actually the source package hash in the email thread also doesn't match what is in the file either, here it is d4f78b627e0c46db0d328ce53460ae3f5639831f20efc50ed6c25c5999aa310dd089d4d7813c0994f7c6714a2df24594ab7b14ab087e360bb2fbc5992e6e7293 but in https://dist.apache.org/repos/dist/dev/druid/36.0.0-rc1/ it is 82708a9c08895041df8ef4bb47d738606db3c7454a17ad1bc84b5145cff02a112b43c332f78026570180b46efe865781be3833476919536b9999ca0658651865. The bin package hash matches what is in the artifacts. Not sure where this source hash came from, since i can't find it in any other email threads
On Thu, Feb 5, 2026 at 2:57 PM Clint Wylie <[email protected]> wrote: > > +1 (binding) > > .. pending clarification on docker hash. This email thread has it as > 528a78a68b1dde47a5984e60975203d8cdf0bd4f477f8b97b84a8b2b44e3c683, > however dockerhub shows 36 RC1 as different: > https://hub.docker.com/layers/apache/druid/36.0.0-rc1/images/sha256-65f7d09412ca3156bf1a7f13c00d7beed1eff48bda9f287be6d6d1384151669e. > I searched dev list history and I believe maybe you just copied and > pasted a previous voting thread of yours from Druid 33 RC2, which has > the same hash, so I am just assuming this was a mistake. > > src package: > * verified checksum and signature > * LICENSE and NOTICE present > * rat check passed > * built release binary package, tested with quickstart configuration > with kafka ingestion, ran some queries > > binary package: > * verified checksum and signature > * LICENSE and NOTICE present > * tested with quickstart configuration with MSQ ingestion, ran some queries > > docker: > * checksum in email thread does not match tag on dockerhub, which I > see as 65f7d09412ca3156bf1a7f13c00d7beed1eff48bda9f287be6d6d1384151669e > * tested using example docker-compose from source distribution with > MSQ ingestion, ran some queries > > On Wed, Feb 4, 2026 at 12:49 PM Rich Bowen <[email protected]> wrote: > > > > > > > > On 2026/02/02 20:30:40 Zoltan Haindrich wrote: > > > Hi all, > > > > > > I have created a build for Apache Druid 36.0.0, release candidate 1. > > > > > ... > > > [ ] +1 Release this package as Apache Druid 0.17.0 > > > [ ] 0 I don't feel strongly about it, but I'm okay with the release > > > [ ] -1 Do not release this package because... > > > > +1 (non-binding) > > > > * Verified signatures and hashes on the following files as per > > https://apache.org/info/verification.html > > - apache-druid-36.0.0-bin.tar.gz (SHA512, GPG signature) > > - apache-druid-36.0.0-src.tar.gz (SHA512, GPG signature) > > * Verified LICENSE and NOTICE files > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: [email protected] > > For additional commands, e-mail: [email protected] > > --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
