The vote has passed with three PMC +1s and no -1s.
+1s
Konstantin Gribov
Tilman Hausherr
Tim Allison
Thank you all. I'll try to push the artifacts and update the website
shortly.
Best,
Tim
On Mon, Dec 11, 2023 at 3:45 PM Tim Allison <[email protected]> wrote:
> Thank you, Konstantin!
>
> On Mon, Dec 11, 2023 at 2:22 PM Konstantin Gribov <[email protected]>
> wrote:
>
>> Hi, folks.
>>
>> All the checksums and PGP signatures seem fine to me.
>>
>> Just built Tika 3.0.0-BETA successfully with OpenJDK 17
>> (Temurin 17.0.9+9) on ArchLinux w/ Tesseract 5.3.3-1 and 1.83.1-1.
>>
>> It seems that solr-solrj 8.11.2 dependency in Solr Emitter brought
>> vulnerable logback-core 1.4.13 [1, 2] transitively via Zookeeper
>> dependency. Downstream user will likely either exclude Logback or use a
>> bare tika-emitter-solr jar alongside tika-server/tika-app.
>>
>> Even if user brings tika-emitter-solr with Maven, Gradle or another
>> dependency management solution with transitive dependencies to
>> successfully exploit CVE-2023-6481/CVE-2023-6378 user have to configure
>> receiver [3] to accept logs from remote systems AFICT.
>>
>> So, I say +1 and think that CVE-2023-6481 should be mentioned in the
>> announcement with note that if downstream project make use of Logback
>> centralized logging via receivers that may be vulnerable to this DoS attack.
>>
>> [1]:
>> https://ossindex.sonatype.org/vulnerability/CVE-2023-6481?component-type=maven&component-name=ch.qos.logback%2Flogback-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
>> [2]: https://logback.qos.ch/news.html#1.3.14
>> [3]: https://logback.qos.ch/manual/receivers.html
>>
>> --
>> Best regards,
>> Konstantin Gribov.
>>
>>
>> On Mon, Dec 11, 2023 at 5:47 PM Tim Allison <[email protected]> wrote:
>>
>>> All,
>>> We have two +1s. We need another +1 for the release. If a fellow dev has
>>> the time to vote, please do! Thank you.
>>>
>>> Best,
>>>
>>> Tim
>>>
>>> On Wed, Dec 6, 2023 at 3:17 PM Tim Allison <[email protected]> wrote:
>>>
>>>> Oops, I forgot to include my +1 for this RC1 for 3.0.0-BETA. Would
>>>> another fellow dev be willing to vote? Thank you!
>>>>
>>>> On Sat, Dec 2, 2023 at 5:39 AM Tilman Hausherr <[email protected]>
>>>> wrote:
>>>>
>>>>> +1
>>>>>
>>>>> successful build on german windows 10 openjdk version "21.0.1"
>>>>> 2023-10-17 LTS
>>>>>
>>>>> Tilman
>>>>>
>>>>>
>>>>>
>>>>> On 01.12.2023 18:25, Tim Allison wrote:
>>>>> > A candidate for the Tika 3.0.0-BETA release is available at:
>>>>> > https://dist.apache.org/repos/dist/dev/tika/3.0.0-BETA
>>>>> >
>>>>> > The release candidate is a zip archive of the sources in:
>>>>> > https://github.com/apache/tika/tree/3.0.0-BETA-rc1/
>>>>> >
>>>>> > The SHA-512 checksum of the archive is
>>>>> >
>>>>> 6a98e19f73e0ccf9c902cf869fb50c0c7314231d1c83d3d84220846d6f46a3983087f6199b14c8bbc62dea54411c7f40d7cf5040efb1ce18b5fd4d61de059736.
>>>>> >
>>>>> > In addition, a staged maven repository is available here:
>>>>> >
>>>>> https://repository.apache.org/content/repositories/orgapachetika-1097/org/apache/tika
>>>>> >
>>>>> > Please vote on releasing this package as Apache Tika 3.0.0-BETA.
>>>>> > The vote is open for the next 72 hours and passes if a majority of at
>>>>> > least three +1 Tika PMC votes are cast.
>>>>> >
>>>>> > [ ] +1 Release this package as Apache Tika 3.0.0-BETA
>>>>> > [ ] -1 Do not release this package because..
>>>>>
>>>>>
>>>>>
