Re: [VOTE] Release 1.11.6/1.12.7/1.13.5/1.14.2, release candidate #1

[Chesnay Schepler]

Ah actually we may have to merge another commit into the release 
branches for that to be the case for 1.11/1.12.

Anyway, I still wouldn't block the release on that.
On 16/12/2021 02:03, Chesnay Schepler wrote:
That's not a problem as far as I'm concerned, because the 
documentation of these releases is never actually published anywhere.
The documentation at nightlies.apache.org will reference 2.16.0.

On 16/12/2021 02:01, Yun Gao wrote:
Hi,

May I have a double confirmation that it seems we still have log4j 
version written as
2.15.0 in dev/project-configuration.md in the commit corresponding to 
release tags,
which seems to be not consistent with the PR in the github, is it 
expected and would it
have influence?

Best,
Yun



  ------------------Original Mail ------------------
Sender:Stephan Ewen <ewenstep...@gmail.com>
Send Date:Thu Dec 16 08:34:10 2021
Recipients:dev <dev@flink.apache.org>
Subject:Re: [VOTE] Release 1.11.6/1.12.7/1.13.5/1.14.2, release 
candidate #1
+1 (binding)



  - Verified commit history, looks good

  => stumbled over the changes in the "create_release_branch.sh ",

which are present in each release commit. [1]

  => agree that these are not an issue, because this is an out-of-band

release

  - Release notes for 1.14.2 are off, contain incorrect entry 
"FLINK-25222:

Remove NetworkFailureProxy used for Kafka connector tests"

  - Checked that released binaries and jars reference correct Scala 
versions

  - Ran streaming examples against binary releases for 1.12.7, 1.13.5,

1.14.2. Execution logs look correct.

  - Other checks (licenses, no binaries) carry over from previous 
releases



[1]

https://github.com/apache/flink/commit/6fd4b1c0ef2ddd12751889218445ce0e60ff6c80#diff-94c70ce1a0abddcd83314c83b46080d8edbcd919b737f316cd6f72006d464074 






On Wed, Dec 15, 2021 at 5:54 PM Seth Wiesman  wrote:



+1 (non-binding)
- Checked diff of all versions and verified dep upgrade
- Verified checksum and signatures
- Built 1.14 from source
- checked blog post
Seth
On Wed, Dec 15, 2021 at 10:22 AM Yu Li  wrote:
+1
* Verified checksums and signatures
* Reviewed website PR
- Minor: left a comment to mention CVE-2021-45046
* Checked and confirmed new tags only contain log4j version bump
* Checked release notes and found no issues
- I've moved FLINK-25317 to 1.14.3
Thanks for driving these releases Chesnay!
Best Regards,
Yu
On Wed, 15 Dec 2021 at 21:29, Chesnay Schepler
wrote:
FYI; the publication of the python release for 1.11/1.12 will be
delayed
because we hit the project size limit on pypi again, and increasing
that
limit may take a while.
On the positive side, this gives us more time to fix the mac builds.
On 15/12/2021 03:55, Chesnay Schepler wrote:
Hi everyone,
This vote is for the emergency patch releases for 1.11, 1.12, 1.13
and
1.14 to address CVE-2021-44228/CVE-2021-45046.
It covers all 4 releases as they contain the same changes (upgrading
Log4j to 2.16.0) and were prepared simultaneously by the same 
person.
(Hence, if something is broken, it likely applies to all releases)
Note: 1.11/1.12 are still missing the Python Mac releases.
Please review and vote on the release candidate #1 for the versions
1.11.6, 1.12.7, 1.13.5 and 1.14.2, as follows:
[ ] +1, Approve the releases
[ ] -1, Do not approve the releases (please provide specific
comments)
The complete staging area is available for your review, which
includes:
* JIRA release notes [1],
* the official Apache source releases and binary convenience 
releases
to be deployed to dist.apache.org [2], which are signed with the key
with fingerprint C2EED7B111D464BA [3],
* all artifacts to be deployed to the Maven Central Repository [4],
* source code tags [5],
* website pull request listing the new releases and adding
announcement blog post [6].
The vote will be open for at least 24 hours. The minimum vote time
has
been shortened as the changes are minimal and the matter is urgent.
It is adopted by majority approval, with at least 3 PMC affirmative
votes.
Thanks,
Chesnay
[1]
1.11:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12351056 

1.12:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12351057 

1.13:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12351058 

1.14:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12351059 

[2]
1.11: https://dist.apache.org/repos/dist/dev/flink/flink-1.11.6-rc1/
1.12: https://dist.apache.org/repos/dist/dev/flink/flink-1.12.7-rc1/
1.13: https://dist.apache.org/repos/dist/dev/flink/flink-1.13.5-rc1/
1.14: https://dist.apache.org/repos/dist/dev/flink/flink-1.14.2-rc1/
[3] https://dist.apache.org/repos/dist/release/flink/KEYS
[4]
1.11:
https://repository.apache.org/content/repositories/orgapacheflink-1460
1.12:
https://repository.apache.org/content/repositories/orgapacheflink-1462
1.13:
https://repository.apache.org/content/repositories/orgapacheflink-1459
1.14:
https://repository.apache.org/content/repositories/orgapacheflink-1461
[5]
1.11:
https://github.com/apache/flink/releases/tag/release-1.11.6-rc1
1.12:
https://github.com/apache/flink/releases/tag/release-1.12.7-rc1
1.13:
https://github.com/apache/flink/releases/tag/release-1.13.5-rc1
1.14:
https://github.com/apache/flink/releases/tag/release-1.14.2-rc1
[6] https://github.com/apache/flink-web/pull/489