Re: [VOTE] Release Apache Log4j 3.0.0-beta1 (RC2)
Adding my +1. With that, the release passes with 4 binding +1 votes from Piotr, Ralph, Matt, and me. I will continue the release process. On Thu, Dec 21, 2023 at 11:52 PM Matt Sicker wrote: > > +1 > > I’ll note that the reproducibility check fails on log4j-bom this time, but > not a blocker. > > > On Dec 19, 2023, at 3:00 PM, Volkan Yazıcı wrote: > > > > This is a vote to release the Apache Log4j 3.0.0-beta1 RC2. > > > > Website: https://logging.staged.apache.org/log4j/3.x > > GitHub: https://github.com/apache/logging-log4j2 > > Commit: 416cd4dcf419b59c88054d2001d34c7fec010560 > > Distribution: https://dist.apache.org/repos/dist/dev/logging/log4j > > Nexus: > > https://repository.apache.org/content/repositories/orgapachelogging-1252 > > Signing key: 0x077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0 > > > > Please download, test, and cast your votes on this mailing list. > > > > [ ] +1, release the artifacts > > [ ] -1, don't release, because... > > > > This vote is open for 72 hours and will pass unless getting a > > net negative vote count. All votes are welcome and we encourage > > everyone to test the release, but only the Logging Services PMC > > votes are officially counted. > > > > PLEASE USE THIS THREAD ONLY FOR VOTING +1 OR -1. IF YOU HAVE THOUGHTS, > > CONCERNS, QUESTIONS, ETC. SHARE THEM ELSEWHERE. THIS IS A BETA > > RELEASE. WE INTEND TO HAVE SEVERAL OTHER BETA RELEASES. THIS IS NOT > > THE CONCLUSIVE `3.0.0` RELEASE. > > > > == Review Kit > > > > The minimum set of steps needed to review the uploaded distribution > > files in the Subversion repository can be summarized as follows: > > > ># Check out the distribution > >svn co https://dist.apache.org/repos/... && cd $_ > > > ># Verify checksums > >shasum --check *.sha512 > > > ># Verify signatures > >wget -O - https://downloads.apache.org/logging/KEYS | gpg --import > >for sigFile in *.asc; do gpg --verify $sigFile; done > > > ># Verify reproduciblity > >umask 0022 > >unzip *-src.zip -d src > >cd src > >export NEXUS_REPO=https://repository.apache.org/content/... > >sh mvnw -Prelease verify artifact:compare -Dreference.repo=$NEXUS_REPO > > > > == Release Notes > > > > This is the first beta release of the upcoming major release, i.e., `3.0.0`. > > > > === Added > > > > * Add annotations for nullability. (LOG4J2-1477) > > * Remove deprecated code. (LOG4J2-2493) > > * Add a more generalized dependency injection system to plugins > > inspired by JSR 330. (LOG4J2-2803) > > * Add and enhance structured properties for per-context settings > > outside configuration files. (LOG4J2-3299[LOG4J2-3299], #1473) > > * Automate artifact publishing and release preparation. (LOG4J2-3466) > > * Add support for dependency injection of plugins into container types > > such as `Optional`, `Collection`, `Set`, `Stream`, > > `List`, and `Map`. (LOG4J2-3496) > > * Add support for `ConstraintValidator` in plugin classes. (LOG4J2-3497) > > > > === Changed > > > > * Remove liquibase-log4j2 maven module (#1193) > > * Make the output of annotation processing reproducible. (#1520) > > * Replace `synchronized` blocks with locks for improved performance > > with virtual threads. (#1532) > > * Removes additional `isFiltered` checks in `AsyncLoggerConfig`. (#1550) > > * Ignore exceptions thrown by PropertySources. Eliminate > > ClassCastException when SimpleLoggerContext is used. > > (spring-projects/spring-boot#33450, #1799) > > * Update `com.lmax:disruptor` to version `4.0.0` (#1829) > > * Migrate most tests to JUnit 5. This includes a more powerful set of > > test extensions. (LOG4J2-2653) > > * Make Log4j use its own BOM. (LOG4J2-3511) > > * Change encoding of HTTP Basic Authentication to UTF-8. (#1970) > > * Upgraded the required compiler version to Java 17 > > * Upgraded the required runtime version to Java 17 > > * Update `actions/checkout` to version `4.1.1` (#1869) > > * Update `actions/setup-java` to version `3.13.0` (#1809) > > * Update `actions/setup-python` to version `4.7.1` (#1831) > > * Update `ch.qos.logback:logback-classic` to version `1.4.14` (#2028) > > * Update `com.datastax.cassandra:cassandra-driver-core` to version > > `3.11.5` (#1889) > > * Update `com.fasterxml.jackson:jackson-bom` to version `2.16.0` (#1974) > > * Update `com.github.luben:zstd-jni` to version `1.5.5-11` (#2032) > > * Update `com.github.spotbugs:spotbugs-maven-plugin` to version > > `4.7.3.6` (#1879) > > * Update `com.github.tomakehurst:wiremock-jre8` to version `2.35.1` (#1765) > > * Update > > `com.google.code.java-allocation-instrumenter:java-allocation-instrumenter` > > to version `3.3.4` (#2102) > > * Update `com.google.errorprone:error_prone_core` to version `2.23.0` > > (#1871) > > * Update `com.google.guava:guava-testlib` to version `32.1.3-jre` (#1934) > > * Update `com.h2database:h2` to version `2.2.224` (#1917) > > * Update `commons-codec:commons-codec` to version `1.16.0` (#2054) > > * Update `commons-io:commons-io` to ver
Re: [VOTE] Release Apache Log4j 3.0.0-beta1 (RC2)
+1 I’ll note that the reproducibility check fails on log4j-bom this time, but not a blocker. > On Dec 19, 2023, at 3:00 PM, Volkan Yazıcı wrote: > > This is a vote to release the Apache Log4j 3.0.0-beta1 RC2. > > Website: https://logging.staged.apache.org/log4j/3.x > GitHub: https://github.com/apache/logging-log4j2 > Commit: 416cd4dcf419b59c88054d2001d34c7fec010560 > Distribution: https://dist.apache.org/repos/dist/dev/logging/log4j > Nexus: > https://repository.apache.org/content/repositories/orgapachelogging-1252 > Signing key: 0x077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0 > > Please download, test, and cast your votes on this mailing list. > > [ ] +1, release the artifacts > [ ] -1, don't release, because... > > This vote is open for 72 hours and will pass unless getting a > net negative vote count. All votes are welcome and we encourage > everyone to test the release, but only the Logging Services PMC > votes are officially counted. > > PLEASE USE THIS THREAD ONLY FOR VOTING +1 OR -1. IF YOU HAVE THOUGHTS, > CONCERNS, QUESTIONS, ETC. SHARE THEM ELSEWHERE. THIS IS A BETA > RELEASE. WE INTEND TO HAVE SEVERAL OTHER BETA RELEASES. THIS IS NOT > THE CONCLUSIVE `3.0.0` RELEASE. > > == Review Kit > > The minimum set of steps needed to review the uploaded distribution > files in the Subversion repository can be summarized as follows: > ># Check out the distribution >svn co https://dist.apache.org/repos/... && cd $_ > ># Verify checksums >shasum --check *.sha512 > ># Verify signatures >wget -O - https://downloads.apache.org/logging/KEYS | gpg --import >for sigFile in *.asc; do gpg --verify $sigFile; done > ># Verify reproduciblity >umask 0022 >unzip *-src.zip -d src >cd src >export NEXUS_REPO=https://repository.apache.org/content/... >sh mvnw -Prelease verify artifact:compare -Dreference.repo=$NEXUS_REPO > > == Release Notes > > This is the first beta release of the upcoming major release, i.e., `3.0.0`. > > === Added > > * Add annotations for nullability. (LOG4J2-1477) > * Remove deprecated code. (LOG4J2-2493) > * Add a more generalized dependency injection system to plugins > inspired by JSR 330. (LOG4J2-2803) > * Add and enhance structured properties for per-context settings > outside configuration files. (LOG4J2-3299[LOG4J2-3299], #1473) > * Automate artifact publishing and release preparation. (LOG4J2-3466) > * Add support for dependency injection of plugins into container types > such as `Optional`, `Collection`, `Set`, `Stream`, > `List`, and `Map`. (LOG4J2-3496) > * Add support for `ConstraintValidator` in plugin classes. (LOG4J2-3497) > > === Changed > > * Remove liquibase-log4j2 maven module (#1193) > * Make the output of annotation processing reproducible. (#1520) > * Replace `synchronized` blocks with locks for improved performance > with virtual threads. (#1532) > * Removes additional `isFiltered` checks in `AsyncLoggerConfig`. (#1550) > * Ignore exceptions thrown by PropertySources. Eliminate > ClassCastException when SimpleLoggerContext is used. > (spring-projects/spring-boot#33450, #1799) > * Update `com.lmax:disruptor` to version `4.0.0` (#1829) > * Migrate most tests to JUnit 5. This includes a more powerful set of > test extensions. (LOG4J2-2653) > * Make Log4j use its own BOM. (LOG4J2-3511) > * Change encoding of HTTP Basic Authentication to UTF-8. (#1970) > * Upgraded the required compiler version to Java 17 > * Upgraded the required