Adding my +1.

With that, the release passes with 3 binding +1 votes from Gary, Piotr, and
myself. I will continue the release process.

On Fri, Nov 17, 2023 at 1:07 PM Volkan Yazıcı <vol...@yazi.ci> wrote:

> This is a vote to release the Apache Log4j 2.22.0.
>
> Website: https://logging.staged.apache.org/log4j
> GitHub: https://github.com/apache/logging-log4j2
> Commit: a1634d695e5702ecab505fea5aadaf9890641487
> Distribution: https://dist.apache.org/repos/dist/dev/logging/log4j
> Nexus: https://repository.apache.org/content/repositories/orgapachelogging-1238
> Signing key: 0x077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0
>
> Please download, test, and cast your votes on this mailing list.
>
> [ ] +1, release the artifacts
> [ ] -1, don't release, because...
>
> This vote is open for 72 hours and will pass unless getting a
> net negative vote count. All votes are welcome and we encourage
> everyone to test the release, but only the Logging Services PMC
> votes are officially counted.
>
> == Review kit
>
> The minimum set of steps needed to review the uploaded distribution
> files can be summarized as follows:
>
> # Verify checksums
> shasum --check *.sha512
>
> # Verify signatures
> for sigFile in *.asc; do gpg --verify "$sigFile"; done
>
> # Verify reproducibility
> umask 0022
> unzip *-src.zip -d src
> cd src
> export NEXUS_REPO=https://repository.apache.org/content/repositories/orgapachelogging-1238
> sh mvnw -Prelease verify artifact:compare -Dreference.repo=$NEXUS_REPO
>
> == Release notes
>
> This release provides a CycloneDX Software Bill of Materials (SBOM)[1]
> along with each artifact and contains bug fixes addressing issues in
> the JPMS & OSGi infrastructure overhauled in `2.21.0`, dependency
> updates, and some other minor fixes and improvements.
>
> [1] https://cyclonedx.org/capabilities/sbom
>
> === CycloneDX Software Bill of Materials (SBOM)
>
> This is the first Log4j release that provides a CycloneDX Software
> Bill of Materials (SBOM)[1] along with each artifact. Generated SBOMs
> are attached as artifacts with `cyclonedx` classifier and XML
> extensions, that is, `<artifactId>-<version>-cyclonedx.xml`. They
> contain `vulnerability-assertion` references to a CycloneDX
> Vulnerability Disclosure Report (VDR)[2] that Apache Logging Services
> uses for all projects it maintains. This VDR is accessible through the
> following URL: https://logging.apache.org/cyclonedx/vdr.xml
>
> SBOM generation is streamlined by `logging-parent`, see its website[3]
> for details.
>
> [2] https://cyclonedx.org/capabilities/vdr
> [3] https://logging.apache.org/logging-parent/latest/#cyclonedx-sbom
>
> === Changed
>
> * Change the order of evaluation of `FormattedMessage` formatters.
> Messages are evaluated using `java.util.Format` only if they don't
> comply to the `java.text.MessageFormat` or `ParameterizedMessage`
> format. (#1223)
> * Change default encoding of HTTP Basic Authentication to UTF-8 and
> add `log4j2.configurationAuthorizationEncoding` property to overwrite
> it. (#1970)
> * Update `com.fasterxml.jackson:jackson-bom` to version `2.16.0` (#1974)
> * Update `com.github.luben:zstd-jni` to version `1.5.5-10` (#1940)
> * Update `com.google.guava:guava` to version `32.1.3-jre` (#1875)
> * Update `io.netty:netty-bom` to version `4.1.101.Final` (#1960)
> * Update `org.eclipse.persistence:org.eclipse.persistence.jpa` to
> version `2.7.13` (#1900)
> * Update `org.fusesource.jansi:jansi` to version `2.4.1` (#1907)
> * Update `org.mongodb:bson` to version `4.11.1` (#1957)
> * Update `org.springframework:spring-framework-bom` to version `5.3.30`
> * Update `org.springframework.boot:spring-boot` to version `2.7.17` (#1874)
> * Update `org.springframework:spring-framework-bom` to version `5.3.31`
> (#1973)
> * Update `org.zeromq:jeromq` to version `0.5.4` (#1878)
>
> === Removed
>
> * Removed unused `FastDateParser` which was causing unnecessary heap
> overhead (LOG4J2-3672, #1848)
>
> === Fixed
>
> * Fix MDC pattern converter causing issues for `%notEmpty` (#1922)
> * Export missing OSGi & JPMS modules in `log4j-layout-template-json`
> and `log4j-1.2-api` (#1895)
> * Fix `spring-test` dependency scope change (LOG4J2-3675)
> * Fix JPMS descriptors causing `jlink` issues (#1896)
> * Add missing `Implementation-` and `Specification-` entries to
> `MANIFEST.MF` (implemented by `logging-parent` version `10.3.0`
> update) (#1923)
> * Fix `NotSerializableException` thrown when `Logger` is serialized
> with a `ReusableMessageFactory` (#1884)
>
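
A reviewer can also confirm that a `-cyclonedx.xml` SBOM carries the `vulnerability-assertion` reference to the VDR URL named in the release notes. The sketch below is an added example, not part of the original message or of Log4j's tooling; the embedded SBOM is constructed, and `log4j-example`, `inspect_sbom` and the other helper names are hypothetical.

```python
import xml.etree.ElementTree as ET

# VDR location as stated in the release notes above.
EXPECTED_VDR = "https://logging.apache.org/cyclonedx/vdr.xml"

# Constructed sample shaped like a CycloneDX 1.5 XML SBOM (not a real Log4j artifact).
SAMPLE_SBOM = """<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1">
  <metadata>
    <component type="library">
      <group>org.apache.logging.log4j</group>
      <name>log4j-example</name>
      <version>2.22.0</version>
      <externalReferences>
        <reference type="vulnerability-assertion">
          <url>https://logging.apache.org/cyclonedx/vdr.xml</url>
        </reference>
      </externalReferences>
    </component>
  </metadata>
  <components>
    <component type="library">
      <group>com.fasterxml.jackson.core</group>
      <name>jackson-databind</name>
      <version>2.16.0</version>
    </component>
  </components>
</bom>"""

def local(tag):
    # Drop the "{namespace}" prefix so any CycloneDX schema version matches.
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def inspect_sbom(xml_text):
    # Input is assumed to have passed checksum and signature verification already.
    root = ET.fromstring(xml_text)
    refs, components = [], []
    for elem in root.iter():
        if local(elem.tag) == "reference" and elem.get("type") == "vulnerability-assertion":
            refs.append(child_text(elem, "url"))
        elif local(elem.tag) == "component":
            components.append(":".join(child_text(elem, n) for n in ("group", "name", "version")))
    # Fail closed: a missing reference or any unexpected URL is a finding.
    vdr_ok = refs != [] and all(url == EXPECTED_VDR for url in refs)
    return {"vdr_refs": refs, "vdr_ok": vdr_ok, "components": components}
```

`inspect_sbom` returns the component coordinates alongside the VDR check, so the same pass can be compared against the dependency versions listed under "Changed".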
