io.netty/netty/pom.xml > > > > > (pkg:maven/io.netty/[hidden email], > > > > > cpe:2.3:a:netty:netty:3.9.0:*:*:*:*:*:*:*) : CVE-2014-0193, > > > CVE-2014-3488, > > > > > CVE-2015-2156, CVE-2019-16869, POODLE vulnerability in SSLv3.0 > > support > > > > > > > > > > storm-core-1.1.1.jar/META-INF/maven/org.eclipse.jetty/jetty-server/pom.xml > > > > > 
(pkg:maven/org.eclipse.jetty/jetty-server@7.6.13.v20130916, > > > > > cpe:2.3:a:eclipse:jetty:7.6.13:20130916:*:*:*:*:*:*, > > > > > cpe:2.3:a:jetty:jetty:7.6.13.v20130916:*:*:*:*:*:*:*) : > > CVE-2011-4461, > > > > > CVE-2017-7656, CVE-2017-7657, CVE-2017-7658, CVE-2017-9735, > > > CVE-2019-10241, > > > > > CVE-2019-10247 > > > > > > > > storm-core-1.1.1.jar/META-INF/maven/org.eclipse.jetty/jetty-util/pom.xml > > > > > (pkg:maven/org.eclipse.jetty/jetty-util@7.6.13.v20130916, > > > > > cpe:2.3:a:eclipse:jetty:7.6.13:20130916:*:*:*:*:*:*, > > > > > cpe:2.3:a:jetty:jetty:7.6.13.v20130916:*:*:*:*:*:*:*) : > > CVE-2011-4461, > > > > > CVE-2019-10247 > > > > > > > > > > > > > > > storm-core-1.1.1.jar/META-INF/maven/commons-fileupload/commons-fileupload/pom.xml > > > > > (pkg:maven/commons-fileupload/commons-fileupload@1.3.2, > > > > > cpe:2.3:a:apache:commons_fileupload:1.3.2:*:*:*:*:*:*:*) : > > > CVE-2016-1000031 > > > > > > > > storm-core-1.1.1.jar/META-INF/maven/org.apache.hadoop/hadoop-auth/pom.xml > > > > > (pkg:maven/org.apache.hadoop/hadoop-auth@2.6.1, > > > > > cpe:2.3:a:apache:hadoop:2.6.1:*:*:*:*:*:*:*) : CVE-2015-1776, > > > > > CVE-2016-3086, CVE-2016-5001, CVE-2016-5393, CVE-2016-6811, > > > CVE-2017-15713, > > > > > CVE-2017-3161, CVE-2017-3162, CVE-2017-3166, CVE-2018-11768, > > > CVE-2018-1296, > > > > > CVE-2018-8009, CVE-2018-8029 > > > > > > > > > > One or more dependencies were identified with known vulnerabilities > > in > > > > > ignite-cassandra-store: > > > > > One or more dependencies were identified with known vulnerabilities > > in > > > > > ignite-cassandra-serializers: > > > > > > > > > > commons-beanutils-1.9.2.jar > > > > > (pkg:maven/commons-beanutils/commons-beanutils@1.9.2, > > > > > cpe:2.3:a:apache:commons_beanutils:1.9.2:*:*:*:*:*:*:*) : > > > CVE-2019-10086 > > > > > commons-collections-3.2.1.jar > > > > > (pkg:maven/commons-collections/commons-collections@3.2.1, > > > > > cpe:2.3:a:apache:commons_collections:3.2.1:*:*:*:*:*:*:*) 
: > > > CVE-2015-6420, > > > > > CVE-2017-15708, Remote code execution > > > > > spring-core-4.3.18.RELEASE.jar > > > > > (pkg:maven/org.springframework/[hidden email], > > > > > > > > cpe:2.3:a:pivotal_software:spring_framework:4.3.18.release:*:*:*:*:*:*:*, > > > > > cpe:2.3:a:springsource:spring_framework:4.3.18.release:*:*:*:*:*:*:*, > > > > > cpe:2.3:a:vmware:springsource_spring_framework:4.3.18:*:*:*:*:*:*:*) > > : > > > > > CVE-2018-15756 > > > > > netty-transport-4.1.27.Final.jar > > > > > (pkg:maven/io.netty/[hidden email], > > > > > cpe:2.3:a:netty:netty:4.1.27:*:*:*:*:*:*:*) : CVE-2019-16869 > > > > > > > > > > One or more dependencies were identified with known vulnerabilities > > in > > > > > ignite-flink: > > > > > > > > > > flink-hadoop-fs-1.5.0.jar > > > (pkg:maven/org.apache.flink/flink-hadoop-fs@1.5.0 > > > > > , > > > > > cpe:2.3:a:apache:hadoop:1.5.0:*:*:*:*:*:*:*) : CVE-2016-5001, > > > > > CVE-2017-3161, CVE-2017-3162 > > > > > > > > > > > > > > > flink-shaded-netty-4.0.27.Final-2.0.jar/META-INF/maven/io.netty/netty-all/pom.xml > > > > > (pkg:maven/io.netty/[hidden email], > > > > > cpe:2.3:a:netty:netty:4.0.27:*:*:*:*:*:*:*) : CVE-2015-2156, > > > CVE-2016-4970, > > > > > CVE-2019-16869 > > > > > > > > > > > > > > > flink-shaded-jackson-2.7.9-3.0.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml > > > > > (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.9, > > > > > cpe:2.3:a:fasterxml:jackson:2.7.9:*:*:*:*:*:*:*, > > > > > cpe:2.3:a:fasterxml:jackson-databind:2.7.9:*:*:*:*:*:*:*) : > > > CVE-2017-15095, > > > > > CVE-2017-17485, CVE-2017-7525, CVE-2018-1000873, CVE-2018-11307, > > > > > CVE-2018-12022, CVE-2018-12023, CVE-2018-14718, CVE-2018-14719, > > > > > CVE-2018-14720, CVE-2018-14721, CVE-2018-19360, CVE-2018-19361, > > > > > CVE-2018-19362, CVE-2018-5968, CVE-2018-7489, CVE-2019-12086, > > > > > CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, CVE-2019-14439, > > > > > CVE-2019-14540, CVE-2019-16335, 
CVE-2019-16942, CVE-2019-16943, > > > > > CVE-2019-17267, CVE-2019-17531 > > > > > > > > > > > > > > > flink-shaded-guava-18.0-2.0.jar/META-INF/maven/com.google.guava/guava/pom.xml > > > > > (pkg:maven/com.google.guava/guava@18.0, > > > > > cpe:2.3:a:google:guava:18.0:*:*:*:*:*:*:*) : CVE-2018-10237 > > > > > > > > > > One or more dependencies were identified with known vulnerabilities > > in > > > > > ignite-rocketmq: > > > > > > > > > > netty-all-4.0.42.Final.jar (pkg:maven/io.netty/[hidden email] > > , > > > > > cpe:2.3:a:netty:netty:4.0.42:*:*:*:*:*:*:*) : CVE-2019-16869 > > > > > netty-tcnative-boringssl-static-1.1.33.Fork26.jar > > > > > (pkg:maven/io.netty/netty-tcnative-boringssl-static@1.1.33.Fork26, > > > > > cpe:2.3:a:apache:tomcat:1.1.33:*:*:*:*:*:*:*, > > > > > cpe:2.3:a:apache:tomcat_native:1.1.33:*:*:*:*:*:*:*, > > > > > cpe:2.3:a:apache_software_foundation:tomcat:1.1.33:*:*:*:*:*:*:*, > > > > > cpe:2.3:a:apache_tomcat:apache_tomcat:1.1.33:*:*:*:*:*:*:*) : > > > > > CVE-2000-1210, CVE-2001-0590, CVE-2002-0493, CVE-2005-4838, > > > CVE-2006-7196, > > > > > CVE-2007-1358, CVE-2007-2449, CVE-2008-0128, CVE-2009-2696, > > > CVE-2012-5568, > > > > > CVE-2013-2185, CVE-2013-4286, CVE-2013-4322, CVE-2013-4444, > > > CVE-2013-4590, > > > > > CVE-2013-6357, CVE-2014-0075, CVE-2014-0096, CVE-2014-0099, > > > CVE-2014-0119, > > > > > CVE-2016-5425, CVE-2017-15698, CVE-2018-8019, CVE-2018-8020 > > > > > > > > > > Main offenders seem to be "jackson-databind" and old maintenance > > > releases > > > > > of Spring. I think we can bump most of that. > > > > > > > > > > Some integrations also clearly suffer, through it's a problem of > > their > > > > > users, since they need to declare their own libraries' versions by > > > > > convention. > > > > > > > > > > Regards, > > > > > -- > > > > > Ilya Kasnacheev > > > > > > > > > > > > > > > пт, 27 дек. 2019 г. в 23:59, Denis Magda <[hidden email]>: > > > > > > > > > > > Ilya, no I see, thanks for the explanation. 
Agree with you, let's update the versions of the dependencies to the latest.
> > > > > >
> > > > > > -
> > > > > > Denis
> > > > > >
> > > > > >
> > > > > > On Thu, Dec 26, 2019 at 10:50 PM Ilya Kasnacheev <[hidden email]> wrote:
> > > > > >
> > > > > > > Hello!
> > > > > > >
> > > > > > > I have committed ignite-spring-data_2.2 to ignite-2.8.
> > > > > > >
> > > > > > > By bumping versions I mean the following:
> > > > > > >     <slf4j.version>1.7.*7*</slf4j.version>
> > > > > > >     <slf4j16.version>1.6.*4*</slf4j16.version>
> > > > > > >     <snappy.version>1.1.7.*2*</snappy.version>
> > > > > > >     <spark.hadoop.version>2.6.*5*</spark.hadoop.version>
> > > > > > >     <spark.version>2.3.*0*</spark.version>
> > > > > > >     <spring.data.version>1.13.*14*.RELEASE</spring.data.version> <!-- don't forget to update spring version -->
> > > > > > >     <spring.version>4.3.*18*.RELEASE</spring.version><!-- don't forget to update spring-data version -->
> > > > > > >     <spring.data-2.0.version>2.0.*9*.RELEASE</spring.data-2.0.version> <!-- don't forget to update spring-5.0 version -->
> > > > > > >     <spring-5.0.version>5.0.*8*.RELEASE</spring-5.0.version><!-- don't forget to update spring-data-2.0 version -->
> > > > > > >
> > > > > > > All these libraries have maintenance releases (such as our 2.7.*6*) and I
> > > > > > > think it would be beneficial to upgrade these dependencies to the latest
> > > > > > > maintenance version found in Maven Central.
> > > > > > > For example, there is spring.data-2.0 2.0.*14*.RELEASE.
> > > > > > >
> > > > > > > Regards,
> > > > > > > --
> > > > > > > Ilya Kasnacheev
> > > > > > >
> > > > > > >
> > > > > > > Thu, 26 Dec 2019 at 19:32, Denis Magda <[hidden email]>:
> > > > > > >
> > > > > > > > A huge +1 for adding Spring Data related fixes/improvements.
> > > > > > > > Ilya is right that Spring Data related questions sparked last time due to missing support of 2.2 version.
> > > > > > > >
> > > > > > > > Ilya, could you elaborate on what you mean under "bumping the versions"? Do you suggest performing a straightforward upgrade of "ignite-spring-data" to version 2.2 and introducing "ignite-spring-data-{old-version}" for the previous versions? If it's so, I fully agree with the proposal.
> > > > > > > >
> > > > > > > > -
> > > > > > > > Denis
> > > > > > > >
> > > > > > > > On Thu, Dec 26, 2019 at 4:52 AM Ilya Kasnacheev <[hidden email]> wrote:
> > > > > > > >
> > > > > > > > > Hello!
> > > > > > > > >
> > > > > > > > > I propose to add the following ticket to the scope:
> > > > > > > > > https://issues.apache.org/jira/browse/IGNITE-12259 (3 commits, be careful with release version)
> > > > > > > > >
> > > > > > > > > Adding tickets to scope surely seems crazy now, but I will provide the following considerations:
> > > > > > > > > * This is Spring Data 2.2 integration, which we currently do not have, leading to lots of confused questions on stack overflow and mailing list. Spring Data is important to our public image since many people may learn about our project by starting with Spring Data.
> > > > > > > > >
> > > > > > > > > * It has zero code impact outside of its own module (just 2 POM files touched and that's all).
> > > > > > > > >
> > > > > > > > > * The core was ready since early November but, due to gmail quirk, we did not react to it in time.
> > > > > > > > >
> > > > > > > > > WDYT?
> > > > > > > > >
> > > > > > > > > Another semi-related question. *Should we bump our dependencies' versions before releasing 2.8?* I talk mainly about spring and hibernate dependencies. We could switch them to their latest maintenance versions to avoid shipping default links to outdated packages.
> > > > > > > > >
> > > > > > > > > I think this is one of the things that are very hard to do between releases, so I think this dependencies bumping should be a part of a formal release/testing cycle, and then be backported to master.
> > > > > > > > >
> > > > > > > > > I could volunteer to do that myself, if we agree to merge these version upgrades to ignite-2.8 and then re-test.
> > > > > > > > >
> > > > > > > > > Regards,
> > > > > > > > > --
> > > > > > > > > Ilya Kasnacheev
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Tue, 24 Dec 2019 at 13:22, Zhenya Stanilovsky <[hidden email]>:
> > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Igniters, I'll try to compare 2.8 release candidate vs 2.7.6,
> > > > > > > > > > last sha 2.8 was built from : 9d114f3137f92aebc2562a
> > > > > > > > > > I use yardstick benchmarks, 4 bare machine with: 2x Xeon X5570 96Gb 512GB SSD 2048GB HDD 10GB/s
> > > > > > > > > > 1 for client (driver) and 3 for servers.
> > > > > > > > > > this mappings for graphs and real yardstick tests:
> > > > > > > > > >
> > > > > > > > > > atomic-put: IgnitePutBenchmark
> > > > > > > > > > sql-merge-query: IgniteSqlMergeQueryBenchmark
> > > > > > > > > > atomic-get: IgniteGetBenchmark
> > > > > > > > > > tx-get: IgniteGetTxBenchmark
> > > > > > > > > > tx-put: IgnitePutTxBenchmark
> > > > > > > > > > atomic-put-all-bs-10: IgnitePutAllBenchmark
> > > > > > > > > > tx-put-all-bs-10: IgnitePutAllTxBenchmark
> > > > > > > > > >
> > > > > > > > > > cacheMode — partitioned
> > > > > > > > > > CacheWriteSynchronizationMode.FULL_SYNC
> > > > > > > > > > 1 backup
> > > > > > > > > >
> > > > > > > > > > 1. wal = log_only 2. wal = none 3. persistence disabled.
> > > > > > > > > > Thanks Maxim for wiki page [1]
> > > > > > > > > >
> > > > > > > > > > [1] https://cwiki.apache.org/confluence/display/IGNITE/Apache+Ignite+2.8#ApacheIgnite2.8-Benchmarks
> > > > > > > > > >
> > > > > > > > > > do we need some bisect or other work here ?
> > > > > > > > > >
> > > > > > > > > > >------- Forwarded message -------
> > > > > > > > > > >From: "Maxim Muzafarov" < [hidden email] >
> > > > > > > > > > >To: [hidden email]
> > > > > > > > > > >Cc:
> > > > > > > > > > >Subject: Apache Ignite 2.8 RELEASE [Time, Scope, Manager]
> > > > > > > > > > >Date: Fri, 20 Sep 2019 14:44:31 +0300
> > > > > > > > > > >
> > > > > > > > > > >Igniters,
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >Almost a year has passed since the last major Apache Ignite 2.7 has been released. We've accumulated a lot of performance improvements and a lot of new features which are waiting for their release date. Here is my list of the most interesting things from my point since the last major release:
> > > > > > > > > > >
> > > > > > > > > > >Service Grid,
> > > > > > > > > > >Monitoring,
> > > > > > > > > > >Recovery Read
> > > > > > > > > > >BLT auto-adjust,
> > > > > > > > > > >PDS compression,
> > > > > > > > > > >WAL page compression,
> > > > > > > > > > >Thin client: best effort affinity,
> > > > > > > > > > >Thin client: transactions support (not yet)
> > > > > > > > > > >SQL query history
> > > > > > > > > > >SQL statistics
> > > > > > > > > > >
> > > > > > > > > > >I think we should no longer wait and freeze the master branch anymore and prepare the next major release by the end of the year.
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >I propose to discuss Time, Scope of Apache Ignite 2.8 release and also I want to propose myself to be the release manager of the planning release.
> > > > > > > > > > >
> > > > > > > > > > >Scope Freeze: November 4, 2019
> > > > > > > > > > >Code Freeze: November 18, 2019
> > > > > > > > > > >Voting Date: December 10, 2019
> > > > > > > > > > >Release Date: December 17, 2019
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >WDYT?
> > >
> > > --
> > > Best regards,
> > > Ivan Pavlukhin
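The dependency-check output quoted in this thread lists, per Ignite module, each flagged jar with its identifiers and findings. The following is an added example, not part of the thread or of Ignite's tooling: it parses that text format and ranks artifacts by how many modules pull them in, which is the triage needed to bump only the vulnerable components. `parse_report`, `rank` and `SAMPLE` are names made up here; the sample is an excerpt of the quoted report with wrapped entries re-joined and extra cpe identifiers dropped, and treating consecutive module banners as sharing the entries that follow is an assumption about how the report was condensed.

```python
import re
from collections import defaultdict

# Banner printed for each Maven module that has findings.
HEADER = re.compile(
    r"^One or more dependencies were identified with known "
    r"vulnerabilities in (?P<module>[\w.\-]+):$"
)
# "<file> (<purl>, <cpe>, ...) : <finding>, <finding>, ..."
ENTRY = re.compile(r"^(?P<file>\S+) \((?P<ids>[^)]*)\)\s*:\s*(?P<findings>.+)$")
PURL = re.compile(
    r"pkg:maven/(?P<group>[^/@\s,]+)/(?P<artifact>[^/@\s,]+)@(?P<version>[^,\s]+)"
)
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Excerpt of the report quoted in the thread (entries re-joined onto one line).
SAMPLE = """\
One or more dependencies were identified with known vulnerabilities in ignite-spring:
One or more dependencies were identified with known vulnerabilities in ignite-aop:

spring-core-4.3.18.RELEASE.jar (pkg:maven/org.springframework/[hidden email], cpe:2.3:a:vmware:springsource_spring_framework:4.3.18:*:*:*:*:*:*:*) : CVE-2018-15756

One or more dependencies were identified with known vulnerabilities in ignite-rest-http:

jetty-server-9.4.11.v20180605.jar (pkg:maven/org.eclipse.jetty/jetty-server@9.4.11.v20180605, cpe:2.3:a:eclipse:jetty:9.4.11:20180605:*:*:*:*:*:*) : CVE-2018-12545, CVE-2019-10241, CVE-2019-10247

One or more dependencies were identified with known vulnerabilities in ignite-mesos:

jetty-server-9.4.11.v20180605.jar (pkg:maven/org.eclipse.jetty/jetty-server@9.4.11.v20180605, cpe:2.3:a:eclipse:jetty:9.4.11:20180605:*:*:*:*:*:*) : CVE-2018-12545, CVE-2019-10241, CVE-2019-10247

One or more dependencies were identified with known vulnerabilities in ignite-flume:

commons-collections-3.2.1.jar (pkg:maven/commons-collections/commons-collections@3.2.1, cpe:2.3:a:apache:commons_collections:3.2.1:*:*:*:*:*:*:*) : CVE-2015-6420, CVE-2017-15708, Remote code execution

One or more dependencies were identified with known vulnerabilities in ignite-storm:

storm-core-1.1.1.jar/META-INF/maven/com.google.guava/guava/pom.xml (pkg:maven/com.google.guava/guava@16.0.1, cpe:2.3:a:google:guava:16.0.1:*:*:*:*:*:*:*) : CVE-2018-10237
"""


def parse_report(text):
    """Return {artifact key: {"modules", "cves", "other", "embedded_in"}}."""
    findings = defaultdict(
        lambda: {"modules": set(), "cves": set(), "other": set(), "embedded_in": set()}
    )
    modules, saw_entry = [], False
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            # Assumption: banners printed back to back share the entries below
            # them; a banner that follows an entry starts a new group.
            if saw_entry:
                modules, saw_entry = [], False
            modules.append(header["module"])
            continue
        entry = ENTRY.match(line)
        if not entry or not modules:
            continue
        saw_entry = True
        purl = PURL.search(entry["ids"])
        # The archive redacts anything containing '@', so some purls are lost;
        # fall back to the jar file name as the key in that case.
        key = (
            "{group}:{artifact}:{version}".format(**purl.groupdict())
            if purl
            else entry["file"]
        )
        record = findings[key]
        record["modules"].update(modules)
        if "/META-INF/" in entry["file"]:
            # Library bundled inside another jar: bumping the outer jar is the fix.
            record["embedded_in"].add(entry["file"].split("/", 1)[0])
        for item in (part.strip() for part in entry["findings"].split(",")):
            if item:
                # Findings without a CVE id (e.g. "Remote code execution") are kept apart.
                (record["cves"] if CVE_ID.match(item) else record["other"]).add(item)
    return dict(findings)


def rank(findings):
    """Most widely used artifacts first, then by number of distinct CVEs."""
    return sorted(
        findings.items(),
        key=lambda kv: (-len(kv[1]["modules"]), -len(kv[1]["cves"]), kv[0]),
    )


if __name__ == "__main__":
    for key, rec in rank(parse_report(SAMPLE)):
        via = f" (inside {', '.join(sorted(rec['embedded_in']))})" if rec["embedded_in"] else ""
        print(f"{key}{via}: {len(rec['cves'])} CVE(s) in {', '.join(sorted(rec['modules']))}")
```

Artifacts reported as embedded in another jar cannot be fixed by a version property in parent/pom.xml alone; the containing dependency has to be upgraded.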
Agree that we could plan 2.8.1 for bug-fixing and 2.9 for new major changes, and maybe it will help Ivan to decide to move it to the next releases. Agree that the scope is frozen, agree that it makes the release hard for our release manager.

Thu, 9 Jan 2020 at 19:38, Maxim Muzafarov <[hidden email]>:

> Folks,
>
>
> Let me remind you that we are working on the 2.8 release branch stabilization currently (please, keep it in mind).
>
>
> Do we have a really STRONG reason for adding such a change [1] to the ignite-2.8 branch? This PR [2] doesn't look very simple: +5,517 −2,038, 111 files changed.
> Do we have customer requests for this feature or maybe users who are waiting for exactly that ENUM values exactly in 2.8 release (not the 2.8.1 for instance)?
> Can we just simply remove IgniteCluster#readOnly to eliminate any backward compatibility issues between 2.8 and 2.9 releases?
> Do we have extended test results report (on just only TC.Bot green visa) on this feature to be sure that we will not add any blocker issues to the release? For instance, on pre-production environment.
>
> I'd like to notice that we also have more than enough the release blocker issues [3] which are still `in progress` and such a release run becomes endless. Such changes without strong reasons look too scary for me, especially after scope and code freeze dates.
>
> Please, dispel my doubts.
>
> [1] https://issues.apache.org/jira/browse/IGNITE-12225
> [2] https://github.com/apache/ignite/pull/7194
> [3] https://cwiki.apache.org/confluence/display/IGNITE/Apache+Ignite+2.8#ApacheIgnite2.8-Unresolvedissues(notrelatedtodocumentation)
>
> On Thu, 9 Jan 2020 at 19:01, Alexey Zinoviev <[hidden email]> wrote:
> >
> > +1
> >
> > Thu, 9 Jan 2020 at 18:52, Sergey Antonov <[hidden email]>:
> >
> > > +1
> > >
> > > I'm preparing patch for 2.8 branch now. TC Bot visa for 2.8 branch will be at 13 Jan
> > >
> > > Thu, 9 Jan 2020, 21:06 Ivan Pavlukhin <[hidden email]>:
> > >
> > > > +1
> > > >
> > > > Thu, 9 Jan 2020 at 16:38, Ivan Rakov <[hidden email]>:
> > > > >
> > > > > Maxim M. and anyone who is interested,
> > > > >
> > > > > I suggest to include this fix to 2.8 release:
> > > > > https://issues.apache.org/jira/browse/IGNITE-12225
> > > > > Basically, it's a result of the following discussion:
> > > > > http://apache-ignite-developers.2346864.n4.nabble.com/DISCUSSION-Single-point-in-API-for-changing-cluster-state-td43665.html
> > > > >
> > > > > The fix affects public API: IgniteCluster#readOnly methods that work with boolean are replaced with ones that work with enum.
> > > > > If we include it, we won't be obliged to keep deprecated boolean version of API in the code (which is currently present in 2.8 branch) as it wasn't published in any release.
> > > > >
> > > > > On Tue, Dec 31, 2019 at 3:54 PM Ilya Kasnacheev <[hidden email]> wrote:
> > > > >
> > > > > > Hello!
> > > > > >
> > > > > > I have run dependency checker plugin and quote the following:
> > > > > >
> > > > > > One or more dependencies were identified with known vulnerabilities in ignite-urideploy:
> > > > > > One or more dependencies were identified with known vulnerabilities in ignite-spring:
> > > > > > One or more dependencies were identified with known vulnerabilities in ignite-spring-data:
> > > > > > One or more dependencies were identified with known vulnerabilities in ignite-aop:
> > > > > > One or more dependencies were identified with known vulnerabilities in ignite-visor-console:
> > > > > >
> > > > > > spring-core-4.3.18.RELEASE.jar (pkg:maven/org.springframework/[hidden email],
> > > > > > cpe:2.3:a:pivotal_software:spring_framework:4.3.18.release:*:*:*:*:*:*:*,
> > > > > > cpe:2.3:a:springsource:spring_framework:4.3.18.release:*:*:*:*:*:*:*,
cpe:2.3:a:vmware:springsource_spring_framework:4.3.18:*:*:*:*:*:*:*) > > > : > > > > > > CVE-2018-15756 > > > > > > > > > > > > One or more dependencies were identified with known > vulnerabilities > > > in > > > > > > ignite-spring-data_2.0: > > > > > > > > > > > > spring-core-5.0.8.RELEASE.jar > > > > > > (pkg:maven/org.springframework/[hidden email], > > > > > > > > > > > cpe:2.3:a:pivotal_software:spring_framework:5.0.8.release:*:*:*:*:*:*:*, > > > > > > > cpe:2.3:a:springsource:spring_framework:5.0.8.release:*:*:*:*:*:*:*, > > > > > > > cpe:2.3:a:vmware:springsource_spring_framework:5.0.8:*:*:*:*:*:*:*) : > > > > > > CVE-2018-15756 > > > > > > > > > > > > One or more dependencies were identified with known > vulnerabilities > > > in > > > > > > ignite-rest-http: > > > > > > > > > > > > jetty-server-9.4.11.v20180605.jar > > > > > > (pkg:maven/org.eclipse.jetty/jetty-server@9.4.11.v20180605, > > > > > > cpe:2.3:a:eclipse:jetty:9.4.11:20180605:*:*:*:*:*:*, > > > > > > cpe:2.3:a:jetty:jetty:9.4.11.v20180605:*:*:*:*:*:*:*, > > > > > > cpe:2.3:a:mortbay_jetty:jetty:9.4.11:20180605:*:*:*:*:*:*) : > > > > > > CVE-2018-12545, CVE-2019-10241, CVE-2019-10247 > > > > > > jackson-databind-2.9.6.jar > > > > > > (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.6, > > > > > > cpe:2.3:a:fasterxml:jackson:2.9.6:*:*:*:*:*:*:*, > > > > > > cpe:2.3:a:fasterxml:jackson-databind:2.9.6:*:*:*:*:*:*:*) : > > > > > > CVE-2018-1000873, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, > > > > > > CVE-2018-14721, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362, > > > > > > CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, > > > > > > CVE-2019-14439, CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, > > > > > > CVE-2019-16943, CVE-2019-17267, CVE-2019-17531 > > > > > > > > > > > > One or more dependencies were identified with known > vulnerabilities > > > in > > > > > > ignite-kubernetes: > > > > > > One or more dependencies were identified with known > vulnerabilities > 
> > in > > > > > > ignite-aws: > > > > > > > > > > > > jackson-databind-2.9.6.jar > > > > > > (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.6, > > > > > > cpe:2.3:a:fasterxml:jackson:2.9.6:*:*:*:*:*:*:*, > > > > > > cpe:2.3:a:fasterxml:jackson-databind:2.9.6:*:*:*:*:*:*:*) : > > > > > > CVE-2018-1000873, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, > > > > > > CVE-2018-14721, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362, > > > > > > CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, > > > > > > CVE-2019-14439, CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, > > > > > > CVE-2019-16943, CVE-2019-17267, CVE-2019-17531 > > > > > > bcprov-ext-jdk15on-1.54.jar > > > > > > (pkg:maven/org.bouncycastle/bcprov-ext-jdk15on@1.54) : > > > CVE-2015-6644, > > > > > > CVE-2016-1000338, CVE-2016-1000339, CVE-2016-1000340, > > > CVE-2016-1000341, > > > > > > CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, > > > CVE-2016-1000345, > > > > > > CVE-2016-1000346, CVE-2016-1000352, CVE-2016-2427, > CVE-2017-13098, > > > > > > CVE-2018-1000180, CVE-2018-1000613 > > > > > > > > > > > > One or more dependencies were identified with known > vulnerabilities > > > in > > > > > > ignite-gce: > > > > > > > > > > > > httpclient-4.0.1.jar > > > > (pkg:maven/org.apache.httpcomponents/httpclient@4.0.1 > > > > > > , > > > > > > cpe:2.3:a:apache:httpclient:4.0.1:*:*:*:*:*:*:*) : CVE-2011-1498, > > > > > > CVE-2014-3577, CVE-2015-5262 > > > > > > guava-jdk5-17.0.jar (pkg:maven/com.google.guava/guava-jdk5@17.0, > > > > > > cpe:2.3:a:google:guava:17.0:*:*:*:*:*:*:*) : CVE-2018-10237 > > > > > > > > > > > > One or more dependencies were identified with known > vulnerabilities > > > in > > > > > > ignite-cloud: > > > > > > > > > > > > openstack-keystone-2.0.0.jar > > > > > > (pkg:maven/org.apache.jclouds.api/openstack-keystone@2.0.0, > > > > > > cpe:2.3:a:openstack:keystone:2.0.0:*:*:*:*:*:*:*, > > > > > > cpe:2.3:a:openstack:openstack:2.0.0:*:*:*:*:*:*:*) : > 
CVE-2013-2014, > > > > > > CVE-2013-4222, CVE-2013-6391, CVE-2014-0204, CVE-2014-3476, > > > > CVE-2014-3520, > > > > > > CVE-2014-3621, CVE-2015-3646, CVE-2015-7546, CVE-2018-14432, > > > > CVE-2018-20170 > > > > > > cloudstack-2.0.0.jar > > > (pkg:maven/org.apache.jclouds.api/cloudstack@2.0.0 > > > > , > > > > > > cpe:2.3:a:apache:cloudstack:2.0.0:*:*:*:*:*:*:*) : CVE-2013-2136, > > > > > > CVE-2013-6398, CVE-2014-0031, CVE-2014-9593, CVE-2015-3252 > > > > > > docker-2.0.0.jar (pkg:maven/org.apache.jclouds.api/docker@2.0.0, > > > > > > cpe:2.3:a:docker:docker:2.0.0:*:*:*:*:*:*:*) : CVE-2018-10892, > > > > > > CVE-2019-13139, CVE-2019-13509, CVE-2019-15752, CVE-2019-16884, > > > > > > CVE-2019-5736 > > > > > > guava-16.0.1.jar (pkg:maven/com.google.guava/guava@16.0.1, > > > > > > cpe:2.3:a:google:guava:16.0.1:*:*:*:*:*:*:*) : CVE-2018-10237 > > > > > > docker-1.9.3.jar (pkg:maven/org.apache.jclouds.labs/docker@1.9.3 > , > > > > > > cpe:2.3:a:docker:docker:1.9.3:*:*:*:*:*:*:*) : CVE-2016-3697, > > > > > > CVE-2017-14992, CVE-2019-13139, CVE-2019-13509, CVE-2019-15752, > > > > > > CVE-2019-16884, CVE-2019-5736 > > > > > > jsch.agentproxy.core-0.0.8.jar > > > > > > (pkg:maven/com.jcraft/jsch.agentproxy.core@0.0.8, > > > > > > cpe:2.3:a:jcraft:jsch:0.0.8:*:*:*:*:*:*:*) : CVE-2016-5725 > > > > > > bcprov-ext-jdk15on-1.49.jar > > > > > > (pkg:maven/org.bouncycastle/bcprov-ext-jdk15on@1.49) : > > > CVE-2015-6644, > > > > > > CVE-2015-7940, CVE-2016-1000338, CVE-2016-1000339, > CVE-2016-1000341, > > > > > > CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, > > > CVE-2016-1000345, > > > > > > CVE-2016-1000346, CVE-2016-1000352, CVE-2017-13098, > CVE-2018-1000613 > > > > > > okhttp-2.2.0.jar (pkg:maven/com.squareup.okhttp/okhttp@2.2.0, > > > > > > cpe:2.3:a:squareup:okhttp:2.2.0:*:*:*:*:*:*:*) : CVE-2016-2402 > > > > > > > > > > > > One or more dependencies were identified with known > vulnerabilities > > > in > > > > > > ignite-mesos: > > > > > > > > > > > > 
mesos-1.5.0.jar (pkg:maven/org.apache.mesos/mesos@1.5.0, > > > > > > cpe:2.3:a:apache:mesos:1.5.0:*:*:*:*:*:*:*) : CVE-2018-11793, > > > > > > CVE-2018-1330, CVE-2018-8023, CVE-2019-0204, CVE-2019-5736 > > > > > > jetty-server-9.4.11.v20180605.jar > > > > > > (pkg:maven/org.eclipse.jetty/jetty-server@9.4.11.v20180605, > > > > > > cpe:2.3:a:eclipse:jetty:9.4.11:20180605:*:*:*:*:*:*, > > > > > > cpe:2.3:a:jetty:jetty:9.4.11.v20180605:*:*:*:*:*:*:*, > > > > > > cpe:2.3:a:mortbay_jetty:jetty:9.4.11:20180605:*:*:*:*:*:*) : > > > > > > CVE-2018-12545, CVE-2019-10241, CVE-2019-10247 > > > > > > jackson-databind-2.9.6.jar > > > > > > (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.6, > > > > > > cpe:2.3:a:fasterxml:jackson:2.9.6:*:*:*:*:*:*:*, > > > > > > cpe:2.3:a:fasterxml:jackson-databind:2.9.6:*:*:*:*:*:*:*) : > > > > > > CVE-2018-1000873, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, > > > > > > CVE-2018-14721, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362, > > > > > > CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, > > > > > > CVE-2019-14439, CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, > > > > > > CVE-2019-16943, CVE-2019-17267, CVE-2019-17531 > > > > > > > > > > > > One or more dependencies were identified with known > vulnerabilities > > > in > > > > > > ignite-kafka: > > > > > > > > > > > > kafka-clients-2.0.1.jar > > > (pkg:maven/org.apache.kafka/kafka-clients@2.0.1 > > > > , > > > > > > cpe:2.3:a:apache:kafka:2.0.1:*:*:*:*:*:*:*) : CVE-2018-17196 > > > > > > connect-api-2.0.1.jar > (pkg:maven/org.apache.kafka/connect-api@2.0.1, > > > > > > cpe:2.3:a:apache:kafka:2.0.1:*:*:*:*:*:*:*) : CVE-2018-17196 > > > > > > > > > > > > One or more dependencies were identified with known > vulnerabilities > > > in > > > > > > ignite-flume: > > > > > > > > > > > > guava-11.0.2.jar (pkg:maven/com.google.guava/guava@11.0.2, > > > > > > cpe:2.3:a:google:guava:11.0.2:*:*:*:*:*:*:*) : CVE-2018-10237 > > > > > > jackson-core-asl-1.8.8.jar > > > > > 
> (pkg:maven/org.codehaus.jackson/jackson-core-asl@1.8.8, > > > > > > cpe:2.3:a:fasterxml:jackson:1.8.8:*:*:*:*:*:*:*) : > CVE-2017-15095, > > > > > > CVE-2017-17485, CVE-2017-7525 > > > > > > jackson-mapper-asl-1.8.8.jar > > > > > > (pkg:maven/org.codehaus.jackson/jackson-mapper-asl@1.8.8, > > > > > > cpe:2.3:a:fasterxml:jackson:1.8.8:*:*:*:*:*:*:*, > > > > > > cpe:2.3:a:fasterxml:jackson-mapper-asl:1.8.8:*:*:*:*:*:*:*) : > > > > > > CVE-2017-15095, CVE-2017-17485, CVE-2017-7525, CVE-2018-1000873, > > > > > > CVE-2018-14718, CVE-2018-5968, CVE-2018-7489, CVE-2019-14540, > > > > > > CVE-2019-16335, CVE-2019-17267 > > > > > > commons-collections-3.2.1.jar > > > > > > (pkg:maven/commons-collections/commons-collections@3.2.1, > > > > > > cpe:2.3:a:apache:commons_collections:3.2.1:*:*:*:*:*:*:*) : > > > > CVE-2015-6420, > > > > > > CVE-2017-15708, Remote code execution > > > > > > netty-3.9.4.Final.jar (pkg:maven/io.netty/[hidden email], > > > > > > cpe:2.3:a:netty:netty:3.9.4:*:*:*:*:*:*:*) : CVE-2015-2156, > > > > CVE-2019-16869, > > > > > > POODLE vulnerability in SSLv3.0 support > > > > > > servlet-api-2.5-20110124.jar > > > > > > (pkg:maven/org.mortbay.jetty/servlet-api@2.5-20110124, > > > > > > cpe:2.3:a:jetty:jetty:2.5.20110124:*:*:*:*:*:*:*, > > > > > > cpe:2.3:a:mortbay:jetty:2.5.20110124:*:*:*:*:*:*:*, > > > > > > cpe:2.3:a:mortbay_jetty:jetty:2.5.20110124:*:*:*:*:*:*:*) : > > > > CVE-2005-3747, > > > > > > CVE-2007-5615, CVE-2009-1523, CVE-2009-1524, CVE-2009-5048, > > > > CVE-2009-5049, > > > > > > CVE-2011-4461 > > > > > > jetty-util-6.1.26.jar > (pkg:maven/org.mortbay.jetty/jetty-util@6.1.26 > > > , > > > > > > cpe:2.3:a:jetty:jetty:6.1.26:*:*:*:*:*:*:*, > > > > > > cpe:2.3:a:mortbay:jetty:6.1.26:*:*:*:*:*:*:*, > > > > > > cpe:2.3:a:mortbay_jetty:jetty:6.1.26:*:*:*:*:*:*:*) : > CVE-2009-1523, > > > > > > CVE-2011-4461 > > > > > > jetty-6.1.26.jar (pkg:maven/org.mortbay.jetty/jetty@6.1.26, > > > > > > cpe:2.3:a:jetty:jetty:6.1.26:*:*:*:*:*:*:*, > > > > > > 
cpe:2.3:a:mortbay:jetty:6.1.26:*:*:*:*:*:*:*, > > > > > > cpe:2.3:a:mortbay_jetty:jetty:6.1.26:*:*:*:*:*:*:*) : > CVE-2009-1523, > > > > > > CVE-2011-4461, CVE-2017-7656, CVE-2017-7657, CVE-2017-7658, > > > > CVE-2017-9735, > > > > > > CVE-2019-10241, CVE-2019-10247 > > > > > > libthrift-0.9.0.jar (pkg:maven/org.apache.thrift/libthrift@0.9.0) > : > > > > > > CVE-2015-3254, CVE-2016-5397, CVE-2018-1320, CVE-2019-0205 > > > > > > httpclient-4.1.3.jar > > > > (pkg:maven/org.apache.httpcomponents/httpclient@4.1.3 > > > > > > , > > > > > > cpe:2.3:a:apache:httpclient:4.1.3:*:*:*:*:*:*:*) : CVE-2014-3577, > > > > > > CVE-2015-5262 > > > > > > > > > > > > One or more dependencies were identified with known > vulnerabilities > > > in > > > > > > ignite-twitter: > > > > > > > > > > > > httpclient-4.2.5.jar > > > > (pkg:maven/org.apache.httpcomponents/httpclient@4.2.5 > > > > > > , > > > > > > cpe:2.3:a:apache:httpclient:4.2.5:*:*:*:*:*:*:*) : CVE-2014-3577, > > > > > > CVE-2015-5262 > > > > > > guava-14.0.1.jar (pkg:maven/com.google.guava/guava@14.0.1, > > > > > > cpe:2.3:a:google:guava:14.0.1:*:*:*:*:*:*:*) : CVE-2018-10237 > > > > > > > > > > > > One or more dependencies were identified with known > vulnerabilities > > > in > > > > > > ignite-zookeeper: > > > > > > > > > > > > jackson-databind-2.9.8.jar > > > > > > (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8, > > > > > > cpe:2.3:a:fasterxml:jackson:2.9.8:*:*:*:*:*:*:*, > > > > > > cpe:2.3:a:fasterxml:jackson-databind:2.9.8:*:*:*:*:*:*:*) : > > > > CVE-2019-12086, > > > > > > CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, CVE-2019-14439, > > > > > > CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943, > > > > > > CVE-2019-17267, CVE-2019-17531 > > > > > > guava-16.0.1.jar (pkg:maven/com.google.guava/guava@16.0.1, > > > > > > cpe:2.3:a:google:guava:16.0.1:*:*:*:*:*:*:*) : CVE-2018-10237 > > > > > > jackson-mapper-asl-1.9.13.jar > > > > > > 
(pkg:maven/org.codehaus.jackson/jackson-mapper-asl@1.9.13, > > > > > > cpe:2.3:a:fasterxml:jackson:1.9.13:*:*:*:*:*:*:*, > > > > > > cpe:2.3:a:fasterxml:jackson-mapper-asl:1.9.13:*:*:*:*:*:*:*) : > > > > > > CVE-2017-15095, CVE-2017-17485, CVE-2017-7525, CVE-2018-1000873, > > > > > > CVE-2018-14718, CVE-2018-5968, CVE-2018-7489, CVE-2019-10172, > > > > > > CVE-2019-14540, CVE-2019-16335, CVE-2019-17267 > > > > > > netty-all-4.1.29.Final.jar > (pkg:maven/io.netty/[hidden email] > > > , > > > > > > cpe:2.3:a:netty:netty:4.1.29:*:*:*:*:*:*:*) : CVE-2019-16869 > > > > > > > > > > > > One or more dependencies were identified with known > vulnerabilities > > > in > > > > > > ignite-camel: > > > > > > > > > > > > camel-core-2.22.0.jar > (pkg:maven/org.apache.camel/camel-core@2.22.0, > > > > > > cpe:2.3:a:apache:camel:2.22.0:*:*:*:*:*:*:*) : CVE-2018-8041, > > > > > > CVE-2019-0188, CVE-2019-0194 > > > > > > > > > > > > > > > > > > > > camel-core-2.22.0.jar/META-INF/maven/org.apache.camel/spi-annotations/pom.xml > > > > > > (pkg:maven/org.apache.camel/spi-annotations@2.22.0, > > > > > > cpe:2.3:a:apache:camel:2.22.0:*:*:*:*:*:*:*) : CVE-2018-8041, > > > > > > CVE-2019-0188, CVE-2019-0194 > > > > > > > > > > > > One or more dependencies were identified with known > vulnerabilities > > > in > > > > > > ignite-storm: > > > > > > > > > > > > storm-core-1.1.1.jar (pkg:maven/org.apache.storm/storm-core@1.1.1 > , > > > > > > cpe:2.3:a:apache:storm:1.1.1:*:*:*:*:*:*:*) : CVE-2018-11779, > > > > > > CVE-2018-1331, CVE-2018-1332, CVE-2018-8008, CVE-2019-0202 > > > > > > > > > > > > > > storm-core-1.1.1.jar/META-INF/maven/org.eclipse.jetty/jetty-servlet/pom.xml > > > > > > (pkg:maven/org.eclipse.jetty/jetty-servlet@7.6.13.v20130916, > > > > > > cpe:2.3:a:eclipse:jetty:7.6.13:20130916:*:*:*:*:*:*, > > > > > > cpe:2.3:a:jetty:jetty:7.6.13.v20130916:*:*:*:*:*:*:*) : > > > CVE-2019-10247 > > > > > > > > > > > > > > > > > > > > 
storm-core-1.1.1.jar/META-INF/maven/org.apache.httpcomponents/httpclient/pom.xml > > > > > > (pkg:maven/org.apache.httpcomponents/httpclient@4.3.3, > > > > > > cpe:2.3:a:apache:httpclient:4.3.3:*:*:*:*:*:*:*) : CVE-2014-3577, > > > > > > CVE-2015-5262 > > > > > > > storm-core-1.1.1.jar/META-INF/maven/com.google.guava/guava/pom.xml > > > > > > (pkg:maven/com.google.guava/guava@16.0.1, > > > > > > cpe:2.3:a:google:guava:16.0.1:*:*:*:*:*:*:*) : CVE-2018-10237 > > > > > > storm-core-1.1.1.jar/META-INF/maven/io.netty/netty/pom.xml > > > > > > (pkg:maven/io.netty/[hidden email], > > > > > > cpe:2.3:a:netty:netty:3.9.0:*:*:*:*:*:*:*) : CVE-2014-0193, > > > > CVE-2014-3488, > > > > > > CVE-2015-2156, CVE-2019-16869, POODLE vulnerability in SSLv3.0 > > > support > > > > > > > > > > > > > > storm-core-1.1.1.jar/META-INF/maven/org.eclipse.jetty/jetty-server/pom.xml > > > > > > (pkg:maven/org.eclipse.jetty/jetty-server@7.6.13.v20130916, > > > > > > cpe:2.3:a:eclipse:jetty:7.6.13:20130916:*:*:*:*:*:*, > > > > > > cpe:2.3:a:jetty:jetty:7.6.13.v20130916:*:*:*:*:*:*:*) : > > > CVE-2011-4461, > > > > > > CVE-2017-7656, CVE-2017-7657, CVE-2017-7658, CVE-2017-9735, > > > > CVE-2019-10241, > > > > > > CVE-2019-10247 > > > > > > > > > > > storm-core-1.1.1.jar/META-INF/maven/org.eclipse.jetty/jetty-util/pom.xml > > > > > > (pkg:maven/org.eclipse.jetty/jetty-util@7.6.13.v20130916, > > > > > > cpe:2.3:a:eclipse:jetty:7.6.13:20130916:*:*:*:*:*:*, > > > > > > cpe:2.3:a:jetty:jetty:7.6.13.v20130916:*:*:*:*:*:*:*) : > > > CVE-2011-4461, > > > > > > CVE-2019-10247 > > > > > > > > > > > > > > > > > > > > storm-core-1.1.1.jar/META-INF/maven/commons-fileupload/commons-fileupload/pom.xml > > > > > > (pkg:maven/commons-fileupload/commons-fileupload@1.3.2, > > > > > > cpe:2.3:a:apache:commons_fileupload:1.3.2:*:*:*:*:*:*:*) : > > > > CVE-2016-1000031 > > > > > > > > > > > storm-core-1.1.1.jar/META-INF/maven/org.apache.hadoop/hadoop-auth/pom.xml > > > > > > 
(pkg:maven/org.apache.hadoop/hadoop-auth@2.6.1, > > > > > > cpe:2.3:a:apache:hadoop:2.6.1:*:*:*:*:*:*:*) : CVE-2015-1776, > > > > > > CVE-2016-3086, CVE-2016-5001, CVE-2016-5393, CVE-2016-6811, > > > > CVE-2017-15713, > > > > > > CVE-2017-3161, CVE-2017-3162, CVE-2017-3166, CVE-2018-11768, > > > > CVE-2018-1296, > > > > > > CVE-2018-8009, CVE-2018-8029 > > > > > > > > > > > > One or more dependencies were identified with known > vulnerabilities > > > in > > > > > > ignite-cassandra-store: > > > > > > One or more dependencies were identified with known > vulnerabilities > > > in > > > > > > ignite-cassandra-serializers: > > > > > > > > > > > > commons-beanutils-1.9.2.jar > > > > > > (pkg:maven/commons-beanutils/commons-beanutils@1.9.2, > > > > > > cpe:2.3:a:apache:commons_beanutils:1.9.2:*:*:*:*:*:*:*) : > > > > CVE-2019-10086 > > > > > > commons-collections-3.2.1.jar > > > > > > (pkg:maven/commons-collections/commons-collections@3.2.1, > > > > > > cpe:2.3:a:apache:commons_collections:3.2.1:*:*:*:*:*:*:*) : > > > > CVE-2015-6420, > > > > > > CVE-2017-15708, Remote code execution > > > > > > spring-core-4.3.18.RELEASE.jar > > > > > > (pkg:maven/org.springframework/[hidden email], > > > > > > > > > > > cpe:2.3:a:pivotal_software:spring_framework:4.3.18.release:*:*:*:*:*:*:*, > > > > > > > cpe:2.3:a:springsource:spring_framework:4.3.18.release:*:*:*:*:*:*:*, > > > > > > > cpe:2.3:a:vmware:springsource_spring_framework:4.3.18:*:*:*:*:*:*:*) > > > : > > > > > > CVE-2018-15756 > > > > > > netty-transport-4.1.27.Final.jar > > > > > > (pkg:maven/io.netty/[hidden email], > > > > > > cpe:2.3:a:netty:netty:4.1.27:*:*:*:*:*:*:*) : CVE-2019-16869 > > > > > > > > > > > > One or more dependencies were identified with known > vulnerabilities > > > in > > > > > > ignite-flink: > > > > > > > > > > > > flink-hadoop-fs-1.5.0.jar > > > > (pkg:maven/org.apache.flink/flink-hadoop-fs@1.5.0 > > > > > > , > > > > > > cpe:2.3:a:apache:hadoop:1.5.0:*:*:*:*:*:*:*) : CVE-2016-5001, > > > > > > 
CVE-2017-3161, CVE-2017-3162 > > > > > > > > > > > > > > > > > > > > flink-shaded-netty-4.0.27.Final-2.0.jar/META-INF/maven/io.netty/netty-all/pom.xml > > > > > > (pkg:maven/io.netty/[hidden email], > > > > > > cpe:2.3:a:netty:netty:4.0.27:*:*:*:*:*:*:*) : CVE-2015-2156, > > > > CVE-2016-4970, > > > > > > CVE-2019-16869 > > > > > > > > > > > > > > > > > > > > flink-shaded-jackson-2.7.9-3.0.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml > > > > > > (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.9, > > > > > > cpe:2.3:a:fasterxml:jackson:2.7.9:*:*:*:*:*:*:*, > > > > > > cpe:2.3:a:fasterxml:jackson-databind:2.7.9:*:*:*:*:*:*:*) : > > > > CVE-2017-15095, > > > > > > CVE-2017-17485, CVE-2017-7525, CVE-2018-1000873, CVE-2018-11307, > > > > > > CVE-2018-12022, CVE-2018-12023, CVE-2018-14718, CVE-2018-14719, > > > > > > CVE-2018-14720, CVE-2018-14721, CVE-2018-19360, CVE-2018-19361, > > > > > > CVE-2018-19362, CVE-2018-5968, CVE-2018-7489, CVE-2019-12086, > > > > > > CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, CVE-2019-14439, > > > > > > CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943, > > > > > > CVE-2019-17267, CVE-2019-17531 > > > > > > > > > > > > > > > > > > > > flink-shaded-guava-18.0-2.0.jar/META-INF/maven/com.google.guava/guava/pom.xml > > > > > > (pkg:maven/com.google.guava/guava@18.0, > > > > > > cpe:2.3:a:google:guava:18.0:*:*:*:*:*:*:*) : CVE-2018-10237 > > > > > > > > > > > > One or more dependencies were identified with known > vulnerabilities > > > in > > > > > > ignite-rocketmq: > > > > > > > > > > > > netty-all-4.0.42.Final.jar > (pkg:maven/io.netty/[hidden email] > > > , > > > > > > cpe:2.3:a:netty:netty:4.0.42:*:*:*:*:*:*:*) : CVE-2019-16869 > > > > > > netty-tcnative-boringssl-static-1.1.33.Fork26.jar > > > > > > (pkg:maven/io.netty/netty-tcnative-boringssl-static@1.1.33.Fork26 > , > > > > > > cpe:2.3:a:apache:tomcat:1.1.33:*:*:*:*:*:*:*, > > > > > > 
cpe:2.3:a:apache:tomcat_native:1.1.33:*:*:*:*:*:*:*,
> > > > > > cpe:2.3:a:apache_software_foundation:tomcat:1.1.33:*:*:*:*:*:*:*,
> > > > > > cpe:2.3:a:apache_tomcat:apache_tomcat:1.1.33:*:*:*:*:*:*:*) :
> > > > > > CVE-2000-1210, CVE-2001-0590, CVE-2002-0493, CVE-2005-4838, CVE-2006-7196,
> > > > > > CVE-2007-1358, CVE-2007-2449, CVE-2008-0128, CVE-2009-2696, CVE-2012-5568,
> > > > > > CVE-2013-2185, CVE-2013-4286, CVE-2013-4322, CVE-2013-4444, CVE-2013-4590,
> > > > > > CVE-2013-6357, CVE-2014-0075, CVE-2014-0096, CVE-2014-0099, CVE-2014-0119,
> > > > > > CVE-2016-5425, CVE-2017-15698, CVE-2018-8019, CVE-2018-8020
> > > > > >
> > > > > > Main offenders seem to be "jackson-databind" and old maintenance releases of Spring. I think we can bump most of that.
> > > > > >
> > > > > > Some integrations also clearly suffer, though it's a problem of their users, since they need to declare their own libraries' versions by convention.
> > > > > >
> > > > > > Regards,
> > > > > > --
> > > > > > Ilya Kasnacheev
> > > > > >
> > > > > >
> > > > > > Fri, 27 Dec 2019 at 23:59, Denis Magda <[hidden email]>:
> > > > > >
> > > > > > > Ilya, no I see, thanks for the explanation. Agree with you, let's update the versions of the dependencies to the latest.
> > > > > > >
> > > > > > > -
> > > > > > > Denis
> > > > > > >
> > > > > > >
> > > > > > > On Thu, Dec 26, 2019 at 10:50 PM Ilya Kasnacheev <[hidden email]> wrote:
> > > > > > >
> > > > > > > > Hello!
> > > > > > > >
> > > > > > > > I have committed ignite-spring-data_2.2 to ignite-2.8.
> > > > > > > >
> > > > > > > > By bumping versions I mean the following:
> > > > > > > > <slf4j.version>1.7.*7*</slf4j.version>
> > > > > > > > <slf4j16.version>1.6.*4*</slf4j16.version>
> > > > > > > > <snappy.version>1.1.7.*2*</snappy.version>
> > > > > > > > <spark.hadoop.version>2.6.*5*</spark.hadoop.version>
> > > > > > > > <spark.version>2.3.*0*</spark.version>
> > > > > > > > <spring.data.version>1.13.*14*.RELEASE</spring.data.version> <!-- don't forget to update spring version -->
> > > > > > > > <spring.version>4.3.*18*.RELEASE</spring.version><!-- don't forget to update spring-data version -->
> > > > > > > > <spring.data-2.0.version>2.0.*9*.RELEASE</spring.data-2.0.version> <!-- don't forget to update spring-5.0 version -->
> > > > > > > > <spring-5.0.version>5.0.*8*.RELEASE</spring-5.0.version><!-- don't forget to update spring-data-2.0 version -->
> > > > > > > >
> > > > > > > > All these libraries have maintenance release (such as our 2.7.*6*) and I think it would be beneficial to upgrade these dependencies to the latest maintenance version found in Maven Central.
> > > > > > > > For example, there is spring.data-2.0 2.0.*14*.RELEASE.
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > > --
> > > > > > > > Ilya Kasnacheev
> > > > > > > >
> > > > > > > >
> > > > > > > > Thu, 26 Dec 2019 at 19:32, Denis Magda <[hidden email]>:
> > > > > > > >
> > > > > > > > > A huge +1 for adding Spring Data related fixes/improvements. Ilya is right that Spring Data related questions sparked last time due to missing support of 2.2 version.
> > > > > > > > >
> > > > > > > > > Ilya, could you elaborate on what you mean under "bumping the versions"? Do you suggest performing a straightforward upgrade of "ignite-spring-data" to version 2.2 and introducing "ignite-spring-data-{old-version}" for the previous versions? If it's so, I fully agree with the proposal.
> > > > > > > > >
> > > > > > > > > -
> > > > > > > > > Denis
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > On Thu, Dec 26, 2019 at 4:52 AM Ilya Kasnacheev <[hidden email]> wrote:
> > > > > > > > >
> > > > > > > > > > Hello!
> > > > > > > > > >
> > > > > > > > > > I propose to add the following ticket to the scope:
> > > > > > > > > > https://issues.apache.org/jira/browse/IGNITE-12259 (3 commits, be careful with release version)
> > > > > > > > > >
> > > > > > > > > > Adding tickets to scope surely seems crazy now, but I will provide the following considerations:
> > > > > > > > > > * This is Spring Data 2.2 integration, which we currently do not have, leading to lots of confused questions on stack overflow and mailing list. Spring Data is important to our public image since many people may learn about our project by starting with Spring Data.
> > > > > > > > > >
> > > > > > > > > > * It has zero code impact outside of its own module (just 2 POM files touched and that's all).
> > > > > > > > > >
> > > > > > > > > > * The core was ready since early November but, due to gmail quirk, we did not react to it in time.
> > > > > > > > > >
> > > > > > > > > > WDYT?
> > > > > > > > > >
> > > > > > > > > > Another semi-related question. *Should we bump our dependencies' versions before releasing 2.8?* I talk mainly about spring and hibernate dependencies. We could switch them to their latest maintenance versions to avoid shipping default links to outdated packages.
> > > > > > > > > >
> > > > > > > > > > I think this is one of the things that are very hard to do between releases, so I think this dependencies bumping should be a part of a formal release/testing cycle, and then be backported to master.
> > > > > > > > > >
> > > > > > > > > > I could volunteer to do that myself, if we agree to merge these version upgrades to ignite-2.8 and then re-test.
> > > > > > > > > >
> > > > > > > > > > Regards,
> > > > > > > > > > --
> > > > > > > > > > Ilya Kasnacheev
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Tue, 24 Dec 2019 at 13:22, Zhenya Stanilovsky <[hidden email]>:
> > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > Igniters, I'll try to compare 2.8 release candidate vs 2.7.6,
> > > > > > > > > > > last sha 2.8 was built from : 9d114f3137f92aebc2562a
> > > > > > > > > > > I use yardstick benchmarks, 4 bare machine with: 2x Xeon X5570 96Gb 512GB SSD 2048GB HDD 10GB/s
> > > > > > > > > > > 1 for client (driver) and 3 for servers.
> > > > > > > > > > > this mappings for graphs and real yardstick tests:
> > > > > > > > > > >
> > > > > > > > > > > atomic-put: IgnitePutBenchmark
> > > > > > > > > > > sql-merge-query: IgniteSqlMergeQueryBenchmark
> > > > > > > > > > > atomic-get: IgniteGetBenchmark
> > > > > > > > > > > tx-get: IgniteGetTxBenchmark
> > > > > > > > > > > tx-put: IgnitePutTxBenchmark
> > > > > > > > > > > atomic-put-all-bs-10: IgnitePutAllBenchmark
> > > > > > > > > > > tx-put-all-bs-10: IgnitePutAllTxBenchmark
> > > > > > > > > > >
> > > > > > > > > > > cacheMode — partitioned
> > > > > > > > > > > CacheWriteSynchronizationMode.FULL_SYNC
> > > > > > > > > > > 1 backup
> > > > > > > > > > >
> > > > > > > > > > > 1. wal = log_only 2. wal = none 3. persistence disabled.
> > > > > > > > > > > Thanks Maxim for wiki page [1]
> > > > > > > > > > >
> > > > > > > > > > > [1] https://cwiki.apache.org/confluence/display/IGNITE/Apache+Ignite+2.8#ApacheIgnite2.8-Benchmarks
> > > > > > > > > > >
> > > > > > > > > > > do we need some bisect or other work here ?
> > > > > > > > > > >
> > > > > > > > > > > >------- Forwarded message -------
> > > > > > > > > > > >From: "Maxim Muzafarov" < [hidden email] >
> > > > > > > > > > > >To: [hidden email]
> > > > > > > > > > > >Cc:
> > > > > > > > > > > >Subject: Apache Ignite 2.8 RELEASE [Time, Scope, Manager]
> > > > > > > > > > > >Date: Fri, 20 Sep 2019 14:44:31 +0300
> > > > > > > > > > > >
> > > > > > > > > > > >Igniters,
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >Almost a year has passed since the last major Apache Ignite 2.7 has been released.
We've accumulated a lot of > performance > > > > > > > > improvements > > > > > > > > > > > >and a lot of new features which are waiting for their > > > > release > > > > > > > date. > > > > > > > > > > > >Here is my list of the most interesting things from my > > > point > > > > > > since > > > > > > > > the > > > > > > > > > > > >last major release: > > > > > > > > > > > > > > > > > > > > > > > >Service Grid, > > > > > > > > > > > >Monitoring, > > > > > > > > > > > >Recovery Read > > > > > > > > > > > >BLT auto-adjust, > > > > > > > > > > > >PDS compression, > > > > > > > > > > > >WAL page compression, > > > > > > > > > > > >Thin client: best effort affinity, > > > > > > > > > > > >Thin client: transactions support (not yet) > > > > > > > > > > > >SQL query history > > > > > > > > > > > >SQL statistics > > > > > > > > > > > > > > > > > > > > > > > >I think we should no longer wait and freeze the master > > > > branch > > > > > > > > anymore > > > > > > > > > > > >and prepare the next major release by the end of the > year. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > >I propose to discuss Time, Scope of Apache Ignite 2.8 > > > > release > > > > > > and > > > > > > > > also > > > > > > > > > > > >I want to propose myself to be the release manager of > the > > > > > > planning > > > > > > > > > > > >release. > > > > > > > > > > > > > > > > > > > > > > > >Scope Freeze: November 4, 2019 > > > > > > > > > > > >Code Freeze: November 18, 2019 > > > > > > > > > > > >Voting Date: December 10, 2019 > > > > > > > > > > > >Release Date: December 17, 2019 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > >WDYT? > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > Best regards, > > > > Ivan Pavlukhin > > > > > > > > |
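Added example (not part of any message in this thread, and not Ignite or dependency-check code): a parser for the dependency-check text output quoted in the thread that ranks components by CVE count and separates direct jars from copies bundled inside another jar, which changing that component's own version property would not replace. It assumes one finding per line, as in the plugin output before mail wrapping, and that consecutive module headers share the findings listed after them; the sample lines are abridged from the quoted report and all function names are illustrative.

```python
import re
from collections import defaultdict

HEADER = re.compile(r"^One or more dependencies were identified with known "
                    r"vulnerabilities in (\S+):$")
# "<jar or jar/META-INF/maven/.../pom.xml> (<purl, cpe, ...>) : <findings>"
FINDING = re.compile(r"^(?P<path>\S+)\s+\((?P<ids>.*)\)\s+:\s+(?P<vulns>.+)$")
PURL = re.compile(r"pkg:maven/[^/\s,]+/(?P<name>[^@\s,]+)@(?P<ver>[^\s,)]+)")
JAR = re.compile(r"^(?P<name>.+?)-(?P<ver>\d[^/]*)\.jar$")
EMBEDDED = re.compile(
    r"^(?P<outer>[^/]+\.jar)/META-INF/maven/[^/]+/(?P<name>[^/]+)/pom\.xml$")
CVE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Abridged from the report quoted in the thread (one CPE kept per entry).
SAMPLE = """\
One or more dependencies were identified with known vulnerabilities in ignite-spring:
One or more dependencies were identified with known vulnerabilities in ignite-aop:
spring-core-4.3.18.RELEASE.jar (pkg:maven/org.springframework/[hidden email], cpe:2.3:a:pivotal_software:spring_framework:4.3.18.release:*:*:*:*:*:*:*) : CVE-2018-15756
One or more dependencies were identified with known vulnerabilities in ignite-rest-http:
jetty-server-9.4.11.v20180605.jar (pkg:maven/org.eclipse.jetty/jetty-server@9.4.11.v20180605, cpe:2.3:a:eclipse:jetty:9.4.11:20180605:*:*:*:*:*:*) : CVE-2018-12545, CVE-2019-10241, CVE-2019-10247
One or more dependencies were identified with known vulnerabilities in ignite-flume:
commons-collections-3.2.1.jar (pkg:maven/commons-collections/commons-collections@3.2.1, cpe:2.3:a:apache:commons_collections:3.2.1:*:*:*:*:*:*:*) : CVE-2015-6420, CVE-2017-15708, Remote code execution
One or more dependencies were identified with known vulnerabilities in ignite-zookeeper:
guava-16.0.1.jar (pkg:maven/com.google.guava/guava@16.0.1, cpe:2.3:a:google:guava:16.0.1:*:*:*:*:*:*:*) : CVE-2018-10237
One or more dependencies were identified with known vulnerabilities in ignite-storm:
storm-core-1.1.1.jar/META-INF/maven/com.google.guava/guava/pom.xml (pkg:maven/com.google.guava/guava@16.0.1, cpe:2.3:a:google:guava:16.0.1:*:*:*:*:*:*:*) : CVE-2018-10237
"""


def identify(path, ids):
    """Return (component 'name@version', outer jar or None) for one finding."""
    emb = EMBEDDED.match(path)
    outer = emb["outer"] if emb else None
    purl = PURL.search(ids)
    if purl:
        return f"{purl['name']}@{purl['ver']}", outer
    # The archive's e-mail obfuscation can eat the purl ("[hidden email]"),
    # so fall back to the embedded pom path or the jar file name.
    if emb:
        return f"{emb['name']}@unknown", outer
    jar = JAR.match(path)
    return (f"{jar['name']}@{jar['ver']}" if jar else path), None


def parse_report(text):
    """Turn the report text into one dict per finding line."""
    findings, modules, in_headers = [], [], False
    for line in map(str.strip, text.splitlines()):
        head = HEADER.match(line)
        if head:
            if not in_headers:  # first header after a block of findings
                modules, in_headers = [], True
            modules.append(head.group(1))
            continue
        hit = FINDING.match(line)
        if not hit or not modules:
            continue
        in_headers = False
        component, outer = identify(hit["path"], hit["ids"])
        vulns = [v.strip() for v in hit["vulns"].split(",")]
        findings.append({
            "modules": list(modules), "component": component,
            "shaded_in": outer,
            "cves": [v for v in vulns if CVE.match(v)],
            # Findings without a CVE id, e.g. "Remote code execution".
            "other": [v for v in vulns if v and not CVE.match(v)],
        })
    return findings


def rank_components(findings):
    """Aggregate per component and sort by number of distinct CVEs."""
    agg = defaultdict(lambda: {"cves": set(), "other": set(),
                               "direct_in": set(), "shaded_in": set()})
    for f in findings:
        entry = agg[f["component"]]
        entry["cves"].update(f["cves"])
        entry["other"].update(f["other"])
        if f["shaded_in"]:
            entry["shaded_in"].add(f["shaded_in"])
        else:
            entry["direct_in"].update(f["modules"])
    return sorted(agg.items(), key=lambda kv: (-len(kv[1]["cves"]), kv[0]))


if __name__ == "__main__":
    for name, info in rank_components(parse_report(SAMPLE)):
        print(f"{name}: {len(info['cves'])} CVE(s), "
              f"direct in {sorted(info['direct_in'])}, "
              f"bundled in {sorted(info['shaded_in'])}")
```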
In reply to this post by Maxim Muzafarov
Hello, Maxim!
> This PR [2] doesn't look a very simple +5,517 −2,038, 111 files changed.

Yes, PR is huge, but I wrote a lot of new tests and reworked already presented. Changes in product code are minimal - only 30 changed files in /src/main/ part. And most of them are new control.sh commands and configuration.

> Do we have customer requests for this feature or maybe users who are waiting for exactly that ENUM values exactly in 2.8 release (not the 2.8.1 for instance)?

Can we introduce in new features in maintenance release (2.8.1)? Cluster read-only mode will be new feature, if we remove IgniteCluster#readOnly in 2.8 release. If all ok with that, let's remove IgniteCluster#readOnly and move ticket [1] to 2.8.1 release.

> Do we have extended test results report (on just only TC.Bot green visa) on this feature to be sure that we will not add any blocker issues to the release?

I'm preparing patch for 2.8 release and I will get new TC Bot visa vs release branch.

[1] https://issues.apache.org/jira/browse/IGNITE-12225

Thu, 9 Jan 2020 at 19:38, Maxim Muzafarov <[hidden email]>:

> Folks,
>
> Let me remind you that we are working on the 2.8 release branch stabilization currently (please, keep it in mind).
>
> Do we have a really STRONG reason for adding such a change [1] to the ignite-2.8 branch? This PR [2] doesn't look a very simple +5,517 −2,038, 111 files changed.
> Do we have customer requests for this feature or maybe users who are waiting for exactly that ENUM values exactly in 2.8 release (not the 2.8.1 for instance)?
> Can we just simply remove IgniteCluster#readOnly to eliminate any backward compatibility issues between 2.8 and 2.9 releases?
> Do we have extended test results report (on just only TC.Bot green visa) on this feature to be sure that we will not add any blocker issues to the release? For instance, on pre-production environment.
>
> I'd like to notice that we also have more than enough the release blocker issues [3] which are still `in progress` and such a release run becomes endless. Such changes without strong reasons looks too scary for me especially after scope and code freeze dates.
>
> Please, dispel my doubts.
>
> [1] https://issues.apache.org/jira/browse/IGNITE-12225
> [2] https://github.com/apache/ignite/pull/7194
> [3] https://cwiki.apache.org/confluence/display/IGNITE/Apache+Ignite+2.8#ApacheIgnite2.8-Unresolvedissues(notrelatedtodocumentation)
>
> On Thu, 9 Jan 2020 at 19:01, Alexey Zinoviev <[hidden email]> wrote:
> >
> > +1
> >
> > Thu, 9 Jan 2020 at 18:52, Sergey Antonov <[hidden email]>:
> >
> > > +1
> > >
> > > I'm preparing patch for 2.8 branch now. TC Bot visa for 2.8 branch will be at 13 Jan
> > >
> > > Thu, 9 Jan 2020, 21:06 Ivan Pavlukhin <[hidden email]>:
> > >
> > > > +1
> > > >
> > > > Thu, 9 Jan 2020 at 16:38, Ivan Rakov <[hidden email]>:
> > > >
> > > > > Maxim M. and anyone who is interested,
> > > > >
> > > > > I suggest to include this fix to 2.8 release:
> > > > > https://issues.apache.org/jira/browse/IGNITE-12225
> > > > > Basically, it's a result of the following discussion:
> > > > > http://apache-ignite-developers.2346864.n4.nabble.com/DISCUSSION-Single-point-in-API-for-changing-cluster-state-td43665.html
> > > > >
> > > > > The fix affects public API: IgniteCluster#readOnly methods that work with boolean are replaced with ones that work with enum.
> > > > > If we include it, we won't be obliged to keep deprecated boolean version of API in the code (which is currently present in 2.8 branch) as it wasn't published in any release.
> > > > >
> > > > > On Tue, Dec 31, 2019 at 3:54 PM Ilya Kasnacheev <[hidden email]> wrote:
> > > > >
> > > > > > Hello!
> > > > > >
> > > > > > I have run dependency checker plugin and quote the following:
> > > > > >
> > > > > > Main offenders seem to be "jackson-databind" and old maintenance releases of Spring. I think we can bump most of that.
> > > > > >
> > > > > > Some integrations also clearly suffer, though it's a problem of their users, since they need to declare their own libraries' versions by convention.
> > > > > >
> > > > > > Regards,
> > > > > > --
> > > > > > Ilya Kasnacheev
> > > > > >
> > > > > >
> > > > > > Fri, 27 Dec 2019 at 23:59, Denis Magda <[hidden email]>:
> > > > > >
> > > > > > > Ilya, no I see, thanks for the explanation. Agree with you, let's update
> > > > > > > the versions of the dependencies to the latest.
> > > > > > >
> > > > > > > -
> > > > > > > Denis
> > > > > > >
> > > > > > >
> > > > > > > On Thu, Dec 26, 2019 at 10:50 PM Ilya Kasnacheev <[hidden email]>
> > > > > > > wrote:
> > > > > > >
> > > > > > > > Hello!
> > > > > > > >
> > > > > > > > I have committed ignite-spring-data_2.2 to ignite-2.8.
> > > > > > > >
> > > > > > > > By bumping versions I mean the following:
> > > > > > > > <slf4j.version>1.7.*7*</slf4j.version>
> > > > > > > > <slf4j16.version>1.6.*4*</slf4j16.version>
> > > > > > > > <snappy.version>1.1.7.*2*</snappy.version>
> > > > > > > > <spark.hadoop.version>2.6.*5*</spark.hadoop.version>
> > > > > > > > <spark.version>2.3.*0*</spark.version>
> > > > > > > > <spring.data.version>1.13.*14*.RELEASE</spring.data.version> <!-- don't forget to update spring version -->
> > > > > > > > <spring.version>4.3.*18*.RELEASE</spring.version><!-- don't forget to update spring-data version -->
> > > > > > > > <spring.data-2.0.version>2.0.*9*.RELEASE</spring.data-2.0.version> <!-- don't forget to update spring-5.0 version -->
> > > > > > > > <spring-5.0.version>5.0.*8*.RELEASE</spring-5.0.version><!-- don't forget to update spring-data-2.0 version -->
> > > > > > > >
> > > > > > > > All these libraries have maintenance release (such as our 2.7.*6*) and I
> > > > > > > > think it would be beneficial to upgrade these dependencies to the latest
> > > > > > > > maintenance version found in Maven Central.
> > > > > > > > For example, there is spring.data-2.0 2.0.*14*.RELEASE.
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > > --
> > > > > > > > Ilya Kasnacheev
> > > > > > > >
> > > > > > > >
> > > > > > > > Thu, 26 Dec 2019 at 19:32, Denis Magda <[hidden email]>:
> > > > > > > >
> > > > > > > > > A huge +1 for adding Spring Data related fixes/improvements. Ilya is right
> > > > > > > > > that Spring Data related questions sparked last time due to missing support
> > > > > > > > > of 2.2 version.
> > > > > > > > >
> > > > > > > > > Ilya, could you elaborate on what you mean under "bumping the versions"? Do
> > > > > > > > > you suggest performing a straightforward upgrade of "ignite-spring-data" to
> > > > > > > > > version 2.2 and introducing "ignite-spring-data-{old-version}" for the
> > > > > > > > > previous versions? If it's so, I fully agree with the proposal.
> > > > > > > > >
> > > > > > > > > -
> > > > > > > > > Denis
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > On Thu, Dec 26, 2019 at 4:52 AM Ilya Kasnacheev <[hidden email]>
> > > > > > > > > wrote:
> > > > > > > > >
> > > > > > > > > > Hello!
> > > > > > > > > >
> > > > > > > > > > I propose to add the following ticket to the scope:
> > > > > > > > > > https://issues.apache.org/jira/browse/IGNITE-12259 (3 commits, be careful
> > > > > > > > > > with release version)
> > > > > > > > > >
> > > > > > > > > > Adding tickets to scope surely seems crazy now, but I will provide the
> > > > > > > > > > following considerations:
> > > > > > > > > > * This is Spring Data 2.2 integration, which we currently do not have,
> > > > > > > > > > leading to lots of confused questions on stack overflow and mailing list.
> > > > > > > > > > Spring Data is important to our public image since many people may learn
> > > > > > > > > > about our project by starting with Spring Data.
> > > > > > > > > >
> > > > > > > > > > * It has zero code impact outside of its own module (just 2 POM file
> > > > > > > > > > touched and that's all).
> > > > > > > > > >
> > > > > > > > > > * The core was ready since early November but, due to gmail quirk, we did
> > > > > > > > > > not react to it in time.
> > > > > > > > > >
> > > > > > > > > > WDYT?
> > > > > > > > > >
> > > > > > > > > > Another semi-related question. *Should we bump our dependencies' versions
> > > > > > > > > > before releasing 2.8?* I talk mainly about spring and hibernate
> > > > > > > > > > dependencies. We could switch them to their latest maintenance versions to
> > > > > > > > > > avoid shipping default links to outdated packages.
> > > > > > > > > >
> > > > > > > > > > I think this is one of things that are very hard to do between releases, so
> > > > > > > > > > I think this dependencies bumping should be a part of a formal
> > > > > > > > > > release/testing cycle, and then be backported to master.
> > > > > > > > > >
> > > > > > > > > > I could volunteer to do that myself, if we agree to merge these version
> > > > > > > > > > upgrades to ignite-2.8 and then re-test.
> > > > > > > > > >
> > > > > > > > > > Regards,
> > > > > > > > > > --
> > > > > > > > > > Ilya Kasnacheev
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Tue, 24 Dec 2019 at 13:22, Zhenya Stanilovsky <[hidden email]>:
> > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > Igniters, I'll try to compare 2.8 release candidate vs 2.7.6,
> > > > > > > > > > > last sha 2.8 was build from : 9d114f3137f92aebc2562a
> > > > > > > > > > > I use yardstick benchmarks, 4 bare machine with: 2x Xeon X5570 96Gb 512GB
> > > > > > > > > > > SSD 2048GB HDD 10GB/s
> > > > > > > > > > > 1 for client (driver) and 3 for servers.
> > > > > > > > > > > this mappings for graphs and real yardstick tests:
> > > > > > > > > > >
> > > > > > > > > > > atomic-put: IgnitePutBenchmark
> > > > > > > > > > > sql-merge-query: IgniteSqlMergeQueryBenchmark
> > > > > > > > > > > atomic-get: IgniteGetBenchmark
> > > > > > > > > > > tx-get: IgniteGetTxBenchmark
> > > > > > > > > > > tx-put: IgnitePutTxBenchmark
> > > > > > > > > > > atomic-put-all-bs-10: IgnitePutAllBenchmark
> > > > > > > > > > > tx-put-all-bs-10: IgnitePutAllTxBenchmark
> > > > > > > > > > >
> > > > > > > > > > > cacheMode — partitioned
> > > > > > > > > > > CacheWriteSynchronizationMode.FULL_SYNC
> > > > > > > > > > > 1 backup
> > > > > > > > > > >
> > > > > > > > > > > 1. wal = log_only 2. wal = none 3. persistence disabled.
> > > > > > > > > > > Thanks Maxim for wiki page [1]
> > > > > > > > > > >
> > > > > > > > > > > [1]
> > > > > > > > > > > https://cwiki.apache.org/confluence/display/IGNITE/Apache+Ignite+2.8#ApacheIgnite2.8-Benchmarks
> > > > > > > > > > >
> > > > > > > > > > > do we need some bisect or other work here ?
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > >------- Forwarded message -------
> > > > > > > > > > > >From: "Maxim Muzafarov" < [hidden email] >
> > > > > > > > > > > >To: [hidden email]
> > > > > > > > > > > >Cc:
> > > > > > > > > > > >Subject: Apache Ignite 2.8 RELEASE [Time, Scope, Manager]
> > > > > > > > > > > >Date: Fri, 20 Sep 2019 14:44:31 +0300
> > > > > > > > > > > >
> > > > > > > > > > > >Igniters,
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >It's almost a year has passed since the last major Apache Ignite 2.7
> > > > > > > > > > > >has been released. We've accumulated a lot of performance improvements
> > > > > > > > > > > >and a lot of new features which are waiting for their release date.
> > > > > > > > > > > >Here is my list of the most interesting things from my point since the
> > > > > > > > > > > >last major release:
> > > > > > > > > > > >
> > > > > > > > > > > >Service Grid,
> > > > > > > > > > > >Monitoring,
> > > > > > > > > > > >Recovery Read
> > > > > > > > > > > >BLT auto-adjust,
> > > > > > > > > > > >PDS compression,
> > > > > > > > > > > >WAL page compression,
> > > > > > > > > > > >Thin client: best effort affinity,
> > > > > > > > > > > >Thin client: transactions support (not yet)
> > > > > > > > > > > >SQL query history
> > > > > > > > > > > >SQL statistics
> > > > > > > > > > > >
> > > > > > > > > > > >I think we should no longer wait and freeze the master branch anymore
> > > > > > > > > > > >and prepare the next major release by the end of the year.
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >I propose to discuss Time, Scope of Apache Ignite 2.8 release and also
> > > > > > > > > > > >I want to propose myself to be the release manager of the planning
> > > > > > > > > > > >release.
> > > > > > > > > > > >
> > > > > > > > > > > >Scope Freeze: November 4, 2019
> > > > > > > > > > > >Code Freeze: November 18, 2019
> > > > > > > > > > > >Voting Date: December 10, 2019
> > > > > > > > > > > >Release Date: December 17, 2019
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >WDYT?
> > > >
> > > > --
> > > > Best regards,
> > > > Ivan Pavlukhin

--
BR, Sergey Antonov
Hello, Igniters.

I’m -1 to include the read-only patch to 2.8. I think we shouldn’t accept any patches to 2.8 except bug fixes for blockers and major issues. Guys, we don’t release Apache Ignite for 13 months! We should focus on the release and make it ASAP. We can’t extend the scope anymore.

> On 10 Jan 2020, at 04:29, Sergey Antonov <[hidden email]> wrote:
>
> Hello, Maxim!
>
>> This PR [2] doesn't look a very simple +5,517 −2,038, 111 files changed.
> Yes, PR is huge, but I wrote a lot of new tests and reworked already
> presented. Changes in product code are minimal - only 30 changed files in
> /src/main/ part. And most of them are new control.sh commands and
> configuration.
>
>> Do we have customer requests for this feature or maybe users who are
>> waiting for exactly that ENUM values exactly in 2.8 release (not the 2.8.1
>> for instance)?
> Can we introduce in new features in maintenance release (2.8.1)? Cluster
> read-only mode will be new feature, if we remove IgniteCluster#readOnly in
> 2.8 release. If all ok with that, lets remove IgniteCluster#readOnly and
> move ticket [1] to 2.8.1 release.
>
>> Do we have extended test results report (on just only TC.Bot green visa)
>> on this feature to be sure that we will not add any blocker issues to the
>> release?
> I'm preparing patch for 2.8 release and I will get new TC Bot visa vs
> release branch.
>
> [1] https://issues.apache.org/jira/browse/IGNITE-12225
>
>
>
> Thu, 9 Jan 2020 at 19:38, Maxim Muzafarov <[hidden email]>:
>
>> Folks,
>>
>>
>> Let me remind you that we are working on the 2.8 release branch
>> stabilization currently (please, keep it in mind).
>>
>>
>> Do we have a really STRONG reason for adding such a change [1] to the
>> ignite-2.8 branch? This PR [2] doesn't look a very simple +5,517
>> −2,038, 111 files changed.
>> Do we have customer requests for this feature or maybe users who are
>> waiting for exactly that ENUM values exactly in 2.8 release (not the
>> 2.8.1 for instance)?
>> Can we just simply remove IgniteCluster#readOnly to eliminate any
>> backward compatibility issues between 2.8 and 2.9 releases?
>> Do we have extended test results report (on just only TC.Bot green
>> visa) on this feature to be sure that we will not add any blocker
>> issues to the release? For instance, on pre-production environment.
>>
>> I'd like to notice that we also have more than enough the release
>> blocker issues [3] which are still `in progress` and such a release
>> run becomes endless. Such changes without strong reasons looks too
>> scary for me a special after scope and code freeze dates.
>>
>> Please, dispel my doubts.
>>
>> [1] https://issues.apache.org/jira/browse/IGNITE-12225
>> [2] https://github.com/apache/ignite/pull/7194
>> [3]
>> https://cwiki.apache.org/confluence/display/IGNITE/Apache+Ignite+2.8#ApacheIgnite2.8-Unresolvedissues(notrelatedtodocumentation)
>>
>> On Thu, 9 Jan 2020 at 19:01, Alexey Zinoviev <[hidden email]>
>> wrote:
>>>
>>> +1
>>>
>>> Thu, 9 Jan 2020 at 18:52, Sergey Antonov <[hidden email]>:
>>>
>>>> +1
>>>>
>>>> I'm preparing patch for 2.8 branch now. TC Bot visa for 2.8 branch will be
>>>> at 13 Jan
>>>>
>>>> Thu, 9 Jan 2020, 21:06 Ivan Pavlukhin <[hidden email]>:
>>>>
>>>>> +1
>>>>>
>>>>> Thu, 9 Jan 2020 at 16:38, Ivan Rakov <[hidden email]>:
>>>>>>
>>>>>> Maxim M. and anyone who is interested,
>>>>>>
>>>>>> I suggest to include this fix to 2.8 release:
>>>>>> https://issues.apache.org/jira/browse/IGNITE-12225
>>>>>> Basically, it's a result of the following discussion:
>>>>>> http://apache-ignite-developers.2346864.n4.nabble.com/DISCUSSION-Single-point-in-API-for-changing-cluster-state-td43665.html
>>>>>>
>>>>>> The fix affects public API: IgniteCluster#readOnly methods that work with
>>>>>> boolean are replaced with ones that work with enum.
>>>>>> If we include it, we won't be obliged to keep deprecated boolean version of
>>>>>> API in the code (which is currently present in 2.8 branch) as it wasn't
>>>>>> published in any release.
>>>>>>
>>>>>> On Tue, Dec 31, 2019 at 3:54 PM Ilya Kasnacheev <[hidden email]>
>>>>>> wrote:
>>>>>>
>>>>>>> Hello!
>>>>>>>
>>>>>>> I have run dependency checker plugin and quote the following:
>>>>>>>
>>>>>>> Main offenders seem to be "jackson-databind" and old maintenance releases
>>>>>>> of Spring. I think we can bump most of that.
>>>>>>>
>>>>>>> Some integrations also clearly suffer, though it's a problem of their
>>>>>>> users, since they need to declare their own libraries' versions by
>>>>>>> convention.
>>>>>>>
>>>>>>> Regards,
>>>>>>> --
>>>>>>> Ilya Kasnacheev
>>>>>>>
>>>>>>>
>>>>>>> Fri, 27 Dec 2019 at 23:59, Denis Magda <[hidden email]>:
>>>>>>>
>>>>>>>> Ilya, no I see, thanks for the explanation. Agree with you, let's update
>>>>>>>> the versions of the dependencies to the latest.
>>>>>>>>
>>>>>>>> -
>>>>>>>> Denis
>>>>>>>>
>>>>>>>>
>>>>>>>> On Thu, Dec 26, 2019 at 10:50 PM Ilya Kasnacheev <[hidden email]>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Hello!
>>>>>>>>>
>>>>>>>>> I have committed ignite-spring-data_2.2 to ignite-2.8.
>>>>>>>>>
>>>>>>>>> By bumping versions I mean the following:
>>>>>>>>> <slf4j.version>1.7.*7*</slf4j.version>
>>>>>>>>> <slf4j16.version>1.6.*4*</slf4j16.version>
>>>>>>>>> <snappy.version>1.1.7.*2*</snappy.version>
>>>>>>>>> <spark.hadoop.version>2.6.*5*</spark.hadoop.version>
>>>>>>>>> <spark.version>2.3.*0*</spark.version>
>>>>>>>>> <spring.data.version>1.13.*14*.RELEASE</spring.data.version> <!-- don't forget to update spring version -->
>>>>>>>>> <spring.version>4.3.*18*.RELEASE</spring.version><!-- don't forget to update spring-data version -->
>>>>>>>>> <spring.data-2.0.version>2.0.*9*.RELEASE</spring.data-2.0.version> <!-- don't forget to update spring-5.0 version -->
>>>>>>>>> <spring-5.0.version>5.0.*8*.RELEASE</spring-5.0.version><!-- don't forget to update spring-data-2.0 version -->
>>>>>>>>>
>>>>>>>>> All these libraries have maintenance release (such as our 2.7.*6*) and I
>>>>>>>>> think it would be beneficial to upgrade these dependencies to the latest
>>>>>>>>> maintenance version found in Maven Central.
>>>>>>>>> For example, there is spring.data-2.0 2.0.*14*.RELEASE.
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> --
>>>>>>>>> Ilya Kasnacheev
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Thu, 26 Dec 2019 at 19:32, Denis Magda <[hidden email]>:
>>>>>>>>>
>>>>>>>>>> A huge +1 for adding Spring Data related fixes/improvements. Ilya is
>>>>>>>>>> right that Spring Data related questions sparked last time due to missing
>>>>>>>>>> support of 2.2 version.
>>>>>>>>>>
>>>>>>>>>> Ilya, could you elaborate on what you mean under "bumping the versions"?
>>>>>>>>>> Do you suggest performing a straightforward upgrade of "ignite-spring-data"
>>>>>>>>>> to version 2.2 and introducing "ignite-spring-data-{old-version}" for the
>>>>>>>>>> previous versions? If it's so, I fully agree with the proposal.
>>>>>>>>>>
>>>>>>>>>> -
>>>>>>>>>> Denis
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Thu, Dec 26, 2019 at 4:52 AM Ilya Kasnacheev <[hidden email]>
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hello!
>>>>>>>>>>>
>>>>>>>>>>> I propose to add the following ticket to the scope:
>>>>>>>>>>> https://issues.apache.org/jira/browse/IGNITE-12259 (3 commits, be careful
>>>>>>>>>>> with release version)
>>>>>>>>>>>
>>>>>>>>>>> Adding tickets to scope surely seems crazy now, but I will provide the
>>>>>>>>>>> following considerations:
>>>>>>>>>>> * This is Spring Data 2.2 integration, which we currently do not have,
>>>>>>>>>>> leading to lots of confused questions on stack overflow and mailing list.
>>>>>>>>>>> Spring Data is important to our public image since many people may learn
>>>>>>>>>>> about our project by starting with Spring Data.
>>>>>>>>>>>
>>>>>>>>>>> * It has zero code impact outside of its own module (just 2 POM file
>>>>>>>>>>> touched and that's all).
>>>>>>>>>>>
>>>>>>>>>>> * The core was ready since early November but, due to gmail quirk, we did
>>>>>>>>>>> not react to it in time.
>>>>>>>>>>>
>>>>>>>>>>> WDYT?
>>>>>>>>>>>
>>>>>>>>>>> Another semi-related question. *Should we bump our dependencies' versions
>>>>>>>>>>> before releasing 2.8?* I talk mainly about spring and hibernate
>>>>>>>>>>> dependencies. We could switch them to their latest maintenance versions to
>>>>>>>>>>> avoid shipping default links to outdated packages.
>>>>>>>>>>>
>>>>>>>>>>> I think this is one of things that are very hard to do between releases, so
>>>>>>>>>>> I think this dependencies bumping should be a part of a formal
>>>>>>>>>>> release/testing cycle, and then be backported to master.
>>>>>>>>>>>
>>>>>>>>>>> I could volunteer to do that myself, if we agree to merge these version
>>>>>>>>>>> upgrades to ignite-2.8 and then re-test.
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>> --
>>>>>>>>>>> Ilya Kasnacheev
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Tue, 24 Dec 2019 at 13:22, Zhenya Stanilovsky <[hidden email]>:
>>>>>>>>>>>
>>>>>>>>>>>> Igniters, I'll try to compare 2.8 release candidate vs 2.7.6,
>>>>>>>>>>>> last sha 2.8 was built from : 9d114f3137f92aebc2562a
>>>>>>>>>>>> I use yardstick benchmarks, 4 bare machine with: 2x Xeon X5570 96Gb 512GB
>>>>>>>>>>>> SSD 2048GB HDD 10GB/s
>>>>>>>>>>>> 1 for client (driver) and 3 for servers.
>>>>>>>>>>>> this mappings for graphs and real yardstick tests:
>>>>>>>>>>>>
>>>>>>>>>>>> atomic-put: IgnitePutBenchmark
>>>>>>>>>>>> sql-merge-query: IgniteSqlMergeQueryBenchmark
>>>>>>>>>>>> atomic-get: IgniteGetBenchmark
>>>>>>>>>>>> tx-get: IgniteGetTxBenchmark
>>>>>>>>>>>> tx-put: IgnitePutTxBenchmark
>>>>>>>>>>>> atomic-put-all-bs-10: IgnitePutAllBenchmark
>>>>>>>>>>>> tx-put-all-bs-10: IgnitePutAllTxBenchmark
>>>>>>>>>>>>
>>>>>>>>>>>> cacheMode — partitioned
>>>>>>>>>>>> CacheWriteSynchronizationMode.FULL_SYNC
>>>>>>>>>>>> 1 backup
>>>>>>>>>>>>
>>>>>>>>>>>> 1. wal = log_only 2. wal = none 3. persistence disabled.
>>>>>>>>>>>> Thanks Maxim for wiki page [1]
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> [1]
>>>>>>>>>>>> https://cwiki.apache.org/confluence/display/IGNITE/Apache+Ignite+2.8#ApacheIgnite2.8-Benchmarks
>>>>>>>>>>>>
>>>>>>>>>>>> do we need some bisect or other work here ?
>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> ------- Forwarded message -------
>>>>>>>>>>>>> From: "Maxim Muzafarov" <[hidden email]>
>>>>>>>>>>>>> To: [hidden email]
>>>>>>>>>>>>> Cc:
>>>>>>>>>>>>> Subject: Apache Ignite 2.8 RELEASE [Time, Scope, Manager]
>>>>>>>>>>>>> Date: Fri, 20 Sep 2019 14:44:31 +0300
>>>>>>>>>>>>>
>>>>>>>>>>>>> Igniters,
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> It's almost a year has passed since the last major Apache Ignite 2.7
>>>>>>>>>>>>> has been released. We've accumulated a lot of performance improvements
>>>>>>>>>>>>> and a lot of new features which are waiting for their release date.
>>>>>>>>>>>>> Here is my list of the most interesting things from my point since the
>>>>>>>>>>>>> last major release:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Service Grid,
>>>>>>>>>>>>> Monitoring,
>>>>>>>>>>>>> Recovery Read
>>>>>>>>>>>>> BLT auto-adjust,
>>>>>>>>>>>>> PDS compression,
>>>>>>>>>>>>> WAL page compression,
>>>>>>>>>>>>> Thin client: best effort affinity,
>>>>>>>>>>>>> Thin client: transactions support (not yet)
>>>>>>>>>>>>> SQL query history
>>>>>>>>>>>>> SQL statistics
>>>>>>>>>>>>>
>>>>>>>>>>>>> I think we should no longer wait and freeze the master branch anymore
>>>>>>>>>>>>> and prepare the next major release by the end of the year.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> I propose to discuss Time, Scope of Apache Ignite 2.8 release and also
>>>>>>>>>>>>> I want to propose myself to be the release manager of the planning
>>>>>>>>>>>>> release.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Scope Freeze: November 4, 2019
>>>>>>>>>>>>> Code Freeze: November 18, 2019
>>>>>>>>>>>>> Voting Date: December 10, 2019
>>>>>>>>>>>>> Release Date: December 17, 2019
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> WDYT?
>>>>>
>>>>> --
>>>>> Best regards,
>>>>> Ivan Pavlukhin
>
> --
> BR, Sergey Antonov
Agree with Nikolay, -1 from me, too.

> Hello, Igniters.
>
> I’m -1 to include the read-only patch to 2.8.
> I think we shouldn’t accept any patches to 2.8 except bug fixes for blockers and major issues.
>
> Guys, we don’t release Apache Ignite for 13 months!
> We should focus on the release and make it ASAP.
>
> We can’t extend the scope anymore.
>
>> On 10 Jan 2020, at 04:29, Sergey Antonov <[hidden email]> wrote:
>>
>> Hello, Maxim!
>>
>>> This PR [2] doesn't look a very simple +5,517 −2,038, 111 files
>>> changed.
>> Yes, PR is huge, but I wrote a lot of new tests and reworked already
>> presented. Changes in product code are minimal - only 30 changed files in
>> /src/main/ part. And most of them are new control.sh commands and
>> configuration.
>>
>>> Do we have customer requests for this feature or maybe users who are
>>> waiting for exactly that ENUM values exactly in 2.8 release (not the 2.8.1
>>> for instance)?
>> Can we introduce in new features in maintenance release (2.8.1)? Cluster
>> read-only mode will be new feature, if we remove IgniteCluster#readOnly in
>> 2.8 release. If all ok with that, let's remove IgniteCluster#readOnly and
>> move ticket [1] to 2.8.1 release.
>>
>>> Do we have extended test results report (on just only TC.Bot green visa)
>>> on this feature to be sure that we will not add any blocker issues to the
>>> release?
>> I'm preparing patch for 2.8 release and I will get new TC Bot visa vs
>> release branch.
>>
>> [1] https://issues.apache.org/jira/browse/IGNITE-12225
>>
>>
>>
>> Thu, 9 Jan 2020 at 19:38, Maxim Muzafarov <[hidden email]>:
>>
>>> Folks,
>>>
>>>
>>> Let me remind you that we are working on the 2.8 release branch
>>> stabilization currently (please, keep it in mind).
>>>
>>>
>>> Do we have a really STRONG reason for adding such a change [1] to the
>>> ignite-2.8 branch? This PR [2] doesn't look a very simple +5,517
>>> −2,038, 111 files changed.
>>> Do we have customer requests for this feature or maybe users who are
>>> waiting for exactly that ENUM values exactly in 2.8 release (not the
>>> 2.8.1 for instance)?
>>> Can we just simply remove IgniteCluster#readOnly to eliminate any
>>> backward compatibility issues between 2.8 and 2.9 releases?
>>> Do we have extended test results report (on just only TC.Bot green
>>> visa) on this feature to be sure that we will not add any blocker
>>> issues to the release? For instance, on pre-production environment.
>>>
>>> I'd like to notice that we also have more than enough the release
>>> blocker issues [3] which are still `in progress` and such a release
>>> run becomes endless. Such changes without strong reasons looks too
>>> scary for me especially after scope and code freeze dates.
>>>
>>> Please, dispel my doubts.
>>>
>>> [1] https://issues.apache.org/jira/browse/IGNITE-12225
>>> [2] https://github.com/apache/ignite/pull/7194
>>> [3]
>>> https://cwiki.apache.org/confluence/display/IGNITE/Apache+Ignite+2.8#ApacheIgnite2.8-Unresolvedissues(notrelatedtodocumentation)
>>>
>>> On Thu, 9 Jan 2020 at 19:01, Alexey Zinoviev <[hidden email]>
>>> wrote:
>>>>
>>>> +1
>>>>
>>>> Thu, 9 Jan 2020 at 18:52, Sergey Antonov <[hidden email]>:
>>>>
>>>>> +1
>>>>>
>>>>> I'm preparing patch for 2.8 branch now. TC Bot visa for 2.8 branch will be
>>>>> at 13 Jan
>>>>>
>>>>> Thu, 9 Jan 2020, 21:06 Ivan Pavlukhin <[hidden email]>:
>>>>>
>>>>>> +1
>>>>>>
>>>>>> Thu, 9 Jan 2020 at 16:38, Ivan Rakov <[hidden email]>:
>>>>>>>
>>>>>>> Maxim M.
>>>>>>> and anyone who is interested,
>>>>>>>
>>>>>>> I suggest to include this fix to 2.8 release:
>>>>>>> https://issues.apache.org/jira/browse/IGNITE-12225
>>>>>>> Basically, it's a result of the following discussion:
>>>>>>> http://apache-ignite-developers.2346864.n4.nabble.com/DISCUSSION-Single-point-in-API-for-changing-cluster-state-td43665.html
>>>>>>>
>>>>>>> The fix affects public API: IgniteCluster#readOnly methods that work with
>>>>>>> boolean are replaced with ones that work with enum.
>>>>>>> If we include it, we won't be obliged to keep deprecated boolean version of
>>>>>>> API in the code (which is currently present in 2.8 branch) as it wasn't
>>>>>>> published in any release.
>>>>>>>
>>>>>>> On Tue, Dec 31, 2019 at 3:54 PM Ilya Kasnacheev <[hidden email]>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hello!
>>>>>>>>
>>>>>>>> I have run dependency checker plugin and quote the following:
>>>>>>>>
>>>>>>>> Main offenders seem to be "jackson-databind" and old maintenance releases
>>>>>>>> of Spring. I think we can bump most of that.
>>>>>>>>
>>>>>>>> Some integrations also clearly suffer, though it's a problem of their
>>>>>>>> users, since they need to declare their own libraries' versions by
>>>>>>>> convention.
>>>>>>>> >>>>>>>> Regards, >>>>>>>> -- >>>>>>>> Ilya Kasnacheev >>>>>>>> >>>>>>>> >>>>>>>> пт, 27 дек. 2019 г. в 23:59, Denis Magda < [hidden email] >: >>>>>>>> >>>>>>>>> Ilya, no I see, thanks for the explanation. Agree with you, >>> let's >>>>>> update >>>>>>>>> the versions of the dependencies to the latest. >>>>>>>>> >>>>>>>>> - >>>>>>>>> Denis >>>>>>>>> >>>>>>>>> >>>>>>>>> On Thu, Dec 26, 2019 at 10:50 PM Ilya Kasnacheev < >>>>>>>>> [hidden email] > >>>>>>>>> wrote: >>>>>>>>> >>>>>>>>>> Hello! >>>>>>>>>> >>>>>>>>>> I have committed ignite-spring-data_2.2 to ignite-2.8. >>>>>>>>>> >>>>>>>>>> By bumping versisons I mean the following: >>>>>>>>>> <slf4j.version>1.7.*7*</slf4j.version> >>>>>>>>>> <slf4j16.version>1.6.*4*</slf4j16.version> >>>>>>>>>> <snappy.version>1.1.7.*2*</snappy.version> >>>>>>>>>> <spark.hadoop.version>2.6.*5*</spark.hadoop.version> >>>>>>>>>> <spark.version>2.3.*0*</spark.version> >>>>>>>>>> >>>>>> <spring.data.version>1.13.*14*.RELEASE</spring.data.version> >>>>>>>> <!-- >>>>>>>>>> don't forget to update spring version --> >>>>>>>>>> <spring.version>4.3.*18*.RELEASE</spring.version><!-- >>>>> don't >>>>>>>>> forget >>>>>>>>>> to update spring-data version --> >>>>>>>>>> >>>>>>>>> >>> <spring.data-2.0.version>2.0.*9*.RELEASE</spring.data-2.0.version> >>>>>>>>>> <!-- don't forget to update spring-5.0 version --> >>>>>>>>>> >>>>>> <spring-5.0.version>5.0.*8*.RELEASE</spring-5.0.version><!-- >>>>>>>>> don't >>>>>>>>>> forget to update spring-data-2.0 version --> >>>>>>>>>> >>>>>>>>>> All these libraries have maintenance release (such as our >>>>> 2.7.*6*) >>>>>> and >>>>>>>> I >>>>>>>>>> think it would be beneficial to upgrade these dependencies >>> to the >>>>>>>> latest >>>>>>>>>> maintenance version found in Maven Central. >>>>>>>>>> For example, there is spring.data-2.0 2.0.*14*.RELEASE. >>>>>>>>>> >>>>>>>>>> Regards, >>>>>>>>>> -- >>>>>>>>>> Ilya Kasnacheev >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> чт, 26 дек. 2019 г. 
в 19:32, Denis Magda < [hidden email] >>>> : >>>>>>>>>> >>>>>>>>>>> A huge +1 for adding Spring Data related >>> fixes/improvements. >>>>>> Ilya is >>>>>>>>>> right >>>>>>>>>>> that Spring Data related questions sparked last time due to >>>>>> missing >>>>>>>>>> support >>>>>>>>>>> of 2.2 version. >>>>>>>>>>> >>>>>>>>>>> Ilya, could you elaborate on what you mean under "bumping >>> the >>>>>>>>> versions"? >>>>>>>>>> Do >>>>>>>>>>> you suggest performing a straightforward upgrade of >>>>>>>>> "ignite-spring-data" >>>>>>>>>> to >>>>>>>>>>> version 2.2 and introducing >>> "ignite-spring-data-{old-version"} >>>>>> for >>>>>>>> the >>>>>>>>>>> previous versions? If it's so, I fully agree with the >>> proposal. >>>>>>>>>>> >>>>>>>>>>> - >>>>>>>>>>> Denis >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> On Thu, Dec 26, 2019 at 4:52 AM Ilya Kasnacheev < >>>>>>>>>> [hidden email] >>>>>>>>>>>> >>>>>>>>>>> wrote: >>>>>>>>>>> >>>>>>>>>>>> Hello! >>>>>>>>>>>> >>>>>>>>>>>> I propose to add the following ticket to the scope: >>>>>>>>>>>> https://issues.apache.org/jira/browse/IGNITE-12259 (3 >>>>>> commits, be >>>>>>>>>>> careful >>>>>>>>>>>> with release version) >>>>>>>>>>>> >>>>>>>>>>>> Adding tickets to scope surely seems crazy now, but I >>> will >>>>>> provide >>>>>>>>> the >>>>>>>>>>>> following considerations: >>>>>>>>>>>> * This is Spring Data 2.2 integration, which we >>> currently do >>>>>> not >>>>>>>>> have, >>>>>>>>>>>> leading to lots of confused questions on stack overflow >>> and >>>>>> mailing >>>>>>>>>> list. >>>>>>>>>>>> Spring Data is important to our public image since many >>>>> people >>>>>> may >>>>>>>>>> learn >>>>>>>>>>>> about out project by starting with Spring Data. >>>>>>>>>>>> >>>>>>>>>>>> * It has zero code impact outside of its own module >>> (just 2 >>>>> POM >>>>>>>> file >>>>>>>>>>>> touched and that's all). 
>>>>>>>>>>>> >>>>>>>>>>>> * The core was ready since early November but, due to >>> gmail >>>>>> quirk, >>>>>>>> we >>>>>>>>>> did >>>>>>>>>>>> not react to it in time. >>>>>>>>>>>> >>>>>>>>>>>> WDYT? >>>>>>>>>>>> >>>>>>>>>>>> Another semi-related question. *Should we bump our >>>>>> dependencies' >>>>>>>>>> versions >>>>>>>>>>>> before releasing 2.8?* I talk mainly about spring and >>>>> hibernate >>>>>>>>>>>> dependencies. We could switch them to their latest >>>>> maintenance >>>>>>>>> versions >>>>>>>>>>> to >>>>>>>>>>>> avoid shipping default links to outdated packages. >>>>>>>>>>>> >>>>>>>>>>>> I think this is one of things that are very hard to do >>>>> between >>>>>>>>>> releases, >>>>>>>>>>> so >>>>>>>>>>>> I think this dependencies bumping should be a part of a >>>>> formal >>>>>>>>>>>> release/testing cycle, and then be backported to master. >>>>>>>>>>>> >>>>>>>>>>>> I could volunteer to do that myself, if we agree to merge >>>>> these >>>>>>>>> version >>>>>>>>>>>> upgrades to ignite-2.8 and then re-test. >>>>>>>>>>>> >>>>>>>>>>>> Regards, >>>>>>>>>>>> -- >>>>>>>>>>>> Ilya Kasnacheev >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> вт, 24 дек. 2019 г. в 13:22, Zhenya Stanilovsky >>>>>>>>>>> < [hidden email] >>>>>>>>>>>>> : >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> Igniters, i`l try to compare 2.8 release candidate vs >>>>> 2.7.6, >>>>>>>>>>>>> last sha 2.8 was build from : 9d114f3137f92aebc2562a >>>>>>>>>>>>> i use yardstick benchmarks, 4 bare machine with: 2x >>> Xeon >>>>>> X5570 >>>>>>>>> 96Gb >>>>>>>>>>>> 512GB >>>>>>>>>>>>> SSD 2048GB HDD 10GB/s >>>>>>>>>>>>> 1 for client (driver) and 3 for servers. 
>>>>>>>>>>>>> this mappings for graphs and real yardstick tests: >>>>>>>>>>>>> >>>>>>>>>>>>> atomic-put: IgnitePutBenchmark >>>>>>>>>>>>> sql-merge-query: IgniteSqlMergeQueryBenchmark >>>>>>>>>>>>> atomic-get: IgniteGetBenchmark >>>>>>>>>>>>> tx-get: IgniteGetTxBenchmark >>>>>>>>>>>>> tx-put: IgnitePutTxBenchmark >>>>>>>>>>>>> atomic-put-all-bs-10: IgnitePutAllBenchmark >>>>>>>>>>>>> tx-put-all-bs-10: IgnitePutAllTxBenchmark >>>>>>>>>>>>> >>>>>>>>>>>>> cacheMode — partitioned >>>>>>>>>>>>> CacheWriteSynchronizationMode.FULL_SYNC >>>>>>>>>>>>> 1 backup >>>>>>>>>>>>> >>>>>>>>>>>>> 1. wal = log_only 2. wal = none 3. persistence >>> disabled. >>>>>>>>>>>>> Thanks Maxim for wiki page [1] >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> [1] >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>> >>>>> >>> https://cwiki.apache.org/confluence/display/IGNITE/Apache+Ignite+2.8#ApacheIgnite2.8-Benchmarks >>>>>>>>>>>>> >>>>>>>>>>>>> do we need some bisect or other work here ? >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> ------- Forwarded message ------- >>>>>>>>>>>>>> From: "Maxim Muzafarov" < [hidden email] > >>>>>>>>>>>>>> To: [hidden email] >>>>>>>>>>>>>> Cc: >>>>>>>>>>>>>> Subject: Apache Ignite 2.8 RELEASE [Time, Scope, >>> Manager] >>>>>>>>>>>>>> Date: Fri, 20 Sep 2019 14:44:31 +0300 >>>>>>>>>>>>>> >>>>>>>>>>>>>> Igniters, >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> It's almost a year has passed since the last major >>> Apache >>>>>> Ignite >>>>>>>>> 2.7 >>>>>>>>>>>>>> has been released. We've accumulated a lot of >>> performance >>>>>>>>>> improvements >>>>>>>>>>>>>> and a lot of new features which are waiting for their >>>>>> release >>>>>>>>> date. 
>>>>>>>>>>>>>> Here is my list of the most interesting things from my >>>>> point >>>>>>>> since >>>>>>>>>> the >>>>>>>>>>>>>> last major release: >>>>>>>>>>>>>> >>>>>>>>>>>>>> Service Grid, >>>>>>>>>>>>>> Monitoring, >>>>>>>>>>>>>> Recovery Read >>>>>>>>>>>>>> BLT auto-adjust, >>>>>>>>>>>>>> PDS compression, >>>>>>>>>>>>>> WAL page compression, >>>>>>>>>>>>>> Thin client: best effort affinity, >>>>>>>>>>>>>> Thin client: transactions support (not yet) >>>>>>>>>>>>>> SQL query history >>>>>>>>>>>>>> SQL statistics >>>>>>>>>>>>>> >>>>>>>>>>>>>> I think we should no longer wait and freeze the master >>>>>> branch >>>>>>>>>> anymore >>>>>>>>>>>>>> and prepare the next major release by the end of the >>> year. >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> I propose to discuss Time, Scope of Apache Ignite 2.8 >>>>>> release >>>>>>>> and >>>>>>>>>> also >>>>>>>>>>>>>> I want to propose myself to be the release manager of >>> the >>>>>>>> planning >>>>>>>>>>>>>> release. >>>>>>>>>>>>>> >>>>>>>>>>>>>> Scope Freeze: November 4, 2019 >>>>>>>>>>>>>> Code Freeze: November 18, 2019 >>>>>>>>>>>>>> Voting Date: December 10, 2019 >>>>>>>>>>>>>> Release Date: December 17, 2019 >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> WDYT? >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> Best regards, >>>>>> Ivan Pavlukhin >>>>>> >>>>> >>> >> >> >> -- >> BR, Sergey Antonov > |