You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@zookeeper.apache.org by Szalay-Bekő Máté <sz...@gmail.com> on 2022/05/02 12:14:26 UTC

Re: [VOTE] Apache ZooKeeper release 3.7.1 candidate 0

+1 (binding)

- I built the source code (-Pfull-build) on Ubuntu 18.04.6 using OpenJDK
11.0.14.1 and maven 3.6.0.
- all the unit tests passed eventually (both Java and C-client).
- I also built and executed unit tests for zkpython
- checkstyle and spotbugs passed
- apache-rat passed
- owasp (CVE check) passed (with some false-positives, see ZOOKEEPER-4510)
- fatjar built
- I executed quick rolling-upgrade smoke tests (using
https://github.com/symat/zk-rolling-upgrade-test):
    - rolling upgrade from 3.5.9 to 3.7.1
    - rolling upgrade from 3.6.3 to 3.7.1
    - rolling upgrade from 3.7.0 to 3.7.1
    - rolling upgrade from 3.7.1 to 3.8.0

Few minor issues, none of them blocker in my opinion:
- some false positive CVE problems (followed in
https://issues.apache.org/jira/browse/ZOOKEEPER-4510)
- some unit tests failed for me the first time, but succeeded when I run
them one-by-one:
    - org.apache.zookeeper.ZKUtilTest
    - org.apache.zookeeper.server.ZooKeeperServerMainTest
    - org.apache.zookeeper.server.quorum.QuorumPeerMainMultiAddressTest
    - org.apache.zookeeper.server.quorum.QuorumPeerMainTest
    - org.apache.zookeeper.server.quorum.Zab1_0Test
    - org.apache.zookeeper.server.util.JvmPauseMonitorTest
    - org.apache.zookeeper.server.util.RequestPathMetricsCollectorTest
- some C unit tests failed also on my docker environment (these run
successfully on CI, so I assume it is only a problem on my docker setup):
    - Zookeeper_readOnly::testReadOnly (only on the multi-threaded C-client
test suite)
    - Zookeeper_readOnly::testReadOnlyWithSSL (only on the multi-threaded
C-client test suite)

Thanks for your work preparing the RC!

Kind regards,
Máté

On Fri, Apr 29, 2022 at 4:03 PM Christopher <ct...@apache.org> wrote:

> FWIW, this is already being tracked on
> https://issues.apache.org/jira/browse/ZOOKEEPER-4510
> It's a false positive. I don't think it should hold up a vote.
>
> On Fri, Apr 29, 2022 at 7:40 AM Szalay-Bekő Máté
> <sz...@gmail.com> wrote:
> >
> > Hello Mohammad,
> >
> > Thanks for the RC! I'm still testing it (so no vote just yet), but I
> found
> > some CVE errors reported. The command "mvn clean package -DskipTests
> > dependency-check:check" failed with:
> >
> > [ERROR] One or more dependencies were identified with vulnerabilities
> that
> > have a CVSS score greater than or equal to '0.0':
> > [ERROR]
> > [ERROR] reload4j-1.2.19.jar: CVE-2020-9493, CVE-2022-23307
> > [ERROR]
> > [ERROR] See the dependency-check report for more details.
> >
> > I think this is a dependency-check plugin error and not an actual
> security
> > problem. At least I don't see Apache Chainsaw in our dependency tree, I
> > don't know why maven dependency-check reports this. Anyway, it would be
> > good if someone else can take a look too.
> >
> > Best regards,
> > Máté
> >
> > On Mon, Apr 25, 2022 at 3:25 AM Mohammad Arshad <ar...@apache.org>
> wrote:
> >
> > > This is a bug fix release candidate for 3.7.1. It contains 61 fixes.
> > >
> > > The full release notes is available at:
> > >
> > >
> > >
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12350030
> > >
> > > *** Please download, test and vote by Sunday, 01 May, 2022, 23:59
> UTC+0.
> > > ***
> > >
> > > Source files:
> > > https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.7.1-rc0/
> > >
> > > Maven staging repo:
> > >
> https://repository.apache.org/content/repositories/orgapachezookeeper-1075
> > >
> > > The release candidate tag in git to be voted upon: release-3.7.1-0
> > > https://github.com/apache/zookeeper/tree/release-3.7.1-0
> > >
> > > ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> > > https://www.apache.org/dist/zookeeper/KEYS
> > >
> > > The staging version of the website is:
> > >
> > >
> https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.7.1-rc0/website/index.html
> > >
> > >
> > > Should we release this candidate?
> > >
> > >
> > > -Arshad
> > >
>

Re: [VOTE] Apache ZooKeeper release 3.7.1 candidate 0

Posted by Enrico Olivelli <eo...@gmail.com>.

