Hello Andor!

Thanks for this great release!

I found two issues with RC0:

1) OWASP CVE check (mvn dependency-check:check) failed with
"netty-tcnative-boringssl-static-2.0.61.Final-osx-x86_64.jar:
CVE-2011-1797(9.3)"

This seems to be a false positive to me (looks to be some security issue
affecting old safari / chromium web browser versions?). I didn't get deep
into this, but I guess we see this since
https://issues.apache.org/jira/browse/ZOOKEEPER-4622

Interestingly, the CI pipeline doesn't catch this CVE (
https://ci-hadoop.apache.org/view/ZooKeeper/job/zookeeper-multi-branch-owasp/job/master/),
maybe this is some bug in OWASP that is triggered only with certain maven
versions or during building on certain platforms? I ran OWASP on Ubuntu
18.04.2 with maven 3.9.3.

2) Also I see that the website (
https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.9.0-candidate-0/website/index.html)
is still showing "ZooKeeper 3.8 Documentation" on the top


What do you think? We shouldn't pass the RC until we are certain about the
CVE issue. (unless this is something happening only on my setup... it is
strange that OWASP is green on CI)


Besides these, I ran all my usual RC test steps, and found no other issues
with the RC:
- verified checksum and gpg signature of the artifacts
- I built the source code (incl. the C-client, using -Pfull-build) on
Ubuntu 18.04.2 using OpenJDK 8u372, maven 3.9.3 and GCC version 7.4.0
- all the unit tests passed (both Java and C-client)
- I also built and executed unit tests for zkpython
- I also built the java code (without -Pfull-build) using other JDK
versions: 11.0.19, 17.0.7, 20.0.1 (but didn't run the tests this time, just
used 'clean install -DskipTests')
- checkstyle and spotbugs passed
- apache-rat passed
- fatjar built
- I executed quick rolling-upgrade tests (using
https://github.com/symat/zk-rolling-upgrade-test):
     - rolling upgrade from 3.5.10 to 3.9.0
     - rolling upgrade from 3.6.4 to 3.9.0
     - rolling upgrade from 3.7.1 to 3.9.0
     - rolling upgrade from 3.8.2 to 3.9.0
- compared generated release notes (
https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.9.0-candidate-0/website/releasenotes.html
) with Jira (
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12351304
)


Best regards,
Máté

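An added example, not from this thread or the ZooKeeper build, of how a dependency-check match like the one in point 1 is recorded once it has been confirmed as a false positive, so the check keeps failing on real findings while this one pairing of artifact and CVE is silenced. It assumes the artifact's Maven coordinates are io.netty:netty-tcnative-boringssl-static and that the file is wired in through the dependency-check-maven plugin's suppressionFiles configuration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml (example only, not part of the ZooKeeper repo). -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <!-- The note is what a later reviewer reads: who decided, why, and when to revisit. -->
        <notes><![CDATA[
        CVE-2011-1797 describes a vulnerability in old Safari/Chromium browser builds.
        dependency-check reported it against netty-tcnative-boringssl-static
        (2.0.61.Final, osx-x86_64 classifier) when run with Maven 3.9.3 on Ubuntu 18.04.
        The JAR carries BoringSSL native code, not browser code, so the match is a false
        positive. Revisit when the netty-tcnative version is next bumped.
        ]]></notes>
        <!-- Scope: this one artifact only. Maven coordinates are assumed here;
             the regex accepts any version and classifier of it. -->
        <packageUrl regex="true">^pkg:maven/io\.netty/netty\-tcnative\-boringssl\-static@.*$</packageUrl>
        <!-- Scope: this one CVE only. Any other finding on the same JAR still fails the build. -->
        <cve>CVE-2011-1797</cve>
    </suppress>
</suppressions>
```

A suppression keyed on the CPE or on the whole artifact instead of the cve element would hide future, genuine advisories for the same dependency, which is why both selectors are kept narrow.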
On Mon, Jul 17, 2023 at 3:11 PM Andor Molnar <an...@apache.org> wrote:

> Hi team,
>
> This is a release candidate for 3.9.0.
>
> It is a major release and it introduces a lot of new features, most
> notably:
> - Admin server API for taking a snapshot and streaming out the data
> - Communicate the Zxid that triggered a WatchEvent to fire
> - TLS - dynamic loading for client trust/key store
> - Add Netty-TcNative OpenSSL Support
> - Adding SSL support to Zktreeutil
> - Improve syncRequestProcessor performance
> - Updates to all the third party dependencies to get rid of every known
> CVE.
>
> The full release notes are available at:
>
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12351304
>
> *** Please download, test and vote by July 30th 2023, 23:59 UTC+0. ***
>
> Source files:
>
> https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.9.0-candidate-0/
>
> Maven staging repo:
>
> https://repository.apache.org/content/groups/staging/org/apache/zookeeper/zookeeper/3.9.0/
>
> The release candidate tag in git to be voted upon: release-3.8.0-1
> https://github.com/apache/zookeeper/tree/release-3.9.0-0
>
> ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> https://www.apache.org/dist/zookeeper/KEYS
>
> The staging version of the website is:
>
> https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.9.0-candidate-0/website/index.html
>
>
> Should we release this candidate?
>
>
> Regards,
> Andor
>
>
>
