[x] +1 Approve the release

On Fri, Dec 17, 2021 at 8:12 PM Andy Seaborne <a...@apache.org> wrote:

> Hi,
>
> ** This is a fast-track release **
>
> Here is a vote on the release of Apache Jena 4.3.2.
> This is the first proposed release candidate.
>
> The primary purpose of this release is to update log4j2 to 2.16.0 to
> address CVE-2021-45046
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-45046
> https://logging.apache.org/log4j/2.x/security.html
>
> where the severity has been raised to Critical.
>
> Apache Jena 4.3.1 addressed CVE-44228.
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
>
> The deadline is
>
>       Sunday, 19 December 2021 at 06:00 UTC.
>
> ** Short deadline **
>
> Please vote to approve this release:
>
>          [ ] +1 Approve the release
>          [ ]  0 Don't care
>          [ ] -1 Don't release, because ...
>
> ==== Items in this release
>
> JENA-2214: Update log4j2 to 2.16.0
>
> JENA-2216: Depend on jena-cmds as does fuseki-main
> JENA-2215: Make log4j impl scope-runtime for war-plugin
> JENA-2215: Be clear that log4j is not optional to shading.
>
> ==== Release Vote
>
> Everyone, not just committers, is invited to test and vote.
> Please download and test the proposed release.
>
> Staging repository:
>    https://repository.apache.org/content/repositories/orgapachejena-1047
>
> Proposed dist/ area:
>    https://dist.apache.org/repos/dist/dev/jena/
>
> Keys:
>    https://svn.apache.org/repos/asf/jena/dist/KEYS
>
> Git commit (browser URL):
>    https://github.com/apache/jena/commit/7692c4cf4
> Git Commit Hash:
>    7692c4cf4a0cad18eb690a33653c8a256e8f424f
> Git Commit Tag:
>    jena-4.3.2
>
> This vote will be open until at least
>
>       Sunday, 19 December 2021 at 06:00 UTC.
>
> ** Short deadline **
>
> If you expect to check the release but the time limit does not work
> for you, please email within the schedule above.
>
> Thanks,
>
>        Andy
>
> Checking needed:
>
> + are the GPG signatures fine?
> + are the checksums correct?
> + is there a source archive?
>
> + can the source archive be built?
>            (NB This requires a "mvn install" first time)
> + is there a correct LICENSE and NOTICE file in each artifact
>            (both source and binary artifacts)?
> + does the NOTICE file contain all necessary attributions?
> + have any licenses of dependencies changed due to upgrades?
>             if so have LICENSE and NOTICE been upgraded appropriately?
> + does the tag/commit in the SCM contain reproducible sources?
>


-- 


---
Marco Neumann
KONA