+1 (binding)
- Verified checksums, signatures, licence files
- Built on Ubuntu with JDK11, all tests passed (I used surefire-forkcount=1)
- Run smoke tests on the binaries produced by building the source package

Good job, thank you Mohammad

Enrico

Il giorno lun 2 mag 2022 alle ore 14:14 Szalay-Bekő Máté
<sz...@gmail.com> ha scritto:
>
> +1 (binding)
>
> - I built the source code (-Pfull-build) on Ubuntu 18.04.6 using OpenJDK
> 11.0.14.1 and maven 3.6.0.
> - all the unit tests passed eventually (both Java and C-client).
> - I also built and executed unit tests for zkpython
> - checkstyle and spotbugs passed
> - apache-rat passed
> - owasp (CVE check) passed (with some false-positives, see ZOOKEEPER-4510)
> - fatjar built
> - I executed quick rolling-upgrade smoke tests (using
> https://github.com/symat/zk-rolling-upgrade-test):
>     - rolling upgrade from 3.5.9 to 3.7.1
>     - rolling upgrade from 3.6.3 to 3.7.1
>     - rolling upgrade from 3.7.0 to 3.7.1
>     - rolling upgrade from 3.7.1 to 3.8.0
>
> Few minor issues, none of them blocker in my opinion:
> - some false positive CVE problems (followed in
> https://issues.apache.org/jira/browse/ZOOKEEPER-4510)
> - some unit tests failed for me the first time, but succeeded when I run
> them one-by-one:
>     - org.apache.zookeeper.ZKUtilTest
>     - org.apache.zookeeper.server.ZooKeeperServerMainTest
>     - org.apache.zookeeper.server.quorum.QuorumPeerMainMultiAddressTest
>     - org.apache.zookeeper.server.quorum.QuorumPeerMainTest
>     - org.apache.zookeeper.server.quorum.Zab1_0Test
>     - org.apache.zookeeper.server.util.JvmPauseMonitorTest
>     - org.apache.zookeeper.server.util.RequestPathMetricsCollectorTest
> - some C unit tests failed also on my docker environment (these run
> successfully on CI, so I assume it is only a problem on my docker setup):
>     - Zookeeper_readOnly::testReadOnly (only on the multi-threaded C-client
> test suite)
>     - Zookeeper_readOnly::testReadOnlyWithSSL (only on the multi-threaded
> C-client test suite)
>
> Thanks for your work preparing the RC!
>
> Kind regards,
> Máté
>
> On Fri, Apr 29, 2022 at 4:03 PM Christopher <ct...@apache.org> wrote:
>
> > FWIW, this is already being tracked on
> > https://issues.apache.org/jira/browse/ZOOKEEPER-4510
> > It's a false positive. I don't think it should hold up a vote.
> >
> > On Fri, Apr 29, 2022 at 7:40 AM Szalay-Bekő Máté
> > <sz...@gmail.com> wrote:
> > >
> > > Hello Mohammad,
> > >
> > > Thanks for the RC! I'm still testing it (so no vote just yet), but I
> > found
> > > some CVE errors reported. The command "mvn clean package -DskipTests
> > > dependency-check:check" failed with:
> > >
> > > [ERROR] One or more dependencies were identified with vulnerabilities
> > that
> > > have a CVSS score greater than or equal to '0.0':
> > > [ERROR]
> > > [ERROR] reload4j-1.2.19.jar: CVE-2020-9493, CVE-2022-23307
> > > [ERROR]
> > > [ERROR] See the dependency-check report for more details.
> > >
> > > I think this is a dependency-check plugin error and not an actual
> > security
> > > problem. At least I don't see Apache Chainsaw in our dependency tree, I
> > > don't know why maven dependency-check reports this. Anyway, it would be
> > > good if someone else can take a look too.
> > >
> > > Best regards,
> > > Máté
> > >
> > > On Mon, Apr 25, 2022 at 3:25 AM Mohammad Arshad <ar...@apache.org>
> > wrote:
> > >
> > > > This is a bug fix release candidate for 3.7.1. It contains 61 fixes.
> > > >
> > > > The full release notes is available at:
> > > >
> > > >
> > > >
> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12350030
> > > >
> > > > *** Please download, test and vote by Sunday, 01 May, 2022, 23:59
> > UTC+0.
> > > > ***
> > > >
> > > > Source files:
> > > > https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.7.1-rc0/
> > > >
> > > > Maven staging repo:
> > > >
> > https://repository.apache.org/content/repositories/orgapachezookeeper-1075
> > > >
> > > > The release candidate tag in git to be voted upon: release-3.7.1-0
> > > > https://github.com/apache/zookeeper/tree/release-3.7.1-0
> > > >
> > > > ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> > > > https://www.apache.org/dist/zookeeper/KEYS
> > > >
> > > > The staging version of the website is:
> > > >
> > > >
> > https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.7.1-rc0/website/index.html
> > > >
> > > >
> > > > Should we release this candidate?
> > > >
> > > >
> > > > -Arshad
> > > >
> >