The vote passes with 3 +1 votes from Aaron, Bruno, and Andy.
Special mention: Osma, for verifying the log4j2 for Fuseki.
Andy
On 10/12/2021 16:40, Andy Seaborne wrote:
Hi,
Here is a vote on the release of Apache Jena 4.3.1.
This is the first proposed release candidate.
The primary purpose of this release is to update log4j2:
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
The deadline is Monday, 13 December 2021 at 17:00 UTC.
Please vote to approve this release:
[ ] +1 Approve the release
[ ] 0 Don't care
[ ] -1 Don't release, because ...
==== Items in this release
JENA-2211: Upgrade to Log4j2 2.15.0
JENA-2209, JENA-2210: xloader improvements
JENA-2207: Fix for SERVICE
==== Release Vote
Everyone, not just committers, is invited to test and vote.
Please download and test the proposed release.
Staging repository:
https://repository.apache.org/content/repositories/orgapachejena-1046
Proposed dist/ area:
https://dist.apache.org/repos/dist/dev/jena/
Keys:
https://svn.apache.org/repos/asf/jena/dist/KEYS
Git commit (browser URL):
https://github.com/apache/jena/commit/7f47eaaf7c
Git Commit Hash:
7f47eaaf7cc0029291ce64790da987ec2d29fdf5
Git Commit Tag:
jena-4.3.1
This vote will be open until at least
Monday, 13 December 2021 at 17:00 UTC.
If you expect to check the release but the time limit does not work
for you, please email within the schedule above with an expected time
and we can extend the vote period.
Thanks,
Andy
Checking needed:
+ are the GPG signatures fine?
+ are the checksums correct?
+ is there a source archive?
+ can the source archive be built?
(NB This requires a "mvn install" first time)
+ is there a correct LICENSE and NOTICE file in each artifact
(both source and binary artifacts)?
+ does the NOTICE file contain all necessary attributions?
+ have any licenses of dependencies changed due to upgrades?
if so have LICENSE and NOTICE been upgraded appropriately?
+ does the tag/commit in the SCM contain reproducible sources?
