Re: [VOTE] Apache ZooKeeper release 3.9.4 candidate 2

Thu, 21 Aug 2025 03:41:13 -0700 


Hi Andor, all,

+1 (binding).

I went through my usual set of checks:

  - Tarball contents match repository tag;
  
  - Verified checksums and signatures;
  
  - Ran `dependency-check:check`;
  
  - Built and smoke-tested on NixOS with a slightly adapted version of
    the Nix recipe and test case;
  
  - Smoke-tested a standalone server with the (corresponding) Java, C
    and Perl clients, as well as the zkfuse contrib;
  
    *NOTE* (Minor) My recipe failed to compiled the Perl client with the
    latest GCC, so I used a previous version. I will look into it and
    may create a ticket. This is not a blocker as the Perl client is a
    `-contrib`;
  
  - Smoke-tested a 3-ensemble with the (corresponding) Java client and
    SASL/GSSAPI.
  
*NOTE* (Minor) It seems the release notes are technically missing
entries for these two tickets—but they're only about dependency
upgrades:
  
  - ZOOKEEPER-4890, "Update Netty to fix CVE-2024-47535";
  
  - ZOOKEEPER-4932, "The newest version of zookeeper includes Jetty
    versiob 9.4.57.x which has CVE-2024-6763 issue."

All in all: LGTM—thank you!

Cheers,
Damien



Andor Molnar <an...@apache.org> writes:
> This is a release candidate for 3.9.4.
>
> This is a minor release with bug- and security fixes. Important to
> note that due to security issues we’ve upgraded logback to 1.3.15 and
> slf4j to 2.0.13. No ZooKeeper code changes have been involved in this
> upgrade, but the SLF4j upgrade was a major version increase, so keep
> an eye on that during your testing.
>
> The full release notes is available at:
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12355230
>
> *** Please download, test and vote by August 26th 2025, 23:59 UTC+0. ***
>
> Source files:
> https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.9.4-candidate-2/
>
> Maven staging repo:
> https://repository.apache.org/content/repositories/orgapachezookeeper-1110/
>
> The release candidate tag in git to be voted upon: release-3.9.4-2
> https://github.com/apache/zookeeper/tree/release-3.9.4-2
>
> ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> https://www.apache.org/dist/zookeeper/KEYS
>
> The staging version of the website is:
> https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.9.4-candidate-2/website/index.html
>
> Should we release this candidate?
>
> Andor

Reply via email to