Even if I agree with Romain, I cancelled this release and I'm moving forward fast on a new vote (later today).

On 14/12/2021 10:32, Romain Manni-Bucau wrote:
What's the difference between cutting a new release right after the
release and just postponing this release (again) to include this log4j
version?
I'd rather have a 4.3.4 accepted by our consumers instead of everyone just
waiting for the 4.3.5 ;)

(just my 2cts and experience feedback about willing a perfect release)
Consumers waiting for something unrelated to log4j2 can adopt it 1 week
before ;), and as JB said, there is no security enhancement in 2.16 - and
some other parts of the JVM/libs are way more dangerous :p - so guess it is
better to release and move forward than keeping postponing which can delay
for more than 1 month the adoption (keep in mind we are in the last work
week in a lot of countries since Xmas is coming ;)).

Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://rmannibucau.metawerx.net/> | Old Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
<https://www.packtpub.com/application-development/java-ee-8-high-performance>


On Tue, 14 Dec 2021 at 10:26, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:

OK, so, let me prepare Pax Logging 2.0.12 then and cancel this vote to
include this new Pax Logging version.

Regards
JB

On 14/12/2021 10:20, Achim Nierbeck wrote:
tbh. What's the difference between cutting a new release right after the
release and just postponing this release (again) to include this log4j
version?
I'd rather have a 4.3.4 accepted by our consumers instead of everyone just
waiting for the 4.3.5 ;)

my 2 cents :)

regards, Achim


On Tue, 14 Dec 2021 at 10:09, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:

There's no big change between log4j 2.15 and 2.16 (in terms of CVE). So,
I would leave this vote running, and prepare Pax Logging/Karaf new
release after (pretty soon).

Regards
JB

On 14/12/2021 09:30, Bernd Eckenfels wrote:
If you have any reason to delay it some more, a new pax logging with
log4j 2.0.16 should be close by ,) Log4j finally disabled JNDI and removed
the lookup code. Otherwise another minor release would also be an option.
--
http://bernd.eckenfels.net
________________________________
From: Francois Papon <francois.pa...@openobject.fr>
Sent: Tuesday, December 14, 2021 8:49:24 AM
To: dev@karaf.apache.org <dev@karaf.apache.org>
Subject: Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #2)

+1 (binding)

Thanks JB!

regards,

Francois

On 13/12/2021 16:24, Jean-Baptiste Onofré wrote:
Hi everyone,

I submit Apache Karaf runtime 4.3.4 to your vote (take #2).

This release includes dependency upgrades, fixes, and improvements,
especially:

- upgrade to Pax Logging 2.0.11, upgrading to log4j2 2.0.15, fixing
important security issue (CVE-2021-44228)
- align dependencies versions between Karaf and Pax *
- fix missing system export packages
- fix on Karaf features json support
- fix features autoRefresh configuration handling
- fix on sshd session handling
- update to sshd 2.8.0
- lot of pax * updates
- and much more !

Please take a look at the Release Notes for details!

Release Notes:


https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350547


Staging Maven Repository:

https://repository.apache.org/content/repositories/orgapachekaraf-1164/

Staging Dist Repository:
https://dist.apache.org/repos/dist/dev/karaf/4.3.4/

Git tag:
karaf-4.3.4

Please vote to approve this release:

[ ] +1 Approve the release
[ ] -1 Don't approve the release (please provide specific comments)

This vote will be open for at least 72 hours.

Regards
JB





