Andor, I notice a number of license files are inaccurate: -rw-r--r--@ 1 phunt staff 11359 Aug 8 12:21 commons-io-2.11.0.LICENSE.txt -rw-r--r--@ 1 phunt staff 515978 Aug 8 12:21 commons-io-2.17.0.jar -rw-r--r--@ 1 phunt staff 36274 Aug 8 12:21 logback-classic-1.2.13.LICENSE.txt -rw-r--r--@ 1 phunt staff 274470 Aug 8 12:21 logback-classic-1.3.15.jar -rw-r--r--@ 1 phunt staff 36274 Aug 8 12:21 logback-core-1.2.13.LICENSE.txt -rw-r--r--@ 1 phunt staff 571734 Aug 8 12:21 logback-core-1.3.15.jar -rw-r--r--@ 1 phunt staff 1133 Aug 8 12:21 slf4j-1.7.30.LICENSE.txt -rw-r--r--@ 1 phunt staff 68605 Aug 8 12:21 slf4j-api-2.0.13.jar
Might be more than this (if new deps added?) but these are the obvious ones I noticed. I think they need to be addressed/new RC. Regards, Patrick On Sat, Aug 9, 2025 at 6:07 PM Andor Molnar <an...@apache.org> wrote: > Yes, it’s correct, it does include code changes for other issues, but the > logging dependency change specifically didn’t involve any code change. > Sorry for the confusion. > > Andor > > > > > On Aug 8, 2025, at 23:11, Christopher <ctubb...@apache.org> wrote: > > > > Looking at the list of changes, I think I misunderstood the wording. This > > does include ZK code changes, but the specific logging dependency change > > did not involve ZK changes. Other fixes did involve ZK code changes. Is > > that correct? > > > > On Sat, Aug 9, 2025, 00:09 Christopher <ctubb...@apache.org> wrote: > > > >> -0 (non-binding). If no ZK changes occurred, then I don't think it's > worth > >> the effort and sends the message that ZK is responsible for users' > >> classpath security. I think that's the wrong message to send, because > users > >> should be responsible for their classpath. > >> > >> Instead, I think a message to the user mailing list recommending users > >> update their logging dependencies would be a better action to take, > along > >> with a note on the downloads page for the same. That would be a > responsible > >> action without sending the wrong message. > >> > >> If this accompanied actual ZK changes, I would say +1, though (still > >> non-binding, of course). > >> > >> On Fri, Aug 8, 2025, 17:07 Andor Molnar <an...@apache.org> wrote: > >> > >>> This is a release candidate for 3.9.4. > >>> > >>> This is a minor release with bug- and security fixes. Important to note > >>> that due to security issues we’ve upgraded logback to 1.3.15 and slf4j > to > >>> 2.0.13. No ZooKeeper code changes have been involved in this upgrade, > but > >>> the SLF4j upgrade was a major version increase, so keep an eye on that > >>> during your testing. > >>> > >>> The full release notes is available at: > >>> > >>> > >>> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12355230 > >>> > >>> *** Please download, test and vote by August 15th 2025, 23:59 UTC+0. > *** > >>> > >>> Source files: > >>> > >>> > https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.9.4-candidate-1/ > >>> > >>> Maven staging repo: > >>> > >>> > https://repository.apache.org/content/repositories/orgapachezookeeper-1109/ > >>> > >>> The release candidate tag in git to be voted upon: release-3.9.4-1 > >>> https://github.com/apache/zookeeper/tree/release-3.9.4-1 > >>> > >>> ZooKeeper's KEYS file containing PGP keys we use to sign the release: > >>> https://www.apache.org/dist/zookeeper/KEYS > >>> > >>> The staging version of the website is: > >>> > >>> > https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.9.4-candidate-1/website/index.html > >>> > >>> Should we release this candidate? > >>> > >>> Andor > >>> > >>> > >>> > >
