Thanks for driving these releases Chesnay! +1
* Verified checksums and signatures * Reviewed website PR * Checked that build tags only contain log4j version bump In the release-1.14.2-rc1 there are some changes to the create_release_branch.sh script that don't seem necessary. But I think this does not matter since we won't build upon release-1.14.2-rc1 in the future. Cheers, Till On Wed, Dec 15, 2021 at 10:40 AM Yun Tang <myas...@live.com> wrote: > > + 1 (non-binding) > > > * Select several files of each release to verify the signature and > sha512sum. > * Reviewed the flink-web PR > * checked that those 4 release-branchs only contains fix to bump > log4j2 version to 2.15.0 and then to 2.16.0 > * Checked the JIRA release notes and found that FLINK-25317 [1] was > tagged as 1.14.2 version to resolve by mistake. > > [1] https://issues.apache.org/jira/browse/FLINK-25317 > > Best > Yun Tang > ________________________________ > From: Chesnay Schepler <ches...@apache.org> > Sent: Wednesday, December 15, 2021 10:55 > To: dev@flink.apache.org <dev@flink.apache.org> > Subject: [VOTE] Release 1.11.6/1.12.7/1.13.5/1.14.2, release candidate #1 > > Hi everyone, > > This vote is for the emergency patch releases for 1.11, 1.12, 1.13 and > 1.14 to address CVE-2021-44228/CVE-2021-45046. > It covers all 4 releases as they contain the same changes (upgrading > Log4j to 2.16.0) and were prepared simultaneously by the same person. > (Hence, if something is broken, it likely applies to all releases) > > Note: 1.11/1.12 are still missing the Python Mac releases. > > > Please review and vote on the release candidate #1 for the versions > 1.11.6, 1.12.7, 1.13.5 and 1.14.2, as follows: > [ ] +1, Approve the releases > [ ] -1, Do not approve the releases (please provide specific comments) > > The complete staging area is available for your review, which includes: > * JIRA release notes [1], > * the official Apache source releases and binary convenience releases to > be deployed to dist.apache.org [2], which are signed with the key with > fingerprint C2EED7B111D464BA [3], > * all artifacts to be deployed to the Maven Central Repository [4], > * source code tags [5], > * website pull request listing the new releases and adding announcement > blog post [6]. > > The vote will be open for at least 24 hours. The minimum vote time has > been shortened as the changes are minimal and the matter is urgent. > It is adopted by majority approval, with at least 3 PMC affirmative votes. > > Thanks, > Chesnay > > [1] > 1.11: > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12351056 > 1.12: > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12351057 > 1.13: > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12351058 > 1.14: > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12351059 > [2] > 1.11: https://dist.apache.org/repos/dist/dev/flink/flink-1.11.6-rc1/ > 1.12: https://dist.apache.org/repos/dist/dev/flink/flink-1.12.7-rc1/ > 1.13: https://dist.apache.org/repos/dist/dev/flink/flink-1.13.5-rc1/ > 1.14: https://dist.apache.org/repos/dist/dev/flink/flink-1.14.2-rc1/ > [3] https://dist.apache.org/repos/dist/release/flink/KEYS > [4] > 1.11: > https://repository.apache.org/content/repositories/orgapacheflink-1460 > 1.12: > https://repository.apache.org/content/repositories/orgapacheflink-1462 > 1.13: > https://repository.apache.org/content/repositories/orgapacheflink-1459 > 1.14: > https://repository.apache.org/content/repositories/orgapacheflink-1461 > [5] > 1.11: https://github.com/apache/flink/releases/tag/release-1.11.6-rc1 > 1.12: https://github.com/apache/flink/releases/tag/release-1.12.7-rc1 > 1.13: https://github.com/apache/flink/releases/tag/release-1.13.5-rc1 > 1.14: https://github.com/apache/flink/releases/tag/release-1.14.2-rc1 > [6] https://github.com/apache/flink-web/pull/489 > > >
