And the PR: https://github.com/apache/zookeeper/pull/2295
> On Aug 15, 2025, at 12:01, Andor Molnar <an...@apache.org> wrote: > > I’ve created a ticket to fix this: > https://issues.apache.org/jira/browse/ZOOKEEPER-4959 > > Andor > > > >> On Aug 11, 2025, at 18:37, Patrick Hunt <ph...@apache.org> wrote: >> >> Andor, I notice a number of license files are inaccurate: >> >> -rw-r--r--@ 1 phunt staff 11359 Aug 8 12:21 >> commons-io-2.11.0.LICENSE.txt >> -rw-r--r--@ 1 phunt staff 515978 Aug 8 12:21 commons-io-2.17.0.jar >> -rw-r--r--@ 1 phunt staff 36274 Aug 8 12:21 >> logback-classic-1.2.13.LICENSE.txt >> -rw-r--r--@ 1 phunt staff 274470 Aug 8 12:21 logback-classic-1.3.15.jar >> -rw-r--r--@ 1 phunt staff 36274 Aug 8 12:21 >> logback-core-1.2.13.LICENSE.txt >> -rw-r--r--@ 1 phunt staff 571734 Aug 8 12:21 logback-core-1.3.15.jar >> -rw-r--r--@ 1 phunt staff 1133 Aug 8 12:21 slf4j-1.7.30.LICENSE.txt >> -rw-r--r--@ 1 phunt staff 68605 Aug 8 12:21 slf4j-api-2.0.13.jar >> >> Might be more than this (if new deps added?) but these are the obvious ones >> I noticed. I think they need to be addressed/new RC. >> >> Regards, >> >> Patrick >> >> On Sat, Aug 9, 2025 at 6:07 PM Andor Molnar <an...@apache.org> wrote: >> >>> Yes, it’s correct, it does include code changes for other issues, but the >>> logging dependency change specifically didn’t involve any code change. >>> Sorry for the confusion. >>> >>> Andor >>> >>> >>> >>>> On Aug 8, 2025, at 23:11, Christopher <ctubb...@apache.org> wrote: >>>> >>>> Looking at the list of changes, I think I misunderstood the wording. This >>>> does include ZK code changes, but the specific logging dependency change >>>> did not involve ZK changes. Other fixes did involve ZK code changes. Is >>>> that correct? >>>> >>>> On Sat, Aug 9, 2025, 00:09 Christopher <ctubb...@apache.org> wrote: >>>> >>>>> -0 (non-binding). If no ZK changes occurred, then I don't think it's >>> worth >>>>> the effort and sends the message that ZK is responsible for users' >>>>> classpath security. I think that's the wrong message to send, because >>> users >>>>> should be responsible for their classpath. >>>>> >>>>> Instead, I think a message to the user mailing list recommending users >>>>> update their logging dependencies would be a better action to take, >>> along >>>>> with a note on the downloads page for the same. That would be a >>> responsible >>>>> action without sending the wrong message. >>>>> >>>>> If this accompanied actual ZK changes, I would say +1, though (still >>>>> non-binding, of course). >>>>> >>>>> On Fri, Aug 8, 2025, 17:07 Andor Molnar <an...@apache.org> wrote: >>>>> >>>>>> This is a release candidate for 3.9.4. >>>>>> >>>>>> This is a minor release with bug- and security fixes. Important to note >>>>>> that due to security issues we’ve upgraded logback to 1.3.15 and slf4j >>> to >>>>>> 2.0.13. No ZooKeeper code changes have been involved in this upgrade, >>> but >>>>>> the SLF4j upgrade was a major version increase, so keep an eye on that >>>>>> during your testing. >>>>>> >>>>>> The full release notes is available at: >>>>>> >>>>>> >>>>>> >>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12355230 >>>>>> >>>>>> *** Please download, test and vote by August 15th 2025, 23:59 UTC+0. >>> *** >>>>>> >>>>>> Source files: >>>>>> >>>>>> >>> https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.9.4-candidate-1/ >>>>>> >>>>>> Maven staging repo: >>>>>> >>>>>> >>> https://repository.apache.org/content/repositories/orgapachezookeeper-1109/ >>>>>> >>>>>> The release candidate tag in git to be voted upon: release-3.9.4-1 >>>>>> https://github.com/apache/zookeeper/tree/release-3.9.4-1 >>>>>> >>>>>> ZooKeeper's KEYS file containing PGP keys we use to sign the release: >>>>>> https://www.apache.org/dist/zookeeper/KEYS >>>>>> >>>>>> The staging version of the website is: >>>>>> >>>>>> >>> https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.9.4-candidate-1/website/index.html >>>>>> >>>>>> Should we release this candidate? >>>>>> >>>>>> Andor >>>>>> >>>>>> >>>>>> >>> >>> >
