Re: [VOTE] Apache ZooKeeper release 3.5.9 candidate 0

2021-01-06 Thread Norbert Kalmar
Sorry for missing the notification. I did an rc1 but totally missed one CVE
and only realized when doing my final checks. So I will have an rc2 instead
shortly.

- Norbert

On Tue, Jan 5, 2021 at 5:23 PM Enrico Olivelli  wrote:

> On Tue, 5 Jan 2021 at 15:48 Norbert Kalmar
>  wrote:
>
> > It failed due to the CVE, and the fix was not a clean cherry-pick to 3.5.
> >
>
> Thank you Norbert,
> I didn't find any official "CANCELLED" response.
> no hurry
>
> Enrico
>
>
> > Then Holidays hit, and I didn't do RC2. Picking it up now, and checking
> > what needs to be backported and doing an RC2.
> >
> > - Norbert
> >
> > On Tue, Jan 5, 2021 at 12:26 PM Enrico Olivelli 
> > wrote:
> >
> > > What's the status of this VOTE ?
> > >
> > > Enrico
> > >
> > > On Tue, 8 Dec 2020 at 21:28 Damien Diederen <
> > > ddiede...@sinenomine.net> wrote:
> > >
> > > >
> > > > Hi Andor,
> > > >
> > > > > Is this not the same Jar that I’ve upgraded recently, because of a
> > CVE?
> > > >
> > > > It is.  You updated it for CVE-2020-27216, and this is now for
> > > > CVE-2020-27218!
> > > >
> > > > Cheers, -D
> > > >
> > > >
> > > >
> > > >
> > > > >> On 2020. Dec 5., at 22:03, Patrick Hunt  wrote:
> > > > >>
> > > > >> Thanks Damien! I reviewed and it looks good except for one small
> > > > comment I
> > > > >> hope we can also address (commented on PR).
> > > > >>
> > > > >> Regards,
> > > > >>
> > > > >> Patrick
> > > > >>
> > > > >> On Sat, Dec 5, 2020 at 12:05 PM Damien Diederen <
> > > > ddiede...@sinenomine.net>
> > > > >> wrote:
> > > > >>
> > > > >>>
> > > > >>> Hi Patrick, all,
> > > > >>>
> > > >  -1 - the dependency check is failing with a known CVE
> > > > 
> > > >  $ mvn clean package -DskipTests dependency-check:check
> > > >  ...
> > > >  [ERROR] One or more dependencies were identified with
> > > vulnerabilities
> > > > >>> that
> > > >  have a CVSS score greater than or equal to '0.0':
> > > >  [ERROR]
> > > >  [ERROR] jetty-server-9.4.34.v20201102.jar: CVE-2020-27218
> > > >  [ERROR] jetty-http-9.4.34.v20201102.jar: CVE-2020-27218
> > > > >>>
> > > > >>> For the (mailing list) record, I have created:
> > > > >>>
> > > > >>> https://issues.apache.org/jira/browse/ZOOKEEPER-4023
> > > > >>> https://github.com/apache/zookeeper/pull/1552
> > > > >>>
> > > > >>> Best, -D
> > > > >>>
> > > >
> > >
> >
>


Re: [VOTE] Apache ZooKeeper release 3.5.9 candidate 0

2021-01-05 Thread Enrico Olivelli
On Tue, 5 Jan 2021 at 15:48 Norbert Kalmar
 wrote:

> It failed due to the CVE, and the fix was not a clean cherry-pick to 3.5.
>

Thank you Norbert,
I didn't find any official "CANCELLED" response.
no hurry

Enrico


> Then Holidays hit, and I didn't do RC2. Picking it up now, and checking
> what needs to be backported and doing an RC2.
>
> - Norbert
>
> On Tue, Jan 5, 2021 at 12:26 PM Enrico Olivelli 
> wrote:
>
> > What's the status of this VOTE ?
> >
> > Enrico
> >
> > On Tue, 8 Dec 2020 at 21:28 Damien Diederen <
> > ddiede...@sinenomine.net> wrote:
> >
> > >
> > > Hi Andor,
> > >
> > > > Is this not the same Jar that I’ve upgraded recently, because of a
> CVE?
> > >
> > > It is.  You updated it for CVE-2020-27216, and this is now for
> > > CVE-2020-27218!
> > >
> > > Cheers, -D
> > >
> > >
> > >
> > >
> > > >> On 2020. Dec 5., at 22:03, Patrick Hunt  wrote:
> > > >>
> > > >> Thanks Damien! I reviewed and it looks good except for one small
> > > comment I
> > > >> hope we can also address (commented on PR).
> > > >>
> > > >> Regards,
> > > >>
> > > >> Patrick
> > > >>
> > > >> On Sat, Dec 5, 2020 at 12:05 PM Damien Diederen <
> > > ddiede...@sinenomine.net>
> > > >> wrote:
> > > >>
> > > >>>
> > > >>> Hi Patrick, all,
> > > >>>
> > >  -1 - the dependency check is failing with a known CVE
> > > 
> > >  $ mvn clean package -DskipTests dependency-check:check
> > >  ...
> > >  [ERROR] One or more dependencies were identified with
> > vulnerabilities
> > > >>> that
> > >  have a CVSS score greater than or equal to '0.0':
> > >  [ERROR]
> > >  [ERROR] jetty-server-9.4.34.v20201102.jar: CVE-2020-27218
> > >  [ERROR] jetty-http-9.4.34.v20201102.jar: CVE-2020-27218
> > > >>>
> > > >>> For the (mailing list) record, I have created:
> > > >>>
> > > >>> https://issues.apache.org/jira/browse/ZOOKEEPER-4023
> > > >>> https://github.com/apache/zookeeper/pull/1552
> > > >>>
> > > >>> Best, -D
> > > >>>
> > >
> >
>


Re: [VOTE] Apache ZooKeeper release 3.5.9 candidate 0

2021-01-05 Thread Norbert Kalmar
It failed due to the CVE, and the fix was not a clean cherry-pick to 3.5.
Then Holidays hit, and I didn't do RC2. Picking it up now, and checking
what needs to be backported and doing an RC2.

- Norbert

On Tue, Jan 5, 2021 at 12:26 PM Enrico Olivelli  wrote:

> What's the status of this VOTE ?
>
> Enrico
>
> On Tue, 8 Dec 2020 at 21:28 Damien Diederen <
> ddiede...@sinenomine.net> wrote:
>
> >
> > Hi Andor,
> >
> > > Is this not the same Jar that I’ve upgraded recently, because of a CVE?
> >
> > It is.  You updated it for CVE-2020-27216, and this is now for
> > CVE-2020-27218!
> >
> > Cheers, -D
> >
> >
> >
> >
> > >> On 2020. Dec 5., at 22:03, Patrick Hunt  wrote:
> > >>
> > >> Thanks Damien! I reviewed and it looks good except for one small
> > comment I
> > >> hope we can also address (commented on PR).
> > >>
> > >> Regards,
> > >>
> > >> Patrick
> > >>
> > >> On Sat, Dec 5, 2020 at 12:05 PM Damien Diederen <
> > ddiede...@sinenomine.net>
> > >> wrote:
> > >>
> > >>>
> > >>> Hi Patrick, all,
> > >>>
> >  -1 - the dependency check is failing with a known CVE
> > 
> >  $ mvn clean package -DskipTests dependency-check:check
> >  ...
> >  [ERROR] One or more dependencies were identified with
> vulnerabilities
> > >>> that
> >  have a CVSS score greater than or equal to '0.0':
> >  [ERROR]
> >  [ERROR] jetty-server-9.4.34.v20201102.jar: CVE-2020-27218
> >  [ERROR] jetty-http-9.4.34.v20201102.jar: CVE-2020-27218
> > >>>
> > >>> For the (mailing list) record, I have created:
> > >>>
> > >>> https://issues.apache.org/jira/browse/ZOOKEEPER-4023
> > >>> https://github.com/apache/zookeeper/pull/1552
> > >>>
> > >>> Best, -D
> > >>>
> >
>


Re: [VOTE] Apache ZooKeeper release 3.5.9 candidate 0

2021-01-05 Thread Enrico Olivelli
What's the status of this VOTE ?

Enrico

On Tue, 8 Dec 2020 at 21:28 Damien Diederen <
ddiede...@sinenomine.net> wrote:

>
> Hi Andor,
>
> > Is this not the same Jar that I’ve upgraded recently, because of a CVE?
>
> It is.  You updated it for CVE-2020-27216, and this is now for
> CVE-2020-27218!
>
> Cheers, -D
>
>
>
>
> >> On 2020. Dec 5., at 22:03, Patrick Hunt  wrote:
> >>
> >> Thanks Damien! I reviewed and it looks good except for one small
> comment I
> >> hope we can also address (commented on PR).
> >>
> >> Regards,
> >>
> >> Patrick
> >>
> >> On Sat, Dec 5, 2020 at 12:05 PM Damien Diederen <
> ddiede...@sinenomine.net>
> >> wrote:
> >>
> >>>
> >>> Hi Patrick, all,
> >>>
>  -1 - the dependency check is failing with a known CVE
> 
>  $ mvn clean package -DskipTests dependency-check:check
>  ...
>  [ERROR] One or more dependencies were identified with vulnerabilities
> >>> that
>  have a CVSS score greater than or equal to '0.0':
>  [ERROR]
>  [ERROR] jetty-server-9.4.34.v20201102.jar: CVE-2020-27218
>  [ERROR] jetty-http-9.4.34.v20201102.jar: CVE-2020-27218
> >>>
> >>> For the (mailing list) record, I have created:
> >>>
> >>> https://issues.apache.org/jira/browse/ZOOKEEPER-4023
> >>> https://github.com/apache/zookeeper/pull/1552
> >>>
> >>> Best, -D
> >>>
>


Re: [VOTE] Apache ZooKeeper release 3.5.9 candidate 0

2020-12-08 Thread Damien Diederen


Hi Andor,

> Is this not the same Jar that I’ve upgraded recently, because of a CVE?

It is.  You updated it for CVE-2020-27216, and this is now for
CVE-2020-27218!

Cheers, -D




>> On 2020. Dec 5., at 22:03, Patrick Hunt  wrote:
>> 
>> Thanks Damien! I reviewed and it looks good except for one small comment I
>> hope we can also address (commented on PR).
>> 
>> Regards,
>> 
>> Patrick
>> 
>> On Sat, Dec 5, 2020 at 12:05 PM Damien Diederen 
>> wrote:
>> 
>>> 
>>> Hi Patrick, all,
>>> 
 -1 - the dependency check is failing with a known CVE
 
 $ mvn clean package -DskipTests dependency-check:check
 ...
 [ERROR] One or more dependencies were identified with vulnerabilities
>>> that
 have a CVSS score greater than or equal to '0.0':
 [ERROR]
 [ERROR] jetty-server-9.4.34.v20201102.jar: CVE-2020-27218
 [ERROR] jetty-http-9.4.34.v20201102.jar: CVE-2020-27218
>>> 
>>> For the (mailing list) record, I have created:
>>> 
>>> https://issues.apache.org/jira/browse/ZOOKEEPER-4023
>>> https://github.com/apache/zookeeper/pull/1552
>>> 
>>> Best, -D
>>> 


Re: [VOTE] Apache ZooKeeper release 3.5.9 candidate 0

2020-12-08 Thread Andor Molnar
Is this not the same Jar that I’ve upgraded recently, because of a CVE?

Andor



> On 2020. Dec 5., at 22:03, Patrick Hunt  wrote:
> 
> Thanks Damien! I reviewed and it looks good except for one small comment I
> hope we can also address (commented on PR).
> 
> Regards,
> 
> Patrick
> 
> On Sat, Dec 5, 2020 at 12:05 PM Damien Diederen 
> wrote:
> 
>> 
>> Hi Patrick, all,
>> 
>>> -1 - the dependency check is failing with a known CVE
>>> 
>>> $ mvn clean package -DskipTests dependency-check:check
>>> ...
>>> [ERROR] One or more dependencies were identified with vulnerabilities
>> that
>>> have a CVSS score greater than or equal to '0.0':
>>> [ERROR]
>>> [ERROR] jetty-server-9.4.34.v20201102.jar: CVE-2020-27218
>>> [ERROR] jetty-http-9.4.34.v20201102.jar: CVE-2020-27218
>> 
>> For the (mailing list) record, I have created:
>> 
>> https://issues.apache.org/jira/browse/ZOOKEEPER-4023
>> https://github.com/apache/zookeeper/pull/1552
>> 
>> Best, -D
>> 



Re: [VOTE] Apache ZooKeeper release 3.5.9 candidate 0

2020-12-05 Thread Patrick Hunt
Thanks Damien! I reviewed and it looks good except for one small comment I
hope we can also address (commented on PR).

Regards,

Patrick

On Sat, Dec 5, 2020 at 12:05 PM Damien Diederen 
wrote:

>
> Hi Patrick, all,
>
> > -1 - the dependency check is failing with a known CVE
> >
> > $ mvn clean package -DskipTests dependency-check:check
> > ...
> > [ERROR] One or more dependencies were identified with vulnerabilities
> that
> > have a CVSS score greater than or equal to '0.0':
> > [ERROR]
> > [ERROR] jetty-server-9.4.34.v20201102.jar: CVE-2020-27218
> > [ERROR] jetty-http-9.4.34.v20201102.jar: CVE-2020-27218
>
> For the (mailing list) record, I have created:
>
> https://issues.apache.org/jira/browse/ZOOKEEPER-4023
> https://github.com/apache/zookeeper/pull/1552
>
> Best, -D
>


Re: [VOTE] Apache ZooKeeper release 3.5.9 candidate 0

2020-12-05 Thread Damien Diederen


Hi Patrick, all,

> -1 - the dependency check is failing with a known CVE
>
> $ mvn clean package -DskipTests dependency-check:check
> ...
> [ERROR] One or more dependencies were identified with vulnerabilities that
> have a CVSS score greater than or equal to '0.0':
> [ERROR]
> [ERROR] jetty-server-9.4.34.v20201102.jar: CVE-2020-27218
> [ERROR] jetty-http-9.4.34.v20201102.jar: CVE-2020-27218

For the (mailing list) record, I have created:

https://issues.apache.org/jira/browse/ZOOKEEPER-4023
https://github.com/apache/zookeeper/pull/1552

Best, -D


Re: [VOTE] Apache ZooKeeper release 3.5.9 candidate 0

2020-12-04 Thread Patrick Hunt
More minor: I notice that
./zookeeper-server/src/main/resources/lib/jetty-client-9.4.34.v20201102.LICENSE.txt
is included in the release even though the jar is no longer used. It should
be removed.

Regards,

Patrick


On Fri, Dec 4, 2020 at 1:53 PM Patrick Hunt  wrote:

> -1 - the dependency check is failing with a known CVE
>
> $ mvn clean package -DskipTests dependency-check:check
> ...
> [ERROR] One or more dependencies were identified with vulnerabilities that
> have a CVSS score greater than or equal to '0.0':
> [ERROR]
> [ERROR] jetty-server-9.4.34.v20201102.jar: CVE-2020-27218
> [ERROR] jetty-http-9.4.34.v20201102.jar: CVE-2020-27218
> [ERROR]
>
> Patrick
>
>
> On Tue, Dec 1, 2020 at 8:58 AM Norbert Kalmar  wrote:
>
>> This is a bugfix release candidate for 3.5.9. It contains 24 fixes,
>> including 2 CVE fixes.
>>
>> The full release notes are available at:
>>
>>
>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801=12348201
>>
>> *** Please download, test and vote by December 4th 2020, 23:59 UTC+0. ***
>>
>> Source files:
>> https://people.apache.org/~nkalmar/zookeeper-3.5.9-candidate-0/
>>
>> Maven staging repo:
>>
>> https://repository.apache.org/content/groups/staging/org/apache/zookeeper/zookeeper/3.5.9/
>>
>> The release candidate tag in git to be voted upon: release-3.5.9-rc0
>>
>> ZooKeeper's KEYS file containing PGP keys we use to sign the release:
>> https://www.apache.org/dist/zookeeper/KEYS
>>
>> Should we release this candidate?
>>
>> - Norbert
>>
>


Re: [VOTE] Apache ZooKeeper release 3.5.9 candidate 0

2020-12-04 Thread Patrick Hunt
-1 - the dependency check is failing with a known CVE

$ mvn clean package -DskipTests dependency-check:check
...
[ERROR] One or more dependencies were identified with vulnerabilities that
have a CVSS score greater than or equal to '0.0':
[ERROR]
[ERROR] jetty-server-9.4.34.v20201102.jar: CVE-2020-27218
[ERROR] jetty-http-9.4.34.v20201102.jar: CVE-2020-27218
[ERROR]

Patrick


On Tue, Dec 1, 2020 at 8:58 AM Norbert Kalmar  wrote:

> This is a bugfix release candidate for 3.5.9. It contains 24 fixes,
> including 2 CVE fixes.
>
> The full release notes are available at:
>
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801=12348201
>
> *** Please download, test and vote by December 4th 2020, 23:59 UTC+0. ***
>
> Source files:
> https://people.apache.org/~nkalmar/zookeeper-3.5.9-candidate-0/
>
> Maven staging repo:
>
> https://repository.apache.org/content/groups/staging/org/apache/zookeeper/zookeeper/3.5.9/
>
> The release candidate tag in git to be voted upon: release-3.5.9-rc0
>
> ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> https://www.apache.org/dist/zookeeper/KEYS
>
> Should we release this candidate?
>
> - Norbert
>


Re: [VOTE] Apache ZooKeeper release 3.5.9 candidate 0

2020-12-04 Thread Norbert Kalmar
Thank you all for the review.

Damien: I don't think jenkins jira's are even worth noting in release
notes, but the other 2 are of bigger interest.
ZOOKEEPER-1634 - the jira is missing any 3.5 fix tag. I can fix it in the
jira, but I wouldn't do a new rc to have it in the release notes.

Now the missing commits, again, what is more interesting is ZOOKEEPER-3933.
Looking at the jira it was a false positive alert, so no changes were made.
Same as ZOOKEEPER-3934, false positive, no change.

So thankfully we are not actually missing any commits, but rather have
false positive alert jiras closed with fix versions in them.

Thanks for the thorough review, after looking at these cases I agree it is
not a deal breaker for rc0. Let's wait for more PMC to vote.

I will also try to look into Máté's findings with Python.

-Norbert


On Fri, Dec 4, 2020 at 9:18 AM Szalay-Bekő Máté 
wrote:

> +1 (non-binding)
>
> - I built the source code (-Pfull-build) in docker on Ubuntu 16.04.6 using
> OpenJDK 8u275 and maven 3.3.9.
> - all the unit tests passed (Java and C-client).
> - I also built zkpython
> - checkstyle and spotbugs passed
> - apache-rat passed
> - owasp (CVE check) passed
>
> The only issue I found was that I was unable to make the python unit tests
> start. In 3.5.8 I was able to execute the unit tests (although I had to
> do some manual hack before, which didn't help this time). I don't know what
> changed here exactly, maybe just my environment. We might want to create a
> jira ticket to migrate the zkpython build / test to maven properly.
>
> Best regards,
> Mate
>
> On Thu, Dec 3, 2020 at 9:01 PM Damien Diederen 
> wrote:
>
> >
> > Thank you, Norbert!
> >
> > I went through the motions a bit more carefully than usual in
> > preparation for the upcoming 3.7.0 job, which I am planning to start
> > soon, but probably after you finalize this release.
> >
> >
> > +1 (advisory)
> >
> >   * Verified signatures and checksums;
> >
> >   * Built and tested on Ubuntu 20.04.1 LTS with OpenJDK Runtime
> > Environment (build 11.0.9.1+1-Ubuntu-0ubuntu1.20.04) using:
> >
> > mvn -B apache-rat:check verify spotbugs:check checkstyle:check \
> > -Pfull-build -Dsurefire-forkcount=1
> >
> >   * Built and smoke-tested on NixOS with a slightly adapted version of
> > this WIP PR:
> >
> > https://github.com/NixOS/nixpkgs/pull/104889
> >
> >   * Smoke-tested a single instance with Java, C and Perl client;
> >
> >   * Smoke-tested a 3-ensemble with Java client, including Kerberos auth;
> >
> >
> > I don't believe these points are blockers, but I noticed that the
> > following commits which are present in the release are not mentioned in
> > the release notes:
> >
> >   * commit 0838c6c1613d7902d6c3419dcad2205682223175
> > Author: Michael Han 
> > Date:   Mon Jul 6 16:25:38 2020 +0200
> >
> > ZOOKEEPER-1634: hardening security by teaching server to enforce
> > client authentication
> >
> >   * commit 54ffaad1b94d72e735fd8fb750117b6ee1550b1b
> > Author: Andor Molnar 
> > Date:   Tue Oct 6 17:51:15 2020 +0200
> >
> > ZOOKEEPER-3957: Created initial version of owasp-check
> Jenkinsfile
> >
> >   * commit db9fed4c95e4828389b30c0f6e94182db26ff99b
> > Author: Enrico Olivelli 
> > Date:   Tue Oct 20 16:21:30 2020 +0200
> >
> > ZOOKEEPER-3980: Fix Jenkinsfiles with new tool names
> >
> >
> > On the other hand, and just FYI, the following tickets mentioned in the
> > release notes do not have corresponding commits:
> >
> >   * ZOOKEEPER-3933: owasp failing with json-simple-1.1.1.jar:
> > CVE-2020-10663, CVE-2020-7712.
> >
> > This was a false positive.  Ticket was closed, but no commit was
> > produced.
> >
> >   * ZOOKEEPER-3934: upgrade dependency-check to version 6.0.0
> >
> > Same as ZOOKEEPER-3933.
> >
> > Cheers, -D
> >
> >
> >
> >
> > Norbert Kalmar  writes:
> > > This is a bugfix release candidate for 3.5.9. It contains 24 fixes,
> > > including 2 CVE fixes.
> > >
> > > The full release notes are available at:
> > >
> > >
> >
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801=12348201
> > >
> > > *** Please download, test and vote by December 4th 2020, 23:59 UTC+0.
> ***
> > >
> > > Source files:
> > > https://people.apache.org/~nkalmar/zookeeper-3.5.9-candidate-0/
> > >
> > > Maven staging repo:
> > >
> >
> https://repository.apache.org/content/groups/staging/org/apache/zookeeper/zookeeper/3.5.9/
> > >
> > > The release candidate tag in git to be voted upon: release-3.5.9-rc0
> > >
> > > ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> > > https://www.apache.org/dist/zookeeper/KEYS
> > >
> > > Should we release this candidate?
> > >
> > > - Norbert
> >
>


Re: [VOTE] Apache ZooKeeper release 3.5.9 candidate 0

2020-12-04 Thread Szalay-Bekő Máté
+1 (non-binding)

- I built the source code (-Pfull-build) in docker on Ubuntu 16.04.6 using
OpenJDK 8u275 and maven 3.3.9.
- all the unit tests passed (Java and C-client).
- I also built zkpython
- checkstyle and spotbugs passed
- apache-rat passed
- owasp (CVE check) passed

The only issue I found was that I was unable to make the python unit tests
start. In 3.5.8 I was able to execute the unit tests (although I had to
do some manual hack before, which didn't help this time). I don't know what
changed here exactly, maybe just my environment. We might want to create a
jira ticket to migrate the zkpython build / test to maven properly.

Best regards,
Mate

On Thu, Dec 3, 2020 at 9:01 PM Damien Diederen 
wrote:

>
> Thank you, Norbert!
>
> I went through the motions a bit more carefully than usual in
> preparation for the upcoming 3.7.0 job, which I am planning to start
> soon, but probably after you finalize this release.
>
>
> +1 (advisory)
>
>   * Verified signatures and checksums;
>
>   * Built and tested on Ubuntu 20.04.1 LTS with OpenJDK Runtime
> Environment (build 11.0.9.1+1-Ubuntu-0ubuntu1.20.04) using:
>
> mvn -B apache-rat:check verify spotbugs:check checkstyle:check \
> -Pfull-build -Dsurefire-forkcount=1
>
>   * Built and smoke-tested on NixOS with a slightly adapted version of
> this WIP PR:
>
> https://github.com/NixOS/nixpkgs/pull/104889
>
>   * Smoke-tested a single instance with Java, C and Perl client;
>
>   * Smoke-tested a 3-ensemble with Java client, including Kerberos auth;
>
>
> I don't believe these points are blockers, but I noticed that the
> following commits which are present in the release are not mentioned in
> the release notes:
>
>   * commit 0838c6c1613d7902d6c3419dcad2205682223175
> Author: Michael Han 
> Date:   Mon Jul 6 16:25:38 2020 +0200
>
> ZOOKEEPER-1634: hardening security by teaching server to enforce
> client authentication
>
>   * commit 54ffaad1b94d72e735fd8fb750117b6ee1550b1b
> Author: Andor Molnar 
> Date:   Tue Oct 6 17:51:15 2020 +0200
>
> ZOOKEEPER-3957: Created initial version of owasp-check Jenkinsfile
>
>   * commit db9fed4c95e4828389b30c0f6e94182db26ff99b
> Author: Enrico Olivelli 
> Date:   Tue Oct 20 16:21:30 2020 +0200
>
> ZOOKEEPER-3980: Fix Jenkinsfiles with new tool names
>
>
> On the other hand, and just FYI, the following tickets mentioned in the
> release notes do not have corresponding commits:
>
>   * ZOOKEEPER-3933: owasp failing with json-simple-1.1.1.jar:
> CVE-2020-10663, CVE-2020-7712.
>
> This was a false positive.  Ticket was closed, but no commit was
> produced.
>
>   * ZOOKEEPER-3934: upgrade dependency-check to version 6.0.0
>
> Same as ZOOKEEPER-3933.
>
> Cheers, -D
>
>
>
>
> Norbert Kalmar  writes:
> > This is a bugfix release candidate for 3.5.9. It contains 24 fixes,
> > including 2 CVE fixes.
> >
> > The full release notes are available at:
> >
> >
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801=12348201
> >
> > *** Please download, test and vote by December 4th 2020, 23:59 UTC+0. ***
> >
> > Source files:
> > https://people.apache.org/~nkalmar/zookeeper-3.5.9-candidate-0/
> >
> > Maven staging repo:
> >
> https://repository.apache.org/content/groups/staging/org/apache/zookeeper/zookeeper/3.5.9/
> >
> > The release candidate tag in git to be voted upon: release-3.5.9-rc0
> >
> > ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> > https://www.apache.org/dist/zookeeper/KEYS
> >
> > Should we release this candidate?
> >
> > - Norbert
>


Re: [VOTE] Apache ZooKeeper release 3.5.9 candidate 0

2020-12-03 Thread Damien Diederen


Thank you, Norbert!

I went through the motions a bit more carefully than usual in
preparation for the upcoming 3.7.0 job, which I am planning to start
soon, but probably after you finalize this release.


+1 (advisory)

  * Verified signatures and checksums;

  * Built and tested on Ubuntu 20.04.1 LTS with OpenJDK Runtime
Environment (build 11.0.9.1+1-Ubuntu-0ubuntu1.20.04) using:

mvn -B apache-rat:check verify spotbugs:check checkstyle:check \
-Pfull-build -Dsurefire-forkcount=1

  * Built and smoke-tested on NixOS with a slightly adapted version of
this WIP PR:

https://github.com/NixOS/nixpkgs/pull/104889

  * Smoke-tested a single instance with Java, C and Perl client;

  * Smoke-tested a 3-ensemble with Java client, including Kerberos auth;


I don't believe these points are blockers, but I noticed that the
following commits which are present in the release are not mentioned in
the release notes:

  * commit 0838c6c1613d7902d6c3419dcad2205682223175
Author: Michael Han 
Date:   Mon Jul 6 16:25:38 2020 +0200

ZOOKEEPER-1634: hardening security by teaching server to enforce client 
authentication

  * commit 54ffaad1b94d72e735fd8fb750117b6ee1550b1b
Author: Andor Molnar 
Date:   Tue Oct 6 17:51:15 2020 +0200

ZOOKEEPER-3957: Created initial version of owasp-check Jenkinsfile

  * commit db9fed4c95e4828389b30c0f6e94182db26ff99b
Author: Enrico Olivelli 
Date:   Tue Oct 20 16:21:30 2020 +0200

ZOOKEEPER-3980: Fix Jenkinsfiles with new tool names


On the other hand, and just FYI, the following tickets mentioned in the
release notes do not have corresponding commits:

  * ZOOKEEPER-3933: owasp failing with json-simple-1.1.1.jar: CVE-2020-10663, 
CVE-2020-7712.

This was a false positive.  Ticket was closed, but no commit was
produced.

  * ZOOKEEPER-3934: upgrade dependency-check to version 6.0.0

Same as ZOOKEEPER-3933.

Cheers, -D




Norbert Kalmar  writes:
> This is a bugfix release candidate for 3.5.9. It contains 24 fixes,
> including 2 CVE fixes.
>
> The full release notes are available at:
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801=12348201
>
> *** Please download, test and vote by December 4th 2020, 23:59 UTC+0. ***
>
> Source files:
> https://people.apache.org/~nkalmar/zookeeper-3.5.9-candidate-0/
>
> Maven staging repo:
> https://repository.apache.org/content/groups/staging/org/apache/zookeeper/zookeeper/3.5.9/
>
> The release candidate tag in git to be voted upon: release-3.5.9-rc0
>
> ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> https://www.apache.org/dist/zookeeper/KEYS
>
> Should we release this candidate?
>
> - Norbert


Re: [VOTE] Apache ZooKeeper release 3.5.9 candidate 0

2020-12-02 Thread Enrico Olivelli
+1 (binding)
- verified signatures and checksums
- ran smoke tests with server binaries on Linux Fedora (with JDK15)
- built with JDK8 and ran tests (even C-client)
- verified rat and checkstyle
- checked license files
- ran through the release notes

We still have a few inconsistencies in the way we handle licence files; we
should have a consistent approach and add some automatic check.
For instance we have only one LICENSE file for slf4j and one file per
Jetty jar.

thank you Norbert for putting this together

Enrico

On Tue, 1 Dec 2020 at 17:58 Norbert Kalmar 
wrote:

> This is a bugfix release candidate for 3.5.9. It contains 24 fixes,
> including 2 CVE fixes.
>
> The full release notes are available at:
>
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801=12348201
>
> *** Please download, test and vote by December 4th 2020, 23:59 UTC+0. ***
>
> Source files:
> https://people.apache.org/~nkalmar/zookeeper-3.5.9-candidate-0/
>
> Maven staging repo:
>
> https://repository.apache.org/content/groups/staging/org/apache/zookeeper/zookeeper/3.5.9/
>
> The release candidate tag in git to be voted upon: release-3.5.9-rc0
>
> ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> https://www.apache.org/dist/zookeeper/KEYS
>
> Should we release this candidate?
>
> - Norbert
>
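The automatic check Enrico asks for above, which would also have caught the orphaned jetty-client LICENSE.txt Patrick reported earlier in the thread, as an added example that is not part of this thread or of ZooKeeper's build: it pairs each `<stem>.jar` in a lib directory with a `<stem>.LICENSE.txt`, reports license files whose jar is gone and jars that ship without a license, and accepts a shared per-project license (the slf4j convention) only for prefixes listed explicitly, so the two conventions are surfaced rather than silently mixed. The directory listing and the slf4j version in it are constructed.

```python
"""Orphan-license check for a release's lib/ directory.

Added example, not ZooKeeper's own tooling.  Each <stem>.jar is expected
to ship with a <stem>.LICENSE.txt; a shared license such as slf4j.LICENSE.txt
covering every slf4j-*.jar is accepted only for prefixes the caller lists.
"""
import re
import sys
from pathlib import Path

JAR_RE = re.compile(r"^(?P<stem>.+)\.jar$")
LICENSE_RE = re.compile(r"^(?P<stem>.+)\.LICENSE\.txt$")


def check_license_files(entries, shared_prefixes=()):
    """Return (orphaned_licenses, unlicensed_jars) as sorted lists of file names.

    entries         -- file names found in the lib directory
    shared_prefixes -- stems such as "slf4j" whose <stem>.LICENSE.txt is
                       allowed to cover every <stem>-*.jar
    """
    jars, licenses = set(), set()
    for entry in entries:
        jar = JAR_RE.match(entry)
        lic = LICENSE_RE.match(entry)
        if jar:
            jars.add(jar.group("stem"))
        elif lic:
            licenses.add(lic.group("stem"))

    def jar_covered(stem):
        # exact one-to-one pairing first, then an explicitly allowed shared license
        if stem in licenses:
            return True
        return any(p in licenses and stem.startswith(p + "-") for p in shared_prefixes)

    def license_used(stem):
        if stem in jars:
            return True
        return stem in shared_prefixes and any(j.startswith(stem + "-") for j in jars)

    orphaned = sorted(f"{s}.LICENSE.txt" for s in licenses if not license_used(s))
    unlicensed = sorted(f"{s}.jar" for s in jars if not jar_covered(s))
    return orphaned, unlicensed


def check_lib_dir(path, shared_prefixes=()):
    """Run the check over a real directory, e.g. zookeeper-server/src/main/resources/lib."""
    names = [p.name for p in Path(path).iterdir() if p.is_file()]
    return check_license_files(names, shared_prefixes)


# Constructed listing mirroring the thread: jetty-client's jar was dropped but its
# LICENSE.txt was left behind; slf4j (placeholder version) uses one shared license.
SAMPLE_LIB = [
    "jetty-server-9.4.34.v20201102.jar",
    "jetty-server-9.4.34.v20201102.LICENSE.txt",
    "jetty-http-9.4.34.v20201102.jar",
    "jetty-http-9.4.34.v20201102.LICENSE.txt",
    "jetty-client-9.4.34.v20201102.LICENSE.txt",
    "slf4j-api-1.7.25.jar",
    "slf4j-log4j12-1.7.25.jar",
    "slf4j.LICENSE.txt",
]

if __name__ == "__main__":
    # With a directory argument the real tree is scanned; otherwise the sample is used.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target:
        orphaned, unlicensed = check_lib_dir(target, ("slf4j",))
    else:
        orphaned, unlicensed = check_license_files(SAMPLE_LIB, ("slf4j",))
    for name in orphaned:
        print(f"orphaned license (no matching jar): {name}")
    for name in unlicensed:
        print(f"jar without license file: {name}")
    sys.exit(1 if orphaned or unlicensed else 0)
```

Running it without the shared-prefix allowance reports slf4j.LICENSE.txt as orphaned and both slf4j jars as unlicensed, which is exactly the inconsistency between the two naming conventions.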


[VOTE] Apache ZooKeeper release 3.5.9 candidate 0

2020-12-01 Thread Norbert Kalmar
This is a bugfix release candidate for 3.5.9. It contains 24 fixes,
including 2 CVE fixes.

The full release notes are available at:

https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801=12348201

*** Please download, test and vote by December 4th 2020, 23:59 UTC+0. ***

Source files:
https://people.apache.org/~nkalmar/zookeeper-3.5.9-candidate-0/

Maven staging repo:
https://repository.apache.org/content/groups/staging/org/apache/zookeeper/zookeeper/3.5.9/

The release candidate tag in git to be voted upon: release-3.5.9-rc0

ZooKeeper's KEYS file containing PGP keys we use to sign the release:
https://www.apache.org/dist/zookeeper/KEYS

Should we release this candidate?

- Norbert