Hi Jihoon,

Here are the check results on my environment. There are 3 problems:
1) CVE warning
2) dependency check failure
3) docker startup failure

src package:
- verified signature/checksum
- LICENSE/NOTICE present
- CVE check reports vulnerability warnings as follows:
One or more dependencies were identified with known vulnerabilities in
druid-core:
commons-io-2.6.jar (pkg:maven/commons-io/commons-io@2.6,
cpe:2.3:a:apache:commons_io:2.6:*:*:*:*:*:*:*) : CVE-2021-29425
cron-scheduler-0.1.jar (pkg:maven/io.timeandspace/cron-scheduler@0.1,
cpe:2.3:a:cron_project:cron:0.1:*:*:*:*:*:*:*) : CVE-2017-9525,
CVE-2019-9704, CVE-2019-9705
guava-16.0.1.jar (pkg:maven/com.google.guava/guava@16.0.1,
cpe:2.3:a:google:guava:16.0.1:*:*:*:*:*:*:*) : CVE-2018-10237, CVE-2020-8908
hibernate-validator-5.2.5.Final.jar
(pkg:maven/org.hibernate/hibernate-validator@5.2.5.Final,
cpe:2.3:a:hibernate:hibernate-validator:5.2.5:*:*:*:*:*:*:*,
cpe:2.3:a:redhat:hibernate_validator:5.2.5:*:*:*:*:*:*:*) : CVE-2020-10693
log4j-core-2.8.2.jar (pkg:maven/org.apache.logging.log4j/log4j-core@2.8.2,
cpe:2.3:a:apache:log4j:2.8.2:*:*:*:*:*:*:*) : CVE-2020-9488
netty-3.10.6.Final.jar (pkg:maven/io.netty/netty@3.10.6.Final,
cpe:2.3:a:netty:netty:3.10.6:*:*:*:*:*:*:*) : CVE-2021-21290,
CVE-2021-21295, CVE-2021-21409
netty-transport-4.1.48.Final.jar
(pkg:maven/io.netty/netty-transport@4.1.48.Final,
cpe:2.3:a:netty:netty:4.1.48:*:*:*:*:*:*:*) : CVE-2021-21290,
CVE-2021-21295, CVE-2021-21409

- Dependency check failed due to "An error occurred with the .NET
AssemblyAnalyzer"; no further exception message is shown

binary package:
- verified signature/checksum
- LICENSE, NOTICE and README files are present
- ingested from Kafka and ran some queries; no exception log output in
Druid services log files

docker:
- failed to start cluster with docker-compose.yml in the distribution/docker
directory based on the apache/druid:0.21.0-rc1 image; all Druid nodes
exited unexpectedly with messages like
middlemanager    | mkdir: can't create directory 'var/tmp': Permission
denied
middlemanager    | mkdir: can't create directory 'var/druid/': Permission
denied
Jihoon Son <jihoon...@apache.org> wrote on Sat, 17 Apr 2021 at 8:59 AM:

> Hi all,
>
> I have created a build for Apache Druid 0.21.0, release
> candidate 1.
>
> Thanks for everyone who has helped contribute to the release! You can read
> the proposed release notes here:
> https://github.com/apache/druid/issues/10752
>
> The release candidate has been tagged in GitHub as
> druid-0.21.0-rc1 (733697c25ff22045f14016d83b123fa18556dec8),
> available here:
> https://github.com/apache/druid/releases/tag/druid-0.21.0-rc1
>
> The artifacts to be voted on are located here:
> https://dist.apache.org/repos/dist/dev/druid/0.21.0-rc1/
>
> A staged Maven repository is available for review at:
> https://repository.apache.org/content/repositories/orgapachedruid-1023/
>
> Staged druid.apache.org website documentation is available here:
> https://druid.staged.apache.org/docs/0.21.0/design/index.html
>
> A Docker image containing the binary of the release candidate can be
> retrieved via:
> docker pull apache/druid:0.21.0-rc1
>
> artifact checksums
> src:
>
> 8ff3c5ce96b6eff67a68945284e9d2280ea6fbca4ee4a3a023e74685f05dfbed84d1e9071ed5331cb0b1416cb87895d146ce733ae228070a9437375e1baca022
> bin:
>
> 4c1b9ff4c8d89e1c78f0bc9e414ea4e855a637925959b5e4e4edd79bdbd0311f0b09cc332c6f48f982f10d9d46d2658cee802bac4e60116598d1aaf3deebf9b1
> docker: 33ff4044017f5974f2e250512a1dd2449078dbf1fa18dd2bd4fa511a4c9f2f78
>
> Release artifacts are signed with the following key:
> https://people.apache.org/keys/committer/jihoonson.asc
>
> This key and the key of other committers can also be found in the project's
> KEYS file here:
> https://dist.apache.org/repos/dist/release/druid/KEYS
>
> (If you are a committer, please feel free to add your own key to that file
> by following the instructions in the file's header.)
>
>
> Verify checksums:
> diff <(shasum -a512 apache-druid-0.21.0-src.tar.gz | \
> cut -d ' ' -f1) \
> <(cat apache-druid-0.21.0-src.tar.gz.sha512 ; echo)
>
> diff <(shasum -a512 apache-druid-0.21.0-bin.tar.gz | \
> cut -d ' ' -f1) \
> <(cat apache-druid-0.21.0-bin.tar.gz.sha512 ; echo)
>
> Verify signatures:
> gpg --verify apache-druid-0.21.0-src.tar.gz.asc \
> apache-druid-0.21.0-src.tar.gz
>
> gpg --verify apache-druid-0.21.0-bin.tar.gz.asc \
> apache-druid-0.21.0-bin.tar.gz
>
> Please review the proposed artifacts and vote. Note that Apache has
> specific requirements that must be met before +1 binding votes can be cast
> by PMC members. Please refer to the policy at
> http://www.apache.org/legal/release-policy.html#policy for more details.
>
> As part of the validation process, the release artifacts can be generated
> from source by running:
> mvn clean install -Papache-release,dist -Dgpg.skip
>
> The RAT license check can be run from source by:
> mvn apache-rat:check -Prat
>
> This vote will be open for at least 72 hours. The vote will pass if a
> majority of at least three +1 PMC votes are cast.
>
> [ ] +1 Release this package as Apache Druid 0.21.0
> [ ] 0 I don't feel strongly about it, but I'm okay with the release
> [ ] -1 Do not release this package because...
>
> Thanks!
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@druid.apache.org
> For additional commands, e-mail: dev-h...@druid.apache.org
>
>

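The checksum step in the quoted vote mail compares the output of `shasum -a512` with the `.sha512` sidecar by hand, and the `; echo` is there because the sidecar files carry no trailing newline. The script below is an added example (not from the vote mail and not Druid project code) that packages the same check into reusable functions: it tolerates a sidecar with or without a filename and trailing newline, rejects a malformed sidecar before comparing anything, and falls back between `sha512sum`, `shasum` and `openssl` depending on what the host has. `verify_sig` wraps `gpg --verify` exactly as the mail does and assumes the project's KEYS file has already been imported; the demo does not call it. The `apache-druid-X.Y.Z-*` file names and their contents are constructed placeholders, not real release artifacts.

```shell
#!/bin/sh
# Added example: SHA-512 sidecar verification for release-candidate artifacts,
# following the "diff <(shasum -a512 ...) <(cat ...sha512 ; echo)" step of the
# vote mail. Not part of the mail or of the Druid project.

# Print the lowercase SHA-512 hex digest of $1, using whichever tool exists.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d ' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 512 "$1" | cut -d ' ' -f1
    else
        # openssl prints "SHA512(file)= <hex>"; keep only the hex part
        openssl dgst -sha512 "$1" | sed 's/.*= //'
    fi
}

# Extract the expected digest from a .sha512 sidecar file ($1).
# Handles "<hex>" alone or "<hex>  <filename>", with or without CR/LF.
expected_sha512() {
    tr -d '\r\n' < "$1" | awk '{print tolower($1)}'
}

# verify_sha512 <artifact> <artifact.sha512>
# Returns 0 on match, 1 on mismatch, 2 if the sidecar is not a SHA-512 digest.
verify_sha512() {
    artifact=$1
    sidecar=$2
    expected=$(expected_sha512 "$sidecar")
    # Refuse anything that is not exactly 128 hex characters: a truncated or
    # garbage sidecar must never "match" by accident.
    case "$expected" in
        *[!0-9a-f]*|"") return 2 ;;
    esac
    [ "${#expected}" -eq 128 ] || return 2
    actual=$(sha512_of "$artifact")
    if [ "$actual" = "$expected" ]; then
        printf 'OK   %s\n' "$artifact"
        return 0
    fi
    printf 'FAIL %s\n  expected %s\n  actual   %s\n' "$artifact" "$expected" "$actual" >&2
    return 1
}

# verify_sig <artifact.asc> <artifact>
# Same as the mail's "gpg --verify"; the signer's key must already be in the
# keyring (import the project's KEYS file first). Returns gpg's exit status.
verify_sig() {
    gpg --batch --verify "$1" "$2"
}

# Demonstration on constructed input: a fake tarball, a sidecar written
# without a trailing newline (as the real ones are), and a tampered copy.
# Returns 0 only if the intact file verifies and the tampered one fails.
demo() {
    d=$(mktemp -d)
    f="$d/apache-druid-X.Y.Z-src.tar.gz"        # placeholder name, not a real artifact
    printf 'not a real tarball\n' > "$f"
    printf '%s' "$(sha512_of "$f")" > "$f.sha512"
    ok=0;  verify_sha512 "$f" "$f.sha512" || ok=$?
    printf 'tampered\n' >> "$f"                  # simulate a modified download
    bad=0; verify_sha512 "$f" "$f.sha512" || bad=$?
    rm -rf "$d"
    [ "$ok" -eq 0 ] && [ "$bad" -eq 1 ]
}
```

Run `demo` to see one OK line and one FAIL report; for a real candidate, call `verify_sha512 apache-druid-0.21.0-src.tar.gz apache-druid-0.21.0-src.tar.gz.sha512` and then `verify_sig apache-druid-0.21.0-src.tar.gz.asc apache-druid-0.21.0-src.tar.gz`, checking both exit codes rather than eyeballing a diff.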