Thanks Andor!

> Since we don't have a better idea, I opened a pull request to upgrade OWASP to the latest (8.3.1) version.

Yes, I tested the PR, upgrading OWASP is solving the issue also on my machine. I approved the PR.

Regards,
Máté

On Tue, Jul 18, 2023 at 1:45 PM Andor Molnar <an...@apache.org> wrote:

> Hi Mate,
>
> I take your e-mail as a -1 vote, so this RC VOTE is CANCELLED.
> I'll prepare another rc.
>
> Regards,
> Andor
>
>
> On Mon, 2023-07-17 at 22:50 +0200, Szalay-Bekő Máté wrote:
> > Hello Andor!
> >
> > Thanks for this great release!
> >
> > I found two issues with RC0:
> >
> > 1) OWASP CVE check (mvn dependency-check:check) failed with
> > "netty-tcnative-boringssl-static-2.0.61.Final-osx-x86_64.jar:
> > CVE-2011-1797(9.3)"
> >
> > This seems to be a false positive to me (looks to be some security issue
> > affecting old safari / chromium web browser versions?). I didn't get deep
> > into this, but I guess we see this since
> > https://issues.apache.org/jira/browse/ZOOKEEPER-4622
> >
> > Interestingly, the CI pipeline doesn't catch this CVE
> > (https://ci-hadoop.apache.org/view/ZooKeeper/job/zookeeper-multi-branch-owasp/job/master/),
> > maybe this is some bug in OWASP that is triggered only with certain maven
> > versions or during building on certain platforms? I ran OWASP on Ubuntu
> > 18.04.2 with maven 3.9.3.
> >
> > 2) Also I see that the website
> > (https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.9.0-candidate-0/website/index.html)
> > is still showing "ZooKeeper 3.8 Documentation" on the top
> >
> >
> > What do you think? We shouldn't pass the RC until we are certain about the
> > CVE issue. (unless this is something happening only on my setup... it is
> > strange that OWASP is green on CI)
> >
> >
> > Beside these, I ran all my usual RC test steps, and found no other issues
> > with the RC:
> > - verified checksum and gpg signature of the artifacts
> > - I built the source code (incl. the C-client, using -Pfull-build) on
> > Ubuntu 18.04.2 using OpenJDK 8u372, maven 3.9.3 and GCC version 7.4.0
> > - all the unit tests passed (both Java and C-client)
> > - I also built and executed unit tests for zkpython
> > - I also built the java code (without -Pfull-build) using other JDK
> > versions: 11.0.19, 17.0.7, 20.0.1 (but didn't run the tests this time, just
> > used 'clean install -DskipTests')
> > - checkstyle and spotbugs passed
> > - apache-rat passed
> > - fatjar built
> > - I executed quick rolling-upgrade tests (using
> > https://github.com/symat/zk-rolling-upgrade-test):
> >    - rolling upgrade from 3.5.10 to 3.9.0
> >    - rolling upgrade from 3.6.4 to 3.9.0
> >    - rolling upgrade from 3.7.1 to 3.9.0
> >    - rolling upgrade from 3.8.2 to 3.9.0
> > - compared generated release notes
> > (https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.9.0-candidate-0/website/releasenotes.html)
> > with Jira
> > (https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12351304)
> >
> >
> > Best regards,
> > Máté
> >
> > On Mon, Jul 17, 2023 at 3:11 PM Andor Molnar <an...@apache.org> wrote:
> >
> > > Hi team,
> > >
> > > This is a release candidate for 3.9.0.
> > >
> > > It is a major release and it introduces a lot of new features, most
> > > notably:
> > > - Admin server API for taking snapshot and stream out the data
> > > - Communicate the Zxid that triggered a WatchEvent to fire
> > > - TLS - dynamic loading for client trust/key store
> > > - Add Netty-TcNative OpenSSL Support
> > > - Adding SSL support to Zktreeutil
> > > - Improve syncRequestProcessor performance
> > > - Updates to all the third party dependencies to get rid of every known
> > > CVE.
> > >
> > > The full release notes are available at:
> > >
> > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12351304
> > >
> > > *** Please download, test and vote by July 30th 2023, 23:59 UTC+0. ***
> > >
> > > Source files:
> > >
> > > https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.9.0-candidate-0/
> > >
> > > Maven staging repo:
> > >
> > > https://repository.apache.org/content/groups/staging/org/apache/zookeeper/zookeeper/3.9.0/
> > >
> > > The release candidate tag in git to be voted upon: release-3.8.0-1
> > > https://github.com/apache/zookeeper/tree/release-3.9.0-0
> > >
> > > ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> > > https://www.apache.org/dist/zookeeper/KEYS
> > >
> > > The staging version of the website is:
> > >
> > > https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.9.0-candidate-0/website/index.html
> > >
> > >
> > > Should we release this candidate?
> > >
> > >
> > > Regards,
> > > Andor