runtime version to Java 17 > * Update `actions/checkout` to version `4.1.1` (#1869) > * Update `actions/setup-java` to version `3.13.0` (#1809) > * Update `actions/setup-python` to version `4.7.1` (#1831) > * Update `ch.qos.logback:logback-classic` to version `1.4.14` (#2028) > * Update `com.datastax.cassandra:cassandra-driver-core` to version > `3.11.5` (#1889) > * Update `com.fasterxml.jackson:jackson-bom` to version `2.16.0` (#1974) > * Update `com.github.luben:zstd-jni` to version `1.5.5-11` (#2032) > * Update `com.github.spotbugs:spotbugs-maven-plugin` to version > `4.7.3.6` (#1879) > * Update `com.github.tomakehurst:wiremock-jre8` to version `2.35.1` (#1765) > * Update > `com.google.code.java-allocation-instrumenter:java-allocation-instrumenter` > to version `3.3.4` (#2102) > * Update `com.google.errorprone:error_prone_core` to version `2.23.0` (#1871) > * Update `com.google.guava:guava-testlib` to version `32.1.3-jre` (#1934) > * Update `com.h2database:h2` to version `2.2.224` (#1917) > * Update `commons-codec:commons-codec` to version `1.16.0` (#2054) > * Update `commons-io:commons-io` to version `2.15.1` (#2035) > * Update `commons-logging:commons-logging` to version `1.3.0` (#2046) > * Update `de.flapdoodle.reverse:de.flapdoodle.reverse` to version > `1.7.2` (#2000) > * Update `io.netty:netty-bom` to version `4.1.104.Final` (#2097) > * Update `net.java.dev.jna:jna` to version `5.14.0` (#2082) > * Update `org.apache.aries.spifly:org.apache.aries.spifly.dynamic.bundle` > to version
Re: [VOTE] Release Apache Log4j 3.0.0-beta1 (RC2)
+1 from me. Everything seems ok. Ralph > On Dec 19, 2023, at 2:00 PM, Volkan Yazıcı wrote: > > This is a vote to release the Apache Log4j 3.0.0-beta1 RC2. > > Website: https://logging.staged.apache.org/log4j/3.x > GitHub: https://github.com/apache/logging-log4j2 > Commit: 416cd4dcf419b59c88054d2001d34c7fec010560 > Distribution: https://dist.apache.org/repos/dist/dev/logging/log4j > Nexus: > https://repository.apache.org/content/repositories/orgapachelogging-1252 > Signing key: 0x077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0 > > Please download, test, and cast your votes on this mailing list. > > [ ] +1, release the artifacts > [ ] -1, don't release, because... > > This vote is open for 72 hours and will pass unless getting a > net negative vote count. All votes are welcome and we encourage > everyone to test the release, but only the Logging Services PMC > votes are officially counted. > > PLEASE USE THIS THREAD ONLY FOR VOTING +1 OR -1. IF YOU HAVE THOUGHTS, > CONCERNS, QUESTIONS, ETC. SHARE THEM ELSEWHERE. THIS IS A BETA > RELEASE. WE INTEND TO HAVE SEVERAL OTHER BETA RELEASES. THIS IS NOT > THE CONCLUSIVE `3.0.0` RELEASE. > > == Review Kit > > The minimum set of steps needed to review the uploaded distribution > files in the Subversion repository can be summarized as follows: > ># Check out the distribution >svn co https://dist.apache.org/repos/... && cd $_ > ># Verify checksums >shasum --check *.sha512 > ># Verify signatures >wget -O - https://downloads.apache.org/logging/KEYS | gpg --import >for sigFile in *.asc; do gpg --verify $sigFile; done > ># Verify reproduciblity >umask 0022 >unzip *-src.zip -d src >cd src >export NEXUS_REPO=https://repository.apache.org/content/... >sh mvnw -Prelease verify artifact:compare -Dreference.repo=$NEXUS_REPO > > == Release Notes > > This is the first beta release of the upcoming major release, i.e., `3.0.0`. > > === Added > > * Add annotations for nullability. (LOG4J2-1477) > * Remove deprecated code. (LOG4J2-2493) > * Add a more generalized dependency injection system to plugins > inspired by JSR 330. (LOG4J2-2803) > * Add and enhance structured properties for per-context settings > outside configuration files. (LOG4J2-3299[LOG4J2-3299], #1473) > * Automate artifact publishing and release preparation. (LOG4J2-3466) > * Add support for dependency injection of plugins into container types > such as `Optional`, `Collection`, `Set`, `Stream`, > `List`, and `Map`. (LOG4J2-3496) > * Add support for `ConstraintValidator` in plugin classes. (LOG4J2-3497) > > === Changed > > * Remove liquibase-log4j2 maven module (#1193) > * Make the output of annotation processing reproducible. (#1520) > * Replace `synchronized` blocks with locks for improved performance > with virtual threads. (#1532) > * Removes additional `isFiltered` checks in `AsyncLoggerConfig`. (#1550) > * Ignore exceptions thrown by PropertySources. Eliminate > ClassCastException when SimpleLoggerContext is used. > (spring-projects/spring-boot#33450, #1799) > * Update `com.lmax:disruptor` to version `4.0.0` (#1829) > * Migrate most tests to JUnit 5. This includes a more powerful set of > test extensions. (LOG4J2-2653) > * Make Log4j use its own BOM. (LOG4J2-3511) > * Change encoding of HTTP Basic Authentication to UTF-8. (#1970) > * Upgraded the required compiler version to Java 17 > * Upgraded the required runtime version to Java 17 > * Update `actions/checkout` to version `4.1.1` (#1869) > * Update `actions/setup-java` to version `3.13.0` (#1809) > * Update `actions/setup-python` to version `4.7.1` (#1831) > * Update `ch.qos.logback:logback-classic` to version `1.4.14` (#2028) > * Update `com.datastax.cassandra:cassandra-driver-core` to version > `3.11.5` (#1889) > * Update `com.fasterxml.jackson:jackson-bom` to version `2.16.0` (#1974) > * Update `com.github.luben:zstd-jni` to version `1.5.5-11` (#2032) > * Update `com.github.spotbugs:spotbugs-maven-plugin` to version > `4.7.3.6` (#1879) > * Update `com.github.tomakehurst:wiremock-jre8` to version `2.35.1` (#1765) > * Update > `com.google.code.java-allocation-instrumenter:java-allocation-instrumenter` > to version `3.3.4` (#2102) > * Update `com.google.errorprone:error_prone_core` to version `2.23.0` (#1871) > * Update `com.google.guava:guava-testlib` to version `32.1.3-jre` (#1934) > * Update `com.h2database:h2` to version `2.2.224` (#1917) > * Update `commons-codec:commons-codec` to version `1.16.0` (#2054) > * Update `commons-io:commons-io` to version `2.15.1` (#2035) > * Update `commons-logging:commons-logging` to version `1.3.0` (#2046) > * Update `de.flapdoodle.reverse:de.flapdoodle.reverse` to version > `1.7.2` (#2000) > * Update `io.netty:netty-bom` to version `4.1.104.Final` (#2097) > * Update `net.java.dev.jna:jna` to version `5.14.0` (#2082) > * Update `org.apache.aries.spifly:org.apache.aries.spifly.dynamic.bundle` > to version `1.3.7` (#2053) > * Update `org.apache.commons:commons
Re: [VOTE] Release Apache Log4j 3.0.0-beta1 (RC2)
Hi Volkan, On Tue, 19 Dec 2023 at 22:00, Volkan Yazıcı wrote: > > This is a vote to release the Apache Log4j 3.0.0-beta1 RC2. > > Website: https://logging.staged.apache.org/log4j/3.x > GitHub: https://github.com/apache/logging-log4j2 > Commit: 416cd4dcf419b59c88054d2001d34c7fec010560 > Distribution: https://dist.apache.org/repos/dist/dev/logging/log4j > Nexus: > https://repository.apache.org/content/repositories/orgapachelogging-1252 > Signing key: 0x077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0 > > Please download, test, and cast your votes on this mailing list. > > [ ] +1, release the artifacts > [ ] -1, don't release, because... I performed: * hashes checks, * signature checks, * ran the tests, * verified reproducibility, * checked for additional `-test-sources.jar` artifacts or their lack. Everything seems in order: +1 Piotr
Re: [VOTE] Release Apache Log4j 3.0.0-beta1
In these universes (projects): Over the years, many RCs in many projects have created zip and tars with missing files because assembly descriptors for the Maven assembly plugin where not updated correctly or created properly in the first place. The src zip and tar is NOT (usually) a dump of EVERYTHING is a svn/git repository. A project might contain many extra files that are not required to build. For example, IIRC I saw an RC once that included the .git hidden folder. Gary On Wed, Dec 20, 2023, 6:56 AM Jochen Wiedmann wrote: > On Tue, Dec 19, 2023 at 2:05 PM Gary Gregory > wrote: > > > Do note that building from sources, not git, is an Apache requirement. > > Okay, but in what universe is building from a Git tag on the sources > (which is, what the release:perform goal does) different from > "building from sources"? > > Jochen >
Re: [VOTE] Release Apache Log4j 3.0.0-beta1
