Hi Manu,

Thanks for catching this and for doing the verification!

The two mismatches are limited to a CI workflow update and changelog
entries, and neither affects the released source code, license, build
output, or the artifacts users will consume. My inclination is that these
changes are not significant enough to justify cutting another RC.

That said, I understand the importance of having the signed tag and the
source tarball match exactly, so I’m happy to hear other opinions from the
community on whether we should bump the RC

Best,

Shawn



On Thu, Jul 2, 2026 at 9:07 AM Manu Zhang <[email protected]> wrote:

> -1 (non-binding)
>
> The ASF source tarball does not match the signed Git tag v0.10.0-rc.2
> (be6cc96eaeb1cac4574cabb11ea6e1e92e0aad45). A clean diff found two
> mismatched files:
>
>   - .github/workflows/bindings_python_ci.yml: ASF tarball contains a Rust
> setup/cache block (PR #2679) that the signed tag does not.
>   - CHANGELOG.md: ASF tarball includes PR #2745 and #2750 changelog
> entries that the signed tag does not.
>
> Thanks,
> Manu
>
> On Thu, Jul 2, 2026 at 4:07 PM Renjie Liu <[email protected]> wrote:
>
>> +1 binding
>>
>> Verified locally on ubunt 26.04
>>
>>
>>    - SHA-512
>>    - Signature
>>    - Header
>>    - Ran `dev/release/verify_rc.sh 0.10.0 2 --verify_signature 0
>>    --import_gpg_keys 1` for build and tests
>>
>> Thanks Danny for driving the release.
>>
>>
>> On Thu, Jul 2, 2026 at 12:19 PM Neelesh Salian <[email protected]>
>> wrote:
>>
>>> +1 (non-binding)
>>>
>>> Verified locally on macOS (M4 Max):
>>>
>>>    - SHA-512: matches
>>>    - GPG signature: Good signature from Shawn Chang <[email protected]>
>>>    - Git tag v0.10.0-rc.2 resolves (annotated) to commit
>>>    be6cc96eaeb1cac4574cabb11ea6e1e92e0aad45
>>>    - LICENSE / NOTICE / README.md present
>>>    - No unexpected binary files in the source tarball
>>>    - Builds from source: make build (cargo build --all-targets
>>>    --all-features --workspace) succeeded
>>>
>>> Separately, I checked the release tracking cross-check (#2527
>>> <https://github.com/apache/iceberg-rust/issues/2527>): all listed
>>> blockers are merged and present in the RC tag.
>>>
>>> Thanks for doing the release, Danny.
>>>
>>> On Wed, Jul 1, 2026 at 8:48 AM Jones, Danny <[email protected]>
>>> wrote:
>>>
>>>> Hello Apache Iceberg Rust Community,
>>>>
>>>>
>>>>
>>>> This is a call for a vote to release Apache Iceberg Rust version 0.10.0.
>>>>
>>>>
>>>>
>>>> The tag to be voted on is: v0.10.0-rc.2.
>>>>
>>>>
>>>>
>>>> The release candidate:
>>>>
>>>>
>>>>
>>>>
>>>> https://dist.apache.org/repos/dist/dev/iceberg/apache-iceberg-rust-0.10.0-rc2/
>>>>
>>>>
>>>>
>>>> Keys to verify the release candidate:
>>>>
>>>>
>>>>
>>>> https://downloads.apache.org/iceberg/KEYS
>>>>
>>>>
>>>>
>>>> Git tag for the release:
>>>>
>>>>
>>>>
>>>> https://github.com/apache/iceberg-rust/releases/tag/v0.10.0-rc.2
>>>>
>>>>
>>>>
>>>> Please download, verify, and test the release candidate.
>>>>
>>>>
>>>>
>>>> This vote will be open for at least 72 hours and will remain open until
>>>> the required number of votes is reached.
>>>>
>>>>
>>>>
>>>> Please vote accordingly:
>>>>
>>>> [ ] +1 Approve
>>>>
>>>> [ ] +0 No opinion
>>>>
>>>> [ ] -1 Disapprove (please provide a reason)
>>>>
>>>>
>>>>
>>>> To learn more about Apache Iceberg, please visit:
>>>>
>>>> https://rust.iceberg.apache.org/
>>>>
>>>>
>>>>
>>>> Checklist for reference:
>>>>
>>>> [ ] Download links are valid
>>>>
>>>> [ ] Checksums and signatures are correct
>>>>
>>>> [ ] LICENSE and NOTICE files are present
>>>>
>>>> [ ] No unexpected binary files are included
>>>>
>>>> [ ] All source files have ASF headers
>>>>
>>>> [ ] The project builds successfully from source
>>>>
>>>> [ ] pyiceberg-core builds and tests successfully
>>>>
>>>>
>>>>
>>>> For more details, please refer to:
>>>>
>>>> https://rust.iceberg.apache.org/release.html#how-to-verify-a-release
>>>>
>>>>
>>>>
>>>> Thanks,
>>>>
>>>> Danny C Jones and Shawn Chang
>>>>
>>>>
>>>>
>>>

Reply via email to