[x] +1 Approve the release

Thanks!

Bruno

On Saturday, 18 December 2021, 09:11:13 am NZDT, Andy Seaborne <a...@apache.org> wrote:

Hi,

** This is a fast-track release **

Here is a vote on the release of Apache Jena 4.3.2.
This is the first proposed release candidate.

The primary purpose of this release is to update log4j2 to 2.16.0 to address CVE-2021-45046

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-45046
https://logging.apache.org/log4j/2.x/security.html

where the severity has been raised to Critical.

Apache Jena 4.3.1 addressed CVE-44228.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

The deadline is Sunday, 19 December 2021 at 06:00 UTC.

** Short deadline **

Please vote to approve this release:

[ ] +1 Approve the release
[ ] 0 Don't care
[ ] -1 Don't release, because ...

==== Items in this release

JENA-2214: Update log4j2 to 2.16.0
JENA-2216: Depend on jena-cmds as does fuseki-main
JENA-2215: Make log4j impl scope-runtime for war-plugin
JENA-2215: Be clear that log4j is not optional to shading.

==== Release Vote

Everyone, not just committers, is invited to test and vote.
Please download and test the proposed release.

Staging repository:
https://repository.apache.org/content/repositories/orgapachejena-1047

Proposed dist/ area:
https://dist.apache.org/repos/dist/dev/jena/

Keys:
https://svn.apache.org/repos/asf/jena/dist/KEYS

Git commit (browser URL):
https://github.com/apache/jena/commit/7692c4cf4

Git Commit Hash:
7692c4cf4a0cad18eb690a33653c8a256e8f424f

Git Commit Tag:
jena-4.3.2

This vote will be open until at least

Sunday, 19 December 2021 at 06:00 UTC.

** Short deadline **

If you expect to check the release but the time limit does not work for you, please email within the schedule above.

Thanks,

Andy

Checking needed:

+ are the GPG signatures fine?
+ are the checksums correct?
+ is there a source archive?
+ can the source archive be built?
  (NB This requires a "mvn install" first time)
+ is there a correct LICENSE and NOTICE file in each artifact
  (both source and binary artifacts)?
+ does the NOTICE file contain all necessary attributions?
+ have any licenses of dependencies changed due to upgrades?
  if so have LICENSE and NOTICE been upgraded appropriately?
+ does the tag/commit in the SCM contain reproducible sources?