Re: [VOTE] Release Apache Log4j 2.22.1 RC1
On Wed, 27 Dec 2023 at 00:54, Matt Sicker wrote: > > While there appears to be some issues with the reproducibility of the build, > it appears to be inconsequential. > > +1 Adding my +1, this vote passes with 3 +1 from: Gary, Matt and me. I will continue the release process. Piotr BTW: reproducibility is not an issue for me (Debian 11, JDK 17).
Re: [VOTE] Release Apache Log4j 2.22.1 RC1
While there appears to be some issues with the reproducibility of the build, it appears to be inconsequential. +1 — Matt Sicker > On Dec 22, 2023, at 12:00, Piotr P. Karwasz wrote: > > This is a vote to release the Apache Log4j 2.22.1. > > Website: https://logging.staged.apache.org/log4j/2.x/ > GitHub: https://github.com/apache/logging-log4j2 > Commit: 8469975a4f2b1f8f1bd4f25ca6d1989a52aefc1b > Distribution: https://dist.apache.org/repos/dist/dev/logging/log4j > Nexus: > https://repository.apache.org/content/repositories/orgapachelogging-1254 > Signing key: 0x077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0 > > Please download, test, and cast your votes on this mailing list. > > [ ] +1, release the artifacts > [ ] -1, don't release, because... > > This vote is open for 72 hours and will pass unless getting a > net negative vote count. All votes are welcome and we encourage > everyone to test the release, but only the Logging Services PMC > votes are officially counted. > > == Review Kit > > The minimum set of steps needed to review the uploaded distribution > files in the Subversion repository can be summarized as follows: > ># Check out the distribution >wget --recursive --no-parent --no-host-directories --cut-dirs=5 > https://dist.apache.org/repos/dist/dev/logging/log4j > ># Verify checksums >sha512sum --check *.sha512 > ># Verify signatures >wget -O - https://downloads.apache.org/logging/KEYS | gpg --import >for sigFile in *.asc; do gpg --verify $sigFile; done > ># Verify reproduciblity >umask 0022 >unzip *-src.zip -d src >cd src >export > NEXUS_REPO=https://repository.apache.org/content/repositories/orgapachelogging-1254 >sh mvnw -Prelease verify artifact:compare -Dreference.repo=$NEXUS_REPO > > == Release Notes > > This release contains only dependency upgrades and bug fixes, which do > not change the behavior of the artifacts. > > While maintaining compatibility with Java 8, the artifacts in this > release where generated using JDK 17, unlike version `2.22.0` that > used JDK 11. > > > [#release-notes-2-22-1-fixed] > === Fixed > > * Mark `JdkMapAdapterStringMap` as frozen if map is immutable. (#2098) > * Fix NPE in `CloseableThreadContext`. (#1426) > * Use the module name of Conversant Media Disruptor from version > `1.2.16+` of the library. > * Fix NPE in `RollingFileManager`. (#1645) > * Fix `log4j-to-slf4j` JPMS and OSGi descriptors. (#1983) > * Workaround a Coursier/Ivy dependency resolution bug affecting > `log4j-slf4j-impl` and `log4j-mongodb3`. (#2065) > > [#release-notes-2-22-1-updated] > === Updated > > * Bumped the minimum Java version required for the build to Java 17. > Runtime requirements remain unchanged. (#2021) > * Update `com.github.luben:zstd-jni` to version `1.5.5-11` (#2030) > * Update `com.google.guava:guava` to version `33.0.0-jre` (#2110) > * Update `commons-codec:commons-codec` to version `1.16.0` (#2042) > * Update `commons-io:commons-io` to version `2.15.1` (#2034) > * Update `commons-logging:commons-logging` to version `1.3.0` (#2050) > * Update `io.netty:netty-bom` to version `4.1.104.Final` (#2095) > * Update `org.apache.commons:commons-compress` to version `1.25.0` (#2045) > * Update `org.apache.commons:commons-dbcp2` to version `2.11.0` (#2048) > * Update `org.apache.commons:commons-lang3` to version `3.14.0` (#2047) > * Update `org.apache.commons:commons-pool2` to version `2.12.0` (#2057) > * Update `org.apache.kafka:kafka-clients` to version `3.6.1` (#2068) > * Update `org.apache.logging:logging-parent` to version `10.5.0` (#2119) > * Update `org.jctools:jctools-core` to version `4.0.2` (#1984) > * Update `org.springframework.boot:spring-boot` to version `2.7.18` (#1998) > * Update `org.springframework.cloud:spring-cloud-dependencies` to > version `2021.0.9` (#2109)
Re: [VOTE] Release Apache Log4j 2.22.1 RC1
Hi Piotr, I'm pretty sure there aren't any Apache requirements around tagging in git (or svn) but it seems nice to me to have tags for release candidates. Not that big of a deal probably. Gary On Sat, Dec 23, 2023, 2:51 PM Piotr P. Karwasz wrote: > Hi Gary, > > On Sat, 23 Dec 2023 at 17:47, Gary Gregory wrote: > > > > Question: Where is the git tag in these VOTE emails? I see a "Commit" > > but no named tag. > > The CI does not create tags, but it works on a separate branch > `release/x.y.z` and the commit should be the last commit of the > branch. > Of course providing a SHA1 is safer. Should we also add a tag? > > Piotr >
Re: [VOTE] Release Apache Log4j 2.22.1 RC1
Hi Gary, On Sat, 23 Dec 2023 at 17:47, Gary Gregory wrote: > > Question: Where is the git tag in these VOTE emails? I see a "Commit" > but no named tag. The CI does not create tags, but it works on a separate branch `release/x.y.z` and the commit should be the last commit of the branch. Of course providing a SHA1 is safer. Should we also add a tag? Piotr
Re: [VOTE] Release Apache Log4j 2.22.1 RC1
TY for the references. Gary On Sat, Dec 23, 2023 at 2:20 PM Piotr P. Karwasz wrote: > > Hi Gary, > > On Sat, 23 Dec 2023 at 16:23, Gary Gregory wrote: > > > > Can this noise be made quiet in the future please (mvn clean verify -U): > > This is a temporary workaround for three `cyclonedx-maven-plugin` limitations. > We are still waiting for two fixes and a release of the plugin: > > https://github.com/CycloneDX/cyclonedx-maven-plugin/issues/419 > https://github.com/CycloneDX/cyclonedx-maven-plugin/pull/428 > > Piotr
Re: [VOTE] Release Apache Log4j 2.22.1 RC1
Hi Gary, On Sat, 23 Dec 2023 at 16:23, Gary Gregory wrote: > > Can this noise be made quiet in the future please (mvn clean verify -U): This is a temporary workaround for three `cyclonedx-maven-plugin` limitations. We are still waiting for two fixes and a release of the plugin: https://github.com/CycloneDX/cyclonedx-maven-plugin/issues/419 https://github.com/CycloneDX/cyclonedx-maven-plugin/pull/428 Piotr
Re: [VOTE] Release Apache Log4j 2.22.1 RC1
Question: Where is the git tag in these VOTE emails? I see a "Commit" but no named tag. Gary On Fri, Dec 22, 2023 at 1:01 PM Piotr P. Karwasz wrote: > > This is a vote to release the Apache Log4j 2.22.1. > > Website: https://logging.staged.apache.org/log4j/2.x/ > GitHub: https://github.com/apache/logging-log4j2 > Commit: 8469975a4f2b1f8f1bd4f25ca6d1989a52aefc1b > Distribution: https://dist.apache.org/repos/dist/dev/logging/log4j > Nexus: > https://repository.apache.org/content/repositories/orgapachelogging-1254 > Signing key: 0x077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0 > > Please download, test, and cast your votes on this mailing list. > > [ ] +1, release the artifacts > [ ] -1, don't release, because... > > This vote is open for 72 hours and will pass unless getting a > net negative vote count. All votes are welcome and we encourage > everyone to test the release, but