Thanks Mate and Damien for testing the release! Mate, you have to run the dependency check with JDK 11 or above, but as you mentioned, we have a CI job for that: https://ci-hadoop.apache.org/view/ZooKeeper/job/zookeeper-multi-branch-owasp/
I had to upgrade the Owasp library to a version which doesn’t support JDK8 anymore. One more binding vote and the release is good to go. Thanks, Andor > On Aug 24, 2025, at 07:23, Szalay-Bekő Máté <szalay.beko.m...@gmail.com> > wrote: > > > +1 (binding) > > I did the following tests for the release candidate: > - verified checksum and gpg signature of the artifacts > - I built the source code (incl. the C-client, using -Pfull-build) on Ubuntu > 22.04.4 using OpenJDK 8u402, maven 3.6.3 and GCC version 11.4.0 > - all the java unit tests passed for me > - I built the C-Client, and also all the C-client tests passed for me. (for > the first try) > - I also built and executed unit tests for zkpython > - I also built the java code (without -Pfull-build) using other JDK versions: > 11.0.22, 17.0.10, 21.0.1 (but didn't run the tests this time, just used > 'clean install -DskipTests') > - checkstyle and spotbugs passed > - apache-rat passed > - fatjar built > - I executed quick rolling-upgrade tests without SSL (using > https://github.com/symat/zk-rolling-upgrade-test): > - rolling upgrade from 3.6.4 to 3.9.4 RC2 > - rolling upgrade from 3.7.2 to 3.9.4 RC2 > - rolling upgrade from 3.8.4 to 3.9.4 RC2 > - rolling upgrade from 3.9.3 RC0 to 3.9.4 RC2 > - checked the uploaded documentation > (https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.9.4-candidate-2/website/index.html) > - compared generated release notes > (https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.9.4-candidate-2/website/releasenotes.html) > with Jira > (https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12354432) > The two lists seem to me identical. I assume the issues found by Damien > were missing from both lists, but I don't consider this a blocker. > > > - Unfortunately I was unable to run the dependency check (owasp), I got a > NullPointerException / NoDataException. > I assume it might have been some local issue at my machine. I hope that CI > or some of you were able to execute it. > (I registered an NVD API KEY, tried with more recent java/maven versions > and also tried to purge my local cahce, but these didn't help and I had no > more time to investigate) > > Anyway, the candidate looks good to me, thank you for the work! > > Best regards, > Máté > > On Thu, Aug 21, 2025 at 12:41 PM Damien Diederen <ddiede...@apache.org> wrote: > > Hi Andor, all, > > +1 (binding). > > I went through my usual set of checks: > > - Tarball contents match repository tag; > > - Verified checksums and signatures; > > - Ran `dependency-check:check`; > > - Built and smoke-tested on NixOS with a slightly adapted version of > the Nix recipe and test case; > > - Smoke-tested a standalone server with the (corresponding) Java, C > and Perl clients, as well as the zkfuse contrib; > > *NOTE* (Minor) My recipe failed to compiled the Perl client with the > latest GCC, so I used a previous version. I will look into it and > may create a ticket. This is not a blocker as the Perl client is a > `-contrib`; > > - Smoke-tested a 3-ensemble with the (corresponding) Java client and > SASL/GSSAPI. > > *NOTE* (Minor) It seems the release notes are technically missing > entries for these two tickets—but they're only about dependency > upgrades: > > - ZOOKEEPER-4890, "Update Netty to fix CVE-2024-47535"; > > - ZOOKEEPER-4932, "The newest version of zookeeper includes Jetty > versiob 9.4.57.x which has CVE-2024-6763 issue." > > All in all: LGTM—thank you! > > Cheers, > Damien > > > > Andor Molnar <an...@apache.org> writes: > > This is a release candidate for 3.9.4. > > > > This is a minor release with bug- and security fixes. Important to > > note that due to security issues we’ve upgraded logback to 1.3.15 and > > slf4j to 2.0.13. No ZooKeeper code changes have been involved in this > > upgrade, but the SLF4j upgrade was a major version increase, so keep > > an eye on that during your testing. > > > > The full release notes is available at: > > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12355230 > > > > *** Please download, test and vote by August 26th 2025, 23:59 UTC+0. *** > > > > Source files: > > https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.9.4-candidate-2/ > > > > Maven staging repo: > > https://repository.apache.org/content/repositories/orgapachezookeeper-1110/ > > > > The release candidate tag in git to be voted upon: release-3.9.4-2 > > https://github.com/apache/zookeeper/tree/release-3.9.4-2 > > > > ZooKeeper's KEYS file containing PGP keys we use to sign the release: > > https://www.apache.org/dist/zookeeper/KEYS > > > > The staging version of the website is: > > https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.9.4-candidate-2/website/index.html > > > > Should we release this candidate? > > > > Andor
