+++ This bug was initially created as a clone of Bug #984649 +++ Description of problem: We need to upgrade (if needed) to the latest version of JGroups --- Additional comment from John Mazzitelli on 2013-07-18 09:20:41 EDT --- What we can do is under: modules/enterprise/server/appserver/src/main/bin-resources/jbossas we can check in any patch jar in the proper subdirectory that we need it. This will be included in the build automatically in the location we want. Downstream builds (like, for example, JON) will need to do something similar if they replace the underlying AS that RHQ ships with. --- Additional comment from Simeon Pinder on 2013-07-23 15:49:42 EDT --- So that only covers some of the patch scenarios. Here's the larger list of that we need to handle: RHQ: 1.i)One off patches: Ex. security update in the modules.jar component from {EAP/AS}/modules/system/layers/.../module.jar * This is relevant because we will continue to use Alpha builds for RHQ and it is not likely that the EAP/AS team will ever go back and patch an Alpha/Beta/etc. release. 1.ii)Versioned patches changes: Ex. RichFaces 3.3.3.Final -> RichFaces 3.3.4.Final JON: 2.i)One off patches: * Same as RHQ, but the container version here is Non-Beta. We should be able to get patches here from EAP, but these are likely to be published to the customer portal as hotfixes. There is some latitude here to fix the issue in the product build. See BZ 972233 where we've already had to do this with a one-off build. 2.ii) Versioned patches: * More tricky than RHQ because the JON builds may be using a) Formalized redhat brew versions. Ex. jgroups-3.2.7.Final-redhat-1.jar b) Imported community versions used only by JON and never formally built in brew. Last wrinkle is with patch updates when there is a security embargo, which means that we necessarily have to do the binary updates in our product builds only(Customer Portal releases) because formal fixes are not releasable to community until after the embargo is lifted. In short, one off patches(1.i and 2.i) are a pita since we need to store them in our git repo(is there a better way?) but then laying down the patch is simple as described in Comment 1 in the product build. Versioned patches are complicated for RHQ or JON builds, a)if we need to rebuild them ourselves, b)if we need to patch one of the jar modules which means removing the old jar and metadata. The JGroups library in master has been upgraded with commits: caeb7a5c832 4fa9f082b2e These patches will make it into the next 3.2.x build so future JON builds of 3.2.x are automatically patched. I attempted to make the patching more simple for versioned patches, by defining a simple jboss-as-module-patches.properties file that looked like patches.old.org.jgroups.jgroups=3.2.7.Final patches.new.org.jgroups.jgroups=3.2.10.Final However in the end the patching logic for removal of old jars and metadata would still need to be done via ant which: i)doesn't handle looping gracefully over properties or files even with ant-contrib ii)doesn't make conditional logic for conditionally updating elements simple. iii)I had concerns that successful implementations of i) and ii) would not work on the build servers used by brew. In the end I decided it was more trouble than it was worth.
This is complicated for JON 3.2.x specifically because the underlying EAP container is 6.1.0.Final which uses jgroups-3.2.7.Final-redhat-1.jar. Typically this means that the EAP rebuilt jgroups-3.2.7.Final in brew i)with no changes or ii)with additional patches on top of the community version. I still do not have visibility into https://bugzilla.redhat.com/show_bug.cgi?id=984367 to know if they have any plans of rebuilding or recertifying a later build of jgroups for the 6.1.0.Final release. If so how is that build going to be built in brew as well or just released to the Customer Portal? When checking the brew artifacts, no new version of jgroups has been built or added recently(see below) so the formal patching for JON 3.2.x cannot be completed until we know how the vulnerability will be addressed there. https://brewweb.devel.redhat.com/search?start=0&order=name&terms=jgroups-3.2.*&type=maven&match=regexp Assigning to myself but leaving this as NEW for now. Will ping Arun to see if he has more details.
@Simeon Added you to the cc list of bug 984367. As for the EAP, the plan is to get the fix into 6.1.1.GA. Either a patched build or a later version of JGroups will be available once bug 984367 is resolved. Hope that helps.
*** Bug 984671 has been marked as a duplicate of this bug. ***
pre-qual'd by QE on special alpha 62 https://mercury.lab.eng.pnq.redhat.com:8443/re/pages/reportsTestGroups.jsp?id=6192
There are several commits across three different git repos that were needed to make this fix work. The most significant commit is aaf8a8d695020bf to the jon-rpmspec git repository. Moving to ON_QA as available for testing in the following ER1 brew build: https://brewweb.devel.redhat.com//buildinfo?buildID=295718
We look QE complete for this bug. The initial issue was against EAP 6.1.0.GA. Since that time, the jgroups version has been incremented >>ahovsepy> i see jgroups-3.2.10.Final-redhat-2.jar in jon 3.2 ER3 and more importantly the entire EAP container has been moved forward to 6.1.1.GA where this issue has already been resolved.
having Simeon's last comment, marking bz as verified.