only the Logging Services PMC > votes are officially counted. > > == Review Kit > > The minimum set of steps needed to review the uploaded distribution > files in the Subversion repository can be summarized as follows: > > # Check out the distribution > wget --recursive --no-parent --no-host-directories --cut-dirs=5 > https://dist.apache.org/repos/dist/dev/logging/log4j > > # Verify checksums > sha512sum --check *.sha512 > > # Verify signatures > wget -O - https://downloads.apache.org/logging/KEYS | gpg --import > for sigFile in *.asc; do gpg --verify $sigFile; done > > # Verify reproduciblity > umask 0022 > unzip *-src.zip -d src > cd src > export > NEXUS_REPO=https://repository.apache.org/content/repositories/orgapachelogging-1254 > sh mvnw -Prelease verify artifact:compare -Dreference.repo=$NEXUS_REPO > > == Release Notes > > This release contains only dependency upgrades and bug fixes, which do > not change the behavior of the artifacts. > > While maintaining compatibility with Java 8, the artifacts in this > release where generated using JDK 17, unlike version `2.22.0` that > used JDK 11. > > > [#release-notes-2-22-1-fixed] > === Fixed > > * Mark `JdkMapAdapterStringMap` as frozen if map is immutable. (#2098) > * Fix NPE in `CloseableThreadContext`. (#1426) > * Use the module name of Conversant Media Disruptor from version > `1.2.16+` of the library. > * Fix NPE in `RollingFileManager`. (#1645) > * Fix `log4j-to-slf4j` JPMS and OSGi descriptors. (#1983) > * Workaround a Coursier/Ivy dependency resolution bug affecting > `log4j-slf4j-impl` and `log4j-mongodb3`. (#2065) > > [#release-notes-2-22-1-updated] > === Updated > > * Bumped the minimum Java version required for the build to Java 17. > Runtime requirements remain unchanged. (#2021) > * Update `com.github.luben:zstd-jni` to version `1.5.5-11` (#2030) > * Update `com.google.guava:guava` to version `33.0.0-jre` (#2110) > * Update `commons-codec:commons-codec` to version `1.16.0` (#2042) > * Update `commons-io:commons-io` to version `2.15.1` (#2034) > * Update `commons-logging:commons-logging` to version `1.3.0` (#2050) > * Update `io.netty:netty-bom` to version `4.1.104.Final` (#2095) > * Update `org.apache.commons:commons-compress` to version `1.25.0` (#2045) > * Update `org.apache.commons:commons-dbcp2` to version `2.11.0` (#2048) > * Update `org.apache.commons:commons-lang3` to version `3.14.0` (#2047) > * Update `org.apache.commons:commons-pool2` to version `2.12.0` (#2057) > * Update `org.apache.kafka:kafka-clients` to version `3.6.1` (#2068) > * Update `org.apache.logging:logging-parent` to version `10.5.0` (#2119) > * Update `org.jctools:jctools-core` to version `4.0.2` (#1984) > * Update `org.springframework.boot:spring-boot` to version `2.7.18` (#1998) > * Update `org.springframework.cloud:spring-cloud-dependencies` to > version `2021.0.9` (#2109)
Re: [VOTE] Release Apache Log4j 2.22.1 RC1
+1 - Tested src zip file - ASC OK - SHA512 OK - `mvn clean verify` OK - Using: Apache Maven 3.9.6 (bc0240f3c744dd6b6ec2920b3cd08dcc295161ae) Maven home: /usr/local/Cellar/maven/3.9.6/libexec Java version: 17.0.9, vendor: Homebrew, runtime: /usr/local/Cellar/openjdk@17/17.0.9/libexec/openjdk.jdk/Contents/Home Default locale: en_US, platform encoding: UTF-8 OS name: "mac os x", version: "14.2.1", arch: "x86_64", family: "mac" Darwin 23.2.0 Darwin Kernel Version 23.2.0: Wed Nov 15 21:54:10 PST 2023; root:xnu-10002.61.3~2/RELEASE_X86_64 x86_64 Gary On Fri, Dec 22, 2023 at 1:01 PM Piotr P. Karwasz wrote: > > This is a vote to release the Apache Log4j 2.22.1. > > Website: https://logging.staged.apache.org/log4j/2.x/ > GitHub: https://github.com/apache/logging-log4j2 > Commit: 8469975a4f2b1f8f1bd4f25ca6d1989a52aefc1b > Distribution: https://dist.apache.org/repos/dist/dev/logging/log4j > Nexus: > https://repository.apache.org/content/repositories/orgapachelogging-1254 > Signing key: 0x077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0 > > Please download, test, and cast your votes on this mailing list. > > [ ] +1, release the artifacts > [ ] -1, don't release, because... > > This vote is open for 72 hours and will pass unless getting a > net negative vote count. All votes are welcome and we encourage > everyone to test the release, but only the Logging Services PMC > votes are officially counted. > > == Review Kit > > The minimum set of steps needed to review the uploaded distribution > files in the Subversion repository can be summarized as follows: > > # Check out the distribution > wget --recursive --no-parent --no-host-directories --cut-dirs=5 > https://dist.apache.org/repos/dist/dev/logging/log4j > > # Verify checksums > sha512sum --check *.sha512 > > # Verify signatures > wget -O - https://downloads.apache.org/logging/KEYS | gpg --import > for sigFile in *.asc; do gpg --verify $sigFile; done > > # Verify reproduciblity > umask 0022 > unzip *-src.zip -d src > cd src > export > NEXUS_REPO=https://repository.apache.org/content/repositories/orgapachelogging-1254 > sh mvnw -Prelease verify artifact:compare -Dreference.repo=$NEXUS_REPO > > == Release Notes > > This release contains only dependency upgrades and bug fixes, which do > not change the behavior of the artifacts. > > While maintaining compatibility with Java 8, the artifacts in this > release where generated using JDK 17, unlike version `2.22.0` that > used JDK 11. > > > [#release-notes-2-22-1-fixed] > === Fixed > > * Mark `JdkMapAdapterStringMap` as frozen if map is immutable. (#2098) > * Fix NPE in `CloseableThreadContext`. (#1426) > * Use the module name of Conversant Media Disruptor from version > `1.2.16+` of the library. > * Fix NPE in `RollingFileManager`. (#1645) > * Fix `log4j-to-slf4j` JPMS and OSGi descriptors. (#1983) > * Workaround a Coursier/Ivy dependency resolution bug affecting > `log4j-slf4j-impl` and `log4j-mongodb3`. (#2065) > > [#release-notes-2-22-1-updated] > === Updated > > * Bumped the minimum Java version required for the build to Java 17. > Runtime requirements remain unchanged. (#2021) > * Update `com.github.luben:zstd-jni` to version `1.5.5-11` (#2030) > * Update `com.google.guava:guava` to version `33.0.0-jre` (#2110) > * Update `commons-codec:commons-codec` to version `1.16.0` (#2042) > * Update `commons-io:commons-io` to version `2.15.1` (#2034) > * Update `commons-logging:commons-logging` to version `1.3.0` (#2050) > * Update `io.netty:netty-bom` to version `4.1.104.Final` (#2095) > * Update `org.apache.commons:commons-compress` to version `1.25.0` (#2045) > * Update `org.apache.commons:commons-dbcp2` to version `2.11.0` (#2048) > * Update `org.apache.commons:commons-lang3` to version `3.14.0` (#2047) > * Update `org.apache.commons:commons-pool2` to version `2.12.0` (#2057) > * Update `org.apache.kafka:kafka-clients` to version `3.6.1` (#2068) > * Update `org.apache.logging:logging-parent` to version `10.5.0` (#2119) > * Update `org.jctools:jctools-core` to version `4.0.2` (#1984) > * Update `org.springframework.boot:spring-boot` to version `2.7.18` (#1998) > * Update `org.springframework.cloud:spring-cloud-dependencies` to > version `2021.0.9` (#2109)
Re: [VOTE] Release Apache Log4j 2.22.1 RC1
Can this noise be made quiet in the future please (mvn clean verify -U):
...
