+1 (non-binding), With a minor change <https://github.com/apache/hadoop/pull/4272> in hadoop-vote,
* Signature: ok * Checksum : ok * Rat check (1.8.0_301): ok - mvn clean apache-rat:check * Built from source (1.8.0_301): ok - mvn clean install -DskipTests * Built tar from source (1.8.0_301): ok - mvn clean package -Pdist -DskipTests -Dtar -Dmaven.javadoc.skip=true HDFS and MapReduce functional testing looks good. As per PR#4268 <https://github.com/apache/hadoop/pull/4268>, except for a few flakes, TestDistributedShell and TestCsiClient are consistently failing. On Tue, May 3, 2022 at 4:24 AM Steve Loughran <ste...@cloudera.com.invalid> wrote: > I have put together a release candidate (rc0) for Hadoop 3.3.3 > > The RC is available at: > https://dist.apache.org/repos/dist/dev/hadoop/3.3.3-RC0/ > > The git tag is release-3.3.3-RC0, commit d37586cbda3 > > The maven artifacts are staged at > https://repository.apache.org/content/repositories/orgapachehadoop-1348/ > > You can find my public key at: > https://dist.apache.org/repos/dist/release/hadoop/common/KEYS > > Change log > https://dist.apache.org/repos/dist/dev/hadoop/3.3.3-RC0/CHANGELOG.md > > Release notes > https://dist.apache.org/repos/dist/dev/hadoop/3.3.3-RC0/RELEASENOTES.md > > There's a very small number of changes, primarily critical code/packaging > issues and security fixes. > > > - The critical fixes which shipped in the 3.2.3 release. > - CVEs in our code and dependencies > - Shaded client packaging issues. > - A switch from log4j to reload4j > > > reload4j is an active fork of the log4j 1.17 library with the classes which > contain CVEs removed. Even though hadoop never used those classes, they > regularly raised alerts on security scans and concen from users. Switching > to the forked project allows us to ship a secure logging framework. It will > complicate the builds of downstream maven/ivy/gradle projects which exclude > our log4j artifacts, as they need to cut the new dependency instead/as > well. > > See the release notes for details. > > This is my first release through the new docker build process, do please > validate artifact signing &c to make sure it is good. I'll be trying builds > of downstream projects. > > We know there are some outstanding issues with at least one library we are > shipping (okhttp), but I don't want to hold this release up for it. If the > docker based release process works smoothly enough we can do a followup > security release in a few weeks. > > Please try the release and vote. The vote will run for 5 days. > > -Steve >
