-0 (need to discuss)
 
I verified the following:

[OK] verified signature of git tag
[OK] verified hashes and signatures of source and helper binaries
[OK] verified signatures use key in KEYS with apache email address
[OK] verified source has no unexpected binary files
[OK] verified source and git tag are same minus KEYS file
[OK] verified source and helper binaries include LICENSE/NOTICE/README

However, I found problems when verifying the following:

[not OK] verified LICENSE/NOTICE/README look correct

I found these problems when I compared the jars in 
apache-daffodil-3.3.0-bin/lib to the jars in apache-daffodil-3.4.0-bin/lib.  We 
had accounted for direct dependency changes in the release notes, but we had 
overlooked some jar changes due to indirect (doubly transitive) dependency 
changes:

* Apache Commons Codec 1.15 (update) (used by httpclient5 & log4j)
* Apache HttpClient 5.1.3 (new) (used by XML Resolver)
* Apache HttpComponents Core HTTP/1.1 5.1.3 (upgrade) (used by XML Resolver)
* Apache HttpComponents Core HTTP/2 5.1.3 (upgrade) (used by XML Resolver)
* JAXB API 2.2.11 (new) (used by Exificient)
* JAXB Core Implementation 2.2.11 (new) (used by Exificient)
* JAXB Runtime 2.2.11 (new) (used by Exificient)
* JavaBeans Activation Framework Specification 1.1.1 (new) (used by Exificient)
* SLF4J API 1.7.25 (new) (used by httpclient5)
* XML Resolver & data 4.4.3 (update) (used by Saxon-HE)
* XmlPull 1.1.3.1 (new) (used by Exificient)

We need to add the following to bin.LICENSE:

* activation (new, CDDL)
* jaxb (new, CDDL)
* slf4j-api (new, MIT license)
* xmlpull (new, public domain)

We also need to update the following in bin.NOTICE:

* commons-codec (update)
* commons-logging (remove, no longer used)
* httpclient5 (update, different jar name)
* httpcore5 (update, different jar name)
* httpcore5-h2 (new, different jar name)

I think we should cancel the vote, update bin.LICENSE and bin.NOTICE, and 
create a new release candidate, but let's discuss how serious these problems 
are.

John

-----Original Message-----
From: Steve Lawrence <slawre...@apache.org> 
Sent: Monday, October 31, 2022 10:00 AM
To: dev@daffodil.apache.org
Subject: EXT: [VOTE] Release Apache Daffodil 3.4.0-rc1

Hi all,

I'd like to call a vote to release Apache Daffodil 3.4.0-rc1.

All distribution packages, including signatures, digests, etc. can be found at:

https://dist.apache.org/repos/dist/dev/daffodil/3.4.0-rc1/

Staging artifacts can be found at:

https://repository.apache.org/content/repositories/orgapachedaffodil-1030/

This release has been signed with PGP key 36F3494B033AE661, corresponding to 
slawre...@apache.org, which is included in the KEYS file here:

https://downloads.apache.org/daffodil/KEYS

The release candidate has been tagged in git with v3.4.0-rc1.

For reference, here is a list of all closed JIRAs tagged with 3.4.0:

https://s.apache.org/daffodil-issues-3.4.0

For a summary of the changes in this release, see:

https://daffodil.apache.org/releases/3.4.0/

Please review and vote. The vote will be open for at least 72 hours (Thursday, 
3 November 2022, 10:00 EDT).

[ ] +1 approve
[ ] +0 no opinion
[ ] -1 disapprove (and reason why)

Thanks,
- Steve
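
Added example (not part of the original thread and not Daffodil project code): one way to script the lib/ comparison described in the reply at the top of this thread, so that transitive dependency changes show up before bin.LICENSE and bin.NOTICE are reviewed. The jar listings are constructed samples; the "old" versions in particular are made up and are not the real contents of either release.

```python
import os
import re
import sys

# Artifact name, then "-<version>" where the version starts with a digit.
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.\-]*)\.jar$")

def split_jar(filename):
    """Split 'httpcore5-h2-5.1.3.jar' into ('httpcore5-h2', '5.1.3')."""
    m = JAR_RE.match(filename)
    if m:
        return m.group("artifact"), m.group("version")
    # No recognizable version: keep the bare name so the jar is still tracked.
    return filename[:-4] if filename.endswith(".jar") else filename, ""

def jar_names(lib_dir):
    """List the jar files bundled in one release's lib directory."""
    return sorted(f for f in os.listdir(lib_dir) if f.endswith(".jar"))

def diff_libs(old_jars, new_jars):
    """Classify every bundled jar as new, removed or changed between releases."""
    old = dict(split_jar(j) for j in old_jars)
    new = dict(split_jar(j) for j in new_jars)
    return {
        "new": sorted(a for a in new if a not in old),
        "removed": sorted(a for a in old if a not in new),
        "changed": sorted((a, old[a], new[a]) for a in new
                          if a in old and old[a] != new[a]),
    }

# Constructed sample listings (old versions are made up for illustration).
OLD_LIB = ["commons-codec-1.14.jar", "commons-logging-1.2.jar",
           "xmlresolver-4.3.0.jar", "example-unchanged-1.0.jar"]
NEW_LIB = ["commons-codec-1.15.jar", "httpcore5-h2-5.1.3.jar",
           "slf4j-api-1.7.25.jar", "xmlresolver-4.4.3.jar",
           "example-unchanged-1.0.jar"]

if __name__ == "__main__":
    if len(sys.argv) == 3:   # e.g. <old-release>/lib <new-release>/lib
        result = diff_libs(jar_names(sys.argv[1]), jar_names(sys.argv[2]))
    else:
        result = diff_libs(OLD_LIB, NEW_LIB)
    for kind, items in result.items():
        for item in items:
            print(kind, item)
```

A jar that was renamed between releases appears as one "removed" entry plus one "new" entry, so both lists need checking against bin.NOTICE and bin.LICENSE.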
