Thank you all for the review.

Damien: I don't think Jenkins jiras are even worth noting in release
notes, but the other 2 are of bigger interest.
ZOOKEEPER-1634 - the jira is missing any 3.5 fix tag. I can fix it in the
jira, but I wouldn't do a new rc to have it in releasenotes.

Now the missing commits, again, what is more interesting is ZOOKEEPER-3933.
Looking at the jira it was a false positive alert, so no changes were made.
Same as ZOOKEEPER-3934, false positive, no change.

So thankfully we are not actually missing any commits, but rather have
false positive alert jiras closed with fix versions in them.

Thanks for the thorough review, after looking at these cases I agree it is
not a deal breaker for rc0. Let's wait for more PMC to vote.

I will also try to look into Máté's findings with Python.

-Norbert


On Fri, Dec 4, 2020 at 9:18 AM Szalay-Bekő Máté <szalay.beko.m...@gmail.com>
wrote:

> +1 (non-binding)
>
> - I built the source code (-Pfull-build) in docker on Ubuntu 16.04.6 using
> OpenJDK 8u275 and maven  3.3.9.
> - all the unit tests passed (Java and C-client).
> - I also built zkpython
> - checkstyle and spotbugs passed
> - apache-rat passed
> - owasp (CVE check) passed
>
> The only issue I found was that I was unable to make the Python unit tests
> start. In 3.5.8 I was able to execute the unit tests (although I had to
> do some manual hack before, which didn't help this time). I don't know what
> changed here exactly, maybe just my environment. We might want to create a
> jira ticket to migrate the zkpython build / test to maven properly.
>
> Best regards,
> Mate
>
> On Thu, Dec 3, 2020 at 9:01 PM Damien Diederen <ddiede...@sinenomine.net>
> wrote:
>
> >
> > Thank you, Norbert!
> >
> > I went through the motions a bit more carefully than usual in
> > preparation for the upcoming 3.7.0 job, which I am planning to start
> > soon, but probably after you finalize this release.
> >
> >
> > +1 (advisory)
> >
> >   * Verified signatures and checksums;
> >
> >   * Built and tested on Ubuntu 20.04.1 LTS with OpenJDK Runtime
> >     Environment (build 11.0.9.1+1-Ubuntu-0ubuntu1.20.04) using:
> >
> >         mvn -B apache-rat:check verify spotbugs:check checkstyle:check \
> >             -Pfull-build -Dsurefire-forkcount=1
> >
> >   * Built and smoke-tested on NixOS with a slightly adapted version of
> >     this WIP PR:
> >
> >         https://github.com/NixOS/nixpkgs/pull/104889
> >
> >   * Smoke-tested a single instance with Java, C and Perl client;
> >
> >   * Smoke-tested a 3-ensemble with Java client, including Kerberos auth;
> >
> >
> > I don't believe these points are blockers, but I noticed that the
> > following commits which are present in the release are not mentioned in
> > the release notes:
> >
> >   * commit 0838c6c1613d7902d6c3419dcad2205682223175
> >     Author: Michael Han <l...@twitter.com>
> >     Date:   Mon Jul 6 16:25:38 2020 +0200
> >
> >         ZOOKEEPER-1634: hardening security by teaching server to enforce client authentication
> >
> >   * commit 54ffaad1b94d72e735fd8fb750117b6ee1550b1b
> >     Author: Andor Molnar <an...@apache.org>
> >     Date:   Tue Oct 6 17:51:15 2020 +0200
> >
> >         ZOOKEEPER-3957: Created initial version of owasp-check Jenkinsfile
> >
> >   * commit db9fed4c95e4828389b30c0f6e94182db26ff99b
> >     Author: Enrico Olivelli <eolive...@apache.org>
> >     Date:   Tue Oct 20 16:21:30 2020 +0200
> >
> >         ZOOKEEPER-3980: Fix Jenkinsfiles with new tool names
> >
> >
> > On the other hand, and just FYI, the following tickets mentioned in the
> > release notes do not have corresponding commits:
> >
> >   * ZOOKEEPER-3933: owasp failing with json-simple-1.1.1.jar: CVE-2020-10663, CVE-2020-7712.
> >
> >     This was a false positive.  Ticket was closed, but no commit was
> >     produced.
> >
> >   * ZOOKEEPER-3934: upgrade dependency-check to version 6.0.0
> >
> >     Same as ZOOKEEPER-3933.
> >
> > Cheers, -D
> >
> >
> >
> >
> > Norbert Kalmar <nkal...@apache.org> writes:
> > > This is a bugfix release candidate for 3.5.9. It contains 24 fixes,
> > > including 2 CVE fixes.
> > >
> > > The full release notes are available at:
> > >
> > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12348201
> > >
> > > *** Please download, test and vote by December 4th 2020, 23:59 UTC+0. ***
> > >
> > > Source files:
> > > https://people.apache.org/~nkalmar/zookeeper-3.5.9-candidate-0/
> > >
> > > Maven staging repo:
> > >
> > > https://repository.apache.org/content/groups/staging/org/apache/zookeeper/zookeeper/3.5.9/
> > >
> > > The release candidate tag in git to be voted upon: release-3.5.9-rc0
> > >
> > > ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> > > https://www.apache.org/dist/zookeeper/KEYS
> > >
> > > Should we release this candidate?
> > >
> > > - Norbert
> >
>
