+1 (advisory)

* Verified sha512 checksum was correct for source tarball
* Verified signature was correct for source tarball (not verified trust)
* Built source code from tarball on Ubuntu 20.04 (x86) and OpenJDK 8 in Amazon EC2
* Verified source tarball matches content of RC0 tag on GitHub
* Verified S3A (hadoop-tools/hadoop-aws) unit tests passing from src
* Verified S3A (hadoop-tools/hadoop-aws) integ tests passing from src against Amazon S3 in eu-west-1
  * There is a single failure, already known and described in https://issues.apache.org/jira/browse/HADOOP-18168

- Danny

On 03/05/2022, 12:25, "Steve Loughran" <ste...@cloudera.com> wrote:

    I have put together a release candidate (rc0) for Hadoop 3.3.3

    The RC is available at:
    https://dist.apache.org/repos/dist/dev/hadoop/3.3.3-RC0/

    The git tag is release-3.3.3-RC0, commit d37586cbda3

    The maven artifacts are staged at
    https://repository.apache.org/content/repositories/orgapachehadoop-1348/

    You can find my public key at:
    https://dist.apache.org/repos/dist/release/hadoop/common/KEYS

    Change log
    https://dist.apache.org/repos/dist/dev/hadoop/3.3.3-RC0/CHANGELOG.md

    Release notes
    https://dist.apache.org/repos/dist/dev/hadoop/3.3.3-RC0/RELEASENOTES.md

    There's a very small number of changes, primarily critical code/packaging
    issues and security fixes.


       - The critical fixes which shipped in the 3.2.3 release.
       - CVEs in our code and dependencies
       - Shaded client packaging issues.
       - A switch from log4j to reload4j


    reload4j is an active fork of the log4j 1.17 library with the classes which
    contain CVEs removed. Even though hadoop never used those classes, they
    regularly raised alerts on security scans and concern from users. Switching
    to the forked project allows us to ship a secure logging framework. It will
    complicate the builds of downstream maven/ivy/gradle projects which exclude
    our log4j artifacts, as they need to cut the new dependency instead/as well.

    See the release notes for details.

    This is my first release through the new docker build process, do please
    validate artifact signing &c to make sure it is good. I'll be trying builds
    of downstream projects.

    We know there are some outstanding issues with at least one library we are
    shipping (okhttp), but I don't want to hold this release up for it. If the
    docker based release process works smoothly enough we can do a followup
    security release in a few weeks.

    Please try the release and vote. The vote will run for 5 days.

    -Steve

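
The note above about downstream builds that exclude log4j can be checked by parsing `mvn dependency:tree` output for every artifact that supplies the `org.apache.log4j` classes. This is an added example, not part of the original thread or of the Hadoop project's code; the sample tree is constructed with placeholder versions, and the `ch.qos.reload4j:reload4j` coordinates and all function names are assumptions not stated in the thread.

```python
import re

# Both artifacts supply the org.apache.log4j.* classes (log4j 1.x API).
LOG4J1_PROVIDERS = {"log4j:log4j", "ch.qos.reload4j:reload4j"}

# One dependency:tree line: optional "[INFO] ", 3-character tree-drawing
# groups, then groupId:artifactId:type:version[:scope].
LINE = re.compile(
    r"^(?:\[INFO\] )?((?:[|+\\ ][ -] )*)([\w.\-]+):([\w.\-]+):[\w.\-:]+$")

# Constructed sample: a project whose Hadoop dependency brings in reload4j
# while another library still pulls log4j. Versions 0.0.0 are placeholders.
SAMPLE_TREE = r"""
[INFO] com.example:downstream-app:jar:1.0
[INFO] +- org.apache.hadoop:hadoop-common:jar:3.3.3:compile
[INFO] |  \- ch.qos.reload4j:reload4j:jar:0.0.0:compile
[INFO] \- com.example:legacy-lib:jar:1.0:compile
[INFO]    \- log4j:log4j:jar:0.0.0:compile
"""

def find_log4j1_providers(tree_text):
    """Map each provider found to the dependency paths that pull it in."""
    found, stack = {}, []
    for raw in tree_text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue  # banner, summary or blank line
        depth = len(m.group(1)) // 3      # each tree level is 3 characters
        ga = f"{m.group(2)}:{m.group(3)}"
        del stack[depth:]                 # drop siblings and deeper levels
        stack.append(ga)
        if ga in LOG4J1_PROVIDERS:
            found.setdefault(ga, []).append(" -> ".join(stack))
    return found

def findings(found):
    """Turn the provider map into review findings for the build owner."""
    out = []
    if "ch.qos.reload4j:reload4j" in found:
        out.append("reload4j present: exclusions written for log4j:log4j do not cover it")
    if len(found) > 1:
        out.append("duplicate org.apache.log4j classes: " + ", ".join(sorted(found)))
    return out

if __name__ == "__main__":
    providers = find_log4j1_providers(SAMPLE_TREE)
    for path in (p for paths in providers.values() for p in paths):
        print(path)
    print("\n".join(findings(providers)))
```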