Thank you, Norbert!

I went through the motions a bit more carefully than usual in
preparation for the upcoming 3.7.0 job, which I am planning to start
soon, but probably after you finalize this release.

+1 (advisory)

* Verified signatures and checksums;
* Built and tested on Ubuntu 20.04.1 LTS with OpenJDK Runtime
  Environment (build 11.0.9.1+1-Ubuntu-0ubuntu1.20.04) using:

      mvn -B apache-rat:check verify spotbugs:check checkstyle:check \
        -Pfull-build -Dsurefire-forkcount=1

* Built and smoke-tested on NixOS with a slightly adapted version of
  this WIP PR:
  https://github.com/NixOS/nixpkgs/pull/104889
* Smoke-tested a single instance with Java, C and Perl client;
* Smoke-tested a 3-ensemble with Java client, including Kerberos auth;

I don't believe these points are blockers, but I noticed that the
following commits which are present in the release are not mentioned in
the release notes:

* commit 0838c6c1613d7902d6c3419dcad2205682223175
  Author: Michael Han <[email protected]>
  Date: Mon Jul 6 16:25:38 2020 +0200

      ZOOKEEPER-1634: hardening security by teaching server to enforce client
      authentication

* commit 54ffaad1b94d72e735fd8fb750117b6ee1550b1b
  Author: Andor Molnar <[email protected]>
  Date: Tue Oct 6 17:51:15 2020 +0200

      ZOOKEEPER-3957: Created initial version of owasp-check Jenkinsfile

* commit db9fed4c95e4828389b30c0f6e94182db26ff99b
  Author: Enrico Olivelli <[email protected]>
  Date: Tue Oct 20 16:21:30 2020 +0200

      ZOOKEEPER-3980: Fix Jenkinsfiles with new tool names

On the other hand, and just FYI, the following tickets mentioned in the
release notes do not have corresponding commits:

* ZOOKEEPER-3933: owasp failing with json-simple-1.1.1.jar: CVE-2020-10663,
  CVE-2020-7712.
  This was a false positive. Ticket was closed, but no commit was
  produced.
* ZOOKEEPER-3934: upgrade dependency-check to version 6.0.0
  Same as ZOOKEEPER-3933.

Cheers, -D

Norbert Kalmar <[email protected]> writes:

> This is a bugfix release candidate for 3.5.9. It contains 24 fixes,
> including 2 CVE fixes.
>
> The full release notes are available at:
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12348201
>
> *** Please download, test and vote by December 4th 2020, 23:59 UTC+0. ***
>
> Source files:
> https://people.apache.org/~nkalmar/zookeeper-3.5.9-candidate-0/
>
> Maven staging repo:
> https://repository.apache.org/content/groups/staging/org/apache/zookeeper/zookeeper/3.5.9/
>
> The release candidate tag in git to be voted upon: release-3.5.9-rc0
>
> ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> https://www.apache.org/dist/zookeeper/KEYS
>
> Should we release this candidate?
>
> - Norbert