-0 (non-binding). If no ZK changes occurred, then I don't think it's worth the effort and sends the message that ZK is responsible for users' classpath security. I think that's the wrong message to send, because users should be responsible for their classpath.
Instead, I think a message to the user mailing list recommending users update their logging dependencies would be a better action to take, along with a note on the downloads page for the same. That would be a responsible action without sending the wrong message. If this accompanied actual ZK changes, I would say +1, though (still non-binding, of course). On Fri, Aug 8, 2025, 17:07 Andor Molnar <an...@apache.org> wrote: > This is a release candidate for 3.9.4. > > This is a minor release with bug- and security fixes. Important to note > that due to security issues we’ve upgraded logback to 1.3.15 and slf4j to > 2.0.13. No ZooKeeper code changes have been involved in this upgrade, but > the SLF4j upgrade was a major version increase, so keep an eye on that > during your testing. > > The full release notes is available at: > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12355230 > > *** Please download, test and vote by August 15th 2025, 23:59 UTC+0. *** > > Source files: > > https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.9.4-candidate-1/ > > Maven staging repo: > https://repository.apache.org/content/repositories/orgapachezookeeper-1109/ > > The release candidate tag in git to be voted upon: release-3.9.4-1 > https://github.com/apache/zookeeper/tree/release-3.9.4-1 > > ZooKeeper's KEYS file containing PGP keys we use to sign the release: > https://www.apache.org/dist/zookeeper/KEYS > > The staging version of the website is: > > https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.9.4-candidate-1/website/index.html > > Should we release this candidate? > > Andor > > >
