+1 (binding) - verified the differences of source releases to the corresponding latest releases, there are only dependency updates and release version update commits - verified versions of log4j dependencies in the all binary releases are 2.15.0 - ran example jobs against all the binary releases, logs look good - release notes and blogpost look good
Thanks, Zhu Xintong Song <tonysong...@gmail.com> 于2021年12月14日周二 10:23写道: > +1 (binding) > > - verified checksum and signature > - verified that release candidates only contain the log4j dependency > changes compared to previous releases. > - release notes and blogpost LGTM > > Thanks a lot for driving these emergency patch releases, Chesnay! > > Thank you~ > > Xintong Song > > > > On Tue, Dec 14, 2021 at 7:45 AM Chesnay Schepler <ches...@apache.org> > wrote: > > > I forgot to mention something important: > > > > The 1.11/1.12 releases do *NOT* contain flink-python releases for *mac* > > due to compile problems. > > > > On 13/12/2021 20:28, Chesnay Schepler wrote: > > > Hi everyone, > > > > > > This vote is for the emergency patch releases for 1.11, 1.12, 1.13 and > > > 1.14 to address CVE-2021-44228. > > > It covers all 4 releases as they contain the same changes (upgrading > > > Log4j to 2.15.0) and were prepared simultaneously by the same person. > > > (Hence, if something is broken, it likely applies to all releases) > > > > > > Please review and vote on the release candidate #1 for the versions > > > 1.11.5, 1.12.6, 1.13.4 and 1.14.1, as follows: > > > [ ] +1, Approve the releases > > > [ ] -1, Do not approve the releases (please provide specific comments) > > > > > > The complete staging area is available for your review, which includes: > > > * JIRA release notes [1], > > > * the official Apache source releases and binary convenience releases > > > to be deployed to dist.apache.org [2], which are signed with the key > > > with fingerprint C2EED7B111D464BA [3], > > > * all artifacts to be deployed to the Maven Central Repository [4], > > > * *the jars for 1.13/1.14 are still being built* > > > * source code tags [5], > > > * website pull request listing the new releases and adding > > > announcement blog post [6]. > > > > > > The vote will be open for at least 24 hours. The minimum vote time has > > > been shortened as the changes are minimal and the matter is urgent. > > > It is adopted by majority approval, with at least 3 PMC affirmative > > > votes. > > > > > > Thanks, > > > Chesnay > > > > > > [1] > > > 1.11: > > > > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350327 > > > 1.12: > > > > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350328 > > > 1.13: > > > > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350686 > > > 1.14: > > > > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350512 > > > [2] > > > 1.11: https://dist.apache.org/repos/dist/dev/flink/flink-1.11.5-rc1/ > > > 1.12: https://dist.apache.org/repos/dist/dev/flink/flink-1.12.6-rc1/ > > > 1.13: https://dist.apache.org/repos/dist/dev/flink/flink-1.13.4-rc1/ > > > 1.14: https://dist.apache.org/repos/dist/dev/flink/flink-1.14.1-rc1/ > > > [3] https://dist.apache.org/repos/dist/release/flink/KEYS > > > [4] > > > 1.11/1.12: > > > https://repository.apache.org/content/repositories/orgapacheflink-1455 > > > 1.13: > > > https://repository.apache.org/content/repositories/orgapacheflink-1457 > > > 1.14: > > > https://repository.apache.org/content/repositories/orgapacheflink-1456 > > > [5] > > > 1.11: https://github.com/apache/flink/releases/tag/release-1.11.5-rc1 > > > 1.12: https://github.com/apache/flink/releases/tag/release-1.12.6-rc1 > > > 1.13: https://github.com/apache/flink/releases/tag/release-1.13.4-rc1 > > > 1.14: https://github.com/apache/flink/releases/tag/release-1.14.1-rc1 > > > [6] https://github.com/apache/flink-web/pull/489 > > > > > >
