Hello.

On Fri, Jan 7, 2022 at 19:49, Thomas Vandahl <t...@apache.org> wrote:
>
> Hi folks,
>
> could I please have one more PMC vote? If you think that the outputTimestamp 
> issue must be fixed before, then please vote -1 explicitly.
>
> Bye, Thomas
>
> > On 03.01.2022 at 18:24, Thomas Vandahl <t...@apache.org> wrote:
> >
> > Hi folks,
> >
> > We have fixed quite a few bugs and added some significant enhancements 
> > since Apache Commons JCS 3.0 was released, so I would like to release 
> > Apache Commons JCS 3.1.
> >
> > Note that, although the core library of Log4j is an optional dependency to 
> > commons-jcs, we have addressed CVE-2021-44228 by updating log4j-api and 
> > log4j-core to version 2.17.1.
> >
> > Apache Commons JCS 3.1 rc2 is available for review here:
> >    https://dist.apache.org/repos/dist/dev/commons/jcs/3.1-rc2 (svn revision 
> > 51880)
> >
> > The Git tag commons-jcs3-3.1-rc2 commit for this RC is 
> > 5cd1ad02a8ddd196c9594fbb208d708440f87734 which you can browse here:
> >    
> > https://gitbox.apache.org/repos/asf?p=commons-jcs.git;a=commit;h=5cd1ad02a8ddd196c9594fbb208d708440f87734
> > You may checkout this tag using:
> >    git clone https://gitbox.apache.org/repos/asf/commons-jcs.git --branch 
> > commons-jcs3-3.1-rc2 commons-jcs3-3.1-rc2
> >
> > Maven artifacts are here:
> >    
> > https://repository.apache.org/content/repositories/orgapachecommons-1576/org/apache/commons/commons-jcs3/3.1/

I only see one ".pom" file and one ".xml" file (with their respective
crypto sig).

> >
> > These are the distribution artifacts and their hashes:
> >
> > commons-jcs3-dist-3.1-bin.tar.gz
> > 2d64ec75177934524353adcc7cccb92b05b4a5b6014f75b10f16dae2265954da0c0f4c0eb68013fee71d4ec53a49b02f7689de5fce6ff34ae90cd83705a56362
> > commons-jcs3-dist-3.1-bin.zip
> > cba57f84ce1e0654239b0ea72663c166e47cf582c0ffc4a2743fd583d35eabbbcb03576fb1aac3e425a48a5b55068c554ab13b3b210a4d50151f62fa9e79894c
> > commons-jcs3-dist-3.1-src.tar.gz
> > d76daa3e8449e711e91e3f3ec73dc00b212d10db28f0f9a726c4df35bb9578cc1649ee8c5f20159f8cda0f58c569fa5821c3736a3f65fc03cfff74da200b790d
> > commons-jcs3-dist-3.1-src.zip
> > 1990533137ca75dbbfa702bb8dedb680e2f6d96d301cf263794d96da845c2c72072c1e84b6e50b7dd0588f96fd9512be0d7a61cd08463f1e01044a55a75b0ed5

I'd suggest (again) that we agree on simplifying this step, by having the RM
upload a script that would
 * download the distribution artefacts from the "dist" area
 * download a checksum "file" (with the above 4 lines) so that the reviewer
   can run
     $ sha512sum -c file

> >
> > I have tested this with 'mvn clean verify site site:stage' using:

We should note that this command requires the environment variable
  JAVA_HOME
to be set (otherwise the build will fail).

> >
> > Apache Maven 3.8.4 (9b656c72d54e5bacbed989b64718c159fe39b537)
> > Java version: 1.8.0_311, vendor: Oracle Corporation, runtime: 
> > /Library/Java/JavaVirtualMachines/jdk1.8.0_311.jdk/Contents/Home/jre
> > Default locale: de_DE, platform encoding: UTF-8
> > OS name: "mac os x", version: "10.16", arch: "x86_64", family: "mac"

Two successful builds with:

(1)
Apache Maven 3.6.0
Maven home: /usr/share/maven
Java version: 1.8.0_302, vendor: Oracle Corporation, runtime:
/usr/lib/jvm/java-8-openjdk-amd64/jre
Default locale: en_US, platform encoding: UTF-8
OS name: "linux", version: "4.19.0-17-amd64", arch: "amd64", family: "unix"

(2)
Apache Maven 3.6.0
Maven home: /usr/share/maven
Java version: 11.0.11, vendor: Debian, runtime:
/usr/lib/jvm/java-11-openjdk-amd64
Default locale: en_US, platform encoding: UTF-8
OS name: "linux", version: "4.19.0-17-amd64", arch: "amd64", family: "unix"

> >
> > Details of changes since 3.0 are in the release notes:
> >    
> > https://dist.apache.org/repos/dist/dev/commons/jcs/3.1-rc2/RELEASE-NOTES.txt

Shall we stop cluttering what should be a summary of important changes,
easily readable by a human, with bot-generated messages and trivial
one-liners like "isEmpty()"?

Is the Log4j2 version update related to the latest security issue?
If so, that may have been important to note.

There is a typo:
"It is intend to speed up" -> "It is intended to speed up"

IMHO, the sentence:
"JCS 3.0 and onwards now targets Java 8.0, making use of features that
arrived with Java 8.0
such as lambdas."
does not really belong to release notes. [And "Java 8.0" -> "Java 8".]

Nit-pick: Rather than tagging them with "IMPORTANT CHANGE", it would
be clearer that important changes are mentioned in the description, at the
top of the release notes.

As per recent exchanges on the "security-discuss" ML, we might want
that the release notes (of all components) contain a reminder of the
policy regarding the report of vulnerability issues.

> >    
> > https://dist.apache.org/repos/dist/dev/commons/jcs/3.1-rc2/site/changes-report.html
> >
> > Site:
> >    
> > https://dist.apache.org/repos/dist/dev/commons/jcs/3.1-rc2/site/index.html
> >    (note some *relative* links are broken and the 3.1 directories are not 
> > yet created - these will be OK once the site is deployed.)
> >
> > JApiCmp Report (compared to 3.0):
> >    
> > https://dist.apache.org/repos/dist/dev/commons/jcs/3.1-rc2/site/commons-jcs3-core/japicmp.html

There are a few changes marked incompatible.  Is it expected in a minor release?

Best regards,
Gilles

> >
> > RAT Report:
> >    
> > https://dist.apache.org/repos/dist/dev/commons/jcs/3.1-rc2/site/commons-jcs3-core/rat-report.html
> >
> > KEYS:
> >  https://www.apache.org/dist/commons/KEYS
> >
> > Please review the release candidate and vote.
> > This vote will close no sooner than 72 hours from now.
> >
> >  [ ] +1 Release these artifacts
> >  [ ] +0 OK, but...
> >  [ ] -0 OK, but really should fix...
> >  [ ] -1 I oppose this release because...
> >
> > Thank you,
> >
> > Thomas Vandahl (tv),
> > Release Manager (using key 88817402)
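
The checksum step suggested in the reply above, as an added example (not part of the original thread and not Apache Commons tooling): it turns a vote-style listing, where each artifact name is followed by its SHA-512 digest on the next line, into the format `sha512sum -c` reads, then checks artifacts that have already been downloaded. The function names are hypothetical and GNU coreutils `sha512sum` is assumed.

```shell
#!/bin/sh
# Added example. Assumption: the listing alternates "artifact name" and
# "SHA-512 hex digest" lines, optionally behind mail quote markers ("> > ").

# vote_to_checksums LISTING
# Prints "digest  name" lines, the input format of `sha512sum -c`.
vote_to_checksums() {
    sed -e 's/^[> ]*//' -e 's/[[:space:]]*$//' "$1" | awk '
        /^$/ { next }
        name == "" {
            # Refuse path components so a listing cannot point outside DIR.
            if (index($0, "/") > 0 || $0 == "." || $0 == "..") {
                print "bad artifact name: " $0 > "/dev/stderr"; exit 2
            }
            name = $0; next
        }
        {
            d = tolower($0)
            # A SHA-512 digest is exactly 128 hex characters.
            if (length(d) != 128 || d !~ /^[0-9a-f]+$/) {
                print "bad digest for " name > "/dev/stderr"; exit 2
            }
            print d "  " name; name = ""
        }
        END {
            if (name != "") { print "no digest for " name > "/dev/stderr"; exit 2 }
        }'
}

# verify_release LISTING DIR
# Returns 0 only if every listed artifact is present in DIR and matches.
verify_release() {
    sums=$(vote_to_checksums "$1") || return 2
    [ -n "$sums" ] || return 2      # an empty listing verifies nothing
    ( cd "$2" && printf '%s\n' "$sums" | sha512sum -c - )
}

# Stand-alone use: sh verify.sh vote-listing.txt downloaded-artifacts/
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2"
fi
```

A matching digest only shows the download equals what the e-mail lists; checking the `.asc` signatures against the KEYS file is a separate step.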
