Hi everyone, It took a bit longer than anticipated (learning about Perl builds, among other things), but I've created a RC0 of Avro 1.11.5. I'd like to propose to release this RC0 as the official Apache Avro 1.11.5 release.
The commit id is https://github.com/apache/avro/commit/a0d0130aea75b8319f251c3805f18a1776efa563 This corresponds to the tag: release-1.11.5-rc0: https://github.com/apache/avro/tree/release-1.11.5-RC0 The release tarball, signature, and checksums are here (revision r78771): https://dist.apache.org/repos/dist/dev/avro/avro-1.11.5-RC0/ The Maven artefacts are staged here: https://repository.apache.org/content/repositories/orgapacheavro-1042/org/apache/avro/ You can find the KEYS file here: https://dist.apache.org/repos/dist/release/avro/KEYS This release includes the following security fixes: * Prevent class with empty Java package being trusted by SpecificDatumReader (#3311) * Remove the default serializable packages and deprecated the property to introduce org.apache.avro.SERIALIZABLE_CLASSES instead (#3376) * java-[key-]class allowed packages must be packages (#3453) Did I leave anything important out? Please download, verify, and test. This vote will remain open for at least 72 hours. [ ] +1 Release this as Apache Avro 1.11.5 [ ] 0 [ ] -1 Do not release this because... Kind regards, Oscar -- ✉️ Oscar Westra van Holthe - Kind <opw...@apache.org> 🌐 https://github.com/opwvhk/
