+1 (non-binding) * Reviewed the blog post. * Verified each version could run normally with example jobs. * Checked each version only contains the log4j2 fix.
Thanks Chesnay for driving the emergency fix releases! Best, Yun ------------------------------------------------------------------ From:Yun Tang <myas...@live.com> Send Time:2021 Dec. 14 (Tue.) 18:25 To:dev@flink.apache.org <dev@flink.apache.org>; Till Rohrmann <trohrm...@apache.org> Subject:Re: [VOTE] Release 1.11.5/1.12.6/1.13.4/1.14.1, release candidate #1 + 1 (non-binding) for releasing flink-1.13.4 and flink-1.14.1 currently * reviewed blog post * checked that the hot fix verion only contains the log4j2 version bump Best Yun Tang ________________________________ From: Chesnay Schepler <ches...@apache.org> Sent: Tuesday, December 14, 2021 17:12 To: dev@flink.apache.org <dev@flink.apache.org>; Till Rohrmann <trohrm...@apache.org> Subject: Re: [VOTE] Release 1.11.5/1.12.6/1.13.4/1.14.1, release candidate #1 I think that should be possible. On 14/12/2021 10:06, Till Rohrmann wrote: > +1 (binding) > > - reviewed blog post > - verified shasum and signatures > - checked that diff only contains the log4j version bump > > Can we simply add the missing Python binaries for MacOS after the release > of the other artifacts? > > Cheers, > Till > > On Tue, Dec 14, 2021 at 4:56 AM Yun Tang <myas...@live.com> wrote: > >> Hi Chesnay, >> >> Thanks a lot for driving these emergency patch releases! >> >> I just noticed that current flink-1.11.4 offers python files on mac os >> [1]. Is it okay to release Flink-1.11.5 and flink-1.12.6 without those >> python binaries on mac os? >> >> >> [1] https://pypi.org/project/apache-flink/1.11.4/#files >> >> Best >> Yun Tang >> ________________________________ >> From: Zhu Zhu <reed...@gmail.com> >> Sent: Tuesday, December 14, 2021 11:00 >> To: dev <dev@flink.apache.org> >> Subject: Re: [VOTE] Release 1.11.5/1.12.6/1.13.4/1.14.1, release candidate >> #1 >> >> +1 (binding) >> >> - verified the differences of source releases to the corresponding latest >> releases, there are only dependency updates and release version update >> commits >> - verified versions of log4j dependencies in the all binary releases are >> 2.15.0 >> - ran example jobs against all the binary releases, logs look good >> - release notes and blogpost look good >> >> Thanks, >> Zhu >> >> Xintong Song <tonysong...@gmail.com> 于2021年12月14日周二 10:23写道: >> >>> +1 (binding) >>> >>> - verified checksum and signature >>> - verified that release candidates only contain the log4j dependency >>> changes compared to previous releases. >>> - release notes and blogpost LGTM >>> >>> Thanks a lot for driving these emergency patch releases, Chesnay! >>> >>> Thank you~ >>> >>> Xintong Song >>> >>> >>> >>> On Tue, Dec 14, 2021 at 7:45 AM Chesnay Schepler <ches...@apache.org> >>> wrote: >>> >>>> I forgot to mention something important: >>>> >>>> The 1.11/1.12 releases do *NOT* contain flink-python releases for *mac* >>>> due to compile problems. >>>> >>>> On 13/12/2021 20:28, Chesnay Schepler wrote: >>>>> Hi everyone, >>>>> >>>>> This vote is for the emergency patch releases for 1.11, 1.12, 1.13 >> and >>>>> 1.14 to address CVE-2021-44228. >>>>> It covers all 4 releases as they contain the same changes (upgrading >>>>> Log4j to 2.15.0) and were prepared simultaneously by the same person. >>>>> (Hence, if something is broken, it likely applies to all releases) >>>>> >>>>> Please review and vote on the release candidate #1 for the versions >>>>> 1.11.5, 1.12.6, 1.13.4 and 1.14.1, as follows: >>>>> [ ] +1, Approve the releases >>>>> [ ] -1, Do not approve the releases (please provide specific >> comments) >>>>> The complete staging area is available for your review, which >> includes: >>>>> * JIRA release notes [1], >>>>> * the official Apache source releases and binary convenience releases >>>>> to be deployed to dist.apache.org [2], which are signed with the key >>>>> with fingerprint C2EED7B111D464BA [3], >>>>> * all artifacts to be deployed to the Maven Central Repository [4], >>>>> * *the jars for 1.13/1.14 are still being built* >>>>> * source code tags [5], >>>>> * website pull request listing the new releases and adding >>>>> announcement blog post [6]. >>>>> >>>>> The vote will be open for at least 24 hours. The minimum vote time >> has >>>>> been shortened as the changes are minimal and the matter is urgent. >>>>> It is adopted by majority approval, with at least 3 PMC affirmative >>>>> votes. >>>>> >>>>> Thanks, >>>>> Chesnay >>>>> >>>>> [1] >>>>> 1.11: >>>>> >> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350327 >>>>> 1.12: >>>>> >> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350328 >>>>> 1.13: >>>>> >> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350686 >>>>> 1.14: >>>>> >> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350512 >>>>> [2] >>>>> 1.11: https://dist.apache.org/repos/dist/dev/flink/flink-1.11.5-rc1/ >>>>> 1.12: https://dist.apache.org/repos/dist/dev/flink/flink-1.12.6-rc1/ >>>>> 1.13: https://dist.apache.org/repos/dist/dev/flink/flink-1.13.4-rc1/ >>>>> 1.14: https://dist.apache.org/repos/dist/dev/flink/flink-1.14.1-rc1/ >>>>> [3] https://dist.apache.org/repos/dist/release/flink/KEYS >>>>> [4] >>>>> 1.11/1.12: >>>>> >> https://repository.apache.org/content/repositories/orgapacheflink-1455 >>>>> 1.13: >>>>> >> https://repository.apache.org/content/repositories/orgapacheflink-1457 >>>>> 1.14: >>>>> >> https://repository.apache.org/content/repositories/orgapacheflink-1456 >>>>> [5] >>>>> 1.11: >> https://github.com/apache/flink/releases/tag/release-1.11.5-rc1 >>>>> 1.12: >> https://github.com/apache/flink/releases/tag/release-1.12.6-rc1 >>>>> 1.13: >> https://github.com/apache/flink/releases/tag/release-1.13.4-rc1 >>>>> 1.14: >> https://github.com/apache/flink/releases/tag/release-1.14.1-rc1 >>>>> [6] https://github.com/apache/flink-web/pull/489 >>>>>
