Posted to dev@jena.apache.org by Andy Seaborne <an...@apache.org> on 2021/12/17 20:10:59 UTC

[VOTE] Apache Jena 4.3.2 RC 1

Hi,

** This is a fast-track release **

Here is a vote on the release of Apache Jena 4.3.2.
This is the first proposed release candidate.

The primary purpose of this release is to update log4j2 to 2.16.0 to
address CVE-2021-45046

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-45046
https://logging.apache.org/log4j/2.x/security.html

where the severity has been raised to Critical.

Apache Jena 4.3.1 addressed CVE-2021-44228.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

The deadline is

      Sunday, 19 December 2021 at 06:00 UTC.

** Short deadline **

Please vote to approve this release:

         [ ] +1 Approve the release
         [ ]  0 Don't care
         [ ] -1 Don't release, because ...

==== Items in this release

JENA-2214: Update log4j2 to 2.16.0

JENA-2216: Depend on jena-cmds as does fuseki-main
JENA-2215: Make log4j impl scope-runtime for war-plugin
JENA-2215: Be clear that log4j is not optional to shading.

==== Release Vote

Everyone, not just committers, is invited to test and vote.
Please download and test the proposed release.

Staging repository:
   https://repository.apache.org/content/repositories/orgapachejena-1047

Proposed dist/ area:
   https://dist.apache.org/repos/dist/dev/jena/

Keys:
   https://svn.apache.org/repos/asf/jena/dist/KEYS

Git commit (browser URL):
   https://github.com/apache/jena/commit/7692c4cf4
Git Commit Hash:
   7692c4cf4a0cad18eb690a33653c8a256e8f424f
Git Commit Tag:
   jena-4.3.2

This vote will be open until at least

      Sunday, 19 December 2021 at 06:00 UTC.

** Short deadline **

If you expect to check the release but the time limit does not work
for you, please email within the schedule above.

Thanks,

       Andy

Checking needed:

+ are the GPG signatures fine?
+ are the checksums correct?
+ is there a source archive?

+ can the source archive be built?
           (NB This requires a "mvn install" first time)
+ is there a correct LICENSE and NOTICE file in each artifact
           (both source and binary artifacts)?
+ does the NOTICE file contain all necessary attributions?
+ have any licenses of dependencies changed due to upgrades?
            if so have LICENSE and NOTICE been upgraded appropriately?
+ does the tag/commit in the SCM contain reproducible sources?
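
The first two checks in the list above (GPG signatures and checksums) can be scripted as follows. This is an added example, not part of the original mail or of Jena's own tooling. It assumes the artifacts and their `.asc` / `.sha512` companions have been downloaded into one directory and the KEYS file fetched from the URL given in the mail; the function names and the two accepted `.sha512` layouts are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not Jena project tooling): check each artifact in a
# downloaded release directory against its .sha512 and .asc companions.

# Compare the SHA-512 of "$1" with the digest in "$1.sha512".
# Assumed layouts: "<hex>" alone or "<hex>  <filename>"; case-insensitive.
check_sha512() {
    [ -f "$1.sha512" ] || { echo "MISSING checksum: $1"; return 2; }
    expected=$(tr -d '\r' < "$1.sha512" | awk 'NF { print tolower($1); exit }')
    actual=$(sha512sum "$1" | awk '{ print $1 }')
    if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
        echo "OK checksum: $1"
    else
        echo "BAD checksum: $1"; return 1
    fi
}

# Verify the detached signature "$1.asc" using only the keys in KEYS file "$2",
# imported into a throwaway GnuPG home so local keyrings cannot influence it.
check_signature() {
    [ -f "$1.asc" ] || { echo "MISSING signature: $1"; return 2; }
    gpg_home=$(mktemp -d) || return 3
    gpg --homedir "$gpg_home" --batch --quiet --import "$2" 2>/dev/null
    if gpg --homedir "$gpg_home" --batch --verify "$1.asc" "$1" 2>/dev/null; then
        echo "OK signature: $1"; sig_rc=0
    else
        echo "BAD signature: $1"; sig_rc=1
    fi
    rm -rf "$gpg_home"
    return "$sig_rc"
}

# Run both checks on every artifact in directory "$1"; non-zero if any fails.
verify_release_dir() {
    failed=0
    for f in "$1"/*; do
        case $f in *.asc|*.sha512|*.sha1|*.md5) continue ;; esac
        [ -f "$f" ] || continue
        check_sha512 "$f" || failed=1
        check_signature "$f" "$2" || failed=1
    done
    return "$failed"
}

# Usage: sh verify.sh <release-dir> <KEYS-file>
if [ "$#" -eq 2 ]; then verify_release_dir "$1" "$2"; fi
```

A good signature here means only that the artifact was signed by some key present in the KEYS file, so the KEYS file itself must come from the project's own HTTPS location rather than from the same mirror as the artifacts.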

[RESULT] Apache Jena 4.3.2 RC 1

Posted by Andy Seaborne <an...@apache.org>.
The vote passes with 3 +1 votes from Aaron, Bruno, and Andy and a 
community vote from Marco.

Thanks for the fast turnaround.

     Andy



Re: [VOTE] Apache Jena 4.3.2 RC 1

Posted by Aaron Coburn <ac...@apache.org>.
+1 (binding)

checksums are good
signatures are good
LICENSE/NOTICE files are present and look good
Source distribution is buildable (MacOS, jdk11)
git tag is buildable (MacOS, jdk11)

Aaron



Re: [VOTE] Apache Jena 4.3.2 RC 1

Posted by Andy Seaborne <an...@apache.org>.
+1 (binding)

     Andy


Re: [VOTE] Apache Jena 4.3.2 RC 1

Posted by Marco Neumann <ma...@gmail.com>.
         [x] +1 Approve the release



-- 


---
Marco Neumann
KONA

Re: [VOTE] Apache Jena 4.3.2 RC 1

Posted by "Bruno P. Kinoshita" <br...@yahoo.com.br.INVALID>.
         [x] +1 Approve the release
Thanks!
Bruno
