Hi,

Should we solve CVE problems in this release?

Maven reports many CVE problems caused by dependencies... For example,

* Detected 1 vulnerable components: org.apache.thrift:libthrift:jar:0.9.3
* Detected 1 vulnerable components: ch.qos.logback:logback-core:jar:1.1.11

It is easy to fix them by upgrading their versions. However, the current master branch works stably, and if we upgrade the versions of the dependencies, maybe we need more time to test. Therefore, I'd like to ignore them in this release....

Best,
-----------------------------------
Xiangdong Huang
School of Software, Tsinghua University

黄向东
清华大学 软件学院

Xiangdong Huang <[email protected]> wrote on Mon, Jul 15, 2019 at 9:26 PM:

> Hi,
>
> First, I think PR #245, #232 can go into 0.8. The codes have been
> reviewed and approved. Hope the authors can finish their tests and merge
> them tonight.
>
> There are many many changes compared with 0.7. And, there are many data
> files and configurations that conflict with 0.7. We need to review recent
> issues and PRs to filter them out and form the Changes file.
>
> Best,
> -----------------------------------
> Xiangdong Huang
> School of Software, Tsinghua University
>
> 黄向东
> 清华大学 软件学院
>
>
> Julian Feinauer <[email protected]> wrote on Mon, Jul 15, 2019 at 8:46 PM:
>
>> Hi all,
>>
>> first, thanks again to the PPMC for inviting me as a Committer.
>> As I have all necessary rights now I can hereby offer to do the release
>> manager for the release 0.8 which will be the first official ASF release of
>> IoTDB.
>>
>> As suggested in the other thread, I think it would be good to start off
>> with the release soon just to learn the process together and do all
>> necessary checking and clearance.
>> For that I am very happy that we have Chris and Justin on the team who
>> are very experienced and sharp eyed.
>>
>> Are there any issues that you think should go into 0.8 (feature) wise
>> before spinning up a release branch?
>> I will also open a “Release” in jira, so that we can assign and track the
>> tickets there.
>>
>> Julian
>>
>
