There is an issue logged for this problem: https://github.com/jeremylong/DependencyCheck/issues/3306
On Wed, Apr 21, 2021 at 7:25 PM Jihoon Son <jihoon...@apache.org> wrote: > Thanks Will, Hopefully the problem can be solved soon. > > On Wed, Apr 21, 2021 at 4:58 PM Will Lauer > <wla...@verizonmedia.com.invalid> wrote: > > > > We've seen that problem here in builds of multiple products today. We > > believe it's due to a bad definition file from NIST, and not the products > > themselves. > > > > Will > > > > On Wed, Apr 21, 2021, 6:14 PM Atul Mohan <a...@apache.org> wrote: > > > > > I'm in the process of verification, but the dependency-check failed > for me > > > with the following error: > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > *Caused by: org.owasp.dependencycheck.data.nvdcve.DatabaseException: > Unable > > > to parse CPE: cpe:2.3:a:perl:file::path:1.08:*:*:*:*:*:*:* at > > > org.owasp.dependencycheck.data.nvdcve.CveDB.parseCpe (CveDB.java:1341) > > > at org.owasp.dependencycheck.data.nvdcve.CveDB.lambda$parseCpes$3 > > > (CveDB.java:1298) at java.util.ArrayList.forEach > (ArrayList.java:1257) > > > at org.owasp.dependencycheck.data.nvdcve.CveDB.parseCpes > > > (CveDB.java:1297) at > > > org.owasp.dependencycheck.data.nvdcve.CveDB.updateVulnerability > > > (CveDB.java:880) at > > > org.owasp.dependencycheck.data.update.nvd.NvdCveParser.parse > > > (NvdCveParser.java:99) at > > > org.owasp.dependencycheck.data.update.nvd.ProcessTask.importJSON > > > (ProcessTask.java:139) at > > > org.owasp.dependencycheck.data.update.nvd.ProcessTask.processFiles > > > (ProcessTask.java:152) at > > > org.owasp.dependencycheck.data.update.nvd.ProcessTask.call > > > (ProcessTask.java:113) at > > > org.owasp.dependencycheck.data.update.nvd.ProcessTask.call > > > (ProcessTask.java:40) at java.util.concurrent.FutureTask.run > > > (FutureTask.java:266) at > > > java.util.concurrent.ThreadPoolExecutor.runWorker > > > (ThreadPoolExecutor.java:1149) at > > > java.util.concurrent.ThreadPoolExecutor$Worker.run > > > (ThreadPoolExecutor.java:624) at java.lang.Thread.run > (Thread.java:748)* > > > > > > Am I missing something? > > > > > > On Mon, Apr 19, 2021 at 4:33 PM Clint Wylie <cwy...@apache.org> wrote: > > > > > > > +1 (binding) > > > > > > > > src package: > > > > - verified signature/checksum > > > > - LICENSE/NOTICE present > > > > - compiled, ran checks, unit tests > > > > - built binary distribution, ingested some data and ran some queries > > > > > > > > binary package: > > > > - verified signature/checksum > > > > - LICENSE/NOTICE present > > > > - ingested some data and ran some queries > > > > > > > > docker: > > > > - verified checksum > > > > - started cluster with docker-compose, ingested some data and ran > some > > > > queries > > > > > > > > Thanks for putting the release together Jihoon! > > > > > > > > On Fri, Apr 16, 2021 at 5:59 PM Jihoon Son <jihoon...