Hi all, Due to license file issues and the lack of minimum number of votes, this vote is CANCELLED. I’ll put together rc2 in the next couple of days with recent fixes.
Regards, Andor > On Aug 11, 2025, at 18:37, Patrick Hunt <[email protected]> wrote: > > Andor, I notice a number of license files are inaccurate: > > -rw-r--r--@ 1 phunt staff 11359 Aug 8 12:21 > commons-io-2.11.0.LICENSE.txt > -rw-r--r--@ 1 phunt staff 515978 Aug 8 12:21 commons-io-2.17.0.jar > -rw-r--r--@ 1 phunt staff 36274 Aug 8 12:21 > logback-classic-1.2.13.LICENSE.txt > -rw-r--r--@ 1 phunt staff 274470 Aug 8 12:21 logback-classic-1.3.15.jar > -rw-r--r--@ 1 phunt staff 36274 Aug 8 12:21 > logback-core-1.2.13.LICENSE.txt > -rw-r--r--@ 1 phunt staff 571734 Aug 8 12:21 logback-core-1.3.15.jar > -rw-r--r--@ 1 phunt staff 1133 Aug 8 12:21 slf4j-1.7.30.LICENSE.txt > -rw-r--r--@ 1 phunt staff 68605 Aug 8 12:21 slf4j-api-2.0.13.jar > > Might be more than this (if new deps added?) but these are the obvious ones > I noticed. I think they need to be addressed/new RC. > > Regards, > > Patrick > > On Sat, Aug 9, 2025 at 6:07 PM Andor Molnar <[email protected]> wrote: > >> Yes, it’s correct, it does include code changes for other issues, but the >> logging dependency change specifically didn’t involve any code change. >> Sorry for the confusion. >> >> Andor >> >> >> >>> On Aug 8, 2025, at 23:11, Christopher <[email protected]> wrote: >>> >>> Looking at the list of changes, I think I misunderstood the wording. This >>> does include ZK code changes, but the specific logging dependency change >>> did not involve ZK changes. Other fixes did involve ZK code changes. Is >>> that correct? >>> >>> On Sat, Aug 9, 2025, 00:09 Christopher <[email protected]> wrote: >>> >>>> -0 (non-binding). If no ZK changes occurred, then I don't think it's >> worth >>>> the effort and sends the message that ZK is responsible for users' >>>> classpath security. I think that's the wrong message to send, because >> users >>>> should be responsible for their classpath. >>>> >>>> Instead, I think a message to the user mailing list recommending users >>>> update their logging dependencies would be a better action to take, >> along >>>> with a note on the downloads page for the same. That would be a >> responsible >>>> action without sending the wrong message. >>>> >>>> If this accompanied actual ZK changes, I would say +1, though (still >>>> non-binding, of course). >>>> >>>> On Fri, Aug 8, 2025, 17:07 Andor Molnar <[email protected]> wrote: >>>> >>>>> This is a release candidate for 3.9.4. >>>>> >>>>> This is a minor release with bug- and security fixes. Important to note >>>>> that due to security issues we’ve upgraded logback to 1.3.15 and slf4j >> to >>>>> 2.0.13. No ZooKeeper code changes have been involved in this upgrade, >> but >>>>> the SLF4j upgrade was a major version increase, so keep an eye on that >>>>> during your testing. >>>>> >>>>> The full release notes is available at: >>>>> >>>>> >>>>> >> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12355230 >>>>> >>>>> *** Please download, test and vote by August 15th 2025, 23:59 UTC+0. >> *** >>>>> >>>>> Source files: >>>>> >>>>> >> https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.9.4-candidate-1/ >>>>> >>>>> Maven staging repo: >>>>> >>>>> >> https://repository.apache.org/content/repositories/orgapachezookeeper-1109/ >>>>> >>>>> The release candidate tag in git to be voted upon: release-3.9.4-1 >>>>> https://github.com/apache/zookeeper/tree/release-3.9.4-1 >>>>> >>>>> ZooKeeper's KEYS file containing PGP keys we use to sign the release: >>>>> https://www.apache.org/dist/zookeeper/KEYS >>>>> >>>>> The staging version of the website is: >>>>> >>>>> >> https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.9.4-candidate-1/website/index.html >>>>> >>>>> Should we release this candidate? >>>>> >>>>> Andor >>>>> >>>>> >>>>> >> >>