On Tue, Dec 19, 2023 at 2:05 PM Gary Gregory wrote: > Do note that building from sources, not git, is an Apache requirement. Okay, but in what universe is building from a Git tag on the sources (which is, what the release:perform goal does) different from "building from sources"? Jochen
Re: [VOTE] Release Apache Log4j 3.0.0-beta1
Hi On Tue, Dec 19, 2023, at 21:14, Christian Grobmeier wrote: > Hi Ralph > > On Tue, Dec 19, 2023, at 16:20, Ralph Goers wrote: >> The vote has been open for 6 days because we were under the impression >> the vote was going be cancelled based on Piotr’s feedback. I can commit >> to having the review done in 72 hrs if the release is cut today or >> tomorrow. This slow down for me at work this time of the year so >> between now and New Years Day is a great time to get stuff done. > > Volkan must decide, but I assume some of us will be out of the office > starting this Saturday, and I wonder if he will find the time to cut > one (I know what he has left on his plate). > > Could you help out as a release manager in case he can't? > Generally, spreading the knowledge of releasing using the new toy is a > good idea. Disregarding my last message, Volkan found the time it seems. > > Christian > >> Ralph >> >>> On Dec 19, 2023, at 6:12 AM, Christian Grobmeier >>> wrote: >>> >>> Hi Volkan >>> >>> On Tue, Dec 19, 2023, at 13:43, Volkan Yazıcı wrote: I am cancelling this vote. I may try to issue an RC2 this week if time allows. If you think that is inconvenient due to upcoming xmas, and/or you want to issue the RC2 yourself, please let me know. >>> >>> please don't cut an RC2 this week. This vote took 6 days and some nitpicks. >>> I am afraid it might be open over christmas. Apart from that, I know how >>> tight your schedule is, so you may take it as a relief to not cut another >>> one :) >>> >>> Thanks for your hard work! >>> >>> On Wed, Dec 13, 2023 at 4:26 PM Volkan Yazıcı wrote: > This is a vote to release the Apache Log4j 3.0.0-beta1. > > Website: https://logging.staged.apache.org/log4j > GitHub: https://github.com/apache/logging-log4j2 > Commit: c5dbdcfeb0216e1e3e333436e9b4d04cc3b8e6fd > Distribution: https://dist.apache.org/repos/dist/dev/logging/log4j > Nexus: > https://repository.apache.org/content/repositories/orgapachelogging-1246 > Signing key: 0x077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0 > > Please download, test, and cast your votes on this mailing list. > > [ ] +1, release the artifacts > [ ] -1, don't release, because... > > This vote is open for 72 hours and will pass unless getting a > net negative vote count. All votes are welcome and we encourage > everyone to test the release, but only the Logging Services PMC > votes are officially counted. > > == Review Kit > > The minimum set of steps needed to review the uploaded distribution > files in the Subversion repository can be summarized as follows: > ># Check out the distribution >svn co https://dist.apache.org/repos/... && cd $_ > ># Verify checksums >shasum --check *.sha512 > ># Verify signatures >wget -O - https://downloads.apache.org/logging/KEYS | gpg --import >for sigFile in *.asc; do gpg --verify $sigFile; done > ># Verify reproduciblity >umask 0022 >unzip *-src.zip -d src >cd src >export NEXUS_REPO=https://repository.apache.org/content/... >sh mvnw -Prelease \ >verify artifact:compare \ >-Dreference.repo=$NEXUS_REPO \ >-Dcyclonedx.skip > > Some SBOM discrepancy is causing reproducibility mismatch, hence the > `-Dcyclonedx.skip`. Since `2.x` and `main` are greatly diverged, I > couldn't > figure out the missing piece yet. > > == Release Notes > > This is the first beta release of the upcoming major release, i.e., > `3.0.0`. > > === Added > > * Add annotations for nullability. (LOG4J2-1477) > * Remove deprecated code. (LOG4J2-2493) > * Add a more generalized dependency injection system to plugins inspired > by JSR 330. (LOG4J2-2803) > * Add and enhance structured properties for per-context settings outside > configuration files. (1473) > * Automate artifact publishing and release preparation. (LOG4J2-3466) > * Add support for dependency injection of plugins into container types > such as `Optional`, `Collection`, `Set`, `Stream`, `List`, > and `Map`. (LOG4J2-3496) > * Add support for `ConstraintValidator` in plugin classes. (LOG4J2-3497) > > === Changed > > * Remove liquibase-log4j2 maven module (#1193) > * Make the output of annotation processing reproducible. (#1520) > * Replace `synchronized` blocks with locks for improved performance with > virtual threads. (#1532) > * Removes additional `isFiltered` checks in `AsyncLoggerConfig`. (#1550) > * Ignore exceptions thrown by PropertySources. Eliminate > ClassCastException when SimpleLoggerContext is used. > (spring-projects/spring-boot#33450, #1799) > * Update `com.lmax:disruptor` to version `4.0.0` (#1829) > * Migrate most tests to
Re: [VOTE] Release Apache Log4j 3.0.0-beta1
Hi Ralph On Tue, Dec 19, 2023, at 16:20, Ralph Goers wrote: > The vote has been open for 6 days because we were under the impression > the vote was going be cancelled based on Piotr’s feedback. I can commit > to having the review done in 72 hrs if the release is cut today or > tomorrow. This slow down for me at work this time of the year so > between now and New Years Day is a great time to get stuff done. Volkan must decide, but I assume some of us will be out of the office starting this Saturday, and I wonder if he will find the time to cut one (I know what he has left on his plate). Could you help out as a release manager in case he can't? Generally, spreading the knowledge of releasing using the new toy is a good idea. Christian > Ralph > >> On Dec 19, 2023, at 6:12 AM, Christian Grobmeier >> wrote: >> >> Hi Volkan >> >> On Tue, Dec 19, 2023, at 13:43, Volkan Yazıcı wrote: >>> I am cancelling this vote. I may try to issue an RC2 this week if time >>> allows. If you think that is inconvenient due to upcoming xmas, and/or you >>> want to issue the RC2 yourself, please let me know. >> >> please don't cut an RC2 this week. This vote took 6 days and some nitpicks. >> I am afraid it might be open over christmas. Apart from that, I know how >> tight your schedule is, so you may take it as a relief to not cut another >> one :) >> >> Thanks for your hard work! >> >> >>> >>> On Wed, Dec 13, 2023 at 4:26 PM Volkan Yazıcı wrote: >>> This is a vote to release the Apache Log4j 3.0.0-beta1. Website: https://logging.staged.apache.org/log4j GitHub: https://github.com/apache/logging-log4j2 Commit: c5dbdcfeb0216e1e3e333436e9b4d04cc3b8e6fd Distribution: https://dist.apache.org/repos/dist/dev/logging/log4j Nexus: https://repository.apache.org/content/repositories/orgapachelogging-1246 Signing key: 0x077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0 Please download, test, and cast your votes on this mailing list. [ ] +1, release the artifacts [ ] -1, don't release, because... This vote is open for 72 hours and will pass unless getting a net negative vote count. All votes are welcome and we encourage everyone to test the release, but only the Logging Services PMC votes are officially counted. == Review Kit The minimum set of steps needed to review the uploaded distribution files in the Subversion repository can be summarized as follows: # Check out the distribution svn co https://dist.apache.org/repos/... && cd $_ # Verify checksums shasum --check *.sha512 # Verify signatures wget -O - https://downloads.apache.org/logging/KEYS | gpg --import for sigFile in *.asc; do gpg --verify $sigFile; done # Verify reproduciblity umask 0022 unzip *-src.zip -d src cd src export NEXUS_REPO=https://repository.apache.org/content/... sh mvnw -Prelease \ verify artifact:compare \ -Dreference.repo=$NEXUS_REPO \ -Dcyclonedx.skip Some SBOM discrepancy is causing reproducibility mismatch, hence the `-Dcyclonedx.skip`. Since `2.x` and `main` are greatly diverged, I couldn't figure out the missing piece yet. == Release Notes This is the first beta release of the upcoming major release, i.e., `3.0.0`. === Added * Add annotations for nullability. (LOG4J2-1477) * Remove deprecated code. (LOG4J2-2493) * Add a more generalized dependency injection system to plugins inspired by JSR 330. (LOG4J2-2803) * Add and enhance structured properties for per-context settings outside configuration files. (1473) * Automate artifact publishing and release preparation. (LOG4J2-3466) * Add support for dependency injection of plugins into container types such as `Optional`, `Collection`, `Set`, `Stream`, `List`, and `Map`. (LOG4J2-3496) * Add support for `ConstraintValidator` in plugin classes. (LOG4J2-3497) === Changed * Remove liquibase-log4j2 maven module (#1193) * Make the output of annotation processing reproducible. (#1520) * Replace `synchronized` blocks with locks for improved performance with virtual threads. (#1532) * Removes additional `isFiltered` checks in `AsyncLoggerConfig`. (#1550) * Ignore exceptions thrown by PropertySources. Eliminate ClassCastException when SimpleLoggerContext is used. (spring-projects/spring-boot#33450, #1799) * Update `com.lmax:disruptor` to version `4.0.0` (#1829) * Migrate most tests to JUnit 5. This includes a more powerful set of test extensions. (LOG4J2-2653) * Make Log4j use its own BOM. (LOG4J2-3511) * Change encoding of HTTP Basic Authentication to UTF-8. (#1970) * Upgraded the required compiler version to Java 17 *
