-1 (non-binding) Hello Mohammad!
Thanks for the great work! Sorry for torpedoing it :( I voted with -1, as the CVE check failed for me on the release candidate: mvn clean package -DskipTests dependency-check:check (...) [ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.0:check (default-cli) on project zookeeper: [ERROR] [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0': [ERROR] [ERROR] jetty-server-9.4.38.v20210224.jar: CVE-2021-28165 [ERROR] jetty-http-9.4.38.v20210224.jar: CVE-2021-28165 [ERROR] [ERROR] See the dependency-check report for more details. It seems we have a relatively recent (about three weeks old) CVE error in Jetty: https://nvd.nist.gov/vuln/detail/CVE-2021-28165 " In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame." Looks like we will have to upgrade to jetty-server-9.4.39. Kind regards, Mate On Tue, Apr 6, 2021 at 10:17 AM Mohammad arshad <mohammad.ars...@huawei.com> wrote: > +1 (non-binding) > > -Verified signature and checksum of release artifacts. all ok > -Run Junit test cases with jdk1.8.0_232 on Ubuntu 20.04, total 3137 test > cases, 3 skipped, rest all passed > -Done basic quality checks. run rat, checkstyle, spotbugs > -Built tarball from source code, Verified it is same as the downloaded > tarball > -Installed 3 node cluster and verified basic functionalities from API, > executed few cli commands. No issues observed > -Connected HBase, HDFS and Yarn clusters (all using zk 3.5.6) to ZooKeeper > 3.6.3 cluster, no issues observed. > > Though as a release manager my +1 vote is implicit, voting again to share > few commands I used to verify the release. > > Here are some of the commands I executed while verifying the release. > > Download all the required artifacts > -------------------------------------------------------- > wget > https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/apache-zookeeper-3.6.3-bin.tar.gz > wget > https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/apache-zookeeper-3.6.3-bin.tar.gz.asc > wget > https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/apache-zookeeper-3.6.3-bin.tar.gz.sha512 > > wget > https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/apache-zookeeper-3.6.3.tar.gz > wget > https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/apache-zookeeper-3.6.3.tar.gz.asc > wget > https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/apache-zookeeper-3.6.3.tar.gz.sha512 > > wget https://www.apache.org/dist/zookeeper/KEYS > > Verify Signature > -------------------------------------------------------- > gpg --import KEYS > gpg --verify apache-zookeeper-3.6.3-bin.tar.gz.asc > apache-zookeeper-3.6.3-bin.tar.gz > gpg --verify apache-zookeeper-3.6.3.tar.gz.asc > apache-zookeeper-3.6.3.tar.gz > gpg --fingerprint 68E327C1 > > Verify Checksum > -------------------------------------------------------- > sha512sum --check apache-zookeeper-3.6.3-bin.tar.gz.sha512 > sha512sum --check apache-zookeeper-3.6.3-bin.tar.gz.sha512 > > > Verify license header by executing Apache RAT > -------------------------------------------------------- > tar -xvf apache-zookeeper-3.6.3.tar.gz > cd apache-zookeeper-3.6.3 > mvn clean apache-rat:check -DskipTests > > Perform quality checks, run checkstyle, spotbugs and unit tests > -------------------------------------------------------- > mvn clean install checkstyle:check spotbugs:check -DskipTests > mvn clean test -Dsurefire.rerunFailingTestsCount=2 > -DtestFailureIgnore=true -Dmaven.test.failure.ignore=true > -Dmaven.test.error.ignore=true > NOTE: use -Pfull-build to include ci tests as well > > Build and Cluster Install > -------------------------------------------------------- > Built the tarball from source code and compare that it is same as the > downloaded tarball. Apart from timestamp changes, no other changes are > observed > mvn clean install -DskipTests > Installed the downloaded bin tarball and do some feature sanity tests > > Thanks & Regards > Arshad > > -----Original Message----- > From: Mohammad Arshad [mailto:ars...@apache.org] > Sent: Sunday, April 4, 2021 4:48 PM > To: dev@zookeeper.apache.org > Subject: [VOTE] Apache ZooKeeper release 3.6.3 candidate 1 > > This is a bug fix release candidate for 3.6.3. It contains 50 fixes. > > The full release notes is available at: > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12348703 > > *** Please download, test and vote by Wednesday, April 7th 2021, 23:59 > UTC+0. *** > > Source and binary files: > https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/ > > Maven staging repo: > https://repository.apache.org/content/repositories/orgapachezookeeper-1070 > > The release candidate tag in git to be voted upon: release-3.6.3-1 > https://github.com/apache/zookeeper/tree/release-3.6.3-1 > > ZooKeeper's KEYS file containing PGP keys we use to sign the release: > https://www.apache.org/dist/zookeeper/KEYS > > The staging version of the website is: > https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/website/ > > *Should we release this candidate?* > > Thanks & Regards > Arshad >