[INFO] --- bsh:1.4:run (process-sbom) @ log4j-api-java9 ---
[INFO] Executing Script
[INFO] file class java.lang.Object
[INFO] script class java.lang.String
[INFO] evaluating script import java.io.*;
import java.nio.file.*;
import java.util.*;
import javax.xml.transform.*;
import javax.xml.transform.stream.*;
import org.apache.commons.codec.digest.*;
// Compute parameters
final String xslt = project.getProperties().getProperty("sbom.xslt");
final File pomFile = project.getModel().getPomFile();
final byte[] digest = new
DigestUtils(MessageDigestAlgorithms.SHA_256).digest(pomFile);
final UUID bomSerialNumber = UUID.nameUUIDFromBytes(digest);
final String vdrUrl =
Objects.requireNonNull(project.getProperties().getProperty("vdr.url"),
"vdr.url");
// Move original SBOM file
final Path basedir = project.getBasedir().toPath();
final Path destPath = basedir.resolve("target/bom.xml");
final Path sourcePath = basedir.resolve("target/bom.orig.xml");
if (!Files.isReadable(destPath)) {
System.out.println("No CycloneDX SBOM file found, skipping
transformation.");
return;
}
Files.move(destPath, sourcePath, new CopyOption[]
{StandardCopyOption.REPLACE_EXISTING});
// Apply XSLT transformation
final StreamSource xsltSource = new StreamSource(new StringReader(xslt));
final TransformerFactory factory = TransformerFactory.newInstance();
final Transformer transformer = factory.newTransformer(xsltSource);
transformer.setParameter("sbom.serialNumber", bomSerialNumber.toString());
transformer.setParameter("vdr.url", vdrUrl);
final StreamSource source = new
StreamSource(sourcePath.toUri().toASCIIString());
final StreamResult result = new
StreamResult(destPath.toUri().toASCIIString());
transformer.transform(source, result);
No CycloneDX SBOM file found, skipping transformation.
[INFO]
[INFO] >>> spotbugs:4.8.2.0:check (default-spotbugs) > :spotbugs @
log4j-api-java9 >>>
Gary
On Fri, Dec 22, 2023 at 1:01 PM Piotr P. Karwasz
wrote:
>
> This is a vote to release the Apache Log4j 2.22.1.
>
> Website: https://logging.staged.apache.org/log4j/2.x/
> GitHub: https://github.com/apache/logging-log4j2
> Commit: 8469975a4f2b1f8f1bd4f25ca6d1989a52aefc1b
> Distribution: https://dist.apache.org/repos/dist/dev/logging/log4j
> Nexus:
> https://repository.apache.org/content/repositories/orgapachelogging-1254
> Signing key: 0x077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0
>
> Please download, test, and cast your votes on this mailing list.
>
> [ ] +1, release the artifacts
> [ ] -1, don't release, because...
>
> This vote is open for 72 hours and will pass unless getting a
> net negative vote count. All votes are welcome and we encourage
> everyone to test the release, but only the Logging Services PMC
> votes are officially counted.
>
> == Review Kit
>
> The minimum set of steps needed to review the uploaded distribution
> files in the Subversion repository can be summarized as follows:
>
> # Check out the distribution
> wget --recursive --no-parent --no-host-directories --cut-dirs=5
> https://dist.apache.org/repos/dist/dev/logging/log4j
>
> # Verify checksums
> sha512sum --check *.sha512
>
> # Verify signatures
> wget -O - https://downloads.apache.org/logging/KEYS | gpg --import
> for sigFile in *.asc; do gpg --verify $sigFile; done
>
> # Verify reproduciblity
> umask 0022
> unzip *-src.zip -d src
> cd src
> export
> NEXUS_REPO=https://repository.apache.org/content/repositories/orgapachelogging-1254
> sh mvnw -Prelease verify artifact:compare -Dreference.repo=$NEXUS_REPO
>
> == Release Notes
>
> This release contains only dependency upgrades and bug fixes, which do
> not change the behavior of the artifacts.
>
> While maintaining compatibility with Java 8, the artifacts in this
> release where generated using JDK 17, unlike version `2.22.0` that
> used JDK 11.
>
>
> [#release-notes-2-22-1-fixed]
> === Fixed
>
> * Mark `JdkMapAdapterStringMap` as frozen if map is immutable. (#2098)
> * Fix NPE in `CloseableThreadContext`. (#1426)
> * Use the module name of Conversant Media Disruptor from version
> `1.2.16+` of the library.
> * Fix NPE in `RollingFileManager`. (#1645)
> * Fix `log4j-to-slf4j` JPMS and OSGi descriptors. (#1983)
> * Workaround a Coursier/Ivy dependency resolution bug affecting
> `log4j-slf4j-impl` and `log4j-mongodb3`. (#2065)
>
> [#release-notes-2-22-1-updated]
> === Updated
>
> * Bumped the minimum Java version required for the build to Java 17.
