Posted to dev@flink.apache.org by Chesnay Schepler <ch...@apache.org> on 2021/12/13 19:28:10 UTC

[VOTE] Release 1.11.5/1.12.6/1.13.4/1.14.1, release candidate #1

Hi everyone,

This vote is for the emergency patch releases for 1.11, 1.12, 1.13 and 
1.14 to address CVE-2021-44228.
It covers all 4 releases as they contain the same changes (upgrading 
Log4j to 2.15.0) and were prepared simultaneously by the same person.
(Hence, if something is broken, it likely applies to all releases)

Please review and vote on the release candidate #1 for the versions 
1.11.5, 1.12.6, 1.13.4 and 1.14.1, as follows:
[ ] +1, Approve the releases
[ ] -1, Do not approve the releases (please provide specific comments)

The complete staging area is available for your review, which includes:
* JIRA release notes [1],
* the official Apache source releases and binary convenience releases to 
be deployed to dist.apache.org [2], which are signed with the key with 
fingerprint C2EED7B111D464BA [3],
* all artifacts to be deployed to the Maven Central Repository [4],
     * *the jars for 1.13/1.14 are still being built*
* source code tags [5],
* website pull request listing the new releases and adding announcement 
blog post [6].

The vote will be open for at least 24 hours. The minimum vote time has 
been shortened as the changes are minimal and the matter is urgent.
It is adopted by majority approval, with at least 3 PMC affirmative votes.

Thanks,
Chesnay

[1]
1.11: 
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350327
1.12: 
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350328
1.13: 
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350686
1.14: 
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350512
[2]
1.11: https://dist.apache.org/repos/dist/dev/flink/flink-1.11.5-rc1/
1.12: https://dist.apache.org/repos/dist/dev/flink/flink-1.12.6-rc1/
1.13: https://dist.apache.org/repos/dist/dev/flink/flink-1.13.4-rc1/
1.14: https://dist.apache.org/repos/dist/dev/flink/flink-1.14.1-rc1/
[3] https://dist.apache.org/repos/dist/release/flink/KEYS
[4]
1.11/1.12: 
https://repository.apache.org/content/repositories/orgapacheflink-1455
1.13: https://repository.apache.org/content/repositories/orgapacheflink-1457
1.14: https://repository.apache.org/content/repositories/orgapacheflink-1456
[5]
1.11: https://github.com/apache/flink/releases/tag/release-1.11.5-rc1
1.12: https://github.com/apache/flink/releases/tag/release-1.12.6-rc1
1.13: https://github.com/apache/flink/releases/tag/release-1.13.4-rc1
1.14: https://github.com/apache/flink/releases/tag/release-1.14.1-rc1
[6] https://github.com/apache/flink-web/pull/489

Re: [VOTE] Release 1.11.5/1.12.6/1.13.4/1.14.1, release candidate #1

Posted by "Tzu-Li (Gordon) Tai" <tz...@apache.org>.
+1 (binding)

- verified hashes and signatures
- checked that the diff of all RCs contains only the log4j version upgrade

On Tue, Dec 14, 2021 at 4:06 AM Yun Gao <yu...@aliyun.com.invalid>
wrote:

> +1 (non-binding)
>
> * Reviewed the blog post.
> * Verified each version could run normally with example jobs.
> * Checked each version only contains the log4j2 fix.
>
> Thanks Chesnay for driving the emergency fix releases!
>
> Best,
> Yun
>
>
> ------------------------------------------------------------------
> From:Yun Tang <my...@live.com>
> Send Time:2021 Dec. 14 (Tue.) 18:25
> To:dev@flink.apache.org <de...@flink.apache.org>; Till Rohrmann <
> trohrmann@apache.org>
> Subject:Re: [VOTE] Release 1.11.5/1.12.6/1.13.4/1.14.1, release candidate
> #1
>
> + 1 (non-binding) for releasing flink-1.13.4 and flink-1.14.1 currently
>
>
>   *   reviewed blog post
>   *   checked that the hot fix version only contains the log4j2 version bump
>
> Best
> Yun Tang
> ________________________________
> From: Chesnay Schepler <ch...@apache.org>
> Sent: Tuesday, December 14, 2021 17:12
> To: dev@flink.apache.org <de...@flink.apache.org>; Till Rohrmann <
> trohrmann@apache.org>
> Subject: Re: [VOTE] Release 1.11.5/1.12.6/1.13.4/1.14.1, release candidate
> #1
>
> I think that should be possible.
>
> On 14/12/2021 10:06, Till Rohrmann wrote:
> > +1 (binding)
> >
> > - reviewed blog post
> > - verified shasum and signatures
> > - checked that diff only contains the log4j version bump
> >
> > Can we simply add the missing Python binaries for MacOS after the release
> > of the other artifacts?
> >
> > Cheers,
> > Till
> >
> > On Tue, Dec 14, 2021 at 4:56 AM Yun Tang <my...@live.com> wrote:
> >
> >> Hi Chesnay,
> >>
> >> Thanks a lot for driving these emergency patch releases!
> >>
> >> I just noticed that current flink-1.11.4 offers python files on mac os
> >> [1]. Is it okay to release Flink-1.11.5 and flink-1.12.6 without those
> >> python binaries on mac os?
> >>
> >>
> >> [1] https://pypi.org/project/apache-flink/1.11.4/#files
> >>
> >> Best
> >> Yun Tang
> >> ________________________________
> >> From: Zhu Zhu <re...@gmail.com>
> >> Sent: Tuesday, December 14, 2021 11:00
> >> To: dev <de...@flink.apache.org>
> >> Subject: Re: [VOTE] Release 1.11.5/1.12.6/1.13.4/1.14.1, release
> candidate
> >> #1
> >>
> >> +1 (binding)
> >>
> >> - verified the differences of source releases to the corresponding
> latest
> >> releases, there are only dependency updates and release version update
> >> commits
> >> - verified versions of log4j dependencies in all the binary releases are
> >> 2.15.0
> >> - ran example jobs against all the binary releases, logs look good
> >> - release notes and blogpost look good
> >>
> >> Thanks,
> >> Zhu
> >>
> >> Xintong Song <to...@gmail.com> wrote on Tue, Dec 14, 2021 at 10:23:
> >>
> >>> +1 (binding)
> >>>
> >>> - verified checksum and signature
> >>> - verified that release candidates only contain the log4j dependency
> >>> changes compared to previous releases.
> >>> - release notes and blogpost LGTM
> >>>
> >>> Thanks a lot for driving these emergency patch releases, Chesnay!
> >>>
> >>> Thank you~
> >>>
> >>> Xintong Song
> >>>
> >>>
> >>>
> >>> On Tue, Dec 14, 2021 at 7:45 AM Chesnay Schepler <ch...@apache.org>
> >>> wrote:
> >>>
> >>>> I forgot to mention something important:
> >>>>
> >>>> The 1.11/1.12 releases do *NOT* contain flink-python releases for
> *mac*
> >>>> due to compile problems.
> >>>>
> >>>> On 13/12/2021 20:28, Chesnay Schepler wrote:
> >>>>> Hi everyone,
> >>>>>
> >>>>> This vote is for the emergency patch releases for 1.11, 1.12, 1.13
> >> and
> >>>>> 1.14 to address CVE-2021-44228.
> >>>>> It covers all 4 releases as they contain the same changes (upgrading
> >>>>> Log4j to 2.15.0) and were prepared simultaneously by the same person.
> >>>>> (Hence, if something is broken, it likely applies to all releases)
> >>>>>
> >>>>> Please review and vote on the release candidate #1 for the versions
> >>>>> 1.11.5, 1.12.6, 1.13.4 and 1.14.1, as follows:
> >>>>> [ ] +1, Approve the releases
> >>>>> [ ] -1, Do not approve the releases (please provide specific
> >> comments)
> >>>>> The complete staging area is available for your review, which
> >> includes:
> >>>>> * JIRA release notes [1],
> >>>>> * the official Apache source releases and binary convenience releases
> >>>>> to be deployed to dist.apache.org [2], which are signed with the key
> >>>>> with fingerprint C2EED7B111D464BA [3],
> >>>>> * all artifacts to be deployed to the Maven Central Repository [4],
> >>>>>      * *the jars for 1.13/1.14 are still being built*
> >>>>> * source code tags [5],
> >>>>> * website pull request listing the new releases and adding
> >>>>> announcement blog post [6].
> >>>>>
> >>>>> The vote will be open for at least 24 hours. The minimum vote time
> >> has
> >>>>> been shortened as the changes are minimal and the matter is urgent.
> >>>>> It is adopted by majority approval, with at least 3 PMC affirmative
> >>>>> votes.
> >>>>>
> >>>>> Thanks,
> >>>>> Chesnay
> >>>>>
> >>>>> [1]
> >>>>> 1.11:
> >>>>>
> >>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350327
> >>>>> 1.12:
> >>>>>
> >>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350328
> >>>>> 1.13:
> >>>>>
> >>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350686
> >>>>> 1.14:
> >>>>>
> >>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350512
> >>>>> [2]
> >>>>> 1.11: https://dist.apache.org/repos/dist/dev/flink/flink-1.11.5-rc1/
> >>>>> 1.12: https://dist.apache.org/repos/dist/dev/flink/flink-1.12.6-rc1/
> >>>>> 1.13: https://dist.apache.org/repos/dist/dev/flink/flink-1.13.4-rc1/
> >>>>> 1.14: https://dist.apache.org/repos/dist/dev/flink/flink-1.14.1-rc1/
> >>>>> [3] https://dist.apache.org/repos/dist/release/flink/KEYS
> >>>>> [4]
> >>>>> 1.11/1.12:
> >>>>>
> >> https://repository.apache.org/content/repositories/orgapacheflink-1455
> >>>>> 1.13:
> >>>>>
> >> https://repository.apache.org/content/repositories/orgapacheflink-1457
> >>>>> 1.14:
> >>>>>
> >> https://repository.apache.org/content/repositories/orgapacheflink-1456
> >>>>> [5]
> >>>>> 1.11:
> >> https://github.com/apache/flink/releases/tag/release-1.11.5-rc1
> >>>>> 1.12:
> >> https://github.com/apache/flink/releases/tag/release-1.12.6-rc1
> >>>>> 1.13:
> >> https://github.com/apache/flink/releases/tag/release-1.13.4-rc1
> >>>>> 1.14:
> >> https://github.com/apache/flink/releases/tag/release-1.14.1-rc1
> >>>>> [6] https://github.com/apache/flink-web/pull/489
> >>>>>
>
>
>

Re: [VOTE] Release 1.11.5/1.12.6/1.13.4/1.14.1, release candidate #1

Posted by Yun Gao <yu...@aliyun.com.INVALID>.
+1 (non-binding)

* Reviewed the blog post.
* Verified each version could run normally with example jobs.
* Checked each version only contains the log4j2 fix.

Thanks Chesnay for driving the emergency fix releases!

Best,
Yun


------------------------------------------------------------------
From:Yun Tang <my...@live.com>
Send Time:2021 Dec. 14 (Tue.) 18:25
To:dev@flink.apache.org <de...@flink.apache.org>; Till Rohrmann <tr...@apache.org>
Subject:Re: [VOTE] Release 1.11.5/1.12.6/1.13.4/1.14.1, release candidate #1

+ 1 (non-binding) for releasing flink-1.13.4 and flink-1.14.1 currently


  *   reviewed blog post
  *   checked that the hot fix version only contains the log4j2 version bump

Best
Yun Tang
________________________________
From: Chesnay Schepler <ch...@apache.org>
Sent: Tuesday, December 14, 2021 17:12
To: dev@flink.apache.org <de...@flink.apache.org>; Till Rohrmann <tr...@apache.org>
Subject: Re: [VOTE] Release 1.11.5/1.12.6/1.13.4/1.14.1, release candidate #1

I think that should be possible.

On 14/12/2021 10:06, Till Rohrmann wrote:
> +1 (binding)
>
> - reviewed blog post
> - verified shasum and signatures
> - checked that diff only contains the log4j version bump
>
> Can we simply add the missing Python binaries for MacOS after the release
> of the other artifacts?
>
> Cheers,
> Till
>
> On Tue, Dec 14, 2021 at 4:56 AM Yun Tang <my...@live.com> wrote:
>
>> Hi Chesnay,
>>
>> Thanks a lot for driving these emergency patch releases!
>>
>> I just noticed that current flink-1.11.4 offers python files on mac os
>> [1]. Is it okay to release Flink-1.11.5 and flink-1.12.6 without those
>> python binaries on mac os?
>>
>>
>> [1] https://pypi.org/project/apache-flink/1.11.4/#files
>>
>> Best
>> Yun Tang
>> ________________________________
>> From: Zhu Zhu <re...@gmail.com>
>> Sent: Tuesday, December 14, 2021 11:00
>> To: dev <de...@flink.apache.org>
>> Subject: Re: [VOTE] Release 1.11.5/1.12.6/1.13.4/1.14.1, release candidate
>> #1
>>
>> +1 (binding)
>>
>> - verified the differences of source releases to the corresponding latest
>> releases, there are only dependency updates and release version update
>> commits
>> - verified versions of log4j dependencies in all the binary releases are
>> 2.15.0
>> - ran example jobs against all the binary releases, logs look good
>> - release notes and blogpost look good
>>
>> Thanks,
>> Zhu
>>
>> Xintong Song <to...@gmail.com> wrote on Tue, Dec 14, 2021 at 10:23:
>>
>>> +1 (binding)
>>>
>>> - verified checksum and signature
>>> - verified that release candidates only contain the log4j dependency
>>> changes compared to previous releases.
>>> - release notes and blogpost LGTM
>>>
>>> Thanks a lot for driving these emergency patch releases, Chesnay!
>>>
>>> Thank you~
>>>
>>> Xintong Song
>>>
>>>
>>>
>>> On Tue, Dec 14, 2021 at 7:45 AM Chesnay Schepler <ch...@apache.org>
>>> wrote:
>>>
>>>> I forgot to mention something important:
>>>>
>>>> The 1.11/1.12 releases do *NOT* contain flink-python releases for *mac*
>>>> due to compile problems.
>>>>
>>>> On 13/12/2021 20:28, Chesnay Schepler wrote:
>>>>> Hi everyone,
>>>>>
>>>>> This vote is for the emergency patch releases for 1.11, 1.12, 1.13
>> and
>>>>> 1.14 to address CVE-2021-44228.
>>>>> It covers all 4 releases as they contain the same changes (upgrading
>>>>> Log4j to 2.15.0) and were prepared simultaneously by the same person.
>>>>> (Hence, if something is broken, it likely applies to all releases)
>>>>>
>>>>> Please review and vote on the release candidate #1 for the versions
>>>>> 1.11.5, 1.12.6, 1.13.4 and 1.14.1, as follows:
>>>>> [ ] +1, Approve the releases
>>>>> [ ] -1, Do not approve the releases (please provide specific
>> comments)
>>>>> The complete staging area is available for your review, which
>> includes:
>>>>> * JIRA release notes [1],
>>>>> * the official Apache source releases and binary convenience releases
>>>>> to be deployed to dist.apache.org [2], which are signed with the key
>>>>> with fingerprint C2EED7B111D464BA [3],
>>>>> * all artifacts to be deployed to the Maven Central Repository [4],
>>>>>      * *the jars for 1.13/1.14 are still being built*
>>>>> * source code tags [5],
>>>>> * website pull request listing the new releases and adding
>>>>> announcement blog post [6].
>>>>>
>>>>> The vote will be open for at least 24 hours. The minimum vote time
>> has
>>>>> been shortened as the changes are minimal and the matter is urgent.
>>>>> It is adopted by majority approval, with at least 3 PMC affirmative
>>>>> votes.
>>>>>
>>>>> Thanks,
>>>>> Chesnay
>>>>>
>>>>> [1]
>>>>> 1.11:
>>>>>
>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350327
>>>>> 1.12:
>>>>>
>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350328
>>>>> 1.13:
>>>>>
>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350686
>>>>> 1.14:
>>>>>
>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350512
>>>>> [2]
>>>>> 1.11: https://dist.apache.org/repos/dist/dev/flink/flink-1.11.5-rc1/
>>>>> 1.12: https://dist.apache.org/repos/dist/dev/flink/flink-1.12.6-rc1/
>>>>> 1.13: https://dist.apache.org/repos/dist/dev/flink/flink-1.13.4-rc1/
>>>>> 1.14: https://dist.apache.org/repos/dist/dev/flink/flink-1.14.1-rc1/
>>>>> [3] https://dist.apache.org/repos/dist/release/flink/KEYS
>>>>> [4]
>>>>> 1.11/1.12:
>>>>>
>> https://repository.apache.org/content/repositories/orgapacheflink-1455
>>>>> 1.13:
>>>>>
>> https://repository.apache.org/content/repositories/orgapacheflink-1457
>>>>> 1.14:
>>>>>
>> https://repository.apache.org/content/repositories/orgapacheflink-1456
>>>>> [5]
>>>>> 1.11:
>> https://github.com/apache/flink/releases/tag/release-1.11.5-rc1
>>>>> 1.12:
>> https://github.com/apache/flink/releases/tag/release-1.12.6-rc1
>>>>> 1.13:
>> https://github.com/apache/flink/releases/tag/release-1.13.4-rc1
>>>>> 1.14:
>> https://github.com/apache/flink/releases/tag/release-1.14.1-rc1
>>>>> [6] https://github.com/apache/flink-web/pull/489
>>>>>



Re: [VOTE] Release 1.11.5/1.12.6/1.13.4/1.14.1, release candidate #1

Posted by Yun Tang <my...@live.com>.
+ 1 (non-binding) for releasing flink-1.13.4 and flink-1.14.1 currently


  *   reviewed blog post
  *   checked that the hot fix version only contains the log4j2 version bump

Best
Yun Tang
________________________________
From: Chesnay Schepler <ch...@apache.org>
Sent: Tuesday, December 14, 2021 17:12
To: dev@flink.apache.org <de...@flink.apache.org>; Till Rohrmann <tr...@apache.org>
Subject: Re: [VOTE] Release 1.11.5/1.12.6/1.13.4/1.14.1, release candidate #1

I think that should be possible.

On 14/12/2021 10:06, Till Rohrmann wrote:
> +1 (binding)
>
> - reviewed blog post
> - verified shasum and signatures
> - checked that diff only contains the log4j version bump
>
> Can we simply add the missing Python binaries for MacOS after the release
> of the other artifacts?
>
> Cheers,
> Till
>
> On Tue, Dec 14, 2021 at 4:56 AM Yun Tang <my...@live.com> wrote:
>
>> Hi Chesnay,
>>
>> Thanks a lot for driving these emergency patch releases!
>>
>> I just noticed that current flink-1.11.4 offers python files on mac os
>> [1]. Is it okay to release Flink-1.11.5 and flink-1.12.6 without those
>> python binaries on mac os?
>>
>>
>> [1] https://pypi.org/project/apache-flink/1.11.4/#files
>>
>> Best
>> Yun Tang
>> ________________________________
>> From: Zhu Zhu <re...@gmail.com>
>> Sent: Tuesday, December 14, 2021 11:00
>> To: dev <de...@flink.apache.org>
>> Subject: Re: [VOTE] Release 1.11.5/1.12.6/1.13.4/1.14.1, release candidate
>> #1
>>
>> +1 (binding)
>>
>> - verified the differences of source releases to the corresponding latest
>> releases, there are only dependency updates and release version update
>> commits
>> - verified versions of log4j dependencies in all the binary releases are
>> 2.15.0
>> - ran example jobs against all the binary releases, logs look good
>> - release notes and blogpost look good
>>
>> Thanks,
>> Zhu
>>
>> Xintong Song <to...@gmail.com> wrote on Tue, Dec 14, 2021 at 10:23:
>>
>>> +1 (binding)
>>>
>>> - verified checksum and signature
>>> - verified that release candidates only contain the log4j dependency
>>> changes compared to previous releases.
>>> - release notes and blogpost LGTM
>>>
>>> Thanks a lot for driving these emergency patch releases, Chesnay!
>>>
>>> Thank you~
>>>
>>> Xintong Song
>>>
>>>
>>>
>>> On Tue, Dec 14, 2021 at 7:45 AM Chesnay Schepler <ch...@apache.org>
>>> wrote:
>>>
>>>> I forgot to mention something important:
>>>>
>>>> The 1.11/1.12 releases do *NOT* contain flink-python releases for *mac*
>>>> due to compile problems.
>>>>
>>>> On 13/12/2021 20:28, Chesnay Schepler wrote:
>>>>> Hi everyone,
>>>>>
>>>>> This vote is for the emergency patch releases for 1.11, 1.12, 1.13
>> and
>>>>> 1.14 to address CVE-2021-44228.
>>>>> It covers all 4 releases as they contain the same changes (upgrading
>>>>> Log4j to 2.15.0) and were prepared simultaneously by the same person.
>>>>> (Hence, if something is broken, it likely applies to all releases)
>>>>>
>>>>> Please review and vote on the release candidate #1 for the versions
>>>>> 1.11.5, 1.12.6, 1.13.4 and 1.14.1, as follows:
>>>>> [ ] +1, Approve the releases
>>>>> [ ] -1, Do not approve the releases (please provide specific
>> comments)
>>>>> The complete staging area is available for your review, which
>> includes:
>>>>> * JIRA release notes [1],
>>>>> * the official Apache source releases and binary convenience releases
>>>>> to be deployed to dist.apache.org [2], which are signed with the key
>>>>> with fingerprint C2EED7B111D464BA [3],
>>>>> * all artifacts to be deployed to the Maven Central Repository [4],
>>>>>      * *the jars for 1.13/1.14 are still being built*
>>>>> * source code tags [5],
>>>>> * website pull request listing the new releases and adding
>>>>> announcement blog post [6].
>>>>>
>>>>> The vote will be open for at least 24 hours. The minimum vote time
>> has
>>>>> been shortened as the changes are minimal and the matter is urgent.
>>>>> It is adopted by majority approval, with at least 3 PMC affirmative
>>>>> votes.
>>>>>
>>>>> Thanks,
>>>>> Chesnay
>>>>>
>>>>> [1]
>>>>> 1.11:
>>>>>
>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350327
>>>>> 1.12:
>>>>>
>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350328
>>>>> 1.13:
>>>>>
>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350686
>>>>> 1.14:
>>>>>
>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350512
>>>>> [2]
>>>>> 1.11: https://dist.apache.org/repos/dist/dev/flink/flink-1.11.5-rc1/
>>>>> 1.12: https://dist.apache.org/repos/dist/dev/flink/flink-1.12.6-rc1/
>>>>> 1.13: https://dist.apache.org/repos/dist/dev/flink/flink-1.13.4-rc1/
>>>>> 1.14: https://dist.apache.org/repos/dist/dev/flink/flink-1.14.1-rc1/
>>>>> [3] https://dist.apache.org/repos/dist/release/flink/KEYS
>>>>> [4]
>>>>> 1.11/1.12:
>>>>>
>> https://repository.apache.org/content/repositories/orgapacheflink-1455
>>>>> 1.13:
>>>>>
>> https://repository.apache.org/content/repositories/orgapacheflink-1457
>>>>> 1.14:
>>>>>
>> https://repository.apache.org/content/repositories/orgapacheflink-1456
>>>>> [5]
>>>>> 1.11:
>> https://github.com/apache/flink/releases/tag/release-1.11.5-rc1
>>>>> 1.12:
>> https://github.com/apache/flink/releases/tag/release-1.12.6-rc1
>>>>> 1.13:
>> https://github.com/apache/flink/releases/tag/release-1.13.4-rc1
>>>>> 1.14:
>> https://github.com/apache/flink/releases/tag/release-1.14.1-rc1
>>>>> [6] https://github.com/apache/flink-web/pull/489
>>>>>


Re: [VOTE] Release 1.11.5/1.12.6/1.13.4/1.14.1, release candidate #1

Posted by Chesnay Schepler <ch...@apache.org>.
I think that should be possible.

On 14/12/2021 10:06, Till Rohrmann wrote:
> +1 (binding)
>
> - reviewed blog post
> - verified shasum and signatures
> - checked that diff only contains the log4j version bump
>
> Can we simply add the missing Python binaries for MacOS after the release
> of the other artifacts?
>
> Cheers,
> Till
>
> On Tue, Dec 14, 2021 at 4:56 AM Yun Tang <my...@live.com> wrote:
>
>> Hi Chesnay,
>>
>> Thanks a lot for driving these emergency patch releases!
>>
>> I just noticed that current flink-1.11.4 offers python files on mac os
>> [1]. Is it okay to release Flink-1.11.5 and flink-1.12.6 without those
>> python binaries on mac os?
>>
>>
>> [1] https://pypi.org/project/apache-flink/1.11.4/#files
>>
>> Best
>> Yun Tang
>> ________________________________
>> From: Zhu Zhu <re...@gmail.com>
>> Sent: Tuesday, December 14, 2021 11:00
>> To: dev <de...@flink.apache.org>
>> Subject: Re: [VOTE] Release 1.11.5/1.12.6/1.13.4/1.14.1, release candidate
>> #1
>>
>> +1 (binding)
>>
>> - verified the differences of source releases to the corresponding latest
>> releases, there are only dependency updates and release version update
>> commits
>> - verified versions of log4j dependencies in all the binary releases are
>> 2.15.0
>> - ran example jobs against all the binary releases, logs look good
>> - release notes and blogpost look good
>>
>> Thanks,
>> Zhu
>>
>> Xintong Song <to...@gmail.com> wrote on Tue, Dec 14, 2021 at 10:23:
>>
>>> +1 (binding)
>>>
>>> - verified checksum and signature
>>> - verified that release candidates only contain the log4j dependency
>>> changes compared to previous releases.
>>> - release notes and blogpost LGTM
>>>
>>> Thanks a lot for driving these emergency patch releases, Chesnay!
>>>
>>> Thank you~
>>>
>>> Xintong Song
>>>
>>>
>>>
>>> On Tue, Dec 14, 2021 at 7:45 AM Chesnay Schepler <ch...@apache.org>
>>> wrote:
>>>
>>>> I forgot to mention something important:
>>>>
>>>> The 1.11/1.12 releases do *NOT* contain flink-python releases for *mac*
>>>> due to compile problems.
>>>>
>>>> On 13/12/2021 20:28, Chesnay Schepler wrote:
>>>>> Hi everyone,
>>>>>
>>>>> This vote is for the emergency patch releases for 1.11, 1.12, 1.13
>> and
>>>>> 1.14 to address CVE-2021-44228.
>>>>> It covers all 4 releases as they contain the same changes (upgrading
>>>>> Log4j to 2.15.0) and were prepared simultaneously by the same person.
>>>>> (Hence, if something is broken, it likely applies to all releases)
>>>>>
>>>>> Please review and vote on the release candidate #1 for the versions
>>>>> 1.11.5, 1.12.6, 1.13.4 and 1.14.1, as follows:
>>>>> [ ] +1, Approve the releases
>>>>> [ ] -1, Do not approve the releases (please provide specific
>> comments)
>>>>> The complete staging area is available for your review, which
>> includes:
>>>>> * JIRA release notes [1],
>>>>> * the official Apache source releases and binary convenience releases
>>>>> to be deployed to dist.apache.org [2], which are signed with the key
>>>>> with fingerprint C2EED7B111D464BA [3],
>>>>> * all artifacts to be deployed to the Maven Central Repository [4],
>>>>>      * *the jars for 1.13/1.14 are still being built*
>>>>> * source code tags [5],
>>>>> * website pull request listing the new releases and adding
>>>>> announcement blog post [6].
>>>>>
>>>>> The vote will be open for at least 24 hours. The minimum vote time
>> has
>>>>> been shortened as the changes are minimal and the matter is urgent.
>>>>> It is adopted by majority approval, with at least 3 PMC affirmative
>>>>> votes.
>>>>>
>>>>> Thanks,
>>>>> Chesnay
>>>>>
>>>>> [1]
>>>>> 1.11:
>>>>>
>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350327
>>>>> 1.12:
>>>>>
>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350328
>>>>> 1.13:
>>>>>
>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350686
>>>>> 1.14:
>>>>>
>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350512
>>>>> [2]
>>>>> 1.11: https://dist.apache.org/repos/dist/dev/flink/flink-1.11.5-rc1/
>>>>> 1.12: https://dist.apache.org/repos/dist/dev/flink/flink-1.12.6-rc1/
>>>>> 1.13: https://dist.apache.org/repos/dist/dev/flink/flink-1.13.4-rc1/
>>>>> 1.14: https://dist.apache.org/repos/dist/dev/flink/flink-1.14.1-rc1/
>>>>> [3] https://dist.apache.org/repos/dist/release/flink/KEYS
>>>>> [4]
>>>>> 1.11/1.12:
>>>>>
>> https://repository.apache.org/content/repositories/orgapacheflink-1455
>>>>> 1.13:
>>>>>
>> https://repository.apache.org/content/repositories/orgapacheflink-1457
>>>>> 1.14:
>>>>>
>> https://repository.apache.org/content/repositories/orgapacheflink-1456
>>>>> [5]
>>>>> 1.11:
>> https://github.com/apache/flink/releases/tag/release-1.11.5-rc1
>>>>> 1.12:
>> https://github.com/apache/flink/releases/tag/release-1.12.6-rc1
>>>>> 1.13:
>> https://github.com/apache/flink/releases/tag/release-1.13.4-rc1
>>>>> 1.14:
>> https://github.com/apache/flink/releases/tag/release-1.14.1-rc1
>>>>> [6] https://github.com/apache/flink-web/pull/489
>>>>>


Re: [VOTE] Release 1.11.5/1.12.6/1.13.4/1.14.1, release candidate #1

Posted by Till Rohrmann <tr...@apache.org>.
+1 (binding)

- reviewed blog post
- verified shasum and signatures
- checked that diff only contains the log4j version bump

Can we simply add the missing Python binaries for MacOS after the release
of the other artifacts?

Cheers,
Till

On Tue, Dec 14, 2021 at 4:56 AM Yun Tang <my...@live.com> wrote:

> Hi Chesnay,
>
> Thanks a lot for driving these emergency patch releases!
>
> I just noticed that current flink-1.11.4 offers python files on mac os
> [1]. Is it okay to release Flink-1.11.5 and flink-1.12.6 without those
> python binaries on mac os?
>
>
> [1] https://pypi.org/project/apache-flink/1.11.4/#files
>
> Best
> Yun Tang
> ________________________________
> From: Zhu Zhu <re...@gmail.com>
> Sent: Tuesday, December 14, 2021 11:00
> To: dev <de...@flink.apache.org>
> Subject: Re: [VOTE] Release 1.11.5/1.12.6/1.13.4/1.14.1, release candidate
> #1
>
> +1 (binding)
>
> - verified the differences of source releases to the corresponding latest
> releases, there are only dependency updates and release version update
> commits
> - verified versions of log4j dependencies in all the binary releases are
> 2.15.0
> - ran example jobs against all the binary releases, logs look good
> - release notes and blogpost look good
>
> Thanks,
> Zhu
>
> Xintong Song <to...@gmail.com> wrote on Tue, Dec 14, 2021 at 10:23:
>
> > +1 (binding)
> >
> > - verified checksum and signature
> > - verified that release candidates only contain the log4j dependency
> > changes compared to previous releases.
> > - release notes and blogpost LGTM
> >
> > Thanks a lot for driving these emergency patch releases, Chesnay!
> >
> > Thank you~
> >
> > Xintong Song
> >
> >
> >
> > On Tue, Dec 14, 2021 at 7:45 AM Chesnay Schepler <ch...@apache.org>
> > wrote:
> >
> > > I forgot to mention something important:
> > >
> > > The 1.11/1.12 releases do *NOT* contain flink-python releases for *mac*
> > > due to compile problems.
> > >
> > > On 13/12/2021 20:28, Chesnay Schepler wrote:
> > > > Hi everyone,
> > > >
> > > > This vote is for the emergency patch releases for 1.11, 1.12, 1.13
> and
> > > > 1.14 to address CVE-2021-44228.
> > > > It covers all 4 releases as they contain the same changes (upgrading
> > > > Log4j to 2.15.0) and were prepared simultaneously by the same person.
> > > > (Hence, if something is broken, it likely applies to all releases)
> > > >
> > > > Please review and vote on the release candidate #1 for the versions
> > > > 1.11.5, 1.12.6, 1.13.4 and 1.14.1, as follows:
> > > > [ ] +1, Approve the releases
> > > > [ ] -1, Do not approve the releases (please provide specific
> comments)
> > > >
> > > > The complete staging area is available for your review, which
> includes:
> > > > * JIRA release notes [1],
> > > > * the official Apache source releases and binary convenience releases
> > > > to be deployed to dist.apache.org [2], which are signed with the key
> > > > with fingerprint C2EED7B111D464BA [3],
> > > > * all artifacts to be deployed to the Maven Central Repository [4],
> > > >     * *the jars for 1.13/1.14 are still being built*
> > > > * source code tags [5],
> > > > * website pull request listing the new releases and adding
> > > > announcement blog post [6].
> > > >
> > > > The vote will be open for at least 24 hours. The minimum vote time
> has
> > > > been shortened as the changes are minimal and the matter is urgent.
> > > > It is adopted by majority approval, with at least 3 PMC affirmative
> > > > votes.
> > > >
> > > > Thanks,
> > > > Chesnay
> > > >
> > > > [1]
> > > > 1.11:
> > > >
> > >
> >
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350327
> > > > 1.12:
> > > >
> > >
> >
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350328
> > > > 1.13:
> > > >
> > >
> >
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350686
> > > > 1.14:
> > > >
> > >
> >
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350512
> > > > [2]
> > > > 1.11: https://dist.apache.org/repos/dist/dev/flink/flink-1.11.5-rc1/
> > > > 1.12: https://dist.apache.org/repos/dist/dev/flink/flink-1.12.6-rc1/
> > > > 1.13: https://dist.apache.org/repos/dist/dev/flink/flink-1.13.4-rc1/
> > > > 1.14: https://dist.apache.org/repos/dist/dev/flink/flink-1.14.1-rc1/
> > > > [3] https://dist.apache.org/repos/dist/release/flink/KEYS
> > > > [4]
> > > > 1.11/1.12:
> > > >
> https://repository.apache.org/content/repositories/orgapacheflink-1455
> > > > 1.13:
> > > >
> https://repository.apache.org/content/repositories/orgapacheflink-1457
> > > > 1.14:
> > > >
> https://repository.apache.org/content/repositories/orgapacheflink-1456
> > > > [5]
> > > > 1.11:
> https://github.com/apache/flink/releases/tag/release-1.11.5-rc1
> > > > 1.12:
> https://github.com/apache/flink/releases/tag/release-1.12.6-rc1
> > > > 1.13:
> https://github.com/apache/flink/releases/tag/release-1.13.4-rc1
> > > > 1.14:
> https://github.com/apache/flink/releases/tag/release-1.14.1-rc1
> > > > [6] https://github.com/apache/flink-web/pull/489
> > > >
> > >
> >
>

Re: [VOTE] Release 1.11.5/1.12.6/1.13.4/1.14.1, release candidate #1

Posted by Yun Tang <my...@live.com>.
Hi Chesnay,

Thanks a lot for driving these emergency patch releases!

I just noticed that current flink-1.11.4 offers python files on mac os [1]. Is it okay to release Flink-1.11.5 and flink-1.12.6 without those python binaries on mac os?


[1] https://pypi.org/project/apache-flink/1.11.4/#files

Best
Yun Tang
________________________________
From: Zhu Zhu <re...@gmail.com>
Sent: Tuesday, December 14, 2021 11:00
To: dev <de...@flink.apache.org>
Subject: Re: [VOTE] Release 1.11.5/1.12.6/1.13.4/1.14.1, release candidate #1

+1 (binding)

- verified the differences of source releases to the corresponding latest
releases, there are only dependency updates and release version update
commits
- verified versions of log4j dependencies in all the binary releases are
2.15.0
- ran example jobs against all the binary releases, logs look good
- release notes and blogpost look good

Thanks,
Zhu

Xintong Song <to...@gmail.com> wrote on Tue, Dec 14, 2021 at 10:23:

> +1 (binding)
>
> - verified checksum and signature
> - verified that release candidates only contain the log4j dependency
> changes compared to previous releases.
> - release notes and blogpost LGTM
>
> Thanks a lot for driving these emergency patch releases, Chesnay!
>
> Thank you~
>
> Xintong Song
>
>
>
> On Tue, Dec 14, 2021 at 7:45 AM Chesnay Schepler <ch...@apache.org>
> wrote:
>
> > I forgot to mention something important:
> >
> > The 1.11/1.12 releases do *NOT* contain flink-python releases for *mac*
> > due to compile problems.
> >
> > On 13/12/2021 20:28, Chesnay Schepler wrote:
> > > Hi everyone,
> > >
> > > This vote is for the emergency patch releases for 1.11, 1.12, 1.13 and
> > > 1.14 to address CVE-2021-44228.
> > > It covers all 4 releases as they contain the same changes (upgrading
> > > Log4j to 2.15.0) and were prepared simultaneously by the same person.
> > > (Hence, if something is broken, it likely applies to all releases)
> > >
> > > Please review and vote on the release candidate #1 for the versions
> > > 1.11.5, 1.12.6, 1.13.4 and 1.14.1, as follows:
> > > [ ] +1, Approve the releases
> > > [ ] -1, Do not approve the releases (please provide specific comments)
> > >
> > > The complete staging area is available for your review, which includes:
> > > * JIRA release notes [1],
> > > * the official Apache source releases and binary convenience releases
> > > to be deployed to dist.apache.org [2], which are signed with the key
> > > with fingerprint C2EED7B111D464BA [3],
> > > * all artifacts to be deployed to the Maven Central Repository [4],
> > >     * *the jars for 1.13/1.14 are still being built*
> > > * source code tags [5],
> > > * website pull request listing the new releases and adding
> > > announcement blog post [6].
> > >
> > > The vote will be open for at least 24 hours. The minimum vote time has
> > > been shortened as the changes are minimal and the matter is urgent.
> > > It is adopted by majority approval, with at least 3 PMC affirmative
> > > votes.
> > >
> > > Thanks,
> > > Chesnay
> > >
> > > [1]
> > > 1.11:
> > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350327
> > > 1.12:
> > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350328
> > > 1.13:
> > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350686
> > > 1.14:
> > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350512
> > > [2]
> > > 1.11: https://dist.apache.org/repos/dist/dev/flink/flink-1.11.5-rc1/
> > > 1.12: https://dist.apache.org/repos/dist/dev/flink/flink-1.12.6-rc1/
> > > 1.13: https://dist.apache.org/repos/dist/dev/flink/flink-1.13.4-rc1/
> > > 1.14: https://dist.apache.org/repos/dist/dev/flink/flink-1.14.1-rc1/
> > > [3] https://dist.apache.org/repos/dist/release/flink/KEYS
> > > [4]
> > > 1.11/1.12:
> > > https://repository.apache.org/content/repositories/orgapacheflink-1455
> > > 1.13:
> > > https://repository.apache.org/content/repositories/orgapacheflink-1457
> > > 1.14:
> > > https://repository.apache.org/content/repositories/orgapacheflink-1456
> > > [5]
> > > 1.11: https://github.com/apache/flink/releases/tag/release-1.11.5-rc1
> > > 1.12: https://github.com/apache/flink/releases/tag/release-1.12.6-rc1
> > > 1.13: https://github.com/apache/flink/releases/tag/release-1.13.4-rc1
> > > 1.14: https://github.com/apache/flink/releases/tag/release-1.14.1-rc1
> > > [6] https://github.com/apache/flink-web/pull/489
> > >
> >
>

Re: [VOTE] Release 1.11.5/1.12.6/1.13.4/1.14.1, release candidate #1

Posted by Zhu Zhu <re...@gmail.com>.
+1 (binding)

- verified the differences of source releases to the corresponding latest
releases, there are only dependency updates and release version update
commits
- verified versions of log4j dependencies in all the binary releases are
2.15.0
- ran example jobs against all the binary releases, logs look good
- release notes and blogpost look good

Thanks,
Zhu

Xintong Song <to...@gmail.com> wrote on Tue, Dec 14, 2021 at 10:23:

> +1 (binding)
>
> - verified checksum and signature
> - verified that release candidates only contain the log4j dependency
> changes compared to previous releases.
> - release notes and blogpost LGTM
>
> Thanks a lot for driving these emergency patch releases, Chesnay!
>
> Thank you~
>
> Xintong Song
>
>
>
> On Tue, Dec 14, 2021 at 7:45 AM Chesnay Schepler <ch...@apache.org>
> wrote:
>
> > I forgot to mention something important:
> >
> > The 1.11/1.12 releases do *NOT* contain flink-python releases for *mac*
> > due to compile problems.
> >
> > On 13/12/2021 20:28, Chesnay Schepler wrote:
> > > Hi everyone,
> > >
> > > This vote is for the emergency patch releases for 1.11, 1.12, 1.13 and
> > > 1.14 to address CVE-2021-44228.
> > > It covers all 4 releases as they contain the same changes (upgrading
> > > Log4j to 2.15.0) and were prepared simultaneously by the same person.
> > > (Hence, if something is broken, it likely applies to all releases)
> > >
> > > Please review and vote on the release candidate #1 for the versions
> > > 1.11.5, 1.12.6, 1.13.4 and 1.14.1, as follows:
> > > [ ] +1, Approve the releases
> > > [ ] -1, Do not approve the releases (please provide specific comments)
> > >
> > > The complete staging area is available for your review, which includes:
> > > * JIRA release notes [1],
> > > * the official Apache source releases and binary convenience releases
> > > to be deployed to dist.apache.org [2], which are signed with the key
> > > with fingerprint C2EED7B111D464BA [3],
> > > * all artifacts to be deployed to the Maven Central Repository [4],
> > >     * *the jars for 1.13/1.14 are still being built*
> > > * source code tags [5],
> > > * website pull request listing the new releases and adding
> > > announcement blog post [6].
> > >
> > > The vote will be open for at least 24 hours. The minimum vote time has
> > > been shortened as the changes are minimal and the matter is urgent.
> > > It is adopted by majority approval, with at least 3 PMC affirmative
> > > votes.
> > >
> > > Thanks,
> > > Chesnay
> > >
> > > [1]
> > > 1.11:
> > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350327
> > > 1.12:
> > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350328
> > > 1.13:
> > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350686
> > > 1.14:
> > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350512
> > > [2]
> > > 1.11: https://dist.apache.org/repos/dist/dev/flink/flink-1.11.5-rc1/
> > > 1.12: https://dist.apache.org/repos/dist/dev/flink/flink-1.12.6-rc1/
> > > 1.13: https://dist.apache.org/repos/dist/dev/flink/flink-1.13.4-rc1/
> > > 1.14: https://dist.apache.org/repos/dist/dev/flink/flink-1.14.1-rc1/
> > > [3] https://dist.apache.org/repos/dist/release/flink/KEYS
> > > [4]
> > > 1.11/1.12:
> > > https://repository.apache.org/content/repositories/orgapacheflink-1455
> > > 1.13:
> > > https://repository.apache.org/content/repositories/orgapacheflink-1457
> > > 1.14:
> > > https://repository.apache.org/content/repositories/orgapacheflink-1456
> > > [5]
> > > 1.11: https://github.com/apache/flink/releases/tag/release-1.11.5-rc1
> > > 1.12: https://github.com/apache/flink/releases/tag/release-1.12.6-rc1
> > > 1.13: https://github.com/apache/flink/releases/tag/release-1.13.4-rc1
> > > 1.14: https://github.com/apache/flink/releases/tag/release-1.14.1-rc1
> > > [6] https://github.com/apache/flink-web/pull/489
> > >
> >
>

Re: [VOTE] Release 1.11.5/1.12.6/1.13.4/1.14.1, release candidate #1

Posted by Xintong Song <to...@gmail.com>.
+1 (binding)

- verified checksum and signature
- verified that release candidates only contain the log4j dependency
changes compared to previous releases.
- release notes and blogpost LGTM

Thanks a lot for driving these emergency patch releases, Chesnay!

Thank you~

Xintong Song



On Tue, Dec 14, 2021 at 7:45 AM Chesnay Schepler <ch...@apache.org> wrote:

> I forgot to mention something important:
>
> The 1.11/1.12 releases do *NOT* contain flink-python releases for *mac*
> due to compile problems.
>
> On 13/12/2021 20:28, Chesnay Schepler wrote:
> > Hi everyone,
> >
> > This vote is for the emergency patch releases for 1.11, 1.12, 1.13 and
> > 1.14 to address CVE-2021-44228.
> > It covers all 4 releases as they contain the same changes (upgrading
> > Log4j to 2.15.0) and were prepared simultaneously by the same person.
> > (Hence, if something is broken, it likely applies to all releases)
> >
> > Please review and vote on the release candidate #1 for the versions
> > 1.11.5, 1.12.6, 1.13.4 and 1.14.1, as follows:
> > [ ] +1, Approve the releases
> > [ ] -1, Do not approve the releases (please provide specific comments)
> >
> > The complete staging area is available for your review, which includes:
> > * JIRA release notes [1],
> > * the official Apache source releases and binary convenience releases
> > to be deployed to dist.apache.org [2], which are signed with the key
> > with fingerprint C2EED7B111D464BA [3],
> > * all artifacts to be deployed to the Maven Central Repository [4],
> >     * *the jars for 1.13/1.14 are still being built*
> > * source code tags [5],
> > * website pull request listing the new releases and adding
> > announcement blog post [6].
> >
> > The vote will be open for at least 24 hours. The minimum vote time has
> > been shortened as the changes are minimal and the matter is urgent.
> > It is adopted by majority approval, with at least 3 PMC affirmative
> > votes.
> >
> > Thanks,
> > Chesnay
> >
> > [1]
> > 1.11:
> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350327
> > 1.12:
> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350328
> > 1.13:
> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350686
> > 1.14:
> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350512
> > [2]
> > 1.11: https://dist.apache.org/repos/dist/dev/flink/flink-1.11.5-rc1/
> > 1.12: https://dist.apache.org/repos/dist/dev/flink/flink-1.12.6-rc1/
> > 1.13: https://dist.apache.org/repos/dist/dev/flink/flink-1.13.4-rc1/
> > 1.14: https://dist.apache.org/repos/dist/dev/flink/flink-1.14.1-rc1/
> > [3] https://dist.apache.org/repos/dist/release/flink/KEYS
> > [4]
> > 1.11/1.12:
> > https://repository.apache.org/content/repositories/orgapacheflink-1455
> > 1.13:
> > https://repository.apache.org/content/repositories/orgapacheflink-1457
> > 1.14:
> > https://repository.apache.org/content/repositories/orgapacheflink-1456
> > [5]
> > 1.11: https://github.com/apache/flink/releases/tag/release-1.11.5-rc1
> > 1.12: https://github.com/apache/flink/releases/tag/release-1.12.6-rc1
> > 1.13: https://github.com/apache/flink/releases/tag/release-1.13.4-rc1
> > 1.14: https://github.com/apache/flink/releases/tag/release-1.14.1-rc1
> > [6] https://github.com/apache/flink-web/pull/489
> >
>

Re: [VOTE] Release 1.11.5/1.12.6/1.13.4/1.14.1, release candidate #1

Posted by Chesnay Schepler <ch...@apache.org>.
I forgot to mention something important:

The 1.11/1.12 releases do *NOT* contain flink-python releases for *mac* 
due to compile problems.

On 13/12/2021 20:28, Chesnay Schepler wrote:
> Hi everyone,
>
> This vote is for the emergency patch releases for 1.11, 1.12, 1.13 and 
> 1.14 to address CVE-2021-44228.
> It covers all 4 releases as they contain the same changes (upgrading 
> Log4j to 2.15.0) and were prepared simultaneously by the same person.
> (Hence, if something is broken, it likely applies to all releases)
>
> Please review and vote on the release candidate #1 for the versions 
> 1.11.5, 1.12.6, 1.13.4 and 1.14.1, as follows:
> [ ] +1, Approve the releases
> [ ] -1, Do not approve the releases (please provide specific comments)
>
> The complete staging area is available for your review, which includes:
> * JIRA release notes [1],
> * the official Apache source releases and binary convenience releases 
> to be deployed to dist.apache.org [2], which are signed with the key 
> with fingerprint C2EED7B111D464BA [3],
> * all artifacts to be deployed to the Maven Central Repository [4],
>     * *the jars for 1.13/1.14 are still being built*
> * source code tags [5],
> * website pull request listing the new releases and adding 
> announcement blog post [6].
>
> The vote will be open for at least 24 hours. The minimum vote time has 
> been shortened as the changes are minimal and the matter is urgent.
> It is adopted by majority approval, with at least 3 PMC affirmative 
> votes.
>
> Thanks,
> Chesnay
>
> [1]
> 1.11: 
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350327
> 1.12: 
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350328
> 1.13: 
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350686
> 1.14: 
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350512
> [2]
> 1.11: https://dist.apache.org/repos/dist/dev/flink/flink-1.11.5-rc1/
> 1.12: https://dist.apache.org/repos/dist/dev/flink/flink-1.12.6-rc1/
> 1.13: https://dist.apache.org/repos/dist/dev/flink/flink-1.13.4-rc1/
> 1.14: https://dist.apache.org/repos/dist/dev/flink/flink-1.14.1-rc1/
> [3] https://dist.apache.org/repos/dist/release/flink/KEYS
> [4]
> 1.11/1.12: 
> https://repository.apache.org/content/repositories/orgapacheflink-1455
> 1.13: 
> https://repository.apache.org/content/repositories/orgapacheflink-1457
> 1.14: 
> https://repository.apache.org/content/repositories/orgapacheflink-1456
> [5]
> 1.11: https://github.com/apache/flink/releases/tag/release-1.11.5-rc1
> 1.12: https://github.com/apache/flink/releases/tag/release-1.12.6-rc1
> 1.13: https://github.com/apache/flink/releases/tag/release-1.13.4-rc1
> 1.14: https://github.com/apache/flink/releases/tag/release-1.14.1-rc1
> [6] https://github.com/apache/flink-web/pull/489
>

Re: [VOTE] Release 1.11.5/1.12.6/1.13.4/1.14.1, release candidate #1

Posted by Chesnay Schepler <ch...@apache.org>.
Update: All jars are now available.

On 13/12/2021 20:28, Chesnay Schepler wrote:
> Hi everyone,
>
> This vote is for the emergency patch releases for 1.11, 1.12, 1.13 and 
> 1.14 to address CVE-2021-44228.
> It covers all 4 releases as they contain the same changes (upgrading 
> Log4j to 2.15.0) and were prepared simultaneously by the same person.
> (Hence, if something is broken, it likely applies to all releases)
>
> Please review and vote on the release candidate #1 for the versions 
> 1.11.5, 1.12.6, 1.13.4 and 1.14.1, as follows:
> [ ] +1, Approve the releases
> [ ] -1, Do not approve the releases (please provide specific comments)
>
> The complete staging area is available for your review, which includes:
> * JIRA release notes [1],
> * the official Apache source releases and binary convenience releases 
> to be deployed to dist.apache.org [2], which are signed with the key 
> with fingerprint C2EED7B111D464BA [3],
> * all artifacts to be deployed to the Maven Central Repository [4],
>     * *the jars for 1.13/1.14 are still being built*
> * source code tags [5],
> * website pull request listing the new releases and adding 
> announcement blog post [6].
>
> The vote will be open for at least 24 hours. The minimum vote time has 
> been shortened as the changes are minimal and the matter is urgent.
> It is adopted by majority approval, with at least 3 PMC affirmative 
> votes.
>
> Thanks,
> Chesnay
>
> [1]
> 1.11: 
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350327
> 1.12: 
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350328
> 1.13: 
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350686
> 1.14: 
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350512
> [2]
> 1.11: https://dist.apache.org/repos/dist/dev/flink/flink-1.11.5-rc1/
> 1.12: https://dist.apache.org/repos/dist/dev/flink/flink-1.12.6-rc1/
> 1.13: https://dist.apache.org/repos/dist/dev/flink/flink-1.13.4-rc1/
> 1.14: https://dist.apache.org/repos/dist/dev/flink/flink-1.14.1-rc1/
> [3] https://dist.apache.org/repos/dist/release/flink/KEYS
> [4]
> 1.11/1.12: 
> https://repository.apache.org/content/repositories/orgapacheflink-1455
> 1.13: 
> https://repository.apache.org/content/repositories/orgapacheflink-1457
> 1.14: 
> https://repository.apache.org/content/repositories/orgapacheflink-1456
> [5]
> 1.11: https://github.com/apache/flink/releases/tag/release-1.11.5-rc1
> 1.12: https://github.com/apache/flink/releases/tag/release-1.12.6-rc1
> 1.13: https://github.com/apache/flink/releases/tag/release-1.13.4-rc1
> 1.14: https://github.com/apache/flink/releases/tag/release-1.14.1-rc1
> [6] https://github.com/apache/flink-web/pull/489
>


Re: [VOTE] Release 1.11.5/1.12.6/1.13.4/1.14.1, release candidate #1

Posted by Stephan Ewen <ew...@gmail.com>.
+1 (binding)

 - Verified that commit history is identical to previous release (except
dependency upgrade and release version commit)
 - Verified that the source releases reference updated dependency and
binary releases contain updated dependency
 - Blog post looks good
 - ran bundled examples against 1.14.1 binary release, worked as expected.

On Mon, Dec 13, 2021 at 9:22 PM Seth Wiesman <sj...@gmail.com> wrote:

> +1 (non-binding)
>
> - Checked Log4J version and updated license preambles on all releases
> - Verified signatures on sources
> - Reviewed blog post
>
> Seth
>
> On Mon, Dec 13, 2021 at 1:42 PM Jing Ge <ji...@ververica.com> wrote:
>
> > +1   LGTM. Many thanks for your effort!
> >
> > On Mon, Dec 13, 2021 at 8:28 PM Chesnay Schepler <ch...@apache.org>
> > wrote:
> >
> > > Hi everyone,
> > >
> > > This vote is for the emergency patch releases for 1.11, 1.12, 1.13 and
> > > 1.14 to address CVE-2021-44228.
> > > It covers all 4 releases as they contain the same changes (upgrading
> > > Log4j to 2.15.0) and were prepared simultaneously by the same person.
> > > (Hence, if something is broken, it likely applies to all releases)
> > >
> > > Please review and vote on the release candidate #1 for the versions
> > > 1.11.5, 1.12.6, 1.13.4 and 1.14.1, as follows:
> > > [ ] +1, Approve the releases
> > > [ ] -1, Do not approve the releases (please provide specific comments)
> > >
> > > The complete staging area is available for your review, which includes:
> > > * JIRA release notes [1],
> > > > * the official Apache source releases and binary convenience releases to
> > > > be deployed to dist.apache.org [2], which are signed with the key with
> > > > fingerprint C2EED7B111D464BA [3],
> > > * all artifacts to be deployed to the Maven Central Repository [4],
> > >      * *the jars for 1.13/1.14 are still being built*
> > > * source code tags [5],
> > > * website pull request listing the new releases and adding announcement
> > > blog post [6].
> > >
> > > The vote will be open for at least 24 hours. The minimum vote time has
> > > been shortened as the changes are minimal and the matter is urgent.
> > > > It is adopted by majority approval, with at least 3 PMC affirmative votes.
> > >
> > > Thanks,
> > > Chesnay
> > >
> > > [1]
> > > 1.11:
> > >
> > >
> >
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350327
> > > 1.12:
> > >
> > >
> >
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350328
> > > 1.13:
> > >
> > >
> >
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350686
> > > 1.14:
> > >
> > >
> >
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350512
> > > [2]
> > > 1.11: https://dist.apache.org/repos/dist/dev/flink/flink-1.11.5-rc1/
> > > 1.12: https://dist.apache.org/repos/dist/dev/flink/flink-1.12.6-rc1/
> > > 1.13: https://dist.apache.org/repos/dist/dev/flink/flink-1.13.4-rc1/
> > > 1.14: https://dist.apache.org/repos/dist/dev/flink/flink-1.14.1-rc1/
> > > [3] https://dist.apache.org/repos/dist/release/flink/KEYS
> > > [4]
> > > 1.11/1.12:
> > > https://repository.apache.org/content/repositories/orgapacheflink-1455
> > > 1.13:
> > > https://repository.apache.org/content/repositories/orgapacheflink-1457
> > > 1.14:
> > > https://repository.apache.org/content/repositories/orgapacheflink-1456
> > > [5]
> > > 1.11: https://github.com/apache/flink/releases/tag/release-1.11.5-rc1
> > > 1.12: https://github.com/apache/flink/releases/tag/release-1.12.6-rc1
> > > 1.13: https://github.com/apache/flink/releases/tag/release-1.13.4-rc1
> > > 1.14: https://github.com/apache/flink/releases/tag/release-1.14.1-rc1
> > > [6] https://github.com/apache/flink-web/pull/489
> > >
> >
>

Re: [VOTE] Release 1.11.5/1.12.6/1.13.4/1.14.1, release candidate #1

Posted by Seth Wiesman <sj...@gmail.com>.
+1 (non-binding)

- Checked Log4J version and updated license preambles on all releases
- Verified signatures on sources
- Reviewed blog post

Seth

On Mon, Dec 13, 2021 at 1:42 PM Jing Ge <ji...@ververica.com> wrote:

> +1   LGTM. Many thanks for your effort!
>
> On Mon, Dec 13, 2021 at 8:28 PM Chesnay Schepler <ch...@apache.org>
> wrote:
>
> > Hi everyone,
> >
> > This vote is for the emergency patch releases for 1.11, 1.12, 1.13 and
> > 1.14 to address CVE-2021-44228.
> > It covers all 4 releases as they contain the same changes (upgrading
> > Log4j to 2.15.0) and were prepared simultaneously by the same person.
> > (Hence, if something is broken, it likely applies to all releases)
> >
> > Please review and vote on the release candidate #1 for the versions
> > 1.11.5, 1.12.6, 1.13.4 and 1.14.1, as follows:
> > [ ] +1, Approve the releases
> > [ ] -1, Do not approve the releases (please provide specific comments)
> >
> > The complete staging area is available for your review, which includes:
> > * JIRA release notes [1],
> > * the official Apache source releases and binary convenience releases to
> > be deployed to dist.apache.org [2], which are signed with the key with
> > fingerprint C2EED7B111D464BA [3],
> > * all artifacts to be deployed to the Maven Central Repository [4],
> >      * *the jars for 1.13/1.14 are still being built*
> > * source code tags [5],
> > * website pull request listing the new releases and adding announcement
> > blog post [6].
> >
> > The vote will be open for at least 24 hours. The minimum vote time has
> > been shortened as the changes are minimal and the matter is urgent.
> > It is adopted by majority approval, with at least 3 PMC affirmative votes.
> >
> > Thanks,
> > Chesnay
> >
> > [1]
> > 1.11:
> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350327
> > 1.12:
> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350328
> > 1.13:
> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350686
> > 1.14:
> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350512
> > [2]
> > 1.11: https://dist.apache.org/repos/dist/dev/flink/flink-1.11.5-rc1/
> > 1.12: https://dist.apache.org/repos/dist/dev/flink/flink-1.12.6-rc1/
> > 1.13: https://dist.apache.org/repos/dist/dev/flink/flink-1.13.4-rc1/
> > 1.14: https://dist.apache.org/repos/dist/dev/flink/flink-1.14.1-rc1/
> > [3] https://dist.apache.org/repos/dist/release/flink/KEYS
> > [4]
> > 1.11/1.12:
> > https://repository.apache.org/content/repositories/orgapacheflink-1455
> > 1.13:
> > https://repository.apache.org/content/repositories/orgapacheflink-1457
> > 1.14:
> > https://repository.apache.org/content/repositories/orgapacheflink-1456
> > [5]
> > 1.11: https://github.com/apache/flink/releases/tag/release-1.11.5-rc1
> > 1.12: https://github.com/apache/flink/releases/tag/release-1.12.6-rc1
> > 1.13: https://github.com/apache/flink/releases/tag/release-1.13.4-rc1
> > 1.14: https://github.com/apache/flink/releases/tag/release-1.14.1-rc1
> > [6] https://github.com/apache/flink-web/pull/489
> >
>

Re: [VOTE] Release 1.11.5/1.12.6/1.13.4/1.14.1, release candidate #1

Posted by Jing Ge <ji...@ververica.com>.
+1   LGTM. Many thanks for your effort!

On Mon, Dec 13, 2021 at 8:28 PM Chesnay Schepler <ch...@apache.org> wrote:

> Hi everyone,
>
> This vote is for the emergency patch releases for 1.11, 1.12, 1.13 and
> 1.14 to address CVE-2021-44228.
> It covers all 4 releases as they contain the same changes (upgrading
> Log4j to 2.15.0) and were prepared simultaneously by the same person.
> (Hence, if something is broken, it likely applies to all releases)
>
> Please review and vote on the release candidate #1 for the versions
> 1.11.5, 1.12.6, 1.13.4 and 1.14.1, as follows:
> [ ] +1, Approve the releases
> [ ] -1, Do not approve the releases (please provide specific comments)
>
> The complete staging area is available for your review, which includes:
> * JIRA release notes [1],
> * the official Apache source releases and binary convenience releases to
> be deployed to dist.apache.org [2], which are signed with the key with
> fingerprint C2EED7B111D464BA [3],
> * all artifacts to be deployed to the Maven Central Repository [4],
>      * *the jars for 1.13/1.14 are still being built*
> * source code tags [5],
> * website pull request listing the new releases and adding announcement
> blog post [6].
>
> The vote will be open for at least 24 hours. The minimum vote time has
> been shortened as the changes are minimal and the matter is urgent.
> It is adopted by majority approval, with at least 3 PMC affirmative votes.
>
> Thanks,
> Chesnay
>
> [1]
> 1.11:
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350327
> 1.12:
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350328
> 1.13:
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350686
> 1.14:
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350512
> [2]
> 1.11: https://dist.apache.org/repos/dist/dev/flink/flink-1.11.5-rc1/
> 1.12: https://dist.apache.org/repos/dist/dev/flink/flink-1.12.6-rc1/
> 1.13: https://dist.apache.org/repos/dist/dev/flink/flink-1.13.4-rc1/
> 1.14: https://dist.apache.org/repos/dist/dev/flink/flink-1.14.1-rc1/
> [3] https://dist.apache.org/repos/dist/release/flink/KEYS
> [4]
> 1.11/1.12:
> https://repository.apache.org/content/repositories/orgapacheflink-1455
> 1.13:
> https://repository.apache.org/content/repositories/orgapacheflink-1457
> 1.14:
> https://repository.apache.org/content/repositories/orgapacheflink-1456
> [5]
> 1.11: https://github.com/apache/flink/releases/tag/release-1.11.5-rc1
> 1.12: https://github.com/apache/flink/releases/tag/release-1.12.6-rc1
> 1.13: https://github.com/apache/flink/releases/tag/release-1.13.4-rc1
> 1.14: https://github.com/apache/flink/releases/tag/release-1.14.1-rc1
> [6] https://github.com/apache/flink-web/pull/489
>

Re: [CANCELLED] Release 1.11.5/1.12.6/1.13.4/1.14.1, release candidate #1

Posted by Stephan Ewen <ew...@gmail.com>.
That's right, they are referenced in POMs published with the jars, though.
But that's minor.



On Wed, Dec 15, 2021 at 12:28 PM Chesnay Schepler <ch...@apache.org>
wrote:

> AFAIK none of the jars we publish actually contains log4j.
> It's only bundled by the distribution/python binaries/docker images.
>
> Hence I don't think the jars help in this case.
>
> On 15/12/2021 10:42, Stephan Ewen wrote:
> > Given that these artifacts are published already, users can use them if
> > they want to update now:
> >
> > For example:
> > https://search.maven.org/artifact/org.apache.flink/flink-core/1.14.1/jar
> >
> > Just for the users that really want to update now (rather than rely on the
> > mitigation via config) and are not as much concerned about the remaining
> > weakness in log4j 2.15.0
> >
> > On Tue, Dec 14, 2021 at 11:18 PM Seth Wiesman <sj...@gmail.com> wrote:
> >
> >> Thank you for managing these updates Chesnay!
> >>
> >>
> >>
> >> On Tue, Dec 14, 2021 at 3:51 PM Chesnay Schepler <ch...@apache.org>
> >> wrote:
> >>
> >>> Since the maven artifacts have already been published we will use the
> >>> next patch version for each release, i.e.:
> >>> 1.11.6
> >>> 1.12.7
> >>> 1.13.5
> >>> 1.14.2
> >>>
> >>> (We could technically just update the source/binaries, but that seems
> >>> fishy).
> >>>
> >>> On 14/12/2021 22:38, Chesnay Schepler wrote:
> >>>> I'm canceling the release because the issue was not fully fixed in
> >>>> Log4j 2.15.0; see CVE-2021-45046.
> >>>>
> >>>> I will start preparing new release candidates that use Log4j 2.16.0 .
> >>>>
> >>>> On 14/12/2021 21:28, Chesnay Schepler wrote:
> >>>>> The vote duration has passed and we have approved the releases.
> >>>>>
> >>>>> Binding votes:
> >>>>> * Stephan
> >>>>> * Till
> >>>>> * Xintong
> >>>>> * Zhu
> >>>>> * Gordon
> >>>>>
> >>>>> I will not finalize the release.
> >>>>>
> >>>>> On 13/12/2021 20:28, Chesnay Schepler wrote:
> >>>>>> Hi everyone,
> >>>>>>
> >>>>>> This vote is for the emergency patch releases for 1.11, 1.12, 1.13
> >>>>>> and 1.14 to address CVE-2021-44228.
> >>>>>> It covers all 4 releases as they contain the same changes (upgrading
> >>>>>> Log4j to 2.15.0) and were prepared simultaneously by the same person.
> >>>>>> (Hence, if something is broken, it likely applies to all releases)
> >>>>>>
> >>>>>> Please review and vote on the release candidate #1 for the versions
> >>>>>> 1.11.5, 1.12.6, 1.13.4 and 1.14.1, as follows:
> >>>>>> [ ] +1, Approve the releases
> >>>>>> [ ] -1, Do not approve the releases (please provide specific
> >>>>>> comments)
> >>>>>> The complete staging area is available for your review, which
> >>>>>> includes:
> >>>>>> * JIRA release notes [1],
> >>>>>> * the official Apache source releases and binary convenience
> >>>>>> releases to be deployed to dist.apache.org [2], which are signed
> >>>>>> with the key with fingerprint C2EED7B111D464BA [3],
> >>>>>> * all artifacts to be deployed to the Maven Central Repository [4],
> >>>>>>      * *the jars for 1.13/1.14 are still being built*
> >>>>>> * source code tags [5],
> >>>>>> * website pull request listing the new releases and adding
> >>>>>> announcement blog post [6].
> >>>>>>
> >>>>>> The vote will be open for at least 24 hours. The minimum vote time
> >>>>>> has been shortened as the changes are minimal and the matter is urgent.
> >>>>>> It is adopted by majority approval, with at least 3 PMC affirmative
> >>>>>> votes.
> >>>>>>
> >>>>>> Thanks,
> >>>>>> Chesnay
> >>>>>>
> >>>>>> [1]
> >>>>>> 1.11:
> >>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350327
> >>>>>> 1.12:
> >>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350328
> >>>>>> 1.13:
> >>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350686
> >>>>>> 1.14:
> >>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350512
> >>>>>> [2]
> >>>>>> 1.11: https://dist.apache.org/repos/dist/dev/flink/flink-1.11.5-rc1/
> >>>>>> 1.12: https://dist.apache.org/repos/dist/dev/flink/flink-1.12.6-rc1/
> >>>>>> 1.13: https://dist.apache.org/repos/dist/dev/flink/flink-1.13.4-rc1/
> >>>>>> 1.14: https://dist.apache.org/repos/dist/dev/flink/flink-1.14.1-rc1/
> >>>>>> [3] https://dist.apache.org/repos/dist/release/flink/KEYS
> >>>>>> [4]
> >>>>>> 1.11/1.12:
> >>>>>> https://repository.apache.org/content/repositories/orgapacheflink-1455
> >>>>>> 1.13:
> >>>>>> https://repository.apache.org/content/repositories/orgapacheflink-1457
> >>>>>> 1.14:
> >>>>>> https://repository.apache.org/content/repositories/orgapacheflink-1456
> >>>>>> [5]
> >>>>>> 1.11: https://github.com/apache/flink/releases/tag/release-1.11.5-rc1
> >>>>>> 1.12: https://github.com/apache/flink/releases/tag/release-1.12.6-rc1
> >>>>>> 1.13: https://github.com/apache/flink/releases/tag/release-1.13.4-rc1
> >>>>>> 1.14: https://github.com/apache/flink/releases/tag/release-1.14.1-rc1
> >>>>>>
> >>>
>
>

Re: [CANCELLED] Release 1.11.5/1.12.6/1.13.4/1.14.1, release candidate #1

Posted by Chesnay Schepler <ch...@apache.org>.
AFAIK none of the jars we publish actually contains log4j.
It's only bundled by the distribution/python binaries/docker images.

Hence I don't think the jars help in this case.

On 15/12/2021 10:42, Stephan Ewen wrote:
> Given that these artifacts are published already, users can use them if
> they want to update now:
>
> For example:
> https://search.maven.org/artifact/org.apache.flink/flink-core/1.14.1/jar
>
> Just for the users that really want to update now (rather than rely on the
> mitigation via config) and are not as much concerned about the remaining
> weakness in log4j 2.15.0.
>
> On Tue, Dec 14, 2021 at 11:18 PM Seth Wiesman <sj...@gmail.com> wrote:
>
>> Thank you for managing these updates, Chesnay!
>>
>>
>>
>> On Tue, Dec 14, 2021 at 3:51 PM Chesnay Schepler <ch...@apache.org>
>> wrote:
>>
>>> Since the maven artifacts have already been published we will use the
>>> next patch version for each release, i.e.:
>>> 1.11.6
>>> 1.12.7
>>> 1.13.5
>>> 1.14.2
>>>
>>> (We could technically just update the source/binaries, but that seems
>>> fishy).
>>>
>>> On 14/12/2021 22:38, Chesnay Schepler wrote:
>>>> I'm canceling the release because the issue was not fully fixed in
>>>> Log4j 2.15.0; see CVE-2021-45046.
>>>>
>>>> I will start preparing new release candidates that use Log4j 2.16.0.
>>>>
>>>> On 14/12/2021 21:28, Chesnay Schepler wrote:
>>>>> The vote duration has passed and we have approved the releases.
>>>>>
>>>>> Binding votes:
>>>>> * Stephan
>>>>> * Till
>>>>> * Xintong
>>>>> * Zhu
>>>>> * Gordon
>>>>>
>>>>> I will not finalize the release.
>>>>>
>>>
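
Added example (not part of the message above or of Flink's release tooling): one way to check, for a given artifact, whether it bundles log4j-core and at which version, by looking for log4j-core's Maven metadata in a jar, wheel or tarball, nested archives included. The sample archives, their file names and the helper names are constructed for illustration; the 2.16.0 threshold is the version the thread moves to.

```python
import io
import re
import tarfile
import zipfile

# Maven records the artifact version in this file inside every jar it builds.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# From the thread: 2.15.0 left CVE-2021-45046 open; the new candidates use 2.16.0.
MIN_VERSION = (2, 16, 0)
ARCHIVE_SUFFIXES = (".jar", ".zip", ".whl", ".tgz", ".tar.gz", ".tar")


def members(data):
    """Return [(name, bytes)] for the regular files of a zip or tar archive."""
    buf = io.BytesIO(data)
    try:
        with zipfile.ZipFile(buf) as zf:
            return [(i.filename, zf.read(i)) for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        buf.seek(0)
    try:
        with tarfile.open(fileobj=buf, mode="r:*") as tf:
            return [(m.name, tf.extractfile(m).read()) for m in tf if m.isfile()]
    except (tarfile.TarError, EOFError):
        return []  # not an archive this scanner understands


def find_log4j_core(data, label, max_depth=4):
    """List (location, version) for each log4j-core jar, nested archives included."""
    hits = []
    for name, blob in members(data):
        if name == POM_PROPS:
            match = re.search(rb"^version=(\S+)", blob, re.M)
            hits.append((label, match.group(1).decode() if match else "unknown"))
        elif name.lower().endswith(ARCHIVE_SUFFIXES) and max_depth > 0:
            # max_depth bounds recursion so a crafted archive cannot nest forever.
            hits += find_log4j_core(blob, f"{label}!/{name}", max_depth - 1)
    return hits


def needs_upgrade(version):
    """True when the version is below 2.16.0 or cannot be parsed."""
    parts = tuple(int(n) for n in re.findall(r"\d+", version)[:3])
    if not parts:
        return True
    return parts + (0,) * (3 - len(parts)) < MIN_VERSION


def make_zip(entries):
    """Build an in-memory zip (jar) from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, blob in entries.items():
            zf.writestr(name, blob)
    return buf.getvalue()


def make_tgz(entries):
    """Build an in-memory .tgz from {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, blob in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(blob)
            tf.addfile(info, io.BytesIO(blob))
    return buf.getvalue()


# Constructed samples, not real Flink artifacts: a library jar without log4j
# and a distribution tarball that carries log4j-core in its lib directory.
LOG4J_JAR = make_zip({POM_PROPS: b"#Created by Apache Maven\nversion=2.15.0\n"})
LIBRARY_JAR = make_zip({"org/example/Job.class": b"\xca\xfe\xba\xbe"})
DISTRIBUTION = make_tgz({"flink/lib/log4j-core-2.15.0.jar": LOG4J_JAR,
                         "flink/lib/flink-dist.jar": LIBRARY_JAR})

if __name__ == "__main__":
    for location, version in find_log4j_core(DISTRIBUTION, "flink-dist.tgz"):
        print(location, version, "UPGRADE" if needs_upgrade(version) else "ok")
```

A shaded or repackaged copy may not carry pom.properties, so an empty result means no standard log4j-core jar was found, not that the classes are absent.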


Re: [CANCELLED] Release 1.11.5/1.12.6/1.13.4/1.14.1, release candidate #1

Posted by Stephan Ewen <ew...@gmail.com>.
Given that these artifacts are published already, users can use them if
they want to update now:

For example:
https://search.maven.org/artifact/org.apache.flink/flink-core/1.14.1/jar

Just for the users that really want to update now (rather than rely on the
mitigation via config) and are not as much concerned about the remaining
weakness in log4j 2.15.0.

On Tue, Dec 14, 2021 at 11:18 PM Seth Wiesman <sj...@gmail.com> wrote:

> Thank you for managing these updates, Chesnay!
>
>
>
> On Tue, Dec 14, 2021 at 3:51 PM Chesnay Schepler <ch...@apache.org>
> wrote:
>
> > Since the maven artifacts have already been published we will use the
> > next patch version for each release, i.e.:
> > 1.11.6
> > 1.12.7
> > 1.13.5
> > 1.14.2
> >
> > (We could technically just update the source/binaries, but that seems
> > fishy).
> >
> > On 14/12/2021 22:38, Chesnay Schepler wrote:
> > > I'm canceling the release because the issue was not fully fixed in
> > > Log4j 2.15.0; see CVE-2021-45046.
> > >
> > > I will start preparing new release candidates that use Log4j 2.16.0.
> > >
> > > On 14/12/2021 21:28, Chesnay Schepler wrote:
> > >> The vote duration has passed and we have approved the releases.
> > >>
> > >> Binding votes:
> > >> * Stephan
> > >> * Till
> > >> * Xintong
> > >> * Zhu
> > >> * Gordon
> > >>
> > >> I will not finalize the release.
> > >>

Re: [CANCELLED] Release 1.11.5/1.12.6/1.13.4/1.14.1, release candidate #1

Posted by Seth Wiesman <sj...@gmail.com>.
Thank you for managing these updates, Chesnay!



On Tue, Dec 14, 2021 at 3:51 PM Chesnay Schepler <ch...@apache.org> wrote:

> Since the maven artifacts have already been published we will use the
> next patch version for each release, i.e.:
> 1.11.6
> 1.12.7
> 1.13.5
> 1.14.2
>
> (We could technically just update the source/binaries, but that seems
> fishy).
>
> On 14/12/2021 22:38, Chesnay Schepler wrote:
> > I'm canceling the release because the issue was not fully fixed in
> > Log4j 2.15.0; see CVE-2021-45046.
> >
> > I will start preparing new release candidates that use Log4j 2.16.0.
> >
> > On 14/12/2021 21:28, Chesnay Schepler wrote:
> >> The vote duration has passed and we have approved the releases.
> >>
> >> Binding votes:
> >> * Stephan
> >> * Till
> >> * Xintong
> >> * Zhu
> >> * Gordon
> >>
> >> I will not finalize the release.
> >>

Re: [CANCELLED] Release 1.11.5/1.12.6/1.13.4/1.14.1, release candidate #1

Posted by Chesnay Schepler <ch...@apache.org>.
Since the maven artifacts have already been published we will use the 
next patch version for each release, i.e.:
1.11.6
1.12.7
1.13.5
1.14.2

(We could technically just update the source/binaries, but that seems 
fishy).

On 14/12/2021 22:38, Chesnay Schepler wrote:
> I'm canceling the release because the issue was not fully fixed in 
> Log4j 2.15.0; see CVE-2021-45046.
>
> I will start preparing new release candidates that use Log4j 2.16.0.
>
> On 14/12/2021 21:28, Chesnay Schepler wrote:
>> The vote duration has passed and we have approved the releases.
>>
>> Binding votes:
>> * Stephan
>> * Till
>> * Xintong
>> * Zhu
>> * Gordon
>>
>> I will not finalize the release.
>>


[CANCELLED] Release 1.11.5/1.12.6/1.13.4/1.14.1, release candidate #1

Posted by Chesnay Schepler <ch...@apache.org>.
I'm canceling the release because the issue was not fully fixed in Log4j 
2.15.0; see CVE-2021-45046.

I will start preparing new release candidates that use Log4j 2.16.0.

On 14/12/2021 21:28, Chesnay Schepler wrote:
> The vote duration has passed and we have approved the releases.
>
> Binding votes:
> * Stephan
> * Till
> * Xintong
> * Zhu
> * Gordon
>
> I will not finalize the release.
>


Re: [VOTE] Release 1.11.5/1.12.6/1.13.4/1.14.1, release candidate #1

Posted by Chesnay Schepler <ch...@apache.org>.
The vote duration has passed and we have approved the releases.

Binding votes:
* Stephan
* Till
* Xintong
* Zhu
* Gordon

I will not finalize the release.

On 13/12/2021 20:28, Chesnay Schepler wrote:
> Hi everyone,
>
> This vote is for the emergency patch releases for 1.11, 1.12, 1.13 and 
> 1.14 to address CVE-2021-44228.
> It covers all 4 releases as they contain the same changes (upgrading 
> Log4j to 2.15.0) and were prepared simultaneously by the same person.
> (Hence, if something is broken, it likely applies to all releases)
>
> Please review and vote on the release candidate #1 for the versions 
> 1.11.5, 1.12.6, 1.13.4 and 1.14.1, as follows:
> [ ] +1, Approve the releases
> [ ] -1, Do not approve the releases (please provide specific comments)
>
> The complete staging area is available for your review, which includes:
> * JIRA release notes [1],
> * the official Apache source releases and binary convenience releases 
> to be deployed to dist.apache.org [2], which are signed with the key 
> with fingerprint C2EED7B111D464BA [3],
> * all artifacts to be deployed to the Maven Central Repository [4],
>     * *the jars for 1.13/1.14 are still being built*
> * source code tags [5],
> * website pull request listing the new releases and adding 
> announcement blog post [6].
>
> The vote will be open for at least 24 hours. The minimum vote time has 
> been shortened as the changes are minimal and the matter is urgent.
> It is adopted by majority approval, with at least 3 PMC affirmative 
> votes.
>
> Thanks,
> Chesnay
>
> [1]
> 1.11: 
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350327
> 1.12: 
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350328
> 1.13: 
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350686
> 1.14: 
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350512
> [2]
> 1.11: https://dist.apache.org/repos/dist/dev/flink/flink-1.11.5-rc1/
> 1.12: https://dist.apache.org/repos/dist/dev/flink/flink-1.12.6-rc1/
> 1.13: https://dist.apache.org/repos/dist/dev/flink/flink-1.13.4-rc1/
> 1.14: https://dist.apache.org/repos/dist/dev/flink/flink-1.14.1-rc1/
> [3] https://dist.apache.org/repos/dist/release/flink/KEYS
> [4]
> 1.11/1.12: 
> https://repository.apache.org/content/repositories/orgapacheflink-1455
> 1.13: 
> https://repository.apache.org/content/repositories/orgapacheflink-1457
> 1.14: 
> https://repository.apache.org/content/repositories/orgapacheflink-1456
> [5]
> 1.11: https://github.com/apache/flink/releases/tag/release-1.11.5-rc1
> 1.12: https://github.com/apache/flink/releases/tag/release-1.12.6-rc1
> 1.13: https://github.com/apache/flink/releases/tag/release-1.13.4-rc1
> 1.14: https://github.com/apache/flink/releases/tag/release-1.14.1-rc1
> [6] https://github.com/apache/flink-web/pull/489
>