I am also checking the release, and the dependency-check maven task just failed for me:
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0': [ERROR] [ERROR] commons-io-2.11.0.jar: CVE-2024-47554(8.7) the CVE is a new one, about XmlStreamReader class: https://nvd.nist.gov/vuln/detail/CVE-2024-47554 I had no time to check the code if we use this from commons-io, but regardless I think we should consider a new RC. What do you think? Best Regards, Máté On Tue, Oct 8, 2024 at 12:37 AM tison <wander4...@gmail.com> wrote: > +1 (binding) > > - download link valid > - checksum matches > - signature valid > > gpg: Signature made 二 10/ 1 14:32:16 2024 MDT > gpg: using RSA key 3F7A1D16FA4217B1DC75E1C9FFE35B7F15DFA1BA > gpg: issuer "an...@apache.org" > gpg: Good signature from "Andor Molnar <an...@apache.org>" [unknown] > gpg: WARNING: The key's User ID is not certified with a trusted signature! > gpg: There is no indication that the signature belongs to the > owner. > Primary key fingerprint: 3F7A 1D16 FA42 17B1 DC75 E1C9 FFE3 5B7F 15DF A1BA > > - license and notice ok > - can build from sources > - play with binary doesn't fail > > Best, > tison. > > Andor Molnar <an...@apache.org> 于2024年10月7日周一 16:08写道: > > > > +1 (binding) > > > > - release notes looks good > > - signatures and checksum OK > > - Java and CPP build and unit tests passed on Ubuntu 24.04 with OpenJDK > > version "11.0.12" > > - spotbugs check OK > > - checkstyle check OK > > - owasp dependency check OK > > - quorum created successfully with quorum TLS and client TLS (both from > > source and binary) > > - some basic smoke tests OK (create, get, set, etc.) > > - zk-smoketests.py, zk-latencies.py OK > > > > Confirmed that full-build and unit tests doesn't work with JDK 17. Not > > a showstopper, but ticket should be opened if you want to support it. > > > > Andor > > > > > > > > > > On Tue, 2024-10-01 at 16:28 -0500, Andor Molnar wrote: > > > This is a release candidate for 3.9.3. > > > > > > This is a bugfix release for the 3.9 release line. Includes important > > > dependency upgrades to address CVEs, several bug- and performance > > > fixes. > > > > > > The full release notes is available at: > > > > > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12354432 > > > > > > *** Please download, test and vote by October 7th 2024, 23:59 UTC+0. > > > *** > > > > > > Source files: > > > > https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.9.3-candidate-0/ > > > > > > Maven staging repo: > > > > https://repository.apache.org/content/groups/staging/org/apache/zookeeper/zookeeper/3.9.3/ > > > > > > The release candidate tag in git to be voted upon: release-3.9.3-0 > > > https://github.com/apache/zookeeper/tree/release-3.9.3-0 > > > > > > ZooKeeper's KEYS file containing PGP keys we use to sign the release: > > > https://www.apache.org/dist/zookeeper/KEYS > > > > > > The staging version of the website is: > > > > https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.9.3-candidate-0/website/index.html > > > > > > > > > Should we release this candidate? > > > > > > Andor > > > > > > > > >
