Hi all,

thanks Atita for prepping the release candidate, and thanks Richard for 
backporting the CVE fixes.

+1 (binding)

[x] Both source (tar.gz/zip) and binary artifacts (tar.gz/zip) are present, 
along with .asc and .sha512 files for each.
[x] PGP signatures are valid for the release artifacts using the KEYS file from 
dist.apache.org
[x] SHA512 checksums are correct and verified.
[x] LICENSE and NOTICE files exist and are accurate.
[x] No unexpected binary files in the source release.
[x] All source files have appropriate ASF headers (excluding generated files 
and legacy files).
[x] Build completes successfully from source and the instructions to do so are 
clear.

Env used for Build checks (and for the records):

Apache Maven 3.9.14 (996c630dbc656c76214ce58821dcc58be960875b)
Maven home: /Applications/apache-maven-3
Java version: 1.8.0_492, vendor: Azul Systems, Inc., runtime: 
/Library/Java/JavaVirtualMachines/zulu-8u492.jdk/Contents/Home/jre
Default locale: de_DE, platform encoding: UTF-8
OS name: "mac os x", version: "26.5.1", arch: "aarch64", family: "mac"

The eval build in a Java 8 environment found here:
https://ci-builds.apache.org/job/OpenNLP/job/eval-tests-releases/32/
finished correctly: all passed.

Best 
Martin | mawiesne

> On 18.06.2026 at 19:19, Richard Zowalla <[email protected]> wrote:
> 
> Hi,
> 
> thanks for prepping.
> 
> [x] Both source (tar.gz/zip) and binary artifacts (tar.gz/zip) are present, 
> along with .asc and .sha512 files for each.
> [x] PGP signatures are valid for the release artifacts using the KEYS file 
> from dist.apache.org
> [x] SHA512 checksums are correct and verified.
> [x] LICENSE and NOTICE files exist and are accurate.
> [x] No unexpected binary files in the source release.
> [x] All source files have appropriate ASF headers (excluding generated files 
> and legacy files).
> [x] Build completes successfully from source and the instructions to do so are 
> clear.
> 
> +1 (binding)
> 
> Some non-blocking observations: 
> 
> 1.) NOTICE file has an old year.
> 
> Regards
> Richard
> 
>> On 18.06.2026 at 18:59, Atita Arora <[email protected]> wrote:
>> 
>> Hi all,
>> 
>> I have posted a release candidate for the Apache OpenNLP 1.9.5 release and
>> it is ready for testing.
>> 
>> This is a maintenance release of the 1.9.x line, addressing several
>> security vulnerabilities (CVEs) that affect Apache Lucene 8.x and
>> downstream Solr 8.x which depend on OpenNLP 1.9.x:
>> 
>> - OPENNLP-1819: Align DictionaryEntryPersistor XML parsing with XmlUtil
>> helper
>> - OPENNLP-1820: Restrict ExtensionLoader to allowlisted package prefixes
>> - OPENNLP-1821: Prevent OutOfMemory due to huge array allocation
>> - OPENNLP-1826: Fix for XML parser security options
>> - OPENNLP-1835: Tolerate unsupported XML parser security options
>> 
>> Thank you to everyone who contributed to this release, including all of our
>> users and the people who submitted bug reports, contributed code or
>> documentation enhancements.
>> 
>> The release was made using the OpenNLP release process, documented on the
>> website:
>> https://opennlp.apache.org/release.html
>> 
>> Maven Repo:
>> https://repository.apache.org/content/repositories/orgapacheopennlp-1067
>> 
>> <repositories>
>> <repository>
>>   <id>opennlp-1.9.5-rc1</id>
>>   <name>Testing OpenNLP 1.9.5 release candidate</name>
>>   <url>https://repository.apache.org/content/repositories/orgapacheopennlp-1067</url>
>> </repository>
>> </repositories>
>> 
>> Binaries & Source:
>> https://dist.apache.org/repos/dist/dev/opennlp/opennlp-1.9.5
>> 
>> Tag:
>> https://github.com/apache/opennlp/releases/tag/opennlp-1.9.5
>> 
>> Tag Hash: 558f83bd89ec0f324fd6331067a093ce2ae58d1c
>> 
>> Release notes:
>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311215&version=12355022
>> 
>> Reminder: The up-to-date KEYS file for signature verification can be
>> found here: https://dist.apache.org/repos/dist/release/opennlp/KEYS
>> 
>> Checklist for reference:
>> 
>> [ ] Both source (tar.gz/zip) and binary artifacts (tar.gz/zip) are present,
>> along with .asc and .sha512 files for each.
>> [ ] PGP signatures are valid for the release artifacts using the KEYS file
>> from dist.apache.org
>> [ ] SHA512 checksums are correct and verified.
>> [ ] LICENSE and NOTICE files exist and are accurate.
>> [ ] No unexpected binary files in the source release.
>> [ ] All source files have appropriate ASF headers (excluding generated
>> files and legacy files).
>> [ ] Build completes successfully from source and the instructions to do so
>> are clear.
>> 
>> Please vote on releasing these packages as Apache OpenNLP 1.9.5. The
>> vote is open for at least the next 72 hours.
>> 
>> Only votes from OpenNLP PMC are binding, but everyone is welcome to
>> check the release candidate and vote.
>> The vote passes if at least three binding +1 votes are cast.
>> 
>> Please VOTE
>> 
>> [+1] go ship it
>> [+0] meh, don't care
>> [-1] stop, there is a ${showstopper}
>> 
>> Thanks!
>> 
>> Atita
> 
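
The checksum and signature items on the checklist in this thread can be scripted as below. This is an added example, not part of the thread and not OpenNLP's release tooling; the function names, the directory layout and the three `.sha512` layouts it accepts are assumptions.

```shell
#!/bin/sh
# Added example: checksum and signature checks for a release-candidate directory.
# Assumed layout: each artifact sits next to <artifact>.sha512 and <artifact>.asc.

sha512_of() {  # print the lowercase hex SHA-512 of file $1
  if command -v sha512sum >/dev/null 2>&1; then sha512sum "$1" | cut -d' ' -f1
  else shasum -a 512 "$1" | cut -d' ' -f1; fi
}

# Read the digest from a .sha512 file. Accepts a bare digest, "digest  name"
# (sha512sum style) and "name: AAAA BBBB ..." wrapped over lines (gpg --print-md style).
expected_sha512() {
  awk 'NR == 1 && length($1) == 128 { h = $1; exit }
       NR == 1 { sub(/^[^:]*:/, "") }
       { gsub(/[ \t\r]/, ""); h = h $0 }
       END { print tolower(h) }' "$1" 2>/dev/null
}

verify_sha512() {  # 0 if artifact $1 matches $1.sha512, 1 otherwise
  want=$(expected_sha512 "$1.sha512") || return 1
  [ "${#want}" -eq 128 ] || return 1            # truncated or padded digest
  case "$want" in *[!0-9a-f]*) return 1 ;; esac  # not hex
  [ "$(sha512_of "$1")" = "$want" ]
}

# Verify $2.asc over $2 with a throwaway keyring that holds only the keys from
# KEYS file $1, so a good signature from any other key in ~/.gnupg does not count.
verify_sig() {
  home=$(mktemp -d) || return 1
  gpg --homedir "$home" --batch --quiet --import "$1" 2>/dev/null &&
    gpg --homedir "$home" --batch --verify "$2.asc" "$2" 2>/dev/null
  rc=$?
  rm -rf "$home"
  return "$rc"
}

check_release() {  # usage: check_release DIR [KEYS]; non-zero if any check fails
  fail=0
  for f in "$1"/*.tar.gz "$1"/*.zip; do
    [ -f "$f" ] || continue
    if verify_sha512 "$f"; then echo "OK   sha512 $f"; else echo "FAIL sha512 $f"; fail=1; fi
    [ -n "$2" ] || continue
    if verify_sig "$2" "$f"; then echo "OK   pgp    $f"; else echo "FAIL pgp    $f"; fail=1; fi
  done
  return "$fail"
}

if [ "$#" -gt 0 ]; then check_release "$@"; fi
```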
