I could go either way on this.

My questions, which are perhaps not ones we can easily get answers to...

* Do we actually know there are no CVEs against other things we depend on?

* Has this Log4J flurry now concluded, or is that software now "under
scrutiny" such that there are now going to be a bunch more CVEs and
fixes?

On Mon, Dec 20, 2021 at 7:27 AM Steve Lawrence <slawre...@apache.org> wrote:
>
> It looks like another CVE was found that affects Log4J 2.16.0. This seems
> less severe than the previous CVEs--it's only a DoS, and I think
> Daffodil CLI isn't affected. But I *think* API users of Daffodil could
> potentially be affected if they have custom Log4J configs with a special
> Pattern Layout.
>
> Dependabot already has a PR open for Log4J 2.17.0 with a fix. Do we want
> to cancel this rc1 vote, merge the patch, and create an rc2?
>
> (Dependabot also opened a PR to update jackson-core, which has a bug fix
> for json parsing of quotes which might be worth merging as well?)
>
> On 12/16/21 4:02 PM, Mike Beckerle wrote:
> > Hi all,
> >
> > I'd like to call a vote to release Apache Daffodil 3.2.1 and to do so
> > with an abbreviated approval cycle (to be used only for urgent patch
> > releases).
> >
> > Your vote covers the release as usual, but also due to the urgency of
> > this patch release, you are also voting on these 4 deltas from our more
> > usual release process:
> >
> > * You agree the patch release is urgent and this abbreviated approval
> >    cycle is warranted and appropriate.
> >
> > * The DISCUSS email thread will be superseded by this VOTE thread.
> >
> > * Shortened 48 hours of work-day time for lazy consensus on the VOTE
> >
> > * A minimum of three +1 and zero -1 binding votes are needed
> >
> > For a summary of the changes in this release, see the release notes page:
> >
> > https://daffodil.apache.org/releases/3.2.1/
> >
> > All distribution packages, including signatures, digests, etc. can be found 
> > at:
> >
> > https://dist.apache.org/repos/dist/dev/daffodil/3.2.1-rc1/
> >
> > Staging artifacts can be found at:
> >
> > https://repository.apache.org/content/repositories/orgapachedaffodil-1026/
> >
> > This release has been signed with PGP key 274B8F1413A680AF, corresponding
> > to mbecke...@apache.org, which is included in the KEYS file here:
> >
> > https://downloads.apache.org/daffodil/KEYS
> >
> > The release candidate has been tagged in git with v3.2.1-rc1.
> >
> > For reference, here is a list of all closed JIRAs tagged with 3.2.1:
> >
> > https://s.apache.org/daffodil-issues-3.2.1
> >
> > Please review and vote.
> >
> > Per the abbreviated process, the vote will be open for 48 hours.
> > (Until Monday 20 December 2021 17:00 EST.US).
> >
> > [ ] +1 approve the release, and this abbreviated release process
> > [ ] +0 no opinion
> > [ ] -1 disapprove of the release, or of this abbreviated release
> >         process (and reason why)
> >
>

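Whatever happens with the Log4J 2.17.0 patch, every voter on the thread is expected to do the usual release-candidate check before casting a +1: fetch the artifact, its .sha512 digest and its .asc signature from the dist.apache.org staging area, import the project's KEYS file, and confirm both that the digest matches and that the signature was made by the key announced in the vote mail (274B8F1413A680AF). The script below is an added example written for this page, not tooling from the Daffodil project. The two sidecar layouts it accepts (`sha512sum` style and `gpg --print-md` style), the argument order, and the artifact name in the usage comment are all assumptions.

```shell
#!/bin/sh
# verify_rc.sh (added example, not Daffodil project tooling): check a staged
# release artifact against its .sha512 sidecar and its detached .asc signature,
# using the KEYS file the project publishes. Requires sha512sum and gpg.
set -eu

# Pull the 128-hex-digit SHA-512 out of a sidecar file. Assumed layouts:
#   sha512sum style:        "<hex>  <file>"
#   gpg --print-md style:   "<file>: XXXX XXXX ..." wrapped over several lines
# Whitespace is stripped first so the wrapped groups join into one run.
expected_sha512() {
  tr -d ' \t\r\n' < "$1" | grep -oE '[0-9A-Fa-f]{128}' | head -n1 | tr 'A-F' 'a-f'
}

# Return 0 if the artifact's SHA-512 matches its sidecar, 1 otherwise.
# An empty or unparsable sidecar is treated as a mismatch, not a pass.
verify_digest() {
  artifact="$1"
  want=$(expected_sha512 "$artifact.sha512")
  have=$(sha512sum "$artifact" | cut -d' ' -f1)
  [ -n "$want" ] && [ "$want" = "$have" ]
}

# Import KEYS into a throwaway keyring, verify the detached signature, and
# then check that the signing key (or its primary key) carries the key ID
# announced in the vote mail. gpg's machine-readable status output gives
# "[GNUPG:] VALIDSIG <fingerprint> ... <primary-fingerprint>", so a key ID
# is accepted only when it terminates one of those fingerprints. A bare
# "Good signature" from gpg is not enough: it only proves the signer is in
# whatever KEYS file you imported.
verify_signature() {
  artifact="$1"; keys="$2"; keyid="$3"
  home=$(mktemp -d)
  gpg --homedir "$home" --batch --quiet --import "$keys" 2>/dev/null
  if status=$(gpg --homedir "$home" --batch --status-fd 1 \
                  --verify "$artifact.asc" "$artifact" 2>/dev/null); then
    rm -rf "$home"
    printf '%s\n' "$status" | grep -qiE "VALIDSIG .*${keyid}( |\$)"
  else
    rm -rf "$home"
    return 1
  fi
}

main() {
  artifact="$1"; keys="$2"; keyid="$3"
  if verify_digest "$artifact"; then
    echo "sha512 ok: $artifact"
  else
    echo "sha512 MISMATCH or unreadable sidecar: $artifact" >&2
    return 1
  fi
  if verify_signature "$artifact" "$keys" "$keyid"; then
    echo "signature ok and made by key $keyid"
  else
    echo "signature FAILED or not made by key $keyid" >&2
    return 1
  fi
}

# Usage (hypothetical artifact name):
#   sh verify_rc.sh apache-daffodil-3.2.1-bin.tgz KEYS 274B8F1413A680AF
# with apache-daffodil-3.2.1-bin.tgz.sha512 and .asc alongside the artifact.
if [ "$#" -eq 3 ]; then
  main "$@"
fi
```

A matching digest only shows the download was not corrupted or silently truncated; the signature is what ties the artifact to the release manager, and comparing the key ID against the one stated in the vote mail (rather than accepting any key found in KEYS) is the step that catches a swapped KEYS file or a signature from the wrong key.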