Re: [VOTE] Release Apache Log4j 3.0.0-beta1
Christian, The vote has been open for 6 days because we were under the impression the vote was going be cancelled based on Piotr’s feedback. I can commit to having the review done in 72 hrs if the release is cut today or tomorrow. This slow down for me at work this time of the year so between now and New Years Day is a great time to get stuff done. Ralph > On Dec 19, 2023, at 6:12 AM, Christian Grobmeier wrote: > > Hi Volkan > > On Tue, Dec 19, 2023, at 13:43, Volkan Yazıcı wrote: >> I am cancelling this vote. I may try to issue an RC2 this week if time >> allows. If you think that is inconvenient due to upcoming xmas, and/or you >> want to issue the RC2 yourself, please let me know. > > please don't cut an RC2 this week. This vote took 6 days and some nitpicks. I > am afraid it might be open over christmas. Apart from that, I know how tight > your schedule is, so you may take it as a relief to not cut another one :) > > Thanks for your hard work! > > >> >> On Wed, Dec 13, 2023 at 4:26 PM Volkan Yazıcı wrote: >> >>> This is a vote to release the Apache Log4j 3.0.0-beta1. >>> >>> Website: https://logging.staged.apache.org/log4j >>> GitHub: https://github.com/apache/logging-log4j2 >>> Commit: c5dbdcfeb0216e1e3e333436e9b4d04cc3b8e6fd >>> Distribution: https://dist.apache.org/repos/dist/dev/logging/log4j >>> Nexus: >>> https://repository.apache.org/content/repositories/orgapachelogging-1246 >>> Signing key: 0x077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0 >>> >>> Please download, test, and cast your votes on this mailing list. >>> >>> [ ] +1, release the artifacts >>> [ ] -1, don't release, because... >>> >>> This vote is open for 72 hours and will pass unless getting a >>> net negative vote count. All votes are welcome and we encourage >>> everyone to test the release, but only the Logging Services PMC >>> votes are officially counted. >>> >>> == Review Kit >>> >>> The minimum set of steps needed to review the uploaded distribution >>> files in the Subversion repository can be summarized as follows: >>> >>># Check out the distribution >>>svn co https://dist.apache.org/repos/... && cd $_ >>> >>># Verify checksums >>>shasum --check *.sha512 >>> >>># Verify signatures >>>wget -O - https://downloads.apache.org/logging/KEYS | gpg --import >>>for sigFile in *.asc; do gpg --verify $sigFile; done >>> >>># Verify reproduciblity >>>umask 0022 >>>unzip *-src.zip -d src >>>cd src >>>export NEXUS_REPO=https://repository.apache.org/content/... >>>sh mvnw -Prelease \ >>>verify artifact:compare \ >>>-Dreference.repo=$NEXUS_REPO \ >>>-Dcyclonedx.skip >>> >>> Some SBOM discrepancy is causing reproducibility mismatch, hence the >>> `-Dcyclonedx.skip`. Since `2.x` and `main` are greatly diverged, I couldn't >>> figure out the missing piece yet. >>> >>> == Release Notes >>> >>> This is the first beta release of the upcoming major release, i.e., >>> `3.0.0`. >>> >>> === Added >>> >>> * Add annotations for nullability. (LOG4J2-1477) >>> * Remove deprecated code. (LOG4J2-2493) >>> * Add a more generalized dependency injection system to plugins inspired >>> by JSR 330. (LOG4J2-2803) >>> * Add and enhance structured properties for per-context settings outside >>> configuration files. (1473) >>> * Automate artifact publishing and release preparation. (LOG4J2-3466) >>> * Add support for dependency injection of plugins into container types >>> such as `Optional`, `Collection`, `Set`, `Stream`, `List`, >>> and `Map`. (LOG4J2-3496) >>> * Add support for `ConstraintValidator` in plugin classes. (LOG4J2-3497) >>> >>> === Changed >>> >>> * Remove liquibase-log4j2 maven module (#1193) >>> * Make the output of annotation processing reproducible. (#1520) >>> * Replace `synchronized` blocks with locks for improved performance with >>> virtual threads. (#1532) >>> * Removes additional `isFiltered` checks in `AsyncLoggerConfig`. (#1550) >>> * Ignore exceptions thrown by PropertySources. Eliminate >>> ClassCastException when SimpleLoggerContext is used. >>> (spring-projects/spring-boot#33450, #1799) >>> * Update `com.lmax:disruptor` to version `4.0.0` (#1829) >>> * Migrate most tests to JUnit 5. This includes a more powerful set of test >>> extensions. (LOG4J2-2653) >>> * Make Log4j use its own BOM. (LOG4J2-3511) >>> * Change encoding of HTTP Basic Authentication to UTF-8. (#1970) >>> * Upgraded the required compiler version to Java 17 >>> * Upgraded the required runtime version to Java 17 >>> * Update `actions/checkout` to version `4.1.1` (#1869) >>> * Update `actions/setup-java` to version `3.13.0` (#1809) >>> * Update `actions/setup-python` to version `4.7.1` (#1831) >>> * Update `ch.qos.logback:logback-classic` to version `1.4.14` (#2028) >>> * Update `com.datastax.cassandra:cassandra-driver-core` to version >>> `3.11.5` (#1889) >>> * Update `com.fasterxml.jackson:jackson-bom` to version `2.16.0` (#1974) >>> * Update `com.github.luben:zstd-j
Re: [VOTE] Release Apache Log4j 3.0.0-beta1
Hi Gary, On Tue, 19 Dec 2023 at 14:05, Gary Gregory wrote: > Do note that building from sources, not git, is an Apache requirement. IIRC > reproducibility is a nice-to-have for Apache, but are we making this a > Logging or Log4J requirement? Reproducibility is a requirement from the Apache Security team to allow publishing CI-generated artifacts. Since we don't own the machine that generates the artifacts, we must check the results it gives us. Of course I am taking reproducibility to an extreme: nobody (even `jvm-repo-rebuild/reproducible-central`) cares if Javadoc or source JARs are reproducible. And this is the case of 3.0.0-beta1 RC1: the `test-sources.jar` files are not reproducible, while the rest is. Piotr
Re: [VOTE] Release Apache Log4j 3.0.0-beta1
Hi Volkan On Tue, Dec 19, 2023, at 13:43, Volkan Yazıcı wrote: > I am cancelling this vote. I may try to issue an RC2 this week if time > allows. If you think that is inconvenient due to upcoming xmas, and/or you > want to issue the RC2 yourself, please let me know. please don't cut an RC2 this week. This vote took 6 days and some nitpicks. I am afraid it might be open over christmas. Apart from that, I know how tight your schedule is, so you may take it as a relief to not cut another one :) Thanks for your hard work! > > On Wed, Dec 13, 2023 at 4:26 PM Volkan Yazıcı wrote: > >> This is a vote to release the Apache Log4j 3.0.0-beta1. >> >> Website: https://logging.staged.apache.org/log4j >> GitHub: https://github.com/apache/logging-log4j2 >> Commit: c5dbdcfeb0216e1e3e333436e9b4d04cc3b8e6fd >> Distribution: https://dist.apache.org/repos/dist/dev/logging/log4j >> Nexus: >> https://repository.apache.org/content/repositories/orgapachelogging-1246 >> Signing key: 0x077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0 >> >> Please download, test, and cast your votes on this mailing list. >> >> [ ] +1, release the artifacts >> [ ] -1, don't release, because... >> >> This vote is open for 72 hours and will pass unless getting a >> net negative vote count. All votes are welcome and we encourage >> everyone to test the release, but only the Logging Services PMC >> votes are officially counted. >> >> == Review Kit >> >> The minimum set of steps needed to review the uploaded distribution >> files in the Subversion repository can be summarized as follows: >> >> # Check out the distribution >> svn co https://dist.apache.org/repos/... && cd $_ >> >> # Verify checksums >> shasum --check *.sha512 >> >> # Verify signatures >> wget -O - https://downloads.apache.org/logging/KEYS | gpg --import >> for sigFile in *.asc; do gpg --verify $sigFile; done >> >> # Verify reproduciblity >> umask 0022 >> unzip *-src.zip -d