+1 (binding)
I checked:
[OK] signature of git tag verifies
[OK] hashes and signatures of source and helper binaries are correct
[OK] source and helper binaries are 100% reproducible
[OK] source release matches git tag
[OK] source compiles and all tests pass
[OK] source and helper binaries include correct LICENSE/NOTICE
[OK] RAT check passes
[OK] no unexpected binaries in source
[OK] ~80 public and private DFDL schema projects pass tests
[OK] no open CVE's found using sbt dependencyCheck
- Found a number of CVEs, but they are all SBT provided dependencies. So
whether or not those libraries are actually used depends on the SBT
version, so not anything we control
On 2025-06-09 12:33 PM, Adams, Joshua wrote:
Hi all,
I'd like to call a vote to release Apache Daffodil SBT Plugin 1.4.0-rc1.
All distribution packages, including signatures, digests, etc. can be found at:
https://dist.apache.org/repos/dist/dev/daffodil/daffodil-sbt/1.4.0-rc1/
Staging artifacts can be found at:
https://repository.apache.org/content/repositories/orgapachedaffodil-1053
This release has been signed with PGP key 989D39300ACC1866, corresponding to jad...@apache.org, which is included in the KEYS file here:
https://downloads.apache.org/daffodil/KEYS
The release candidate has been tagged in git with v1.4.0-rc1.
For reference, here is a list of all resolved issues tagged for v1.4.0:
https://s.apache.org/daffodil-sbt-issues-1.4.0
For a summary of the changes in this release, see:
https://daffodil.apache.org/sbt/1.4.0/
Please review and vote. The vote will be open for at least 72 hours (Monday, 9 June, 13:00 EST).
[ ] +1 approve
[ ] +0 no opinion
[ ] -1 disapprove (and reason why)
Thanks,
- Josh
