[x] +1 Approve the release
Thanks!
Bruno

On Saturday, 18 December 2021, 09:11:13 am NZDT, Andy Seaborne <a...@apache.org> wrote:
 
 Hi,

** This is a fast-track release **

Here is a vote on the release of Apache Jena 4.3.2.
This is the first proposed release candidate.

The primary purpose of this release is to update log4j2 to 2.16.0 to 
address CVE-2021-45046

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-45046
https://logging.apache.org/log4j/2.x/security.html

where the severity has been raised to Critical.

Apache Jena 4.3.1 addressed CVE-44228.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

The deadline is

      Sunday, 19 December 2021 at 06:00 UTC.

** Short deadline **

Please vote to approve this release:

        [ ] +1 Approve the release
        [ ]  0 Don't care
        [ ] -1 Don't release, because ...

==== Items in this release

JENA-2214: Update log4j2 to 2.16.0

JENA-2216: Depend on jena-cmds as does fuseki-main
JENA-2215: Make log4j impl scope-runtime for war-plugin
JENA-2215: Be clear that log4j is not optional to shading.

==== Release Vote

Everyone, not just committers, is invited to test and vote.
Please download and test the proposed release.

Staging repository:
  https://repository.apache.org/content/repositories/orgapachejena-1047

Proposed dist/ area:
  https://dist.apache.org/repos/dist/dev/jena/

Keys:
  https://svn.apache.org/repos/asf/jena/dist/KEYS

Git commit (browser URL):
  https://github.com/apache/jena/commit/7692c4cf4
Git Commit Hash:
  7692c4cf4a0cad18eb690a33653c8a256e8f424f
Git Commit Tag:
  jena-4.3.2

This vote will be open until at least

      Sunday, 19 December 2021 at 06:00 UTC.

** Short deadline **

If you expect to check the release but the time limit does not work
for you, please email within the schedule above.

Thanks,

      Andy

Checking needed:

+ are the GPG signatures fine?
+ are the checksums correct?
+ is there a source archive?

+ can the source archive be built?
          (NB This requires a "mvn install" first time)
+ is there a correct LICENSE and NOTICE file in each artifact
          (both source and binary artifacts)?
+ does the NOTICE file contain all necessary attributions?
+ have any licenses of dependencies changed due to upgrades?
            if so have LICENSE and NOTICE been upgraded appropriately?
+ does the tag/commit in the SCM contain reproducible sources?
  