src >> cd src >> export NEXUS_REPO=https://repository.apache.org/content/... >> sh mvnw -Prelease \ >> verify artifact:compare \ >> -Dreference.repo=$NEXUS_REPO \ >> -Dcyclonedx.skip >> >> Some SBOM discrepancy is causing reproducibility mismatch, hence the >> `-Dcyclonedx.skip`. Since `2.x` and `main` are greatly diverged, I couldn't >> figure out the missing piece yet. >> >> == Release Notes >> >> This is the first beta release of the upcoming major release, i.e., >> `3.0.0`. >> >> === Added >> >> * Add annotations for nullability. (LOG4J2-1477) >> * Remove deprecated code. (LOG4J2-2493) >> * Add a more generalized dependency injection system to plugins inspired >> by JSR 330. (LOG4J2-2803) >> * Add and enhance structured properties for per-context settings outside >> configuration files. (1473) >> * Automate artifact publishing and release preparation. (LOG4J2-3466) >> * Add support for dependency injection of plugins into container types >> such as `Optional`, `Collection`, `Set`, `Stream`, `List`, >> and `Map`. (LOG4J2-3496) >> * Add support for `ConstraintValidator` in plugin classes. (LOG4J2-3497) >> >> === Changed >> >> * Remove liquibase-log4j2 maven module (#1193) >> * Make the output of annotation processing reproducible. (#1520) >> * Replace `synchronized` blocks with locks for improved performance with >> virtual threads. (#1532) >> * Removes additional `isFiltered` checks in `AsyncLoggerConfig`. (#1550) >> * Ignore exceptions thrown by PropertySources. Eliminate >> ClassCastException when SimpleLoggerContext is used. >> (spring-projects/spring-boot#33450, #1799) >> * Update `com.lmax:disruptor` to version `4.0.0` (#1829) >> * Migrate most tests to JUnit 5. This includes a more powerful set of test >> extensions. (LOG4J2-2653) >> * Make Log4j use its own BOM. (LOG4J2-3511) >> * Change encoding of HTTP Basic Authentication to UTF-8. (#1970) >> * Upgraded the required compiler version to Java 17 >> * Upgraded the required runtime version to Java 17 >> * Update `actions/checkout` to version `4.1.1` (#1869) >> * Update `actions/setup-java` to version `3.13.0` (#1809) >> * Update `actions/setup-python` to version `4.7.1` (#1831) >> * Update `ch.qos.logback:logback-classic` to version `1.4.14` (#2028) >> * Update `com.datastax.cassandra:cassandra-driver-core` to version >> `3.11.5` (#1889) >> * Update `com.fasterxml.jackson:jackson-bom` to version `2.16.0` (#1974) >> * Update `com.github.luben:zstd-jni` to version `1.5.5-11` (#2032) >> * Update `com.github.spotbugs:spotbugs-maven-plugin` to version `4.7.3.6` >> (#1879) >> * Update `com.github.tomakehurst:wiremock-jre8` to version `2.35.1` (#1765) >> * Update `com.google.errorprone:error_prone_core` to version `2.23.0` >> (#1871) >> * Update `com.google.guava:guava-testlib` to version `32.1.3-jre` (#1934) >> * Update `com.h2database:h2` to version `2.2.224` (#1917) >> * Update `commons-codec:commons-codec` to version `1.16.0` (#2054) >> * Update `commons-io:commons-io` to version `2.15.1` (
Re: [VOTE] Release Apache Log4j 3.0.0-beta1
Hi all, Do note that building from sources, not git, is an Apache requirement. IIRC reproducibility is a nice-to-have for Apache, but are we making this a Logging or Log4J requirement? So a review should not be based on a git tag IMO, it should be based on downloading the src zip or tar and building from that, which is what a Linux distribution that builds everything from first principles would do. Gary On Tue, Dec 19, 2023, 3:31 AM Piotr P. Karwasz wrote: > Hi Gary, > > On Thu, 14 Dec 2023 at 21:39, Gary Gregory wrote: > > If you write "Please don't release this.", then you should vote -1. Or > am I > > missing something? > > You are right. I am voting -1, because of the `*-test-sources.jar` > artifacts in the Maven repository. > > Reproducibility is not an issue, we just need to use the Git tag > instead of the source archive. > > Piotr >
Re: [VOTE] Release Apache Log4j 3.0.0-beta1
I am cancelling this vote. I may try to issue an RC2 this week if time allows. If you think that is inconvenient due to upcoming xmas, and/or you want to issue the RC2 yourself, please let me know. On Wed, Dec 13, 2023 at 4:26 PM Volkan Yazıcı wrote: > This is a vote to release the Apache Log4j 3.0.0-beta1. > > Website: https://logging.staged.apache.org/log4j > GitHub: https://github.com/apache/logging-log4j2 > Commit: c5dbdcfeb0216e1e3e333436e9b4d04cc3b8e6fd > Distribution: https://dist.apache.org/repos/dist/dev/logging/log4j > Nexus: > https://repository.apache.org/content/repositories/orgapachelogging-1246 > Signing key: 0x077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0 > > Please download, test, and cast your votes on this mailing list. > > [ ] +1, release the artifacts > [ ] -1, don't release, because... > > This vote is open for 72 hours and will pass unless getting a > net negative vote count. All votes are welcome and we encourage > everyone to test the release, but only the Logging Services PMC > votes are officially counted. > > == Review Kit > > The minimum set of steps needed to review the uploaded distribution > files in the Subversion repository can be summarized as follows: > > # Check out the distribution > svn co https://dist.apache.org/repos/... && cd $_ > > # Verify checksums > shasum --check *.sha512 > > # Verify signatures > wget -O - https://downloads.apache.org/logging/KEYS | gpg --import > for sigFile in *.asc; do gpg --verify $sigFile; done > > # Verify reproduciblity > umask 0022 > unzip *-src.zip -d src > cd src > export NEXUS_REPO=https://repository.apache.org/content/... > sh mvnw -Prelease \ > verify artifact:compare \ > -Dreference.repo=$NEXUS_REPO \ > -Dcyclonedx.skip > > Some SBOM discrepancy is causing reproducibility mismatch, hence the > `-Dcyclonedx.skip`. Since `2.x` and `main` are greatly diverged, I couldn't > figure out the missing piece yet. > > == Release Notes > > This is the first beta release of the upcoming major release, i.e., > `3.0.0`. > > === Added > > * Add annotations for nullability. (LOG4J2-1477) > * Remove deprecated code. (LOG4J2-2493) > * Add a more generalized dependency injection system to plugins inspired > by JSR 330. (LOG4J2-2803) > * Add and enhance structured properties for per-context settings outside > configuration files. (1473) > * Automate artifact publishing and release preparation. (LOG4J2-3466) > * Add support for dependency injection of plugins into container types > such as `Optional`, `Collection`, `Set`, `Stream`, `List`, > and `Map`. (LOG4J2-3496) > * Add support for `ConstraintValidator` in plugin classes. (LOG4J2-3497) > > === Changed > > * Remove liquibase-log4j2 maven module (#1193) > * Make the output of annotation processing reproducible. (#1520) > * Replace `synchronized` blocks with locks for improved performance with > virtual threads. (#1532) > * Removes additional `isFiltered` checks in `AsyncLoggerConfig`. (#1550) > * Ignore exceptions thrown by PropertySources. Eliminate > ClassCastException when SimpleLoggerContext is used. > (spring-projects/spring-boot#33450, #1799) > * Update `com.lmax:disruptor` to version `4.0.0` (#1829) > * Migrate most tests to JUnit 5. This includes a more powerful set of test > extensions. (LOG4J2-2653) > * Make Log4j use its own BOM. (LOG4J2-3511) > * Change encoding of HTTP Basic Authentication to UTF-8. (#1970) > * Upgraded the required compiler version to Java 17 > * Upgraded the required runtime version to Java 17 > * Update `actions/checkout` to version `4.1.1` (#1869) > * Update `actions/setup-java` to version `3.13.0` (#1809) > * Update `actions/setup-python` to version `4.7.1` (#1831) > * Update `ch.qos.logback:logback-classic` to version `1.4.14` (#2028) > * Update `com.datastax.cassandra:cassandra-driver-core` to version > `3.11.5` (#1889) > * Update `com.fasterxml.jackson:jackson-bom` to version `2.16.0` (#1974) > * Update `com.github.luben:zstd-jni` to version `1.5.5-11` (#2032) > * Update `com.github.spotbugs:spotbugs-maven-plugin` to version `4.7.3.6` > (#1879) > * Update `com.github.tomakehurst:wiremock-jre8` to version `2.35.1` (#1765) > * Update `com.google.errorprone:error_prone_core` to version `2.23.0` > (#1871) > * Update `com.google.guava:guava-testlib` to version `32.1.3-jre` (#1934) > * Update `com.h2database:h2` to version `2.2.224` (#1917) > * Update `commons-codec:commons-codec` to version `1.16.0` (#2054) > * Update `commons-io:commons-io` to version `2.15.1` (#2035) > * Update `commons-logging:commons-logging` to version `1.3.0` (#2046) > * Update `de.flapdoodle.reverse:de.flapdoodle.reverse` to version `1.7.2` > (#2000) > * Update `io.netty:netty-bom` to version `4.1.101.Final` (#1999) > * Update `net.java.dev.jna:jna` to version `5.14.0` (#2082) > * Update `org.apache.aries.spifly:org.apache.aries.spifly.dynamic.bundle` > to version `1.3.7` (#2053) > * Update `org.apache.commons:commons-c
