Re: [VOTE] Apache Jena 4.3.2 RC 1

2021-12-17 Thread Bruno P. Kinoshita
         [x] +1 Approve the release
Thanks!
Bruno

On Saturday, 18 December 2021, 09:11:13 am NZDT, Andy Seaborne wrote:
 
 Hi,

** This is a fast-track release **

Here is a vote on the release of Apache Jena 4.3.2.
This is the first proposed release candidate.

The primary purpose of this release is to update log4j2 to 2.16.0 to 
address CVE-2021-45046

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-45046
https://logging.apache.org/log4j/2.x/security.html

where the severity has been raised to Critical.

Apache Jena 4.3.1 addressed CVE-44228.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

The deadline is

      Sunday, 19 December 2021 at 06:00 UTC.

** Short deadline **

Please vote to approve this release:

        [ ] +1 Approve the release
        [ ]  0 Don't care
        [ ] -1 Don't release, because ...

 Items in this release

JENA-2214: Update log4j2 to 2.16.0

JENA-2216: Depend on jena-cmds as does fuseki-main
JENA-2215: Make log4j impl scope-runtime for war-plugin
JENA-2215: Be clear that log4j is not optional to shading.

 Release Vote

Everyone, not just committers, is invited to test and vote.
Please download and test the proposed release.

Staging repository:
  https://repository.apache.org/content/repositories/orgapachejena-1047

Proposed dist/ area:
  https://dist.apache.org/repos/dist/dev/jena/

Keys:
  https://svn.apache.org/repos/asf/jena/dist/KEYS

Git commit (browser URL):
  https://github.com/apache/jena/commit/7692c4cf4
Git Commit Hash:
  7692c4cf4a0cad18eb690a33653c8a256e8f424f
Git Commit Tag:
  jena-4.3.2

This vote will be open until at least

      Sunday, 19 December 2021 at 06:00 UTC.

** Short deadline **

If you expect to check the release but the time limit does not work
for you, please email within the schedule above.

Thanks,

      Andy

Checking needed:

+ are the GPG signatures fine?
+ are the checksums correct?
+ is there a source archive?

+ can the source archive be built?
          (NB This requires a "mvn install" first time)
+ is there a correct LICENSE and NOTICE file in each artifact
          (both source and binary artifacts)?
+ does the NOTICE file contain all necessary attributions?
+ have any licenses of dependencies changed due to upgrades?
            if so have LICENSE and NOTICE been upgraded appropriately?
+ does the tag/commit in the SCM contain reproducible sources?
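
[Added example, not part of the original thread or of the Jena project's code.] Since the stated purpose of this release is the log4j2 2.16.0 upgrade and the binary artifacts are shaded jars and a war, a voter checking the artifacts may also want to confirm which log4j-core version they actually bundle. The sketch below walks an archive, including nested jars, and reports every log4j-core copy below 2.16.0. It assumes the copy still carries its Maven pom.properties metadata, so a copy stripped of that file is not detected; the file names in the sample are constructed.

```python
import io
import re
import zipfile

FIXED = (2, 16, 0)  # version this release upgrades to, per the announcement
# Maven metadata shipped inside log4j-core jars (assumed to survive shading)
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED = (".jar", ".war", ".zip")

def parse_version(text):
    """Turn '2.16.0' or '2.15.0-rc1' into a comparable tuple of ints."""
    return tuple(int(n) for n in re.findall(r"\d+", text.split("-")[0])[:3])

def find_log4j_core(data, path=""):
    """Yield (location, version) for every log4j-core copy in the archive
    bytes, descending into nested jar/war/zip entries."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not an archive, nothing to report
    with zf:
        for name in zf.namelist():
            if name == POM_PROPS:
                props = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.M)
                yield (path or "<top level>", m.group(1).strip() if m else "unknown")
            elif name.lower().endswith(NESTED):
                inner = f"{path}!/{name}" if path else name
                yield from find_log4j_core(zf.read(name), inner)

def outdated(data):
    """Return the copies whose version is unknown or below FIXED."""
    return [(loc, ver) for loc, ver in find_log4j_core(data)
            if ver == "unknown" or parse_version(ver) < FIXED]

def _zip(entries):
    """Build an in-memory zip from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed sample: a war holding one patched and one stale log4j-core jar.
SAMPLE = _zip({
    "WEB-INF/lib/log4j-core-2.16.0.jar": _zip({POM_PROPS: b"version=2.16.0\n"}),
    "WEB-INF/lib/vendored.jar": _zip({POM_PROPS: b"artifactId=log4j-core\nversion=2.15.0\n"}),
})

if __name__ == "__main__":
    print(outdated(SAMPLE))
```

To check a downloaded artifact, pass its bytes to outdated(); an empty list means no detectable log4j-core copy is below 2.16.0.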
  

Re: [VOTE] Apache Jena 4.3.2 RC 1

2021-12-17 Thread Aaron Coburn
+1 (binding)

checksums are good
signatures are good
LICENSE/NOTICE files are present and look good
Source distribution is buildable (MacOS, jdk11)
git tag is buildable (MacOS, jdk11)

Aaron


On Fri, 17 Dec 2021 at 15:17, Andy Seaborne  wrote:

> +1 (binding)
>
>  Andy


Re: [VOTE] Apache Jena 4.3.2 RC 1

2021-12-17 Thread Andy Seaborne

+1 (binding)

Andy



Re: [VOTE] Apache Jena 4.3.2 RC 1

2021-12-17 Thread Marco Neumann
 [x] +1 Approve the release



-- 


---
Marco Neumann
KONA