+1 (binding) I did the following tests for the release candidate: - verified checksum and gpg signature of the artifacts - I built the source code (incl. the C-client, using -Pfull-build) on Ubuntu 22.04.4 using OpenJDK 8u402, maven 3.6.3 and GCC version 11.4.0 - all the java unit tests passed for me - I built the C-Client, and also all the C-client tests passed for me. (for the first try) - I also built and executed unit tests for zkpython - I also built the java code (without -Pfull-build) using other JDK versions: 11.0.22, 17.0.10, 21.0.1 (but didn't run the tests this time, just used 'clean install -DskipTests') - checkstyle and spotbugs passed - apache-rat passed - fatjar built - I executed quick rolling-upgrade tests without SSL (using https://github.com/symat/zk-rolling-upgrade-test): - rolling upgrade from 3.6.4 to 3.9.4 RC2 - rolling upgrade from 3.7.2 to 3.9.4 RC2 - rolling upgrade from 3.8.4 to 3.9.4 RC2 - rolling upgrade from 3.9.3 RC0 to 3.9.4 RC2 - checked the uploaded documentation ( https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.9.4-candidate-2/website/index.html ) - compared generated release notes ( https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.9.4-candidate-2/website/releasenotes.html) with Jira ( https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12354432 ) The two lists seem to me identical. I assume the issues found by Damien were missing from both lists, but I don't consider this a blocker.
- Unfortunately I was unable to run the dependency check (owasp), I got a NullPointerException / NoDataException. I assume it might have been some local issue at my machine. I hope that CI or some of you were able to execute it. (I registered an NVD API KEY, tried with more recent java/maven versions and also tried to purge my local cahce, but these didn't help and I had no more time to investigate) Anyway, the candidate looks good to me, thank you for the work! Best regards, Máté On Thu, Aug 21, 2025 at 12:41 PM Damien Diederen <[email protected]> wrote: > > Hi Andor, all, > > +1 (binding). > > I went through my usual set of checks: > > - Tarball contents match repository tag; > > - Verified checksums and signatures; > > - Ran `dependency-check:check`; > > - Built and smoke-tested on NixOS with a slightly adapted version of > the Nix recipe and test case; > > - Smoke-tested a standalone server with the (corresponding) Java, C > and Perl clients, as well as the zkfuse contrib; > > *NOTE* (Minor) My recipe failed to compiled the Perl client with the > latest GCC, so I used a previous version. I will look into it and > may create a ticket. This is not a blocker as the Perl client is a > `-contrib`; > > - Smoke-tested a 3-ensemble with the (corresponding) Java client and > SASL/GSSAPI. > > *NOTE* (Minor) It seems the release notes are technically missing > entries for these two tickets—but they're only about dependency > upgrades: > > - ZOOKEEPER-4890, "Update Netty to fix CVE-2024-47535"; > > - ZOOKEEPER-4932, "The newest version of zookeeper includes Jetty > versiob 9.4.57.x which has CVE-2024-6763 issue." > > All in all: LGTM—thank you! > > Cheers, > Damien > > > > Andor Molnar <[email protected]> writes: > > This is a release candidate for 3.9.4. > > > > This is a minor release with bug- and security fixes. Important to > > note that due to security issues we’ve upgraded logback to 1.3.15 and > > slf4j to 2.0.13. No ZooKeeper code changes have been involved in this > > upgrade, but the SLF4j upgrade was a major version increase, so keep > > an eye on that during your testing. > > > > The full release notes is available at: > > > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12355230 > > > > *** Please download, test and vote by August 26th 2025, 23:59 UTC+0. *** > > > > Source files: > > > https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.9.4-candidate-2/ > > > > Maven staging repo: > > > https://repository.apache.org/content/repositories/orgapachezookeeper-1110/ > > > > The release candidate tag in git to be voted upon: release-3.9.4-2 > > https://github.com/apache/zookeeper/tree/release-3.9.4-2 > > > > ZooKeeper's KEYS file containing PGP keys we use to sign the release: > > https://www.apache.org/dist/zookeeper/KEYS > > > > The staging version of the website is: > > > https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.9.4-candidate-2/website/index.html > > > > Should we release this candidate? > > > > Andor >
