I’ve created a ticket to fix this: https://issues.apache.org/jira/browse/ZOOKEEPER-4959
Andor > On Aug 11, 2025, at 18:37, Patrick Hunt <ph...@apache.org> wrote: > > Andor, I notice a number of license files are inaccurate: > > -rw-r--r--@ 1 phunt staff 11359 Aug 8 12:21 > commons-io-2.11.0.LICENSE.txt > -rw-r--r--@ 1 phunt staff 515978 Aug 8 12:21 commons-io-2.17.0.jar > -rw-r--r--@ 1 phunt staff 36274 Aug 8 12:21 > logback-classic-1.2.13.LICENSE.txt > -rw-r--r--@ 1 phunt staff 274470 Aug 8 12:21 logback-classic-1.3.15.jar > -rw-r--r--@ 1 phunt staff 36274 Aug 8 12:21 > logback-core-1.2.13.LICENSE.txt > -rw-r--r--@ 1 phunt staff 571734 Aug 8 12:21 logback-core-1.3.15.jar > -rw-r--r--@ 1 phunt staff 1133 Aug 8 12:21 slf4j-1.7.30.LICENSE.txt > -rw-r--r--@ 1 phunt staff 68605 Aug 8 12:21 slf4j-api-2.0.13.jar > > Might be more than this (if new deps added?) but these are the obvious ones > I noticed. I think they need to be addressed/new RC. > > Regards, > > Patrick > > On Sat, Aug 9, 2025 at 6:07 PM Andor Molnar <an...@apache.org> wrote: > >> Yes, it’s correct, it does include code changes for other issues, but the >> logging dependency change specifically didn’t involve any code change. >> Sorry for the confusion. >> >> Andor >> >> >> >>> On Aug 8, 2025, at 23:11, Christopher <ctubb...@apache.org> wrote: >>> >>> Looking at the list of changes, I think I misunderstood the wording. This >>> does include ZK code changes, but the specific logging dependency change >>> did not involve ZK changes. Other fixes did involve ZK code changes. Is >>> that correct? >>> >>> On Sat, Aug 9, 2025, 00:09 Christopher <ctubb...@apache.org> wrote: >>> >>>> -0 (non-binding). If no ZK changes occurred, then I don't think it's >> worth >>>> the effort and sends the message that ZK is responsible for users' >>>> classpath security. I think that's the wrong message to send, because >> users >>>> should be responsible for their classpath. >>>> >>>> Instead, I think a message to the user mailing list recommending users >>>> update their logging dependencies would be a better action to take, >> along >>>> with a note on the downloads page for the same. That would be a >> responsible >>>> action without sending the wrong message. >>>> >>>> If this accompanied actual ZK changes, I would say +1, though (still >>>> non-binding, of course). >>>> >>>> On Fri, Aug 8, 2025, 17:07 Andor Molnar <an...@apache.org> wrote: >>>> >>>>> This is a release candidate for 3.9.4. >>>>> >>>>> This is a minor release with bug- and security fixes. Important to note >>>>> that due to security issues we’ve upgraded logback to 1.3.15 and slf4j >> to >>>>> 2.0.13. No ZooKeeper code changes have been involved in this upgrade, >> but >>>>> the SLF4j upgrade was a major version increase, so keep an eye on that >>>>> during your testing. >>>>> >>>>> The full release notes is available at: >>>>> >>>>> >>>>> >> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12355230 >>>>> >>>>> *** Please download, test and vote by August 15th 2025, 23:59 UTC+0. >> *** >>>>> >>>>> Source files: >>>>> >>>>> >> https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.9.4-candidate-1/ >>>>> >>>>> Maven staging repo: >>>>> >>>>> >> https://repository.apache.org/content/repositories/orgapachezookeeper-1109/ >>>>> >>>>> The release candidate tag in git to be voted upon: release-3.9.4-1 >>>>> https://github.com/apache/zookeeper/tree/release-3.9.4-1 >>>>> >>>>> ZooKeeper's KEYS file containing PGP keys we use to sign the release: >>>>> https://www.apache.org/dist/zookeeper/KEYS >>>>> >>>>> The staging version of the website is: >>>>> >>>>> >> https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.9.4-candidate-1/website/index.html >>>>> >>>>> Should we release this candidate? >>>>> >>>>> Andor >>>>> >>>>> >>>>> >> >>
