Please don't forget to update the license files also in zookeeper-server resources folder! But better yet I can create the jira and have a PR up soon.

- Norbert

On Wed, Apr 7, 2021 at 1:50 PM Andor Molnar <an...@apache.org> wrote:
> Good catch Mate!
>
> Jetty has to be upgraded.
>
> Andor
>
>
> > On 2021. Apr 7., at 13:43, Szalay-Bekő Máté <szalay.beko.m...@gmail.com> wrote:
> >
> > -1 (non-binding)
> >
> > Hello Mohammad!
> >
> > Thanks for the great work! Sorry for torpedoing it :(
> >
> > I voted with -1, as the CVE check failed for me on the release candidate:
> >
> > mvn clean package -DskipTests dependency-check:check
> > (...)
> > [ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.0:check (default-cli) on project zookeeper:
> > [ERROR]
> > [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0':
> > [ERROR]
> > [ERROR] jetty-server-9.4.38.v20210224.jar: CVE-2021-28165
> > [ERROR] jetty-http-9.4.38.v20210224.jar: CVE-2021-28165
> > [ERROR]
> > [ERROR] See the dependency-check report for more details.
> >
> >
> > It seems we have a relatively recent (about three weeks old) CVE error in Jetty: https://nvd.nist.gov/vuln/detail/CVE-2021-28165
> > "In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame."
> >
> > Looks like we will have to upgrade to jetty-server-9.4.39.
> >
> > Kind regards,
> > Mate
> >
> > On Tue, Apr 6, 2021 at 10:17 AM Mohammad arshad <mohammad.ars...@huawei.com> wrote:
> >
> >> +1 (non-binding)
> >>
> >> -Verified signature and checksum of release artifacts. all ok
> >> -Run Junit test cases with jdk1.8.0_232 on Ubuntu 20.04, total 3137 test cases, 3 skipped, rest all passed
> >> -Done basic quality checks. run rat, checkstyle, spotbugs
> >> -Built tarball from source code, Verified it is same as the downloaded tarball
> >> -Installed 3 node cluster and verified basic functionalities from API, executed few cli commands. No issues observed
> >> -Connected HBase, HDFS and Yarn clusters (all using zk 3.5.6) to ZooKeeper 3.6.3 cluster, no issues observed.
> >>
> >> Though as a release manager my +1 vote is implicit, voting again to share few commands I used to verify the release.
> >>
> >> Here are some of the commands I executed while verifying the release.
> >>
> >> Download all the required artifacts
> >> --------------------------------------------------------
> >> wget https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/apache-zookeeper-3.6.3-bin.tar.gz
> >> wget https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/apache-zookeeper-3.6.3-bin.tar.gz.asc
> >> wget https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/apache-zookeeper-3.6.3-bin.tar.gz.sha512
> >>
> >> wget https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/apache-zookeeper-3.6.3.tar.gz
> >> wget https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/apache-zookeeper-3.6.3.tar.gz.asc
> >> wget https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/apache-zookeeper-3.6.3.tar.gz.sha512
> >>
> >> wget https://www.apache.org/dist/zookeeper/KEYS
> >>
> >> Verify Signature
> >> --------------------------------------------------------
> >> gpg --import KEYS
> >> gpg --verify apache-zookeeper-3.6.3-bin.tar.gz.asc apache-zookeeper-3.6.3-bin.tar.gz
> >> gpg --verify apache-zookeeper-3.6.3.tar.gz.asc apache-zookeeper-3.6.3.tar.gz
> >> gpg --fingerprint 68E327C1
> >>
> >> Verify Checksum
> >> --------------------------------------------------------
> >> sha512sum --check apache-zookeeper-3.6.3-bin.tar.gz.sha512
> >> sha512sum --check apache-zookeeper-3.6.3-bin.tar.gz.sha512
> >>
> >>
> >> Verify license header by executing Apache RAT
> >> --------------------------------------------------------
> >> tar -xvf apache-zookeeper-3.6.3.tar.gz
> >> cd apache-zookeeper-3.6.3
> >> mvn clean apache-rat:check -DskipTests
> >>
> >> Perform quality checks, run checkstyle, spotbugs and unit tests
> >> --------------------------------------------------------
> >> mvn clean install checkstyle:check spotbugs:check -DskipTests
> >> mvn clean test -Dsurefire.rerunFailingTestsCount=2 -DtestFailureIgnore=true -Dmaven.test.failure.ignore=true -Dmaven.test.error.ignore=true
> >> NOTE: use -Pfull-build to include ci tests as well
> >>
> >> Build and Cluster Install
> >> --------------------------------------------------------
> >> Built the tarball from source code and compare that it is same as the downloaded tarball. Apart from timestamp changes, no other changes are observed
> >> mvn clean install -DskipTests
> >> Installed the downloaded bin tarball and do some feature sanity tests
> >>
> >> Thanks & Regards
> >> Arshad
> >>
> >> -----Original Message-----
> >> From: Mohammad Arshad [mailto:ars...@apache.org]
> >> Sent: Sunday, April 4, 2021 4:48 PM
> >> To: dev@zookeeper.apache.org
> >> Subject: [VOTE] Apache ZooKeeper release 3.6.3 candidate 1
> >>
> >> This is a bug fix release candidate for 3.6.3. It contains 50 fixes.
> >>
> >> The full release notes is available at:
> >>
> >> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12348703
> >>
> >> *** Please download, test and vote by Wednesday, April 7th 2021, 23:59 UTC+0. ***
> >>
> >> Source and binary files:
> >> https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/
> >>
> >> Maven staging repo:
> >> https://repository.apache.org/content/repositories/orgapachezookeeper-1070
> >>
> >> The release candidate tag in git to be voted upon: release-3.6.3-1
> >> https://github.com/apache/zookeeper/tree/release-3.6.3-1
> >>
> >> ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> >> https://www.apache.org/dist/zookeeper/KEYS
> >>
> >> The staging version of the website is:
> >> https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/website/
> >>
> >> *Should we release this candidate?*
> >>
> >> Thanks & Regards
> >> Arshad
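
The checksum and signature steps from the quoted verification commands, as an added shell example that is not part of any message in this thread: it loops over every tarball in a directory so that none is skipped and treats a missing `.sha512` or `.asc` as a failure. The function name `verify_release` and the `VERIFY_SIG` switch are hypothetical; GNU `sha512sum`, and for signatures `gpg` with the project's KEYS file already imported, are assumed.

```shell
#!/bin/sh
# Added example (not from the thread): verify every release tarball in a
# directory and fail closed. verify_release and VERIFY_SIG are hypothetical
# names. VERIFY_SIG=0 restricts the run to digests (no keyring needed).

verify_release() (          # subshell body keeps the variables local
    dir=$1; failed=0; found=0
    for f in "$dir"/*.tar.gz; do
        [ -f "$f" ] || continue
        found=1
        name=${f##*/}
        # A missing or empty side file is a failure, never a skip.
        if [ ! -s "$f.sha512" ]; then
            echo "FAIL $name: no .sha512" >&2; failed=1; continue
        fi
        # Compare digests directly so the result is bound to this file,
        # whatever file name the .sha512 happens to list.
        want=$(awk 'NR==1 {print tolower($1)}' "$f.sha512")
        have=$(sha512sum < "$f" | awk '{print $1}')
        if [ -z "$want" ] || [ "$want" != "$have" ]; then
            echo "FAIL $name: SHA-512 mismatch" >&2; failed=1; continue
        fi
        if [ "${VERIFY_SIG:-1}" = 1 ]; then
            # Exit status 0 means some key in the local keyring made a good
            # signature; which keys were imported is the trust decision.
            if [ ! -f "$f.asc" ] || ! gpg --verify "$f.asc" "$f" 2>/dev/null; then
                echo "FAIL $name: signature missing or bad" >&2
                failed=1; continue
            fi
        fi
        echo "OK   $name"
    done
    # A directory with no tarballs must not count as a pass.
    [ "$found" -eq 1 ] && [ "$failed" -eq 0 ]
)
```

Run it as `verify_release .` in the directory that holds the downloaded artifacts; the exit status is 0 only when every tarball passed.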