Re: [VOTE] Release Apache Log4j 3.0.0-beta1
Hi Gary, On Thu, 14 Dec 2023 at 21:39, Gary Gregory wrote: > If you write "Please don't release this.", then you should vote -1. Or am I > missing something? You are right. I am voting -1, because of the `*-test-sources.jar` artifacts in the Maven repository. Reproducibility is not an issue, we just need to use the Git tag instead of the source archive. Piotr
Re: [VOTE] Release Apache Log4j 3.0.0-beta1
+1 > On Dec 18, 2023, at 2:45 PM, Matt Sicker wrote: > > We can review this without doing a reproducibility check. The signatures of > everything look good; just doing some final validations before voting. > >> On Dec 18, 2023, at 6:38 AM, Gary Gregory wrote: >> >> Since Piotr asked for a fix and Matt can reproduce the issue, I'm not going >> to take the time.to review this RC. >> >> Gary >> >> On Mon, Dec 18, 2023, 3:21 AM Volkan Yazıcı wrote: >> >>> Even though the vote was intended for 72 hours, it has been 5 days and >>> there hasn't been any official votes on the release. I will wait for >>> another 24 hours and cancel the release. I will appreciate PMC members' >>> participation in the voting. >>> >>> On Wed, Dec 13, 2023 at 4:26 PM Volkan Yazıcı wrote: >>> This is a vote to release the Apache Log4j 3.0.0-beta1. Website: https://logging.staged.apache.org/log4j GitHub: https://github.com/apache/logging-log4j2 Commit: c5dbdcfeb0216e1e3e333436e9b4d04cc3b8e6fd Distribution: https://dist.apache.org/repos/dist/dev/logging/log4j Nexus: https://repository.apache.org/content/repositories/orgapachelogging-1246 Signing key: 0x077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0 Please download, test, and cast your votes on this mailing list. [ ] +1, release the artifacts [ ] -1, don't release, because... This vote is open for 72 hours and will pass unless getting a net negative vote count. All votes are welcome and we encourage everyone to test the release, but only the Logging Services PMC votes are officially counted. == Review Kit The minimum set of steps needed to review the uploaded distribution files in the Subversion repository can be summarized as follows: # Check out the distribution svn co https://dist.apache.org/repos/... && cd $_ # Verify checksums shasum --check *.sha512 # Verify signatures wget -O - https://downloads.apache.org/logging/KEYS | gpg --import for sigFile in *.asc; do gpg --verify $sigFile; done # Verify reproduciblity umask 0022 unzip *-src.zip -d src cd src export NEXUS_REPO=https://repository.apache.org/content/... sh mvnw -Prelease \ verify artifact:compare \ -Dreference.repo=$NEXUS_REPO \ -Dcyclonedx.skip Some SBOM discrepancy is causing reproducibility mismatch, hence the `-Dcyclonedx.skip`. Since `2.x` and `main` are greatly diverged, I >>> couldn't figure out the missing piece yet. == Release Notes This is the first beta release of the upcoming major release, i.e., `3.0.0`. === Added * Add annotations for nullability. (LOG4J2-1477) * Remove deprecated code. (LOG4J2-2493) * Add a more generalized dependency injection system to plugins inspired by JSR 330. (LOG4J2-2803) * Add and enhance structured properties for per-context settings outside configuration files. (1473) * Automate artifact publishing and release preparation. (LOG4J2-3466) * Add support for dependency injection of plugins into container types such as `Optional`, `Collection`, `Set`, `Stream`, `List`, and `Map`. (LOG4J2-3496) * Add support for `ConstraintValidator` in plugin classes. (LOG4J2-3497) === Changed * Remove liquibase-log4j2 maven module (#1193) * Make the output of annotation processing reproducible. (#1520) * Replace `synchronized` blocks with locks for improved performance with virtual threads. (#1532) * Removes additional `isFiltered` checks in `AsyncLoggerConfig`. (#1550) * Ignore exceptions thrown by PropertySources. Eliminate ClassCastException when SimpleLoggerContext is used. (spring-projects/spring-boot#33450, #1799) * Update `com.lmax:disruptor` to version `4.0.0` (#1829) * Migrate most tests to JUnit 5. This includes a more powerful set of >>> test extensions. (LOG4J2-2653) * Make Log4j use its own BOM. (LOG4J2-3511) * Change encoding of HTTP Basic Authentication to UTF-8. (#1970) * Upgraded the required compiler version to Java 17 * Upgraded the required runtime version to Java 17 * Update `actions/checkout` to version `4.1.1` (#1869) * Update `actions/setup-java` to version `3.13.0` (#1809) * Update `actions/setup-python` to version `4.7.1` (#1831) * Update `ch.qos.logback:logback-classic` to version `1.4.14` (#2028) * Update `com.datastax.cassandra:cassandra-driver-core` to version `3.11.5` (#1889) * Update `com.fasterxml.jackson:jackson-bom` to version `2.16.0` (#1974) * Update `com.github.luben:zstd-jni` to version `1.5.5-11` (#2032) * Update `com.github.spotbugs:spotbugs-maven-plugin` to version `4.7.3.6` (#1879) * Update `com.github.tomakehurst:wiremock-j
Re: [VOTE] Release Apache Log4j 3.0.0-beta1
We can review this without doing a reproducibility check. The signatures of everything look good; just doing some final validations before voting. > On Dec 18, 2023, at 6:38 AM, Gary Gregory wrote: > > Since Piotr asked for a fix and Matt can reproduce the issue, I'm not going > to take the time.to review this RC. > > Gary > > On Mon, Dec 18, 2023, 3:21 AM Volkan Yazıcı wrote: > >> Even though the vote was intended for 72 hours, it has been 5 days and >> there hasn't been any official votes on the release. I will wait for >> another 24 hours and cancel the release. I will appreciate PMC members' >> participation in the voting. >> >> On Wed, Dec 13, 2023 at 4:26 PM Volkan Yazıcı wrote: >> >>> This is a vote to release the Apache Log4j 3.0.0-beta1. >>> >>> Website: https://logging.staged.apache.org/log4j >>> GitHub: https://github.com/apache/logging-log4j2 >>> Commit: c5dbdcfeb0216e1e3e333436e9b4d04cc3b8e6fd >>> Distribution: https://dist.apache.org/repos/dist/dev/logging/log4j >>> Nexus: >>> https://repository.apache.org/content/repositories/orgapachelogging-1246 >>> Signing key: 0x077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0 >>> >>> Please download, test, and cast your votes on this mailing list. >>> >>> [ ] +1, release the artifacts >>> [ ] -1, don't release, because... >>> >>> This vote is open for 72 hours and will pass unless getting a >>> net negative vote count. All votes are welcome and we encourage >>> everyone to test the release, but only the Logging Services PMC >>> votes are officially counted. >>> >>> == Review Kit >>> >>> The minimum set of steps needed to review the uploaded distribution >>> files in the Subversion repository can be summarized as follows: >>> >>># Check out the distribution >>>svn co https://dist.apache.org/repos/... && cd $_ >>> >>># Verify checksums >>>shasum --check *.sha512 >>> >>># Verify signatures >>>wget -O - https://downloads.apache.org/logging/KEYS | gpg --import >>>for sigFile in *.asc; do gpg --verify $sigFile; done >>> >>># Verify reproduciblity >>>umask 0022 >>>unzip *-src.zip -d src >>>cd src >>>export NEXUS_REPO=https://repository.apache.org/content/... >>>sh mvnw -Prelease \ >>>verify artifact:compare \ >>>-Dreference.repo=$NEXUS_REPO \ >>>-Dcyclonedx.skip >>> >>> Some SBOM discrepancy is causing reproducibility mismatch, hence the >>> `-Dcyclonedx.skip`. Since `2.x` and `main` are greatly diverged, I >> couldn't >>> figure out the missing piece yet. >>> >>> == Release Notes >>> >>> This is the first beta release of the upcoming major release, i.e., >>> `3.0.0`. >>> >>> === Added >>> >>> * Add annotations for nullability. (LOG4J2-1477) >>> * Remove deprecated code. (LOG4J2-2493) >>> * Add a more generalized dependency injection system to plugins inspired >>> by JSR 330. (LOG4J2-2803) >>> * Add and enhance structured properties for per-context settings outside >>> configuration files. (1473) >>> * Automate artifact publishing and release preparation. (LOG4J2-3466) >>> * Add support for dependency injection of plugins into container types >>> such as `Optional`, `Collection`, `Set`, `Stream`, `List`, >>> and `Map`. (LOG4J2-3496) >>> * Add support for `ConstraintValidator` in plugin classes. (LOG4J2-3497) >>> >>> === Changed >>> >>> * Remove liquibase-log4j2 maven module (#1193) >>> * Make the output of annotation processing reproducible. (#1520) >>> * Replace `synchronized` blocks with locks for improved performance with >>> virtual threads. (#1532) >>> * Removes additional `isFiltered` checks in `AsyncLoggerConfig`. (#1550) >>> * Ignore exceptions thrown by PropertySources. Eliminate >>> ClassCastException when SimpleLoggerContext is used. >>> (spring-projects/spring-boot#33450, #1799) >>> * Update `com.lmax:disruptor` to version `4.0.0` (#1829) >>> * Migrate most tests to JUnit 5. This includes a more powerful set of >> test >>> extensions. (LOG4J2-2653) >>> * Make Log4j use its own BOM. (LOG4J2-3511) >>> * Change encoding of HTTP Basic Authentication to UTF-8. (#1970) >>> * Upgraded the required compiler version to Java 17 >>> * Upgraded the required runtime version to Java 17 >>> * Update `actions/checkout` to version `4.1.1` (#1869) >>> * Update `actions/setup-java` to version `3.13.0` (#1809) >>> * Update `actions/setup-python` to version `4.7.1` (#1831) >>> * Update `ch.qos.logback:logback-classic` to version `1.4.14` (#2028) >>> * Update `com.datastax.cassandra:cassandra-driver-core` to version >>> `3.11.5` (#1889) >>> * Update `com.fasterxml.jackson:jackson-bom` to version `2.16.0` (#1974) >>> * Update `com.github.luben:zstd-jni` to version `1.5.5-11` (#2032) >>> * Update `com.github.spotbugs:spotbugs-maven-plugin` to version `4.7.3.6` >>> (#1879) >>> * Update `com.github.tomakehurst:wiremock-jre8` to version `2.35.1` >> (#1765) >>> * Update `com.google.errorprone:error_prone_core` to version `2.23.0` >>> (#1871) >>> * Update `com.google.guava:guava-tes
Re: [VOTE] Release Apache Log4j 3.0.0-beta1
Since Piotr asked for a fix and Matt can reproduce the issue, I'm not going to take the time.to review this RC. Gary On Mon, Dec 18, 2023, 3:21 AM Volkan Yazıcı wrote: > Even though the vote was intended for 72 hours, it has been 5 days and > there hasn't been any official votes on the release. I will wait for > another 24 hours and cancel the release. I will appreciate PMC members' > participation in the voting. > > On Wed, Dec 13, 2023 at 4:26 PM Volkan Yazıcı wrote: > > > This is a vote to release the Apache Log4j 3.0.0-beta1. > > > > Website: https://logging.staged.apache.org/log4j > > GitHub: https://github.com/apache/logging-log4j2 > > Commit: c5dbdcfeb0216e1e3e333436e9b4d04cc3b8e6fd > > Distribution: https://dist.apache.org/repos/dist/dev/logging/log4j > > Nexus: > > https://repository.apache.org/content/repositories/orgapachelogging-1246 > > Signing key: 0x077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0 > > > > Please download, test, and cast your votes on this mailing list. > > > > [ ] +1, release the artifacts > > [ ] -1, don't release, because... > > > > This vote is open for 72 hours and will pass unless getting a > > net negative vote count. All votes are welcome and we encourage > > everyone to test the release, but only the Logging Services PMC > > votes are officially counted. > > > > == Review Kit > > > > The minimum set of steps needed to review the uploaded distribution > > files in the Subversion repository can be summarized as follows: > > > > # Check out the distribution > > svn co https://dist.apache.org/repos/... && cd $_ > > > > # Verify checksums > > shasum --check *.sha512 > > > > # Verify signatures > > wget -O - https://downloads.apache.org/logging/KEYS | gpg --import > > for sigFile in *.asc; do gpg --verify $sigFile; done > > > > # Verify reproduciblity > > umask 0022 > > unzip *-src.zip -d src > > cd src > > export NEXUS_REPO=https://repository.apache.org/content/... > > sh mvnw -Prelease \ > > verify artifact:compare \ > > -Dreference.repo=$NEXUS_REPO \ > > -Dcyclonedx.skip > > > > Some SBOM discrepancy is causing reproducibility mismatch, hence the > > `-Dcyclonedx.skip`. Since `2.x` and `main` are greatly diverged, I > couldn't > > figure out the missing piece yet. > > > > == Release Notes > > > > This is the first beta release of the upcoming major release, i.e., > > `3.0.0`. > > > > === Added > > > > * Add annotations for nullability. (LOG4J2-1477) > > * Remove deprecated code. (LOG4J2-2493) > > * Add a more generalized dependency injection system to plugins inspired > > by JSR 330. (LOG4J2-2803) > > * Add and enhance structured properties for per-context settings outside > > configuration files. (1473) > > * Automate artifact publishing and release preparation. (LOG4J2-3466) > > * Add support for dependency injection of plugins into container types > > such as `Optional`, `Collection`, `Set`, `Stream`, `List`, > > and `Map`. (LOG4J2-3496) > > * Add support for `ConstraintValidator` in plugin classes. (LOG4J2-3497) > > > > === Changed > > > > * Remove liquibase-log4j2 maven module (#1193) > > * Make the output of annotation processing reproducible. (#1520) > > * Replace `synchronized` blocks with locks for improved performance with > > virtual threads. (#1532) > > * Removes additional `isFiltered` checks in `AsyncLoggerConfig`. (#1550) > > * Ignore exceptions thrown by PropertySources. Eliminate > > ClassCastException when SimpleLoggerContext is used. > > (spring-projects/spring-boot#33450, #1799) > > * Update `com.lmax:disruptor` to version `4.0.0` (#1829) > > * Migrate most tests to JUnit 5. This includes a more powerful set of > test > > extensions. (LOG4J2-2653) > > * Make Log4j use its own BOM. (LOG4J2-3511) > > * Change encoding of HTTP Basic Authentication to UTF-8. (#1970) > > * Upgraded the required compiler version to Java 17 > > * Upgraded the required runtime version to Java 17 > > * Update `actions/checkout` to version `4.1.1` (#1869) > > * Update `actions/setup-java` to version `3.13.0` (#1809) > > * Update `actions/setup-python` to version `4.7.1` (#1831) > > * Update `ch.qos.logback:logback-classic` to version `1.4.14` (#2028) > > * Update `com.datastax.cassandra:cassandra-driver-core` to version > > `3.11.5` (#1889) > > * Update `com.fasterxml.jackson:jackson-bom` to version `2.16.0` (#1974) > > * Update `com.github.luben:zstd-jni` to version `1.5.5-11` (#2032) > > * Update `com.github.spotbugs:spotbugs-maven-plugin` to version `4.7.3.6` > > (#1879) > > * Update `com.github.tomakehurst:wiremock-jre8` to version `2.35.1` > (#1765) > > * Update `com.google.errorprone:error_prone_core` to version `2.23.0` > > (#1871) > > * Update `com.google.guava:guava-testlib` to version `32.1.3-jre` (#1934) > > * Update `com.h2database:h2` to version `2.2.224` (#1917) > > * Update `commons-codec:commons-codec` to version `1.16.0` (#2054) > > * Update `commons-io:commons-io` to version `2.15.1` (#2
Re: [VOTE] Release Apache Log4j 3.0.0-beta1
Even though the vote was intended for 72 hours, it has been 5 days and there hasn't been any official votes on the release. I will wait for another 24 hours and cancel the release. I will appreciate PMC members' participation in the voting. On Wed, Dec 13, 2023 at 4:26 PM Volkan Yazıcı wrote: > This is a vote to release the Apache Log4j 3.0.0-beta1. > > Website: https://logging.staged.apache.org/log4j > GitHub: https://github.com/apache/logging-log4j2 > Commit: c5dbdcfeb0216e1e3e333436e9b4d04cc3b8e6fd > Distribution: https://dist.apache.org/repos/dist/dev/logging/log4j > Nexus: > https://repository.apache.org/content/repositories/orgapachelogging-1246 > Signing key: 0x077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0 > > Please download, test, and cast your votes on this mailing list. > > [ ] +1, release the artifacts > [ ] -1, don't release, because... > > This vote is open for 72 hours and will pass unless getting a > net negative vote count. All votes are welcome and we encourage > everyone to test the release, but only the Logging Services PMC > votes are officially counted. > > == Review Kit > > The minimum set of steps needed to review the uploaded distribution > files in the Subversion repository can be summarized as follows: > > # Check out the distribution > svn co https://dist.apache.org/repos/... && cd $_ > > # Verify checksums > shasum --check *.sha512 > > # Verify signatures > wget -O - https://downloads.apache.org/logging/KEYS | gpg --import > for sigFile in *.asc; do gpg --verify $sigFile; done > > # Verify reproduciblity > umask 0022 > unzip *-src.zip -d src > cd src > export NEXUS_REPO=https://repository.apache.org/content/... > sh