+1 (advisory) * Verified sha512 checksum was correct for source tarball * Verified signature was correct for source tarball (not verified trust) * Built source code from tarball on Ubuntu 20.04 (x86) and JDK 1.8.0_312 in Amazon EC2 * Verified S3A (hadoop-tools/hadoop-aws) unit tests passing * Verified S3A (hadoop-tools/hadoop-aws) integration tests passing against Amazon S3 in eu-west-1 * There is a single failure, already known and described in https://issues.apache.org/jira/browse/HADOOP-18168
- Monthon On 2022/05/11 17:25:10 Steve Loughran wrote: > I have put together a release candidate (RC1) for Hadoop 3.3.3 > > The RC is available at: > https://dist.apache.org/repos/dist/dev/hadoop/3.3.3-RC1/ > > The git tag is release-3.3.3-RC1, commit d37586cbda3 > > The maven artifacts are staged at > https://repository.apache.org/content/repositories/orgapachehadoop-1349/ > > You can find my public key at: > https://dist.apache.org/repos/dist/release/hadoop/common/KEYS > > Change log > https://dist.apache.org/repos/dist/dev/hadoop/3.3.3-RC1/CHANGELOG.md > > Release notes > https://dist.apache.org/repos/dist/dev/hadoop/3.3.3-RC1/RELEASENOTES.md > > There's a very small number of changes, primarily critical code/packaging > issues and security fixes. > > * The critical fixes which shipped in the 3.2.3 release. > * CVEs in our code and dependencies > * Shaded client packaging issues. > * A switch from log4j to reload4j > > reload4j is an active fork of the log4j 1.17 library with the classes > which contain CVEs removed. Even though hadoop never used those classes, > they regularly raised alerts on security scans and concen from users. > Switching to the forked project allows us to ship a secure logging > framework. It will complicate the builds of downstream > maven/ivy/gradle projects which exclude our log4j artifacts, as they > need to cut the new dependency instead/as well. > > See the release notes for details. > > This is the second release attempt. It is the same git commit as before, but > fully recompiled with another republish to maven staging, which has bee > verified by building spark, as well as a minimal test project. > > Please try the release and vote. The vote will run for 5 days. > > -Steve >
