Re: [VOTE] Release Apache Log4j 2.22.1 RC1
Can this noise be made quiet in the future please (mvn clean verify -U):

...
[INFO] --- bsh:1.4:run (process-sbom) @ log4j-api-java9 ---
[INFO] Executing Script
[INFO] file class java.lang.Object
[INFO] script class java.lang.String
[INFO] evaluating script
import java.io.*;
import java.nio.file.*;
import java.util.*;
import javax.xml.transform.*;
import javax.xml.transform.stream.*;
import org.apache.commons.codec.digest.*;
// Compute parameters
final String xslt = project.getProperties().getProperty("sbom.xslt");
final File pomFile = project.getModel().getPomFile();
final byte[] digest = new DigestUtils(MessageDigestAlgorithms.SHA_256).digest(pomFile);
final UUID bomSerialNumber = UUID.nameUUIDFromBytes(digest);
final String vdrUrl = Objects.requireNonNull(project.getProperties().getProperty("vdr.url"), "vdr.url");
// Move original SBOM file
final Path basedir = project.getBasedir().toPath();
final Path destPath = basedir.resolve("target/bom.xml");
final Path sourcePath = basedir.resolve("target/bom.orig.xml");
if (!Files.isReadable(destPath)) {
System.out.println("No CycloneDX SBOM file found, skipping transformation.");
return;
}
Files.move(destPath, sourcePath, new CopyOption[] {StandardCopyOption.REPLACE_EXISTING});
// Apply XSLT transformation
final StreamSource xsltSource = new StreamSource(new StringReader(xslt));
final TransformerFactory factory = TransformerFactory.newInstance();
final Transformer transformer = factory.newTransformer(xsltSource);
transformer.setParameter("sbom.serialNumber", bomSerialNumber.toString());
transformer.setParameter("vdr.url", vdrUrl);
final StreamSource source = new StreamSource(sourcePath.toUri().toASCIIString());
final StreamResult result = new StreamResult(destPath.toUri().toASCIIString());
transformer.transform(source, result);
No CycloneDX SBOM file found, skipping transformation.
[INFO]
[INFO] >>> spotbugs:4.8.2.0:check (default-spotbugs) > :spotbugs @ log4j-api-java9 >>>

Gary

On Fri, Dec 22, 2023 at 1:01 PM Piotr P. Karwasz wrote:
>
> This is a vote to release the Apache Log4j 2.22.1.
>
> Website: https://logging.staged.apache.org/log4j/2.x/
> GitHub: https://github.com/apache/logging-log4j2
> Commit: 8469975a4f2b1f8f1bd4f25ca6d1989a52aefc1b
> Distribution: https://dist.apache.org/repos/dist/dev/logging/log4j
> Nexus: https://repository.apache.org/content/repositories/orgapachelogging-1254
> Signing key: 0x077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0
>
> Please download, test, and cast your votes on this mailing list.
>
> [ ] +1, release the artifacts
> [ ] -1, don't release, because...
>
> This vote is open for 72 hours and will pass unless getting a
> net negative vote count. All votes are welcome and we encourage
> everyone to test the release, but only the Logging Services PMC
> votes are officially counted.
>
> == Review Kit
>
> The minimum set of steps needed to review the uploaded distribution
> files in the Subversion repository can be summarized as follows:
>
> # Check out the distribution
> wget --recursive --no-parent --no-host-directories --cut-dirs=5 \
>   https://dist.apache.org/repos/dist/dev/logging/log4j
>
> # Verify checksums
> sha512sum --check *.sha512
>
> # Verify signatures
> wget -O - https://downloads.apache.org/logging/KEYS | gpg --import
> for sigFile in *.asc; do gpg --verify "$sigFile"; done
>
> # Verify reproducibility
> umask 0022
> unzip *-src.zip -d src
> cd src
> export NEXUS_REPO=https://repository.apache.org/content/repositories/orgapachelogging-1254
> sh mvnw -Prelease verify artifact:compare -Dreference.repo="$NEXUS_REPO"
>
> == Release Notes
>
> This release contains only dependency upgrades and bug fixes, which do
> not change the behavior of the artifacts.
>
> While maintaining compatibility with Java 8, the artifacts in this
> release were generated using JDK 17, unlike version `2.22.0` that
> used JDK 11.
>
>
> [#release-notes-2-22-1-fixed]
> === Fixed
>
> * Mark `JdkMapAdapterStringMap` as frozen if map is immutable. (#2098)
> * Fix NPE in `CloseableThreadContext`. (#1426)
> * Use the module name of Conversant Media Disruptor from version
> `1.2.16+` of the library.
> * Fix NPE in `RollingFileManager`. (#1645)
> * Fix `log4j-to-slf4j` JPMS and OSGi descriptors. (#1983)
> * Workaround a Coursier/Ivy dependency resolution bug affecting
> `log4j-slf4j-impl` and `log4j-mongodb3`. (#2065)
>
> [#release-notes-2-22-1-updated]
> === Updated
>
> * Bumped the minimum Java version required for the build to Java 17.
> Runtime requirements remain unchanged. (#2021)
> * Update `com.github.luben:zstd-jni` to version `1.5.5-11` (#2030)
> * Update `com.google.guava:guava` to version `33.0.0-jre` (#2110)
> * Update `commons-codec:commons-codec` to version `1.16.0` (#2042)
> * Update `commons-io:commons-io` to version `2.15.1` (#2034)
> * Update `commons-logging:commons-logging` t
Week 51 in Log4j
Hello

This is already the last update for this year :) Have a few great days ahead!

Christian

Ongoing work
• Website structure & tooling exploration
• Recyclers

Completed work
• log4j-jctools module in main
• First part of plugin doc & XSD auto-generation completed:
  https://github.com/apache/logging-log4j-tools/pull/92
  https://github.com/apache/logging-log4j-tools/pull/93

Fixes
• Dependabot updates of `logging-parent` GHA workflows
• Disruptor 4 support in Log4j 2
• Coursier/Ivy fails to determine the effective POM

External activities
• Dependabot fails to determine the latest GHA workflow version
  https://github.com/dependabot/dependabot-core/issues/8654
• Dependabot opens PR for unreleased GHA workflows
  https://github.com/dependabot/dependabot-core/issues/6269
• Coursier/Ivy fails to determine the effective POM
  https://github.com/coursier/coursier/issues/2906
• OpenRewrite: rewrite Logback to Log4j
  https://github.com/openrewrite/rewrite-logging-frameworks/issues/97: ongoing work.
Re: [VOTE] Release Apache Log4j 2.22.1 RC1
+1

- Tested src zip file
- ASC OK
- SHA512 OK
- `mvn clean verify` OK
- Using:

Apache Maven 3.9.6 (bc0240f3c744dd6b6ec2920b3cd08dcc295161ae)
Maven home: /usr/local/Cellar/maven/3.9.6/libexec
Java version: 17.0.9, vendor: Homebrew, runtime: /usr/local/Cellar/openjdk@17/17.0.9/libexec/openjdk.jdk/Contents/Home
Default locale: en_US, platform encoding: UTF-8
OS name: "mac os x", version: "14.2.1", arch: "x86_64", family: "mac"
Darwin 23.2.0 Darwin Kernel Version 23.2.0: Wed Nov 15 21:54:10 PST 2023; root:xnu-10002.61.3~2/RELEASE_X86_64 x86_64

Gary

On Fri, Dec 22, 2023 at 1:01 PM Piotr P. Karwasz wrote:
>
> This is a vote to release the Apache Log4j 2.22.1.
>
> Website: https://logging.staged.apache.org/log4j/2.x/
> GitHub: https://github.com/apache/logging-log4j2
> Commit: 8469975a4f2b1f8f1bd4f25ca6d1989a52aefc1b
> Distribution: https://dist.apache.org/repos/dist/dev/logging/log4j
> Nexus: https://repository.apache.org/content/repositories/orgapachelogging-1254
> Signing key: 0x077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0
>
> Please download, test, and cast your votes on this mailing list.
>
> [ ] +1, release the artifacts
> [ ] -1, don't release, because...
>
> This vote is open for 72 hours and will pass unless getting a
> net negative vote count. All votes are welcome and we encourage
> everyone to test the release, but only the Logging Services PMC
> votes are officially counted.
>
> == Review Kit
>
> The minimum set of steps needed to review the uploaded distribution
> files in the Subversion repository can be summarized as follows:
>
> # Check out the distribution
> wget --recursive --no-parent --no-host-directories --cut-dirs=5 \
>   https://dist.apache.org/repos/dist/dev/logging/log4j
>
> # Verify checksums
> sha512sum --check *.sha512
>
> # Verify signatures
> wget -O - https://downloads.apache.org/logging/KEYS | gpg --import
> for sigFile in *.asc; do gpg --verify "$sigFile"; done
>
> # Verify reproducibility
> umask 0022
> unzip *-src.zip -d src
> cd src
> export NEXUS_REPO=https://repository.apache.org/content/repositories/orgapachelogging-1254
> sh mvnw -Prelease verify artifact:compare -Dreference.repo="$NEXUS_REPO"
>
> == Release Notes
>
> This release contains only dependency upgrades and bug fixes, which do
> not change the behavior of the artifacts.
>
> While maintaining compatibility with Java 8, the artifacts in this
> release were generated using JDK 17, unlike version `2.22.0` that
> used JDK 11.
>
>
> [#release-notes-2-22-1-fixed]
> === Fixed
>
> * Mark `JdkMapAdapterStringMap` as frozen if map is immutable. (#2098)
> * Fix NPE in `CloseableThreadContext`. (#1426)
> * Use the module name of Conversant Media Disruptor from version
> `1.2.16+` of the library.
> * Fix NPE in `RollingFileManager`. (#1645)
> * Fix `log4j-to-slf4j` JPMS and OSGi descriptors. (#1983)
> * Workaround a Coursier/Ivy dependency resolution bug affecting
> `log4j-slf4j-impl` and `log4j-mongodb3`. (#2065)
>
> [#release-notes-2-22-1-updated]
> === Updated
>
> * Bumped the minimum Java version required for the build to Java 17.
> Runtime requirements remain unchanged. (#2021)
> * Update `com.github.luben:zstd-jni` to version `1.5.5-11` (#2030)
> * Update `com.google.guava:guava` to version `33.0.0-jre` (#2110)
> * Update `commons-codec:commons-codec` to version `1.16.0` (#2042)
> * Update `commons-io:commons-io` to version `2.15.1` (#2034)
> * Update `commons-logging:commons-logging` to version `1.3.0` (#2050)
> * Update `io.netty:netty-bom` to version `4.1.104.Final` (#2095)
> * Update `org.apache.commons:commons-compress` to version `1.25.0` (#2045)
> * Update `org.apache.commons:commons-dbcp2` to version `2.11.0` (#2048)
> * Update `org.apache.commons:commons-lang3` to version `3.14.0` (#2047)
> * Update `org.apache.commons:commons-pool2` to version `2.12.0` (#2057)
> * Update `org.apache.kafka:kafka-clients` to version `3.6.1` (#2068)
> * Update `org.apache.logging:logging-parent` to version `10.5.0` (#2119)
> * Update `org.jctools:jctools-core` to version `4.0.2` (#1984)
> * Update `org.springframework.boot:spring-boot` to version `2.7.18` (#1998)
> * Update `org.springframework.cloud:spring-cloud-dependencies` to
> version `2021.0.9` (#2109)
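
The signature step of the review kit quoted above accepts a signature from any key imported from KEYS; the sketch below only passes when gpg reports a valid signature from the signing key named in the vote e-mail. This is an added example, not part of the thread or of the Log4j project's tooling; the function names and the constructed status lines are assumptions.

```shell
#!/bin/sh
# Added example: accept a signature only when gpg reports VALIDSIG for the
# signing key announced in the vote e-mail, not for any key found in KEYS.

# From the "Signing key:" line of the vote e-mail.
EXPECTED_FPR=0x077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0

# Constructed `gpg --status-fd 1 --verify` output (not from a real run).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 56E73BA9A0B592D0 Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 077E8893A6DCC33DD4A4D5B256E73BA9A0B592D0 2023-12-22 1703268000 0 4 0 1 10 00 077E8893A6DCC33DD4A4D5B256E73BA9A0B592D0'

# normalize_fpr FPR: strip spaces and a leading 0x, upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \n' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# status_signed_by FPR: reads gpg status lines on stdin. Succeeds only if a
# VALIDSIG line names FPR as the signing-key or primary-key fingerprint and
# no BADSIG/ERRSIG line is present.
status_signed_by() {
    awk -v want="$(normalize_fpr "$1")" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_release_sigs DIR: check every detached *.asc in DIR. Assumes gpg is
# installed and the KEYS file has been imported as in the review kit.
verify_release_sigs() {
    rc=0
    for sig in "$1"/*.asc; do
        [ -e "$sig" ] || { echo "no signatures in $1" >&2; return 1; }
        if gpg --status-fd 1 --verify "$sig" "${sig%.asc}" 2>/dev/null |
            status_signed_by "$EXPECTED_FPR"; then
            echo "OK   $sig"
        else
            echo "FAIL $sig" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Self-check on the constructed sample.
printf '%s\n' "$SAMPLE_STATUS" | status_signed_by "$EXPECTED_FPR" && echo "sample accepted"
```

Run `verify_release_sigs .` in the checked-out distribution directory after the KEYS import.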
Re: [VOTE] Release Apache Log4j 2.22.1 RC1
Question: Where is the git tag in these VOTE emails? I see a "Commit" but no named tag.

Gary
Re: [VOTE] Release Apache Log4j 2.22.1 RC1
Hi Gary,

On Sat, 23 Dec 2023 at 16:23, Gary Gregory wrote:
>
> Can this noise be made quiet in the future please (mvn clean verify -U):

This is a temporary workaround for three `cyclonedx-maven-plugin` limitations.
We are still waiting for two fixes and a release of the plugin:

https://github.com/CycloneDX/cyclonedx-maven-plugin/issues/419
https://github.com/CycloneDX/cyclonedx-maven-plugin/pull/428

Piotr
Re: [VOTE] Release Apache Log4j 2.22.1 RC1
TY for the references.

Gary

On Sat, Dec 23, 2023 at 2:20 PM Piotr P. Karwasz wrote:
>
> Hi Gary,
>
> On Sat, 23 Dec 2023 at 16:23, Gary Gregory wrote:
> >
> > Can this noise be made quiet in the future please (mvn clean verify -U):
>
> This is a temporary workaround for three `cyclonedx-maven-plugin` limitations.
> We are still waiting for two fixes and a release of the plugin:
>
> https://github.com/CycloneDX/cyclonedx-maven-plugin/issues/419
> https://github.com/CycloneDX/cyclonedx-maven-plugin/pull/428
>
> Piotr
Re: [VOTE] Release Apache Log4j 2.22.1 RC1
Hi Gary,

On Sat, 23 Dec 2023 at 17:47, Gary Gregory wrote:
>
> Question: Where is the git tag in these VOTE emails? I see a "Commit"
> but no named tag.

The CI does not create tags, but it works on a separate branch
`release/x.y.z` and the commit should be the last commit of the
branch.
Of course providing a SHA1 is safer. Should we also add a tag?

Piotr
Re: [VOTE] Release Apache Log4j 2.22.1 RC1
Hi Piotr,

I'm pretty sure there aren't any Apache requirements around tagging in git (or svn) but it seems nice to me to have tags for release candidates. Not that big of a deal probably.

Gary

On Sat, Dec 23, 2023, 2:51 PM Piotr P. Karwasz wrote:
> Hi Gary,
>
> On Sat, 23 Dec 2023 at 17:47, Gary Gregory wrote:
> >
> > Question: Where is the git tag in these VOTE emails? I see a "Commit"
> > but no named tag.
>
> The CI does not create tags, but it works on a separate branch
> `release/x.y.z` and the commit should be the last commit of the
> branch.
> Of course providing a SHA1 is safer. Should we also add a tag?
>
> Piotr
>