@apache.org> > wrote: > > > > > > > > > Hi all, > > > > > > > > > > I have created a build for Apache Druid 0.21.0, release > > > > > candidate 1. > > > > > > > > > > Thanks for everyone who has helped contribute to the release! You > can > > > > read > > > > > the proposed release notes here: > > > > > > > > > https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_apache_druid_issues_10752&d=DwIBaQ&c=sWW_bEwW_mLyN3Kx2v57Q8e-CRbmiT9yOhqES_g_wVY&r=ULseRJUsY5gTBgFA9-BUxg&m=r3FUVcK_gRFSGHYST7TdoEJUKRy6r8Fs-GljbjSBeh8&s=3glZYUiMVphoin9jejQzxvDHpV5njS8sZo94Py1hs14&e= > > > > > > > > > > The release candidate has been tagged in GitHub as > > > > > druid-0.21.0-rc1 (733697c25ff22045f14016d83b123fa18556dec8), > > > > > available here: > > > > > > > > > https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_apache_druid_releases_tag_druid-2D0.21.0-2Drc1&d=DwIBaQ&c=sWW_bEwW_mLyN3Kx2v57Q8e-CRbmiT9yOhqES_g_wVY&r=ULseRJUsY5gTBgFA9-BUxg&m=r3FUVcK_gRFSGHYST7TdoEJUKRy6r8Fs-GljbjSBeh8&s=_mTLWD2vl-ZszMCZClaSl3F2nnCxNHd3lbUwfcM2JVI&e= > > > > > > > > > > The artifacts to be voted on are located here: > > > > > > > > > https://urldefense.proofpoint.com/v2/url?u=https-3A__dist.apache.org_repos_dist_dev_druid_0.21.0-2Drc1_&d=DwIBaQ&c=sWW_bEwW_mLyN3Kx2v57Q8e-CRbmiT9yOhqES_g_wVY&r=ULseRJUsY5gTBgFA9-BUxg&m=r3FUVcK_gRFSGHYST7TdoEJUKRy6r8Fs-GljbjSBeh8&s=-uiRpPGJoNYuFvEXUyM3RyLIoo85afwG2RVDkLmg8Cg&e= > > > > > > > > > > A staged Maven repository is available for review at: > > > > > > > > > https://urldefense.proofpoint.com/v2/url?u=https-3A__repository.apache.org_content_repositories_orgapachedruid-2D1023_&d=DwIBaQ&c=sWW_bEwW_mLyN3Kx2v57Q8e-CRbmiT9yOhqES_g_wVY&r=ULseRJUsY5gTBgFA9-BUxg&m=r3FUVcK_gRFSGHYST7TdoEJUKRy6r8Fs-GljbjSBeh8&s=OAQ1QS-O5ns8rmhtmK_oT3B14z-OGnyg6lS2DKZX82M&e= > > > > > > > > > > Staged druid.apache.org website documentation is available here: > > > > > > > > > https://urldefense.proofpoint.com/v2/url?u=https-3A__druid.staged.apache.org_docs_0.21.0_design_index.html&d=DwIBaQ&c=sWW_bEwW_mLyN3Kx2v57Q8e-CRbmiT9yOhqES_g_wVY&r=ULseRJUsY5gTBgFA9-BUxg&m=r3FUVcK_gRFSGHYST7TdoEJUKRy6r8Fs-GljbjSBeh8&s=IKBV30tEa3bs1TFvZ_lPI3cr54jF9DG-PPG2sJL9yNQ&e= > > > > > > > > > > A Docker image containing the binary of the release candidate can > be > > > > > retrieved via: > > > > > docker pull apache/druid:0.21.0-rc1 > > > > > > > > > > artifact checksums > > > > > src: > > > > > > > > > > > > > > > > > > 8ff3c5ce96b6eff67a68945284e9d2280ea6fbca4ee4a3a023e74685f05dfbed84d1e9071ed5331cb0b1416cb87895d146ce733ae228070a9437375e1baca022 > > > > > bin: > > > > > > > > > > > > > > > > > > 4c1b9ff4c8d89e1c78f0bc9e414ea4e855a637925959b5e4e4edd79bdbd0311f0b09cc332c6f48f982f10d9d46d2658cee802bac4e60116598d1aaf3deebf9b1 > > > > > docker: > > > 33ff4044017f5974f2e250512a1dd2449078dbf1fa18dd2bd4fa511a4c9f2f78 > > > > > > > > > > Release artifacts are signed with the following key: > > > > > > > > > https://urldefense.proofpoint.com/v2/url?u=https-3A__people.apache.org_keys_committer_jihoonson.asc&d=DwIBaQ&c=sWW_bEwW_mLyN3Kx2v57Q8e-CRbmiT9yOhqES_g_wVY&r=ULseRJUsY5gTBgFA9-BUxg&m=r3FUVcK_gRFSGHYST7TdoEJUKRy6r8Fs-GljbjSBeh8&s=1pOwieBsGGqkp99HXjNxwj8Bfla-9h2laHYJYuNjyAc&e= > > > > > > > > > > This key and the key of other committers can also be found in the > > > > project's > > > > > KEYS file here: > > > > > > > > > https://urldefense.proofpoint.com/v2/url?u=https-3A__dist.apache.org_repos_dist_release_druid_KEYS&d=DwIBaQ&c=sWW_bEwW_mLyN3Kx2v57Q8e-CRbmiT9yOhqES_g_wVY&r=ULseRJUsY5gTBgFA9-BUxg&m=r3FUVcK_gRFSGHYST7TdoEJUKRy6r8Fs-GljbjSBeh8&s=eBC5qeMlG3AvP-TEPsKGhCY0WFZtWc3LiCbB1KqEE9E&e= > > > > > > > > > > (If you are a committer, please feel free to add your own key to > that > > > > file > > > > > by following the instructions in the file's header.) > > > > > > > > > > > > > > > Verify checksums: > > > > > diff <(shasum -a512 apache-druid-0.21.0-src.tar.gz | \ > > > > > cut -d ' ' -f1) \ > > > > > <(cat apache-druid-0.21.0-src.tar.gz.sha512 ; echo) > > > > > > > > > > diff <(shasum -a512 apache-druid-0.21.0-bin.tar.gz | \ > > > > > cut -d ' ' -f1) \ > > > > > <(cat apache-druid-0.21.0-bin.tar.gz.sha512 ; echo) > > > > > > > > > > Verify signatures: > > > > > gpg --verify apache-druid-0.21.0-src.tar.gz.asc \ > > > > > apache-druid-0.21.0-src.tar.gz > > > > > > > > > > gpg --verify apache-druid-0.21.0-bin.tar.gz.asc \ > > > > > apache-druid-0.21.0-bin.tar.gz > > > > > > > > > > Please review the proposed artifacts and vote. Note that Apache has > > > > > specific requirements that must be met before +1 binding votes can > be > > > > cast > > > > > by PMC members. Please refer to the policy at > > > > > > > > > https://urldefense.proofpoint.com/v2/url?u=http-3A__www.apache.org_legal_release-2Dpolicy.html-23policy&d=DwIBaQ&c=sWW_bEwW_mLyN3Kx2v57Q8e-CRbmiT9yOhqES_g_wVY&r=ULseRJUsY5gTBgFA9-BUxg&m=r3FUVcK_gRFSGHYST7TdoEJUKRy6r8Fs-GljbjSBeh8&s=lw_SXs0SOPM34AsbkLFC1Z1epoTibNMcjotdFJlGvgU&e= > > > for more details. > > > > > > > > > > As part of the validation process, the release artifacts can be > > > generated > > > > > from source by running: > > > > > mvn clean install -Papache-release,dist -Dgpg.skip > > > > > > > > > > The RAT license check can be run from source by: > > > > > mvn apache-rat:check -Prat > > > > > > > > > > This vote will be open for at least 72 hours. The vote will pass > if a > > > > > majority of at least three +1 PMC votes are cast. > > > > > > > > > > [ ] +1 Release this package as Apache Druid 0.21.0 > > > > > [ ] 0 I don't feel strongly about it, but I'm okay with the release > > > > > [ ] -1 Do not release this package because... > > > > > > > > > > Thanks! > > > > > > > > > > > --------------------------------------------------------------------- > > > > > To unsubscribe, e-mail: dev-unsubscr...@druid.apache.org > > > > > For additional commands, e-mail: dev-h...@druid.apache.org > > > > > > > > > > > > > > > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@druid.apache.org > For additional commands, e-mail: dev-h...@druid.apache.org > >