Open
Labels
needs-triage: applied to all new customer/user issues. Removed after triage occurs.
Description
Package name
zookeeper
Current version in Wolfi
3.9.4.2-r5
Requested version
No response
Upstream project URL
https://github.com/apache/zookeeper
Problem
The most recent version of zookeeper-3.9 in the Wolfi repo is 3.9.4.2-r5:
Lines 1 to 4 in 25f5887
```yaml
package:
  name: zookeeper-3.9
  version: "3.9.4.2"
  epoch: 5
```
However, the versions in the wolfi base image are different:
```
% docker run -it cgr.dev/chainguard/wolfi-base
d160fcea683d:/# apk update
fetch https://apk.cgr.dev/chainguard/aarch64/APKINDEX.tar.gz
[https://apk.cgr.dev/chainguard]
OK: 149665 distinct packages available
d160fcea683d:/# apk list -a zookeeper-3.9
zookeeper-3.9-3.9.3.2-r2 aarch64 {zookeeper-3.9} (Apache-2.0)
zookeeper-3.9-3.9.3.2-r40 aarch64 {zookeeper-3.9} (Apache-2.0)
zookeeper-3.9-3.9.4-r0 aarch64 {zookeeper-3.9} (Apache-2.0)
zookeeper-3.9-3.9.4-r1 aarch64 {zookeeper-3.9} (Apache-2.0)
zookeeper-3.9-3.9.4-r2 aarch64 {zookeeper-3.9} (Apache-2.0)
```
Note that these zookeeper-3.9-3.9.4-* versions seem to be rogue / not aligned with what is in wolfi.
They also are producing an incorrect package artifact at /conf that should be located at /usr/share/java/zookeeper/conf. This is not an issue in the zookeeper-3.9-3.9.3.2-* versions.
The results in the build do not seem to match the manifest:
Lines 66 to 68 in 25f5887
```
mv apache-zookeeper-${{vars.short-package-version}}-bin/lib ${{targets.destdir}}/usr/share/java/zookeeper/
mv apache-zookeeper-${{vars.short-package-version}}-bin/bin ${{targets.destdir}}/usr/share/java/zookeeper/
mv apache-zookeeper-${{vars.short-package-version}}-bin/conf ${{targets.destdir}}/usr/share/java/zookeeper/
```
Steps to reproduce
No response
Root cause (if known)
No response
Proposed solution
No response
Testing performed
No response
Acceptance criteria
- The requested version is the latest stable upstream release (no pre-releases or RCs)
- The upstream project uses an OSI-approved license
- The change aligns with Wolfi’s packaging and security model
- The package can be reasonably maintained over time
- There are no known unresolved security or supply-chain concerns
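A sketch of how the manifest-versus-index comparison in this report could be automated, added here as an example and not part of the issue or of Wolfi's tooling. The function names are hypothetical, and version ordering is simplified to dotted-numeric versions plus epoch, which is an assumption that covers the versions quoted above but not every apk version form.

```python
import re

# Manifest header and `apk list -a` output, copied from the issue above.
MANIFEST = """\
package:
  name: zookeeper-3.9
  version: "3.9.4.2"
  epoch: 5
"""
APK_LIST = """\
zookeeper-3.9-3.9.3.2-r2 aarch64 {zookeeper-3.9} (Apache-2.0)
zookeeper-3.9-3.9.3.2-r40 aarch64 {zookeeper-3.9} (Apache-2.0)
zookeeper-3.9-3.9.4-r0 aarch64 {zookeeper-3.9} (Apache-2.0)
zookeeper-3.9-3.9.4-r1 aarch64 {zookeeper-3.9} (Apache-2.0)
zookeeper-3.9-3.9.4-r2 aarch64 {zookeeper-3.9} (Apache-2.0)
"""

def manifest_build(text):
    """Return (name, version, epoch) from the manifest's package header."""
    def field(key):
        m = re.search(rf'^[ \t]+{key}:[ \t]*"?([^"\s]+)"?[ \t]*$', text, re.M)
        if m is None:
            raise ValueError(f"manifest has no {key!r} field")
        return m.group(1)
    return field("name"), field("version"), int(field("epoch"))

def index_builds(text, name):
    """Return [(version, epoch)] for exact-name entries in `apk list -a` output."""
    pat = re.compile(rf"^{re.escape(name)}-(\d[^-\s]*)-r(\d+)\s", re.M)
    return [(v, int(e)) for v, e in pat.findall(text)]

def sort_key(version, epoch):
    # Simplified ordering (assumption): numeric dotted components, then epoch.
    return tuple(int(p) for p in version.split(".")), epoch

def compare(manifest, apk_list):
    name, ver, epoch = manifest_build(manifest)
    builds = index_builds(apk_list, name)
    newest = max(builds, key=lambda b: sort_key(*b)) if builds else None
    return {
        "manifest": f"{ver}-r{epoch}",
        "published": (ver, epoch) in builds,
        "newest_in_index": f"{newest[0]}-r{newest[1]}" if newest else None,
        "index_behind_manifest": newest is None or sort_key(*newest) < sort_key(ver, epoch),
    }

if __name__ == "__main__":
    for key, value in compare(MANIFEST, APK_LIST).items():
        print(f"{key}: {value}")
```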