Posted to dev@druid.apache.org by Jihoon Son <ji...@apache.org> on 2020/05/06 04:50:16 UTC

[VOTE] Release Apache Druid 0.18.1 [RC2]

Hi all,

I have created a build for Apache Druid 0.18.1, release candidate 2.

Thanks to everyone who has helped contribute to the release! You can read
the proposed release notes here:
https://github.com/apache/druid/issues/9798

The release candidate has been tagged in GitHub as
druid-0.18.1-rc2 (8436ce4252b4ef5ab20acc532390c225930f299e),
available here:
https://github.com/apache/druid/releases/tag/druid-0.18.1-rc2

The artifacts to be voted on are located here:
https://dist.apache.org/repos/dist/dev/druid/0.18.1-rc2/

Staged druid.apache.org website documentation is available here:
https://druid.staged.apache.org/docs/0.18.1/design/index.html

A Docker image containing the binary of the release candidate can be
retrieved via:
docker pull apache/druid:0.18.1-rc2

artifact checksums
src:
8043265d6fb6d691b1bd1c63675f3cf76c5973a535ec5846826886cfbfc97e753dee07c1f5354aa109a07a730d9c0ff896291e7e9bbde40bdf6ed6221cd2c715
bin:
ab7e4d193539e9daa8f5a45596bf598f37832beade6be7d17a04c9f1d88339e99ca19c616307138dd27e191399a822659641c10444a14bbbab122cebd36dd0f4
docker: ccdf14da4e10ed9ee92b1ce4923b812fa72d0cca3fab2f5ee83c08e7cd4812df

Release artifacts are signed with the following key:
https://people.apache.org/keys/committer/jihoonson.asc

This key and the keys of other committers can also be found in the project's
KEYS file here:
https://dist.apache.org/repos/dist/release/druid/KEYS

(If you are a committer, please feel free to add your own key to that file
by following the instructions in the file's header.)


Verify checksums:
diff <(shasum -a512 apache-druid-0.18.1-src.tar.gz | \
cut -d ' ' -f1) \
<(cat apache-druid-0.18.1-src.tar.gz.sha512 ; echo)

diff <(shasum -a512 apache-druid-0.18.1-bin.tar.gz | \
cut -d ' ' -f1) \
<(cat apache-druid-0.18.1-bin.tar.gz.sha512 ; echo)

Verify signatures:
gpg --verify apache-druid-0.18.1-src.tar.gz.asc \
apache-druid-0.18.1-src.tar.gz

gpg --verify apache-druid-0.18.1-bin.tar.gz.asc \
apache-druid-0.18.1-bin.tar.gz

Please review the proposed artifacts and vote. Note that Apache has
specific requirements that must be met before +1 binding votes can be cast
by PMC members. Please refer to the policy at
http://www.apache.org/legal/release-policy.html#policy for more details.

As part of the validation process, the release artifacts can be generated
from source by running:
mvn clean install -Papache-release,dist -Dgpg.skip

The RAT license check can be run from source by:
mvn apache-rat:check -Prat

This vote will be open for at least 72 hours. The vote will pass if a
majority of at least three +1 PMC votes are cast.

[ ] +1 Release this package as Apache Druid 0.18.1
[ ] 0 I don't feel strongly about it, but I'm okay with the release
[ ] -1 Do not release this package because...

Thanks!
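
An added example, not part of the original e-mail or of the Druid project's tooling: the checksum step above written as a fail-closed check that compares an artifact against both its .sha512 sidecar and the digest copied from this vote e-mail. The function names sha512_of and verify_artifact are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original e-mail). Function names are hypothetical.

# Print the lowercase hex SHA-512 of a file with whichever tool is installed.
sha512_of() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | cut -d ' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 512 "$1" | cut -d ' ' -f1
  else
    echo "no SHA-512 tool found" >&2
    return 2
  fi
}

# verify_artifact FILE ANNOUNCED_DIGEST
# Returns 0 only if FILE hashes to the digest stored in FILE.sha512 AND to the
# digest announced out of band (for example, copied from the vote e-mail).
verify_artifact() {
  local file="$1" announced="$2" actual sidecar
  [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
  [ -f "$file.sha512" ] || { echo "missing: $file.sha512" >&2; return 1; }

  # Normalise the announced value and require exactly 128 hex characters,
  # so a truncated or mis-pasted digest is rejected instead of compared.
  announced=$(printf '%s' "$announced" | tr -d '[:space:]' | tr 'A-F' 'a-f')
  case "$announced" in
    ''|*[!0-9a-f]*) echo "announced digest is not hex" >&2; return 1 ;;
  esac
  [ "${#announced}" -eq 128 ] || { echo "announced digest is not 128 hex chars" >&2; return 1; }

  actual=$(sha512_of "$file") || return 2

  # The sidecar may hold a bare digest (with or without a trailing newline)
  # or "digest  filename"; take the first field of the first line.
  sidecar=$(tr -d '\r' < "$file.sha512" | awk 'NR==1 {print tolower($1)}')

  if [ "$actual" != "$sidecar" ]; then
    echo "MISMATCH against sidecar: $file" >&2
    return 1
  fi
  if [ "$actual" != "$announced" ]; then
    echo "MISMATCH against announced digest: $file" >&2
    return 1
  fi
  echo "OK: $file"
}

# Command-line use: script.sh FILE ANNOUNCED_DIGEST
if [ "$#" -eq 2 ]; then
  verify_artifact "$1" "$2"
fi
```

Unlike the diff commands, which print nothing on a match, this returns a non-zero status on any mismatch, so it can gate the later gpg and build steps in a script.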

Re: [VOTE] Release Apache Druid 0.18.1 [RC2]

Posted by Jihoon Son <gh...@gmail.com>.
Thanks all for voting!
I'm going to close this vote.

On Tue, May 12, 2020 at 1:08 PM Furkan KAMACI <fu...@gmail.com>
wrote:

> Hi,
>
> +1 (binding).
>
> I checked:
>
> - LICENSE is fine
> - NOTICE year should be updated (which is changed at master. However I've
> created another PR for it)
> - No unexpected binary files
> - Checked PGP signatures
> - Checked Checksums
> - Code compiles
> - Tests successfully run
> - Ran native batch/kafka quickstart
> - Apache rat checks are OK
>
> Kind Regards,
> Furkan KAMACI
>

Re: [VOTE] Release Apache Druid 0.18.1 [RC2]

Posted by Furkan KAMACI <fu...@gmail.com>.
Hi,

+1 (binding).

I checked:

- LICENSE is fine
- NOTICE year should be updated (which is changed at master. However I've
created another PR for it)
- No unexpected binary files
- Checked PGP signatures
- Checked Checksums
- Code compiles
- Tests successfully run
- Ran native batch/kafka quickstart
- Apache rat checks are OK

Kind Regards,
Furkan KAMACI

On Tue, May 12, 2020 at 10:37 PM Jonathan Wei <jo...@apache.org> wrote:

> +1 (binding)
>
> src:
> - Checked signature/hash
> - Checked LICENSE/NOTICE
> - Ran rat and unit tests
> - Built distribution and ran native batch/kafka quickstart
>
> bin:
> - Checked signature/hash
> - Checked LICENSE/NOTICE
> - ran native batch/kafka quickstart
>
> --
>
> A note about building the source distribution:
>
> The following error occurs if you use the "apache-release" profile:
>
> [ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.2:check
> (default) on project druid-cloudfiles-extensions:
> [ERROR]
> [ERROR] One or more dependencies were identified with vulnerabilities that
> have a CVSS score greater than or equal to '7.0':
> [ERROR]
> [ERROR] openstack-keystone-1.9.1.jar: CVE-2020-12689, CVE-2020-12691,
> CVE-2020-12690
>
> It's in an extensions-contrib extension which isn't included in the built
> distribution, so I don't think we need to fix that for this release.
>
> The tarball can be built successfully by using -Pdist instead of
> -Papache-release,dist
>

Re: [VOTE] Release Apache Druid 0.18.1 [RC2]

Posted by Jonathan Wei <jo...@apache.org>.
+1 (binding)

src:
- Checked signature/hash
- Checked LICENSE/NOTICE
- Ran rat and unit tests
- Built distribution and ran native batch/kafka quickstart

bin:
- Checked signature/hash
- Checked LICENSE/NOTICE
- ran native batch/kafka quickstart

--

A note about building the source distribution:

The following error occurs if you use the "apache-release" profile:

[ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.2:check
(default) on project druid-cloudfiles-extensions:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities that
have a CVSS score greater than or equal to '7.0':
[ERROR]
[ERROR] openstack-keystone-1.9.1.jar: CVE-2020-12689, CVE-2020-12691,
CVE-2020-12690

It's in an extensions-contrib extension which isn't included in the built
distribution, so I don't think we need to fix that for this release.

The tarball can be built successfully by using -Pdist instead of
-Papache-release,dist

On Mon, May 11, 2020 at 9:21 AM Surekha Saharan <su...@imply.io>
wrote:

> +1 (binding)
>
> src package:
> - downloaded, verified signature and hash
> - compiled source and ran unit tests
> - ran RAT check
> - checked LICENSE/NOTICE
>
>
> bin package:
> - downloaded, verified signature and hash
> - ran quickstart batch and kafka ingestion tutorial and simple queries
> - checked LICENSE/NOTICE
>

Re: [VOTE] Release Apache Druid 0.18.1 [RC2]

Posted by Surekha Saharan <su...@imply.io>.
+1 (binding)

src package:
- downloaded, verified signature and hash
- compiled source and ran unit tests
- ran RAT check
- checked LICENSE/NOTICE


bin package:
- downloaded, verified signature and hash
- ran quickstart batch and kafka ingestion tutorial and simple queries
- checked LICENSE/NOTICE
