FWIW, I think it's a waste of time to cancel the vote on the basis of a
known false positive... you can just ignore the false positive and +1 a
vote anyway. I don't see this as "pushing it downstream" onto users. Users
are likely to not run the CVE check, because it's only useful at a point in
time. But, if they do, it's only ever useful at a specific point in time.
If users run it in the future, they could have any amount of false or true
positives.

Worst case scenario: mention the false positive in the release notes.

On Wed, May 4, 2022 at 2:21 PM Mohammad Arshad <ars...@apache.org> wrote:

> Thanks Patrick Hunt for your feedback. I am cancelling this VOTE. Thanks
> Mate and Enrico for your quick votes.
>
> Thanks & Regards
> Arshad
>
> On Wed, May 4, 2022 at 11:03 PM Patrick Hunt <ph...@apache.org> wrote:
>
> > The dependency checker is failing. We had a similar discussion about the
> > impact of this on a recent release candidate
> > <https://lists.apache.org/thread/79g19xxovm1gntqq4p1m1ynfzfk822hp>. The
> > decision was to address the problem rather than push it downstream to end
> > users. iow this type of error results in all consumers having a question
> > as to whether there is a problem or not. Better to fix it now by spinning
> > another RC rather than have to deal with it magnified later.
> >
> > [ERROR] One or more dependencies were identified with vulnerabilities
> > that have a CVSS score greater than or equal to '0.0':
> > [ERROR]
> > [ERROR] reload4j-1.2.19.jar: CVE-2020-9493, CVE-2022-23307
> > [ERROR]
> > [ERROR] See the dependency-check report for more details.
> >
> > On Sun, Apr 24, 2022 at 6:25 PM Mohammad Arshad <ars...@apache.org> wrote:
> >
> > > This is a bug fix release candidate for 3.7.1. It contains 61 fixes.
> > >
> > > The full release notes are available at:
> > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12350030
> > >
> > > *** Please download, test and vote by Sunday, 01 May, 2022, 23:59 UTC+0. ***
> > >
> > > Source files:
> > > https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.7.1-rc0/
> > >
> > > Maven staging repo:
> > > https://repository.apache.org/content/repositories/orgapachezookeeper-1075
> > >
> > > The release candidate tag in git to be voted upon: release-3.7.1-0
> > > https://github.com/apache/zookeeper/tree/release-3.7.1-0
> > >
> > > ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> > > https://www.apache.org/dist/zookeeper/KEYS
> > >
> > > The staging version of the website is:
> > > https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.7.1-rc0/website/index.html
> > >
> > >
> > > Should we release this candidate?
> > >
> > >
> > > -Arshad
> > >
> >
>
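
The `[ERROR]` lines quoted above come from the OWASP dependency-check Maven plugin. As an added example (not code from this thread, and not the ZooKeeper project's own configuration), here is how the "known false positive" the top poster refers to would be recorded so that the check keeps failing the build on anything new while the two quoted findings are suppressed with a written justification and an expiry date. Only the jar name and the two CVE identifiers come from the thread; the file name `owasp-suppressions.xml`, the `until` date and the scoping of the entry to the `ch.qos.reload4j:reload4j` coordinates are assumptions about how a project would wire this up.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  File 1: owasp-suppressions.xml (assumed path; added example, not the
  project's file). Every <suppress> carries a <notes> justification so the
  next release manager can see why it was accepted, and an "until" date so
  the entry is re-examined instead of silently outliving its reason.
-->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- The two findings from the 3.7.1-rc0 vote thread. Scoped by package URL
       so the suppression cannot hide the same CVE identifiers if they are
       ever reported against a different artifact. -->
  <suppress until="2022-11-01Z">  <!-- expiry date is an assumption -->
    <notes><![CDATA[
      Reported by dependency-check against reload4j-1.2.19.jar. Treated as a
      known false positive during the ZooKeeper 3.7.1 RC vote. Re-verify
      against the reload4j changelog before extending the "until" date.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/ch\.qos\.reload4j/reload4j@.*$</packageUrl>
    <cve>CVE-2020-9493</cve>
    <cve>CVE-2022-23307</cve>
  </suppress>

</suppressions>

<!--
  File 2: pom.xml excerpt (added example). Points the plugin at the file
  above and keeps failing on any unsuppressed finding, matching the
  CVSS >= 0.0 threshold visible in the quoted error output.
-->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <configuration>
    <failBuildOnCVSS>0</failBuildOnCVSS>
    <suppressionFiles>
      <suppressionFile>owasp-suppressions.xml</suppressionFile>
    </suppressionFiles>
  </configuration>
</plugin>
```

With the suppression checked in next to the pom, the same `mvn verify` run that produced the quoted `[ERROR]` output passes for these two entries and still fails for anything else, which addresses Patrick's concern that every downstream consumer otherwise has to re-derive whether the finding matters. When the `until` date passes the plugin reports the CVEs again, which is the intended prompt to re-check rather than a regression.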
