+1 (non-binding)

* Downloaded all artifacts (tar.gz, Helm chart)
* Fetched sources and compiled locally
* Verified SHA512 checksums & GPG certification for source and Helm chart
* Checked that all POMs have the right expected version
* Verified Docker image digest and cosign signature
* Validated Helm chart syntax with helm lint

On Thu, 5 Feb 2026 at 11:37 AM, James Busche <[email protected]> wrote:

> Thanks Gyula
>
> +1 (non-binding)
>
> I tested on two OpenShift clusters: OC 4.20.8 and a FIPS OC 4.18.30.
>
> * The helm install went well
> * Tested port-forward looking at the basic-example-rest UI, looked good.
> * checksums looked good
> * GPG signatures looked good
> * I tried an OLM build and deploy, it looked good.
> * Tested the basic.yaml, basic-session-deployment-only.yaml,
>   basic-session-job-only.yaml, savepoint-already-exists.yaml
>
> The only two things I'm not sure about are:
>
> 1. I see there's a new crd: flinkbluegreendeployments, but I'm not sure
>    how to test that.
> 2. I did a Twistlock scan of the
>    ghcr.io/apache/flink-kubernetes-operator:f504138 image and saw that it
>    had 4 items flagged for the Java 17.0.17
>    * https://nvd.nist.gov/vuln/detail/CVE-2026-21945 (Low)
>    * https://nvd.nist.gov/vuln/detail/CVE-2026-21932 (High)
>    * https://nvd.nist.gov/vuln/detail/CVE-2026-21925 (Low)
>    * https://nvd.nist.gov/vuln/detail/CVE-2026-21933 (Medium)
>
>    and one for the org.apache.logging.log4j_log4j-core
>    * https://nvd.nist.gov/vuln/detail/CVE-2025-68161 (Medium)
>
> I'm out of practice with Ubuntu and how to update the Java and the log4j,
> but I can try to look closer tomorrow if you'd like.
>
> Thanks, Jim Busche
