Great catch. This was a release process error on my part, which picked up the same aarch64 tarball from RC0 instead of a new build.
Let's cancel this vote and aim to bring in HADOOP-19843 with the next RC. Chris Nauroth On Wed, Mar 18, 2026 at 10:49 PM Cheng Pan <[email protected]> wrote: > sorry, I need to cast -1 (non-binding) > > things look good to me: > I integrated the jars deployed to the staging maven repo, the test > results look good. > > I checked the x86_64 binary tarball and confirmed that the vulnerable > lz4-java-1.8.0.jar has gone. > $ wget > https://dist.apache.org/repos/dist/dev/hadoop/hadoop-3.5.0-RC1/hadoop-3.5.0.tar.gz > $ find hadoop-3.5.0 -iname '*lz4-java*' > hadoop-3.5.0/share/hadoop/tools/lib/lz4-java-1.10.4.jar > > but it seems that the aarch64 binary tarball is problematic. I'm not > sure if this is a packaging issue or something else > $ wget > https://dist.apache.org/repos/dist/dev/hadoop/hadoop-3.5.0-RC1/hadoop-3.5.0-aarch64.tar.gz > $ find hadoop-3.5.0 -iname '*lz4-java*' > hadoop-3.5.0/share/hadoop/tools/lib/lz4-java-1.8.0.jar > > another issue is > https://lists.apache.org/thread/4sn3bb2qo9vz2kqgblhx3wdc35fkc3bd, > I have opened HADOOP-19843 to track and am also trying to solve it, > you may need to evaluate if this is a release blocker for hadoop 3.5.0 > > Thanks, > Cheng Pan > > On Tue, Mar 17, 2026 at 1:35 AM Chris Nauroth <[email protected]> wrote: > > > > FYI, I have also pushed updated configuration files to > > hadoop-release-support to help with verification: > > > > > https://github.com/apache/hadoop-release-support/commit/ca5a3ffb3b4c9f3aef86d92e114694d2e4fc6cf2 > > > > Chris Nauroth > > > > > > On Mon, Mar 16, 2026 at 10:19 AM Chris Nauroth <[email protected]> > wrote: > > > > > I have put together a release candidate (RC1) for Hadoop 3.5.0. > > > > > > This is a new minor version focused on JDK 17 compatibility, new cloud > > > storage integrations, dependency upgrades, security patches, and new > > > features. > > > > > > Change log > > > > https://dist.apache.org/repos/dist/dev/hadoop/hadoop-3.5.0-RC1/CHANGELOG.md > > > > > > Release notes > > > > > > > https://dist.apache.org/repos/dist/dev/hadoop/hadoop-3.5.0-RC1/RELEASENOTES.md > > > > > > The RC is available at: > > > https://dist.apache.org/repos/dist/dev/hadoop/hadoop-3.5.0-RC1/ > > > > > > The git tag is release-3.5.0-RC1, commit > > > f27666d8f137e0bbb3178b94ad25609dc16a77c0. > > > > > > The maven artifacts are staged at > > > > https://repository.apache.org/content/repositories/orgapachehadoop-1469 > > > > > > You can find my public key at: > > > https://dist.apache.org/repos/dist/release/hadoop/common/KEYS > > > > > > Please try the RC and vote. This vote is intended to run for 5 days. > > > > > > Chris Nauroth > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > >
