Upgrade Karaf from 4.4.5 to 4.4.6 #4181
Conversation
|
@holgerfriedrich apropos Jetty.. We should consider ourselves fortunate that Jetty maintainers have patched Jetty 9.4.54.v20240208 to fix what is quite a dangerous security issue. However this may not be the case forever as Jetty 9.x.x has been deprecated since some years. Ideally we should migrate to Jetty 10 or 11. I think that in the past the reason for not migrating to Jetty 10 or 11 was that we had an older version of Karaf that would not support a newer version of Jetty; but I think that the Karaf version upgrade does now open the path towards a Jetty version upgrade too?? |
|
Jetty 10 will be part of Karaf 4.5, which will be released soon. |
You can probably add the older ASM version to the xtext feature to fix the feature verification. But it will still cause issues for itests and devs using Eclipse because bnd has the limitation that it can only resolve one version of a bundle. Xtext 2.35 will use ASM 9.7, see eclipse/xtext#2971 |
|
Thanks, @wborn for your comment. My idea was to force everything to asm 9.7 and it worked for the tests and |
|
Again Xtext is blocking progress... |
|
I think I will stop the activities here until xtext 2.35 is released. It will contain the matching asm 9.7. |
Perhaps even wait until Karaf 10.5 .. so we can also upgrade from Jetty v9.x to 10.x |
holgerfriedrich
force-pushed
the
k446
branch
3 times, most recently
from
8c40431
to
43c7e3b
Compare
holgerfriedrich
added
the
awaiting external dependency
|
Great, xtext provided a first milestone release 2.35.0.M0. |
holgerfriedrich
removed
the
awaiting external dependency
holgerfriedrich
added
enhancement
|
It seems ready for a try.
|
holgerfriedrich
changed the title
|
@wborn Sorry to bother you again with a Karaf upgrade, but I think I need your help on this. I thought I had everything prepared for 4.4.6, the PRs for all repos are up to date. Everything builds fine, tests are succeeding. But then I see an issue installing specific plugins, e.g. the mapdb binding:
Others are working fine. I do not see where I missed something.... |
|
I think this is the same as (or at least very similar to) #4158: The resolver seems to try to find an older (ancient) Java version and fails on that. |
|
@J-N-K I thought that #4158 is a startup issue for new installs or after cleaning the cache. Once I stopped OH, deleted cache and tmp folder, and finally restarted OH, it worked. The test installation is running fine, and still working after I restarted OH. Anyway, the resolver issue is annoying and still present in 4.4.6. I don't know how to debug and resolve this 😒 |
holgerfriedrich
force-pushed
the
k446
branch
2 times, most recently
from
5dcba73
to
07b5dfa
Compare
Seems like #4222 |
|
Local build is fine, distro works without any resolver issues. 🎉 The last verification step is an add-on build including all tests (which were excluded before). |
|
@openhab/core-maintainers Karaf 4.4.6 upgrade seems ready. All itests now pass, including add-ons. |
|
@wborn Do you think we should go for the Karaf upgrade before triggering the milestone build? It would make addon development easier, as anyone can run the current plugins with the last milestone. But it would increase the risk of further delays.... |
|
@holgerfriedrich As such an upgrade always comes with the risk of regressions, I would do it right AFTER the milestone release. But very happy to hear that so far all looks good for Karaf 4.4.6, great job! |
A 2.35.0.M1 was released |
|
Thanks, @lolodomo. It's already included in my latest update to this PR. |
* Sync runtime dependencies with Karaf 4.4.6, most notably: * Jetty 9.4.54.v20240208, addresses CVE-2024-22201 * Pax Logging 2.2.7 * Pax Web 8.0.27 * ASM 9.7 * BouncyCastle 1.77 * Upgrade xtext to 2.35.0.M1 * Resolve itest runbundles Signed-off-by: Holger Friedrich <mail@holger-friedrich.de>
|
@kaikreuzer> @holgerfriedrich As such an upgrade always comes with the risk of regressions, I would do it right AFTER the milestone release. But very happy to hear that so far all looks good for Karaf 4.4.6, great job! @openhab/core-maintainers We would need someone who can trigger the snapshot builds and merge in distro repo as well..... |
pom.xml
Outdated
| <slf4j.version>2.0.7</slf4j.version> | ||
| <xtext.version>2.34.0</xtext.version> | ||
| <slf4j.version>2.0.12</slf4j.version> | ||
| <slf4j-for-model.version>2.0.12</slf4j-for-model.version> |
There was a problem hiding this comment.
I don't think this is needed. We can just use slf4j.version instead or omit it completely (not sure if that works).
There was a problem hiding this comment.
No, I did not.
Anyway, you are right, this can be removed since we have the xtext milestone release.
PR is adapted, let the CI check.
Signed-off-by: Holger Friedrich <mail@holger-friedrich.de>
|
I also triggered a new core snapshot: https://ci.openhab.org/job/openHAB-Core/1399/ @holgerfriedrich Can you re-build the PR in openhab-addons once this is finished? |
|
@J-N-K could you please re-trigger the core snapshot build? One of the itests somehow failed... |
Refs openhab/openhab-core#4181. Signed-off-by: Holger Friedrich <mail@holger-friedrich.de>
Karaf 4.4.6 has just been released, see changelog:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12354057
It includes the fixes for Jetty, but relies on ASM 9.7
(which does not match xtext release, which is still at 9.6).As this is a security topic, I do not want to wait until xtext is released with the matching version of ASM.
This matches a recently published milestone release of xtext 2.35.0.
M0M1.Looking at the changelog of ASM, there might be a chance to replace the dependency.I tried to exclude ASM 9.6 form all imported dependencies and put in ASM 9.7 instead.
mvn dependency:treedoes not show any 9.6 version anymore. Compilation itself succeeds.Open points:
feature verification fails (conflicting ASM versions)M0M1 milestone release@wborn Do you have a recommendation how to pass the feature verification? I have not been successful, the docs are not very detailed and I did not find any matching post on the Karaf mail archive.Fixes: openhab/openhab-distro#1641
Refs: openhab/openhab-addons#16676, openhab/openhab-webui#2547, openhab/openhab-distro#1649