Hi all,

thanks Atita for prepping the release candidate, and thanks Richard for backporting the CVE fixes.

+1 (binding)

[x] Both source (tar.gz/zip) and binary artifacts (tar.gz/zip) are present, along with .asc and .sha512 files for each.
[x] PGP signatures are valid for the release artifacts using the KEYS file from dist.apache.org
[x] SHA512 checksums are correct and verified.
[x] LICENSE and NOTICE files exist and are accurate.
[x] No unexpected binary files in the source release.
[x] All source files have appropriate ASF headers (excluding generated files and legacy files).
[x] Build completes successfully from source and the instructions to do so are clear.

Env used for Build checks (and for the record):

Apache Maven 3.9.14 (996c630dbc656c76214ce58821dcc58be960875b)
Maven home: /Applications/apache-maven-3
Java version: 1.8.0_492, vendor: Azul Systems, Inc., runtime: /Library/Java/JavaVirtualMachines/zulu-8u492.jdk/Contents/Home/jre
Default locale: de_DE, platform encoding: UTF-8
OS name: "mac os x", version: "26.5.1", arch: "aarch64", family: "mac"

The eval build in a Java 8 environment found here:
https://ci-builds.apache.org/job/OpenNLP/job/eval-tests-releases/32/
finished correctly: all passed.

Best
Martin | mawiesne

> On 18.06.2026 at 19:19, Richard Zowalla <[email protected]> wrote:
>
> Hi,
>
> thanks for prepping.
>
> [x] Both source (tar.gz/zip) and binary artifacts (tar.gz/zip) are present,
> along with .asc and .sha512 files for each.
> [x] PGP signatures are valid for the release artifacts using the KEYS file
> from dist.apache.org
> [x] SHA512 checksums are correct and verified.
> [x] LICENSE and NOTICE files exist and are accurate.
> [x] No unexpected binary files in the source release.
> [x] All source files have appropriate ASF headers (excluding generated files
> and legacy files).
> [x] Build completes successfully from source and the instructions to do so are
> clear.
>
> +1 (binding)
>
> Some non-blocking observations:
>
> 1.) NOTICE file has an old year.
>
> Regards
> Richard
>
>> On 18.06.2026 at 18:59, Atita Arora <[email protected]> wrote:
>>
>> Hi all,
>>
>> I have posted a release candidate for the Apache OpenNLP 1.9.5 release and
>> it is ready for testing.
>>
>> This is a maintenance release of the 1.9.x line, addressing several
>> security vulnerabilities (CVEs) that affect Apache Lucene 8.x and
>> downstream Solr 8.x which depend on OpenNLP 1.9.x:
>>
>> - OPENNLP-1819: Align DictionaryEntryPersistor XML parsing with XmlUtil
>> helper
>> - OPENNLP-1820: Restrict ExtensionLoader to allowlisted package prefixes
>> - OPENNLP-1821: Prevent OutOfMemory due to huge array allocation
>> - OPENNLP-1826: Fix for XML parser security options
>> - OPENNLP-1835: Tolerate unsupported XML parser security options
>>
>> Thank you to everyone who contributed to this release, including all of our
>> users and the people who submitted bug reports, contributed code or
>> documentation enhancements.
>>
>> The release was made using the OpenNLP release process, documented on the
>> website:
>> https://opennlp.apache.org/release.html
>>
>> Maven Repo:
>> https://repository.apache.org/content/repositories/orgapacheopennlp-1067
>>
>> <repositories>
>> <repository>
>> <id>opennlp-1.9.5-rc1</id>
>> <name>Testing OpenNLP 1.9.5 release candidate</name>
>> <url>
>> https://repository.apache.org/content/repositories/orgapacheopennlp-1067
>> </url>
>> </repository>
>> </repositories>
>>
>> Binaries & Source:
>> https://dist.apache.org/repos/dist/dev/opennlp/opennlp-1.9.5
>>
>> Tag:
>> https://github.com/apache/opennlp/releases/tag/opennlp-1.9.5
>>
>> Tag Hash: 558f83bd89ec0f324fd6331067a093ce2ae58d1c
>>
>> Release notes:
>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311215&version=12355022
>>
>> Reminder: The up-to-date KEYS file for signature verification can be
>> found here: https://dist.apache.org/repos/dist/release/opennlp/KEYS
>>
>> Checklist for reference:
>>
>> [ ] Both source (tar.gz/zip) and binary artifacts (tar.gz/zip) are present,
>> along with .asc and .sha512 files for each.
>> [ ] PGP signatures are valid for the release artifacts using the KEYS file
>> from dist.apache.org
>> [ ] SHA512 checksums are correct and verified.
>> [ ] LICENSE and NOTICE files exist and are accurate.
>> [ ] No unexpected binary files in the source release.
>> [ ] All source files have appropriate ASF headers (excluding generated
>> files and legacy files).
>> [ ] Build completes successfully from source and the instructions to do so
>> are clear.
>>
>> Please vote on releasing these packages as Apache OpenNLP 1.9.5. The
>> vote is open for at least the next 72 hours.
>>
>> Only votes from OpenNLP PMC are binding, but everyone is welcome to
>> check the release candidate and vote.
>> The vote passes if at least three binding +1 votes are cast.
>>
>> Please VOTE
>>
>> [+1] go ship it
>> [+0] meh, don't care
>> [-1] stop, there is a ${showstopper}
>>
>> Thanks!
>>
>> Atita
>