> Runtime requirements remain unchanged. (#2021)
> * Update `com.github.luben:zstd-jni` to version `1.5.5-11` (#2030)
> * Update `com.google.guava:guava` to version `33.0.0-jre` (#2110)
> * Update `commons-codec:commons-codec` to version `1.16.0` (#2042)
> * Update `commons-io:commons-io` to version `2.15.1` (#2034)
> * Update `commons-logging:commons-logging` t
[VOTE] Release Apache Log4j 2.22.1 RC1
This is a vote to release the Apache Log4j 2.22.1. Website: https://logging.staged.apache.org/log4j/2.x/ GitHub: https://github.com/apache/logging-log4j2 Commit: 8469975a4f2b1f8f1bd4f25ca6d1989a52aefc1b Distribution: https://dist.apache.org/repos/dist/dev/logging/log4j Nexus: https://repository.apache.org/content/repositories/orgapachelogging-1254 Signing key: 0x077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0 Please download, test, and cast your votes on this mailing list. [ ] +1, release the artifacts [ ] -1, don't release, because... This vote is open for 72 hours and will pass unless getting a net negative vote count. All votes are welcome and we encourage everyone to test the release, but only the Logging Services PMC votes are officially counted. == Review Kit The minimum set of steps needed to review the uploaded distribution files in the Subversion repository can be summarized as follows: # Check out the distribution wget --recursive --no-parent --no-host-directories --cut-dirs=5 https://dist.apache.org/repos/dist/dev/logging/log4j # Verify checksums sha512sum --check *.sha512 # Verify signatures wget -O - https://downloads.apache.org/logging/KEYS | gpg --import for sigFile in *.asc; do gpg --verify $sigFile; done # Verify reproduciblity umask 0022 unzip *-src.zip -d src cd src export NEXUS_REPO=https://repository.apache.org/content/repositories/orgapachelogging-1254 sh mvnw -Prelease verify artifact:compare -Dreference.repo=$NEXUS_REPO == Release Notes This release contains only dependency upgrades and bug fixes, which do not change the behavior of the artifacts. While maintaining compatibility with Java 8, the artifacts in this release where generated using JDK 17, unlike version `2.22.0` that used JDK 11. [#release-notes-2-22-1-fixed] === Fixed * Mark `JdkMapAdapterStringMap` as frozen if map is immutable. (#2098) * Fix NPE in `CloseableThreadContext`. (#1426) * Use the module name of Conversant Media Disruptor from version `1.2.16+` of the library. * Fix NPE in `RollingFileManager`. (#1645) * Fix `log4j-to-slf4j` JPMS and OSGi descriptors. (#1983) * Workaround a Coursier/Ivy dependency resolution bug affecting `log4j-slf4j-impl` and `log4j-mongodb3`. (#2065) [#release-notes-2-22-1-updated] === Updated * Bumped the minimum Java version required for the build to Java 17. Runtime requirements remain unchanged. (#2021) * Update `com.github.luben:zstd-jni` to version `1.5.5-11` (#2030) * Update `com.google.guava:guava` to version `33.0.0-jre` (#2110) * Update `commons-codec:commons-codec` to version `1.16.0` (#2042) * Update `commons-io:commons-io` to version `2.15.1` (#2034) * Update `commons-logging:commons-logging` to version `1.3.0` (#2050) * Update `io.netty:netty-bom` to version `4.1.104.Final` (#2095) * Update `org.apache.commons:commons-compress` to version `1.25.0` (#2045) * Update `org.apache.commons:commons-dbcp2` to version `2.11.0` (#2048) * Update `org.apache.commons:commons-lang3` to version `3.14.0` (#2047) * Update `org.apache.commons:commons-pool2` to version `2.12.0` (#2057) * Update `org.apache.kafka:kafka-clients` to version `3.6.1` (#2068) * Update `org.apache.logging:logging-parent` to version `10.5.0` (#2119) * Update `org.jctools:jctools-core` to version `4.0.2` (#1984) * Update `org.springframework.boot:spring-boot` to version `2.7.18` (#1998) * Update `org.springframework.cloud:spring-cloud-dependencies` to version `2021.0.9` (#2109)
