+1 (binding)

checksums are good
signatures are good
LICENSE/NOTICE files are present and look good
Source distribution is buildable (MacOS, jdk11)
git tag is buildable (MacOS, jdk11)

Aaron

On Fri, 17 Dec 2021 at 15:17, Andy Seaborne <a...@apache.org> wrote:

> +1 (binding)
>
> Andy
>
> On 17/12/2021 20:10, Andy Seaborne wrote:
> > Hi,
> >
> > ** This is a fast-track release **
> >
> > Here is a vote on the release of Apache Jena 4.3.2.
> > This is the first proposed release candidate.
> >
> > The primary purpose of this release is to update log4j2 2.16.0 to
> > address CVE-2021-45046
> >
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-45046
> > https://logging.apache.org/log4j/2.x/security.html
> >
> > where the severity has been raised to Critical.
> >
> > Apache Jena 4.3.1 addressed CVE-44228.
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
> >
> > The deadline is
> >
> > Sunday, 19 December 2021 at 06:00 UTC.
> >
> > ** Short deadline **
> >
> > Please vote to approve this release:
> >
> > [ ] +1 Approve the release
> > [ ] 0 Don't care
> > [ ] -1 Don't release, because ...
> >
> > ==== Items in this release
> >
> > JENA-2214: Update log4j2 to 2.16.0
> >
> > JENA-2216: Depend on jena-cmds as does fuseki-main
> > JENA-2215: Make log4j impl scope-runtime for war-plugin
> > JENA-2215: Be clear that log4j is not optional to shading.
> >
> > ==== Release Vote
> >
> > Everyone, not just committers, is invited to test and vote.
> > Please download and test the proposed release.
> >
> > Staging repository:
> > https://repository.apache.org/content/repositories/orgapachejena-1047
> >
> > Proposed dist/ area:
> > https://dist.apache.org/repos/dist/dev/jena/
> >
> > Keys:
> > https://svn.apache.org/repos/asf/jena/dist/KEYS
> >
> > Git commit (browser URL):
> > https://github.com/apache/jena/commit/7692c4cf4
> > Git Commit Hash:
> > 7692c4cf4a0cad18eb690a33653c8a256e8f424f
> > Git Commit Tag:
> > jena-4.3.2
> >
> > This vote will be open until at least
> >
> > Sunday, 19 December 2021 at 06:00 UTC.
> >
> > ** Short deadline **
> >
> > If you expect to check the release but the time limit does not work
> > for you, please email within the schedule above.
> >
> > Thanks,
> >
> > Andy
> >
> > Checking needed:
> >
> > + are the GPG signatures fine?
> > + are the checksums correct?
> > + is there a source archive?
> >
> > + can the source archive be built?
> >   (NB This requires a "mvn install" first time)
> > + is there a correct LICENSE and NOTICE file in each artifact
> >   (both source and binary artifacts)?
> > + does the NOTICE file contain all necessary attributions?
> > + have any licenses of dependencies changed due to upgrades?
> >   if so have LICENSE and NOTICE been upgraded appropriately?
> > + does the tag/commit in the SCM contain reproducible sources?
>