+1 (non-binding) - I built the source code (-Pfull-build) in docker on Ubuntu 16.04.6 using OpenJDK 8u275 and maven 3.3.9. - all the unit tests passed (Java and C-client). - I also built zkpython - checkstyle and spotbugs passed - apache-rat passed - owasp (CVE check) passed
The only issue I found was that I was unable to make the python unit tests to start. In 3.5.8 I was able to execute the unit tests (although I had to do some manual hack before, which didn't help this time). I don't know what changed here exactly, maybe just my environment. We might want to create a jira ticket to migrate the zkpython build / test to maven properly. Best regards, Mate On Thu, Dec 3, 2020 at 9:01 PM Damien Diederen <[email protected]> wrote: > > Thank you, Norbert! > > I went through the motions a bit more carefully than usual in > preparation for the upcoming 3.7.0 job, which I am planning to start > soon, but probably after you finalize this release. > > > +1 (advisory) > > * Verified signatures and checksums; > > * Built and tested on Ubuntu 20.04.1 LTS with OpenJDK Runtime > Environment (build 11.0.9.1+1-Ubuntu-0ubuntu1.20.04) using: > > mvn -B apache-rat:check verify spotbugs:check checkstyle:check \ > -Pfull-build -Dsurefire-forkcount=1 > > * Built and smoke-tested on NixOS with a slightly adapted version of > this WIP PR: > > https://github.com/NixOS/nixpkgs/pull/104889 > > * Smoke-tested a single instance with Java, C and Perl client; > > * Smoke-tested a 3-ensemble with Java client, including Kerberos auth; > > > I don't believe these points are blockers, but I noticed that the > following commits which are present in the release are not mentioned in > the release notes: > > * commit 0838c6c1613d7902d6c3419dcad2205682223175 > Author: Michael Han <[email protected]> > Date: Mon Jul 6 16:25:38 2020 +0200 > > ZOOKEEPER-1634: hardening security by teaching server to enforce > client authentication > > * commit 54ffaad1b94d72e735fd8fb750117b6ee1550b1b > Author: Andor Molnar <[email protected]> > Date: Tue Oct 6 17:51:15 2020 +0200 > > ZOOKEEPER-3957: Created initial version of owasp-check Jenkinsfile > > * commit db9fed4c95e4828389b30c0f6e94182db26ff99b > Author: Enrico Olivelli <[email protected]> > Date: Tue Oct 20 16:21:30 2020 +0200 > > ZOOKEEPER-3980: Fix Jenkinsfiles with new tool names > > > On the other hand, and just FYI, the following tickets mentioned in the > release notes do not have corresponding commits: > > * ZOOKEEPER-3933: owasp failing with json-simple-1.1.1.jar: > CVE-2020-10663, CVE-2020-7712. > > This was a false positive. Ticket was closed, but no commit was > produced. > > * ZOOKEEPER-3934: upgrade dependency-check to version 6.0.0 > > Same as ZOOKEEPER-3933. > > Cheers, -D > > > > > Norbert Kalmar <[email protected]> writes: > > This is a bugfix release candidate for 3.5.9. It contains 24 fixes, > > including 2 CVE fix. > > > > The full release notes is available at: > > > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12348201 > > > > *** Please download, test and vote by December 4th 2020, 23:59 UTC+0. *** > > > > Source files: > > https://people.apache.org/~nkalmar/zookeeper-3.5.9-candidate-0/ > > > > Maven staging repo: > > > https://repository.apache.org/content/groups/staging/org/apache/zookeeper/zookeeper/3.5.9/ > > > > The release candidate tag in git to be voted upon: release-3.5.9-rc0 > > > > ZooKeeper's KEYS file containing PGP keys we use to sign the release: > > https://www.apache.org/dist/zookeeper/KEYS > > > > Should we release this candidate? > > > > - Norbert >
