Posted to dev@flink.apache.org by Chesnay Schepler <ch...@apache.org> on 2022/11/02 11:01:17 UTC

[VOTE] Release Apache Flink Elasticsearch connector 3.0.0, rc1

Hi everyone,
Please review and vote on the release candidate #1 for the version 
3.0.0, as follows:
[ ] +1, Approve the release
[ ] -1, Do not approve the release (please provide specific comments)

The complete staging area is available for your review, which includes:
* JIRA release notes [1],
* the official Apache source release to be deployed to dist.apache.org 
[2], which are signed with the key with fingerprint C2EED7B111D464BA [3],
* all artifacts to be deployed to the Maven Central Repository [4],
* source code tag [5],
* website pull request listing the new release [6].

The vote will be open for at least 72 hours. It is adopted by majority 
approval, with at least 3 PMC affirmative votes.

Note: This is the first release of an externalized connector, relying on 
a new set of scripts. Double-check _everything_.

Thanks,
Release Manager

[1] https://issues.apache.org/jira/projects/FLINK/versions/12352291
[2] https://dist.apache.org/repos/dist/dev/flink/flink-connector-elasticsearch-3.0.0-rc1/
[3] https://dist.apache.org/repos/dist/release/flink/KEYS
[4] https://repository.apache.org/content/repositories/orgapacheflink-1543/
[5] https://github.com/apache/flink-connector-elasticsearch/releases/tag/v3.0.0-rc1
[6] https://github.com/apache/flink-web/pull/579


[CANCELED][VOTE] Release Apache Flink Elasticsearch connector 3.0.0, rc1

Posted by Chesnay Schepler <ch...@apache.org>.
This RC is canceled.

On 02/11/2022 20:20, Danny Cranmer wrote:
> Hey,
>
> It is very exciting to see the first RC for an externalized connector!
> Thanks for all the effort setting up the release scripts and processes
> Chesnay.
>
> Just to confirm before I start verifying this, will there be an RC2 to bump
> the Jackson version?
>
> Danny,
>
> On Wed, Nov 2, 2022 at 6:22 PM Chesnay Schepler <ch...@apache.org> wrote:
>
>> Yeah we should bump that to be closer to the connector version released
>> with 1.16.0.
>>
>> On 02/11/2022 15:53, Sergey Nuyanzin wrote:
>>> still checking
>>> however there is at least one finding I would like to highlight
>>> currently elasticsearch connector depends on jackson-bom 2.13.2.20220328
>>> which has 2 CVEs CVE-2022-42003[1] CVE-2022-42004[2] fixed in
>>> 2.13.4.20221013 [3]
>>> Does it make sense to include it in this version?
>>>
>>> [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42003
>>> [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42004
>>> [3] https://github.com/FasterXML/jackson-databind/issues/3590#issue-1362567066
>>>
>>> On Wed, Nov 2, 2022 at 12:01 PM Chesnay Schepler <ch...@apache.org> wrote:
>>>> Hi everyone,
>>>> Please review and vote on the release candidate #1 for the version
>>>> 3.0.0, as follows:
>>>> [ ] +1, Approve the release
>>>> [ ] -1, Do not approve the release (please provide specific comments)
>>>>
>>>> The complete staging area is available for your review, which includes:
>>>> * JIRA release notes [1],
>>>> * the official Apache source release to be deployed to dist.apache.org
>>>> [2], which are signed with the key with fingerprint C2EED7B111D464BA [3],
>>>> * all artifacts to be deployed to the Maven Central Repository [4],
>>>> * source code tag [5],
>>>> * website pull request listing the new release [6].
>>>>
>>>> The vote will be open for at least 72 hours. It is adopted by majority
>>>> approval, with at least 3 PMC affirmative votes.
>>>>
>>>> Note: This is the first release of an externalized connector, relying on
>>>> a new set of scripts. Double-check _everything_.
>>>>
>>>>     Thanks,
>>>> Release Manager
>>>>
>>>> [1] https://issues.apache.org/jira/projects/FLINK/versions/12352291
>>>> [2] https://dist.apache.org/repos/dist/dev/flink/flink-connector-elasticsearch-3.0.0-rc1/
>>>> [3] https://dist.apache.org/repos/dist/release/flink/KEYS
>>>> [4] https://repository.apache.org/content/repositories/orgapacheflink-1543/
>>>> [5] https://github.com/apache/flink-connector-elasticsearch/releases/tag/v3.0.0-rc1
>>>> [6] https://github.com/apache/flink-web/pull/579
>>>>
>>>>
>>


Re: [VOTE] Release Apache Flink Elasticsearch connector 3.0.0, rc1

Posted by Danny Cranmer <da...@apache.org>.
Hey,

It is very exciting to see the first RC for an externalized connector!
Thanks for all the effort setting up the release scripts and processes
Chesnay.

Just to confirm before I start verifying this, will there be an RC2 to bump
the Jackson version?

Danny,

On Wed, Nov 2, 2022 at 6:22 PM Chesnay Schepler <ch...@apache.org> wrote:

> Yeah we should bump that to be closer to the connector version released
> with 1.16.0.
>
> On 02/11/2022 15:53, Sergey Nuyanzin wrote:
> > still checking
> > however there is at least one finding I would like to highlight
> > currently elasticsearch connector depends on jackson-bom 2.13.2.20220328
> > which has 2 CVEs CVE-2022-42003[1] CVE-2022-42004[2] fixed in
> > 2.13.4.20221013 [3]
> > Does it make sense to include it in this version?
> >
> > [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42003
> > [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42004
> > [3] https://github.com/FasterXML/jackson-databind/issues/3590#issue-1362567066
> >
> > On Wed, Nov 2, 2022 at 12:01 PM Chesnay Schepler <ch...@apache.org> wrote:
> >
> >> Hi everyone,
> >> Please review and vote on the release candidate #1 for the version
> >> 3.0.0, as follows:
> >> [ ] +1, Approve the release
> >> [ ] -1, Do not approve the release (please provide specific comments)
> >>
> >> The complete staging area is available for your review, which includes:
> >> * JIRA release notes [1],
> >> * the official Apache source release to be deployed to dist.apache.org
> >> [2], which are signed with the key with fingerprint C2EED7B111D464BA [3],
> >> * all artifacts to be deployed to the Maven Central Repository [4],
> >> * source code tag [5],
> >> * website pull request listing the new release [6].
> >>
> >> The vote will be open for at least 72 hours. It is adopted by majority
> >> approval, with at least 3 PMC affirmative votes.
> >>
> >> Note: This is the first release of an externalized connector, relying on
> >> a new set of scripts. Double-check _everything_.
> >>
> >>    Thanks,
> >> Release Manager
> >>
> >> [1] https://issues.apache.org/jira/projects/FLINK/versions/12352291
> >> [2] https://dist.apache.org/repos/dist/dev/flink/flink-connector-elasticsearch-3.0.0-rc1/
> >> [3] https://dist.apache.org/repos/dist/release/flink/KEYS
> >> [4] https://repository.apache.org/content/repositories/orgapacheflink-1543/
> >> [5] https://github.com/apache/flink-connector-elasticsearch/releases/tag/v3.0.0-rc1
> >> [6] https://github.com/apache/flink-web/pull/579
> >>
> >>
>
>

Re: [VOTE] Release Apache Flink Elasticsearch connector 3.0.0, rc1

Posted by Chesnay Schepler <ch...@apache.org>.
Yeah we should bump that to be closer to the connector version released 
with 1.16.0.

On 02/11/2022 15:53, Sergey Nuyanzin wrote:
> still checking
> however there is at least one finding I would like to highlight
> currently elasticsearch connector depends on jackson-bom 2.13.2.20220328
> which has 2 CVEs CVE-2022-42003[1] CVE-2022-42004[2] fixed in
> 2.13.4.20221013 [3]
> Does it make sense to include it in this version?
>
> [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42003
> [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42004
> [3] https://github.com/FasterXML/jackson-databind/issues/3590#issue-1362567066
>
> On Wed, Nov 2, 2022 at 12:01 PM Chesnay Schepler <ch...@apache.org> wrote:
>
>> Hi everyone,
>> Please review and vote on the release candidate #1 for the version
>> 3.0.0, as follows:
>> [ ] +1, Approve the release
>> [ ] -1, Do not approve the release (please provide specific comments)
>>
>> The complete staging area is available for your review, which includes:
>> * JIRA release notes [1],
>> * the official Apache source release to be deployed to dist.apache.org
>> [2], which are signed with the key with fingerprint C2EED7B111D464BA [3],
>> * all artifacts to be deployed to the Maven Central Repository [4],
>> * source code tag [5],
>> * website pull request listing the new release [6].
>>
>> The vote will be open for at least 72 hours. It is adopted by majority
>> approval, with at least 3 PMC affirmative votes.
>>
>> Note: This is the first release of an externalized connector, relying on
>> a new set of scripts. Double-check _everything_.
>>
>>    Thanks,
>> Release Manager
>>
>> [1] https://issues.apache.org/jira/projects/FLINK/versions/12352291
>> [2] https://dist.apache.org/repos/dist/dev/flink/flink-connector-elasticsearch-3.0.0-rc1/
>> [3] https://dist.apache.org/repos/dist/release/flink/KEYS
>> [4] https://repository.apache.org/content/repositories/orgapacheflink-1543/
>> [5] https://github.com/apache/flink-connector-elasticsearch/releases/tag/v3.0.0-rc1
>> [6] https://github.com/apache/flink-web/pull/579
>>
>>


Re: [VOTE] Release Apache Flink Elasticsearch connector 3.0.0, rc1

Posted by Sergey Nuyanzin <sn...@gmail.com>.
Still checking.
However, there is at least one finding I would like to highlight:
currently the Elasticsearch connector depends on jackson-bom 2.13.2.20220328,
which has 2 CVEs, CVE-2022-42003 [1] and CVE-2022-42004 [2], fixed in
2.13.4.20221013 [3].
Does it make sense to include it in this version?

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42003
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42004
[3] https://github.com/FasterXML/jackson-databind/issues/3590#issue-1362567066

On Wed, Nov 2, 2022 at 12:01 PM Chesnay Schepler <ch...@apache.org> wrote:

> Hi everyone,
> Please review and vote on the release candidate #1 for the version
> 3.0.0, as follows:
> [ ] +1, Approve the release
> [ ] -1, Do not approve the release (please provide specific comments)
>
> The complete staging area is available for your review, which includes:
> * JIRA release notes [1],
> * the official Apache source release to be deployed to dist.apache.org
> [2], which are signed with the key with fingerprint C2EED7B111D464BA [3],
> * all artifacts to be deployed to the Maven Central Repository [4],
> * source code tag [5],
> * website pull request listing the new release [6].
>
> The vote will be open for at least 72 hours. It is adopted by majority
> approval, with at least 3 PMC affirmative votes.
>
> Note: This is the first release of an externalized connector, relying on
> a new set of scripts. Double-check _everything_.
>
>   Thanks,
> Release Manager
>
> [1] https://issues.apache.org/jira/projects/FLINK/versions/12352291
> [2] https://dist.apache.org/repos/dist/dev/flink/flink-connector-elasticsearch-3.0.0-rc1/
> [3] https://dist.apache.org/repos/dist/release/flink/KEYS
> [4] https://repository.apache.org/content/repositories/orgapacheflink-1543/
> [5] https://github.com/apache/flink-connector-elasticsearch/releases/tag/v3.0.0-rc1
> [6] https://github.com/apache/flink-web/pull/579
>
>

-- 
Best regards,
Sergey
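
The dependency finding above can be turned into a repeatable release-candidate check. The following is an added example, not part of the thread or of the Flink release scripts: it reads the managed jackson-bom version from a POM, resolving a ${property} reference, and compares it with the version the thread reports as fixed. The sample POM and the property name jackson-bom.version are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
FIXED_IN = "2.13.4.20221013"  # version the thread reports as carrying both fixes

# Constructed sample POM; not the connector's actual pom.xml.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <jackson-bom.version>2.13.2.20220328</jackson-bom.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.fasterxml.jackson</groupId>
        <artifactId>jackson-bom</artifactId>
        <version>${jackson-bom.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>"""


def version_key(version):
    """Jackson BOM versions are dotted integers (2.13.2.20220328); compare as tuples."""
    return tuple(int(part) for part in version.split("."))


def jackson_bom_version(pom_text):
    """Return the managed jackson-bom version, resolving ${property} references."""
    root = ET.fromstring(pom_text)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    for dep in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS):
        if dep.findtext("m:artifactId", "", NS).strip() == "jackson-bom":
            raw = dep.findtext("m:version", "", NS).strip()
            return re.sub(r"\$\{([^}]+)\}",
                          lambda m: props.get(m.group(1), m.group(0)), raw)
    return None


def needs_bump(pom_text, fixed_in=FIXED_IN):
    """True when the POM manages a jackson-bom older than the fixed version."""
    found = jackson_bom_version(pom_text)
    return found is not None and version_key(found) < version_key(fixed_in)


if __name__ == "__main__":
    print(jackson_bom_version(SAMPLE_POM), "needs bump:", needs_bump(SAMPLE_POM))
```

A version string that is not purely dotted integers (a -SNAPSHOT suffix or an unresolved property) raises ValueError in version_key, which is the desired outcome for a release gate.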