I had to monkey patch the release scripts a bit; it's unfortunate that
the changes ended up in the releases, but I don't think it's a blocker.
On 15/12/2021 11:01, Till Rohrmann wrote:
Thanks for driving these releases, Chesnay!
+1
* Verified checksums and signatures
* Reviewed website PR
* Checked that build tags only contain log4j version bump
In the release-1.14.2-rc1 there are some changes to the
create_release_branch.sh script that don't seem necessary. But I think this
does not matter since we won't build upon release-1.14.2-rc1 in the future.
Cheers,
Till
On Wed, Dec 15, 2021 at 10:40 AM Yun Tang <myas...@live.com> wrote:
+1 (non-binding)
* Selected several files of each release to verify the signature and
sha512sum.
* Reviewed the flink-web PR
* Checked that those 4 release branches only contain the fix to bump
log4j2 version to 2.15.0 and then to 2.16.0
* Checked the JIRA release notes and found that FLINK-25317 [1] was
tagged as 1.14.2 version to resolve by mistake.
[1] https://issues.apache.org/jira/browse/FLINK-25317
Best
Yun Tang
________________________________
From: Chesnay Schepler <ches...@apache.org>
Sent: Wednesday, December 15, 2021 10:55
To: dev@flink.apache.org <dev@flink.apache.org>
Subject: [VOTE] Release 1.11.6/1.12.7/1.13.5/1.14.2, release candidate #1
Hi everyone,
This vote is for the emergency patch releases for 1.11, 1.12, 1.13 and
1.14 to address CVE-2021-44228/CVE-2021-45046.
It covers all 4 releases as they contain the same changes (upgrading
Log4j to 2.16.0) and were prepared simultaneously by the same person.
(Hence, if something is broken, it likely applies to all releases)
Note: 1.11/1.12 are still missing the Python Mac releases.
Please review and vote on the release candidate #1 for the versions
1.11.6, 1.12.7, 1.13.5 and 1.14.2, as follows:
[ ] +1, Approve the releases
[ ] -1, Do not approve the releases (please provide specific comments)
The complete staging area is available for your review, which includes:
* JIRA release notes [1],
* the official Apache source releases and binary convenience releases to
be deployed to dist.apache.org [2], which are signed with the key with
fingerprint C2EED7B111D464BA [3],
* all artifacts to be deployed to the Maven Central Repository [4],
* source code tags [5],
* website pull request listing the new releases and adding announcement
blog post [6].
The vote will be open for at least 24 hours. The minimum vote time has
been shortened as the changes are minimal and the matter is urgent.
It is adopted by majority approval, with at least 3 PMC affirmative votes.
Thanks,
Chesnay
[1]
1.11:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12351056
1.12:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12351057
1.13:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12351058
1.14:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12351059
[2]
1.11: https://dist.apache.org/repos/dist/dev/flink/flink-1.11.6-rc1/
1.12: https://dist.apache.org/repos/dist/dev/flink/flink-1.12.7-rc1/
1.13: https://dist.apache.org/repos/dist/dev/flink/flink-1.13.5-rc1/
1.14: https://dist.apache.org/repos/dist/dev/flink/flink-1.14.2-rc1/
[3] https://dist.apache.org/repos/dist/release/flink/KEYS
[4]
1.11:
https://repository.apache.org/content/repositories/orgapacheflink-1460
1.12:
https://repository.apache.org/content/repositories/orgapacheflink-1462
1.13:
https://repository.apache.org/content/repositories/orgapacheflink-1459
1.14:
https://repository.apache.org/content/repositories/orgapacheflink-1461
[5]
1.11: https://github.com/apache/flink/releases/tag/release-1.11.6-rc1
1.12: https://github.com/apache/flink/releases/tag/release-1.12.7-rc1
1.13: https://github.com/apache/flink/releases/tag/release-1.13.5-rc1
1.14: https://github.com/apache/flink/releases/tag/release-1.14.2-rc1
[6] https://github.com/apache/flink-web/pull/489