mvnw -Prelease \ > verify artifact:compare \ > -Dreference.repo=$NEXUS_REPO \ > -Dcyclonedx.skip > > Some SBOM discrepancy is causing reproducibility mismatch, hence the > `-Dcyclonedx.skip`. Since `2.x` and `main` are greatly diverged, I couldn't > figure out the missing piece yet. > > == Release Notes > > This is the first beta release of the upcoming major release, i.e., > `3.0.0`. > > === Added > > * Add annotations for nullability. (LOG4J2-1477) > * Remove deprecated code. (LOG4J2-2493) > * Add a more generalized dependency injection system to plugins inspired > by JSR 330. (LOG4J2-2803) > * Add and enhance structured properties for per-context settings outside > configuration files. (1473) > * Automate artifact publishing and release preparation. (LOG4J2-3466) > * Add support for dependency injection of plugins into container types > such as `Optional`, `Collection`, `Set`, `Stream`, `List`, > and `Map`. (LOG4J2-3496) > * Add support for `ConstraintValidator` in plugin classes. (LOG4J2-3497) > > === Changed > > * Remove liquibase-log4j2 maven module (#1193) > * Make the output of annotation processing reproducible. (#1520) > * Replace `synchronized` blocks with locks for improved performance with > virtual threads. (#1532) > * Removes additional `isFiltered` checks in `AsyncLoggerConfig`. (#1550) > * Ignore exceptions thrown by PropertySources. Eliminate > ClassCastException when SimpleLoggerContext is used. > (spring-projects/spring-boot#33450, #1799) > * Update `com.lmax:disruptor` to version `4.0.0` (#1829) > * Migrate most tests to JUnit 5. This includes a more powerful set of test > extensions. (LOG4J2-2653) > * Make Log4j use its own BOM. (LOG4J2-3511) > * Change encoding of HTTP Basic Authentication to UTF-8. (#1970) > * Upgraded the required compiler version to Java 17 > * Upgraded the required runtime version to Java 17 > * Update `actions/checkout` to version `4.1.1` (#1869) > * Update `actions/setup-java` to version `3.13.0` (#1809) > * Update `actions/setup-python` to version `4.7.1` (#1831) > * Update `ch.qos.logback:logback-classic` to version `1.4.14` (#2028) > * Update `com.datastax.cassandra:cassandra-driver-core` to version > `3.11.5` (#1889) > * Update `com.fasterxml.jackson:jackson-bom` to version `2.16.0` (#1974) > * Update `com.github.luben:zstd-jni` to version `1.5.5-11` (#2032) > * Update `com.github.spotbugs:spotbugs-maven-plugin` to version `4.7.3.6` > (#1879) > * Update `com.github.tomakehurst:wiremock-jre8` to version `2.35.1` (#1765) > * Update `com.google.errorprone:error_prone_core` to version `2.23.0` > (#1871) > * Update `com.google.guava:guava-testlib` to version `32.1.3-jre` (#1934) > * Update `com.h2database:h2` to version `2.2.224` (#1917) > * Update `commons-codec:commons-codec` to version `1.16.0` (#2054) > * Update `commons-io:commons-io` to version `2.15.1` (#2035) > * Update `commons-logging:commons-logging` to version `1.3.0` (#2046) > * Update `de.flapdoodle.reverse:de.flapdoodle.reverse` to version `1.7.2` > (#2000) > * Update `io.netty:netty-bom` to version `4.1.101.Final` (#1999) > * Update `net.java.dev.jna:jna` to version `5.14.0` (#2082) > * Update `org.apache.aries.spifly:org.apache.aries.spifly.dynamic.bundle` > to version `1.3.7` (#205
Re: [VOTE] Release Apache Log4j 3.0.0-beta1
> On Dec 14, 2023, at 3:08 PM, Volkan Yazıcı wrote: > > Given we will have several other betas before a GA release, do these issues > really constitute a serious blocker? Or they can be addressed in the next > beta? > I can’t run the release verification commands you provided without this fix as the build fails after log4j-core-tests.
Re: [VOTE] Release Apache Log4j 3.0.0-beta1
Hi Volkan, On Thu, 14 Dec 2023 at 22:09, Volkan Yazıcı wrote: > > Given we will have several other betas before a GA release, do these issues > really constitute a serious blocker? Or they can be addressed in the next > beta? These artifacts will pollute Maven Central and overly complicate the verification process. The only way to be able to resume from an artifact:compare failure is to run: ./mvnw install artifact:compare -Prelease -Dreference.repo=... I am not sure if this will use the remote repo to verify the artifacts or use the freshly installed versions. Piotr
Re: [VOTE] Release Apache Log4j 3.0.0-beta1
Hi Gary, On Thu, 14 Dec 2023 at 21:39, Gary Gregory wrote: > If you write "Please don't release this.", then you should vote -1. Or am I > missing something? I don't think that will be necessary. I am reserving my vote for later. ;-) Piotr
Re: [VOTE] Release Apache Log4j 3.0.0-beta1
Given we will have several other betas before a GA release, do these issues really constitute a serious blocker? Or they can be addressed in the next beta? On Thu, 14 Dec 2023 at 21:32, Piotr P. Karwasz wrote: > Hi Volkan, > > On Wed, 13 Dec 2023 at 16:26, Volkan Yazıcı wrote: > > > > This is a vote to release the Apache Log4j 3.0.0-beta1. > > > > Website: https://logging.staged.apache.org/log4j > > GitHub: https://github.com/apache/logging-log4j2 > > Commit: c5dbdcfeb0216e1e3e333436e9b4d04cc3b8e6fd > > Distribution: https://dist.apache.org/repos/dist/dev/logging/log4j > > Nexus: > > https://repository.apache.org/content/repositories/orgapachelogging-1246 > > Signing key: 0x077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0 > > > > Please download, test, and cast your votes on this mailing list. > > > > [ ] +1, release the artifacts > > [ ] -1, don't release, because... > > Thanks for preparing the release, unfortunately: > > * The Maven Source Plugin is misconfigured and it publishes **test** > source artifacts. I fixed in in commit > a8dcc55fc37e3a332101dcf0d5833273708b583b, you can cherry-pick it onto > the release branch, > * Since test sources are generated we have reproducibility problems: > the source artifact does not preserve the chmod of each file and some > files have an executable flag... > > Please don't release this. > > Piotr >
Re: [VOTE] Release Apache Log4j 3.0.0-beta1
Hi Piotr, If you write "Please don't release this.", then you should vote -1. Or am I missing something? Gary On Thu, Dec 14, 2023, 3:33 PM Piotr P. Karwasz wrote: > Hi Volkan, > > On Wed, 13 Dec 2023 at 16:26, Volkan Yazıcı wrote: > > > > This is a vote to release the Apache Log4j 3.0.0-beta1. > > > > Website: https://logging.staged.apache.org/log4j > > GitHub: https://github.com/apache/logging-log4j2 > > Commit: c5dbdcfeb0216e1e3e333436e9b4d04cc3b8e6fd > > Distribution: https://dist.apache.org/repos/dist/dev/logging/log4j > > Nexus: > > https://repository.apache.org/content/repositories/orgapachelogging-1246 > > Signing key: 0x077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0 > > > > Please download, test, and cast your votes on this mailing list. > > > > [ ] +1, release the artifacts > > [ ] -1, don't release, because... > > Thanks for preparing the release, unfortunately: > > * The Maven Source Plugin is misconfigured and it publishes **test** > source artifacts. I fixed in in commit > a8dcc55fc37e3a332101dcf0d5833273708b583b, you can cherry-pick it onto > the release branch, > * Since test sources are generated we have reproducibility problems: > the source artifact does not preserve the chmod of each file and some > files have an executable flag... > > Please don't release this. > > Piotr >
Re: [VOTE] Release Apache Log4j 3.0.0-beta1
Hi Volkan, On Wed, 13 Dec 2023 at 16:26, Volkan Yazıcı wrote: > > This is a vote to release the Apache Log4j 3.0.0-beta1. > > Website: https://logging.staged.apache.org/log4j > GitHub: https://github.com/apache/logging-log4j2 > Commit: c5dbdcfeb0216e1e3e333436e9b4d04cc3b8e6fd > Distribution: https://dist.apache.org/repos/dist/dev/logging/log4j > Nexus: > https://repository.apache.org/content/repositories/orgapachelogging-1246 > Signing key: 0x077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0 > > Please download, test, and cast your votes on this mailing list. > > [ ] +1, release the artifacts > [ ] -1, don't release, because... Thanks for preparing the release, unfortunately: * The Maven Source Plugin is misconfigured and it publishes **test** source artifacts. I fixed in in commit a8dcc55fc37e3a332101dcf0d5833273708b583b, you can cherry-pick it onto the release branch, * Since test sources are generated we have reproducibility problems: the source artifact does not preserve the chmod of each file and some files have an executable flag... Please don't release this. Piotr
