Posted to dev@jena.apache.org by Andy Seaborne <an...@apache.org> on 2021/12/17 20:10:59 UTC
[VOTE] Apache Jena 4.3.2 RC 1
Hi,
** This is a fast-track release **
Here is a vote on the release of Apache Jena 4.3.2.
This is the first proposed release candidate.
The primary purpose of this release is to update log4j2 to 2.16.0 to
address CVE-2021-45046
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-45046
https://logging.apache.org/log4j/2.x/security.html
where the severity has been raised to Critical.
Apache Jena 4.3.1 addressed CVE-44228.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
The deadline is
Sunday, 19 December 2021 at 06:00 UTC.
** Short deadline **
Please vote to approve this release:
[ ] +1 Approve the release
[ ] 0 Don't care
[ ] -1 Don't release, because ...
==== Items in this release
JENA-2214: Update log4j2 to 2.16.0
JENA-2216: Depend on jena-cmds as does fuseki-main
JENA-2215: Make log4j impl scope-runtime for war-plugin
JENA-2215: Be clear that log4j is not optional to shading.
==== Release Vote
Everyone, not just committers, is invited to test and vote.
Please download and test the proposed release.
Staging repository:
https://repository.apache.org/content/repositories/orgapachejena-1047
Proposed dist/ area:
https://dist.apache.org/repos/dist/dev/jena/
Keys:
https://svn.apache.org/repos/asf/jena/dist/KEYS
Git commit (browser URL):
https://github.com/apache/jena/commit/7692c4cf4
Git Commit Hash:
7692c4cf4a0cad18eb690a33653c8a256e8f424f
Git Commit Tag:
jena-4.3.2
This vote will be open until at least
Sunday, 19 December 2021 at 06:00 UTC.
** Short deadline **
If you expect to check the release but the time limit does not work
for you, please email within the schedule above.
Thanks,
Andy
Checking needed:
+ are the GPG signatures fine?
+ are the checksums correct?
+ is there a source archive?
+ can the source archive be built?
(NB This requires a "mvn install" first time)
+ is there a correct LICENSE and NOTICE file in each artifact
(both source and binary artifacts)?
+ does the NOTICE file contain all necessary attributions?
+ have any licenses of dependencies changed due to upgrades?
if so have LICENSE and NOTICE been upgraded appropriately?
+ does the tag/commit in the SCM contain reproducible sources?
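An added example (not part of the original message or of the Jena project's tooling) covering the first two checklist items: it checks each downloaded artifact against its `.sha512` and `.asc` sidecar files, importing the KEYS file into a throwaway GnuPG home. The directory layout, sidecar naming and function names are assumptions; `sha512sum` is the GNU coreutils tool.

```shell
#!/bin/sh
# Added example: check release artifacts against their .sha512 and .asc
# sidecar files. Layout, sidecar naming and function names are assumptions.

# check_sha512 FILE: compare FILE's digest with the first 128-hex-digit token
# in FILE.sha512 (accepts "hash", "hash  name" and upper-case hex).
# Returns 0 on match, 1 on mismatch, 2 if the sidecar is missing.
check_sha512() {
    file=$1
    [ -f "$file.sha512" ] || return 2
    want=$(tr 'A-F' 'a-f' < "$file.sha512" | grep -Eo '[0-9a-f]{128}' | head -n 1)
    have=$(sha512sum "$file" | cut -d' ' -f1)
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# check_sig FILE GNUPGHOME: verify the detached signature FILE.asc using only
# the keys in GNUPGHOME, so keys already in the tester's own keyring cannot
# make an unexpected signer look valid.
check_sig() {
    file=$1; home=$2
    [ -f "$file.asc" ] || return 2
    gpg --homedir "$home" --batch --quiet --verify "$file.asc" "$file" 2>/dev/null
}

# verify_release DIR KEYS_FILE: run both checks on every artifact in DIR.
# KEYS_FILE is the project's KEYS file, fetched separately over HTTPS.
verify_release() {
    dir=$1; keys=$2; bad=0
    home=$(mktemp -d) || return 1
    chmod 700 "$home"
    gpg --homedir "$home" --batch --quiet --import "$keys" 2>/dev/null || bad=1
    for f in "$dir"/*; do
        case $f in *.asc|*.sha512) continue ;; esac
        [ -f "$f" ] || continue
        check_sha512 "$f" || { echo "FAIL sha512:    $f"; bad=1; }
        check_sig "$f" "$home" || { echo "FAIL signature: $f"; bad=1; }
    done
    rm -rf "$home"
    return "$bad"
}
```

A zero exit status from `verify_release` means every artifact in the directory had a matching checksum and a good signature from a key in the supplied KEYS file.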
[RESULT] Apache Jena 4.3.2 RC 1
Posted by Andy Seaborne <an...@apache.org>.
The vote passes with 3 +1 votes from Aaron, Bruno, and Andy and a
community vote from Marco.
Thanks for the fast turn around.
Andy
Re: [VOTE] Apache Jena 4.3.2 RC 1
Posted by Aaron Coburn <ac...@apache.org>.
+1 (binding)
checksums are good
signatures are good
LICENSE/NOTICE files are present and look good
Source distribution is buildable (MacOS, jdk11)
git tag is buildable (MacOS, jdk11)
Aaron
Re: [VOTE] Apache Jena 4.3.2 RC 1
Posted by Andy Seaborne <an...@apache.org>.
+1 (binding)
Andy
Re: [VOTE] Apache Jena 4.3.2 RC 1
Posted by Marco Neumann <ma...@gmail.com>.
[x] +1 Approve the release
--
---
Marco Neumann
KONA
Re: [VOTE] Apache Jena 4.3.2 RC 1
Posted by "Bruno P. Kinoshita" <br...@yahoo.com.br.INVALID>.
[x] +1 Approve the release
Thanks!
Bruno