[jira] [Commented] (HADOOP-18198) Release Hadoop 3.3.3: hadoop-3.3.2 with some fixes

[Steve Loughran (Jira)]

    [ 
https://issues.apache.org/jira/browse/HADOOP-18198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17526297#comment-17526297
 ] 

Steve Loughran commented on HADOOP-18198:
-----------------------------------------

i can't build locally (at least where i am this week) because i get network 
errors on the docker runs. maybe once i'm at home from monday and with a faster 
network it'll be better.

so i've been setting up to do it from an ec2 vm, which doesn't (yet) have my 
signing key. i was going to upload it and then destroy it afterwards.

bq. releases must be verified on hardware owned and controlled by the 
committer. 

what does that mean when I'm running off a chain of docker images where i'm not 
in complete control of the underlayers? on a macos laptop managed by an IT dept?

anyway, if you do want to do the build, that'd be great. that release branch 
has the same fixes as 3.2.x, adds the reload4j and other dependency updates, 
fixes a shading bug and brings building.text into sync with the docker run.

> Release Hadoop 3.3.3: hadoop-3.3.2 with some fixes
> --------------------------------------------------
>
>                 Key: HADOOP-18198
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18198
>             Project: Hadoop Common
>          Issue Type: Task
>          Components: build
>    Affects Versions: 3.3.2
>            Reporter: Steve Loughran
>            Assignee: Steve Loughran
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 1.5h
>  Remaining Estimate: 0h
>
> Hadoop 3.3.3 is a minor followup release to Hadoop 3.3.2 with all the 
> incremental changes which went in to the 3.2.4 release
> * minor CVE fixes in Hadoop source
> * CVE fixes in dependencies we know of (protobuf unmarshalling leading to 
> DoS, jackson stack overflow,...)
> * replacement of log4j 1.2.17 to reload4j
> * node.js update
> This is not a release off branch-3.3, it is a fork of 3.3.2 with the changes.
> The next release of branch-3.3 will be numbered hadoop-3.3.4; updating maven 
> versions and JIRA fix versions is part of this release process.
> The changes here are already in branch 3.2.4; this completes the set
> CVEs fixed
> * CVE-2022-26612: Apache Hadoop: Arbitrary file write in 
> FileUtil#unpackEntries on Windows (HADOOP-18155)



--
This message was sent by Atlassian Jira
(v8.20.7#820007)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org