+1 (binding)

[OK] links in email are correct
[NOT OK] verified Summary of Changes pages (maven, sbt, download and dnf). 
Maven still references japi, and sbt still refs sapi.
[OK] verified download of binary and source
[OK] Successfully used apache-daffodil-4.0.0-bin.tgz
[OK] JavaDoc is correct

________________________________
From: Steve Lawrence <[email protected]>
Sent: Friday, September 12, 2025 11:26 AM
To: [email protected] <[email protected]>
Subject: Re: [VOTE] Release Apache Daffodil 4.0.0-rc1 and Apache Daffodil SBT 
Plugin 1.5.0-rc1

+1 (binding)

In Daffodil, I checked:

[OK] hashes and signatures of source and helper binaries are correct
[OK] source and helper binaries are 100% reproducible
[OK] signature of git tag verifies
[OK] source release matches git tag (minus KEYS file)
[OK] source compiles and all tests pass (both en_US and de_DE)
[OK] src, binaries, and jars include correct LICENSE/NOTICE
[OK] RAT check passes
[OK] no unexpected binaries in source
[OK] rpm and msi install and run with basic usage
[OK] ~80 public and private DFDL schema projects pass tests
[OK] no issues found in JavaDoc
[OK] no open CVEs found using sbt dependencyCheck
        - Three findings, but they are all either false positives or don't apply
          to Daffodil's usage
[OK] Daffodil NiFi processor builds and tests pass with minor updates
[OK] Daffodil SBT plugin builds and tests pass

In Daffodil SBT Plugin, I checked:

[OK] hashes and signatures of source and helper binaries are correct
[OK] source and helper binaries are 100% reproducible
[OK] signature of git tag verifies
[OK] source release matches git tag
[OK] source compiles and all tests pass
[OK] source and helper binaries include correct LICENSE/NOTICE
[OK] RAT check passes
[OK] no unexpected binaries in source
[OK] ~80 public and private DFDL schema projects pass tests
[OK] no open CVEs found using sbt dependencyCheck
      - Found a number of CVEs, but they are all SBT provided dependencies. So
        whether or not those libraries are actually used depends on the SBT
        version, so not anything we control


On 2025-09-09 12:18 PM, Steve Lawrence wrote:
> Hi all,
>
> I'd like to call a vote for a dual release of Apache Daffodil 4.0.0-rc1 and
> Apache Daffodil SBT Plugin 1.5.0-rc1.
>
>
> For Apache Daffodil:
>
> All distribution packages, including signatures, digests, etc. can be found at:
>
> https://dist.apache.org/repos/dist/dev/daffodil/4.0.0-rc1/
>
> Staging artifacts can be found at:
>
> https://repository.apache.org/content/repositories/orgapachedaffodil-1057/
>
> The release candidate has been tagged in git with v4.0.0-rc1.
>
> For reference, here is a list of all resolved JIRA issues tagged with 4.0.0:
>
> https://s.apache.org/daffodil-issues-4.0.0
>
> For a summary of the changes in this release, see:
>
> https://daffodil.apache.org/releases/4.0.0/
>
>
> For Apache Daffodil SBT Plugin:
>
> All distribution packages, including signatures, digests, etc. can be found at:
>
> https://dist.apache.org/repos/dist/dev/daffodil/daffodil-sbt/1.5.0-rc1/
>
> Staging artifacts can be found at:
>
> https://repository.apache.org/content/repositories/orgapachedaffodil-1056/
>
> The release candidate has been tagged in git with v1.5.0-rc1.
>
> For reference, here is a list of all resolved issues in the 1.5.0 milestone:
>
> https://github.com/apache/daffodil-sbt/milestone/6?closed=1
>
> For a summary of the changes in this release, see:
>
> https://daffodil.apache.org/sbt/1.5.0/
>
>
> Both releases have been signed with PGP key
> 24E1775CC44ED9CED4CF03672F0FBAA76B492842, corresponding to the Apache Daffodil
> Automated Release Signing Key, which is included in the KEYS file here:
>
> https://downloads.apache.org/daffodil/KEYS
>
>
> Please review and vote. Steps to automate some verification steps are described
> here:
>
> https://cwiki.apache.org/confluence/display/DAFFODIL/Release+Verification
>
>
> The vote will be open for at least 72 hours (Friday, 12 September 2025, 12 Noon
> EST).
>
> [ ] +1 approve
> [ ] +0 no opinion
> [ ] -1 disapprove (and reason why)
>
> Thanks,
> - Steve
