Hi,
This vote passes with the following +1 being cast:
- Richard Zowalla (binding)
- Martin Wiesner (binding)
- Atita Arora (binding)

Thanks to all voters. I'll proceed with the steps.

-Atita

On Fri, Jun 19, 2026 at 10:46 PM Martin Wiesner <[email protected]> wrote:

> Hi all,
>
> thanks Atita for prepping the release candidate, and thanks Richard for
> backporting the CVE fixes.
>
> +1 (binding)
>
> [x] Both source (tar.gz/zip) and binary artifacts (tar.gz/zip) are
> present, along with .asc and .sha512 files for each.
> [x] PGP signatures are valid for the release artifacts using the KEYS file
> from dist.apache.org
> [x] SHA512 checksums are correct and verified.
> [x] LICENSE and NOTICE files exist and are accurate.
> [x] No unexpected binary files in the source release.
> [x] All source files have appropriate ASF headers (excluding generated
> files and legacy files).
> [x] Build completes successfully from source and the instruction to do so
> are clear.
>
> Env used for Build checks (and for the records):
>
> Apache Maven 3.9.14 (996c630dbc656c76214ce58821dcc58be960875b)
> Maven home: /Applications/apache-maven-3
> Java version: 1.8.0_492, vendor: Azul Systems, Inc., runtime:
> /Library/Java/JavaVirtualMachines/zulu-8u492.jdk/Contents/Home/jre
> Default locale: de_DE, platform encoding: UTF-8
> OS name: "mac os x", version: "26.5.1", arch: "aarch64", family: „mac“
>
> The eval build in an Java 8 environment found here:
> https://ci-builds.apache.org/job/OpenNLP/job/eval-tests-releases/32/
> finished correctly: all passed.
>
> Best
> Martin | mawiesne
>
> > Am 18.06.2026 um 19:19 schrieb Richard Zowalla <[email protected]>:
> >
> > Hi,
> >
> > thanks for prepping.
> >
> > [x] Both source (tar.gz/zip) and binary artifacts (tar.gz/zip) are
> present, along with .asc and .sha512 files for each.
> > [x] PGP signatures are valid for the release artifacts using the KEYS
> file from dist.apache.org
> > [x] SHA512 checksums are correct and verified.
> > [x] LICENSE and NOTICE files exist and are accurate.
> > [x] No unexpected binary files in the source release.
> > [x] All source files have appropriate ASF headers (excluding generated
> files and legacy files).
> > [x] Build completes successfully from source and the instruction to do
> so are clear.
> >
> > +1 (binding)
> >
> > Some non blocking observations:
> >
> > 1.) NOTICE file has a old year.
> >
> > Gruß
> > Richard
> >
> >> Am 18.06.2026 um 18:59 schrieb Atita Arora <[email protected]>:
> >>
> >> Hi all,
> >>
> >> I have posted a release candidate for the Apache OpenNLP 1.9.5 release
> and
> >> it is ready for testing.
> >>
> >> This is a maintenance release of the 1.9.x line, addressing several
> >> security vulnerabilities (CVEs) that affect Apache Lucene 8.x and
> >> downstream Solr 8.x which depend on OpenNLP 1.9.x:
> >>
> >> - OPENNLP-1819: Align DictionaryEntryPersistor XML parsing with XmlUtil
> >> helper
> >> - OPENNLP-1820: Restrict ExtensionLoader to allowlisted package prefixes
> >> - OPENNLP-1821: Prevent OutOfMemory due to huge array allocation
> >> - OPENNLP-1826: Fix for XML parser security options
> >> - OPENNLP-1835: Tolerate unsupported XML parser security options
> >>
> >> Thank you to everyone who contributed to this release, including all of
> our
> >> users and the people who submitted bug reports, contributed code or
> >> documentation enhancements.
> >>
> >> The release was made using the OpenNLP release process, documented on
> the
> >> website:
> >> https://opennlp.apache.org/release.html
> >>
> >> Maven Repo:
> >>
> https://repository.apache.org/content/repositories/orgapacheopennlp-1067
> >>
> >> <repositories>
> >> <repository>
> >>   <id>opennlp-1.9.5-rc1</id>
> >>   <name>Testing OpenNLP 1.9.5 release candidate</name>
> >>   <url>
> >>
> https://repository.apache.org/content/repositories/orgapacheopennlp-1067
> >> </url>
> >> </repository>
> >> </repositories>
> >>
> >> Binaries & Source:
> >> https://dist.apache.org/repos/dist/dev/opennlp/opennlp-1.9.5
> >>
> >> Tag:
> >> https://github.com/apache/opennlp/releases/tag/opennlp-1.9.5
> >>
> >> Tag Hash: 558f83bd89ec0f324fd6331067a093ce2ae58d1c
> >>
> >> Release notes:
> >>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311215&version=12355022
> >>
> >> Reminder: The up-to-date KEYS file for signature verification can be
> >> found here: https://dist.apache.org/repos/dist/release/opennlp/KEYS
> >>
> >> Checklist for reference:
> >>
> >> [ ] Both source (tar.gz/zip) and binary artifacts (tar.gz/zip) are
> present,
> >> along with .asc and .sha512 files for each.
> >> [ ] PGP signatures are valid for the release artifacts using the KEYS
> file
> >> from dist.apache.org
> >> [ ] SHA512 checksums are correct and verified.
> >> [ ] LICENSE and NOTICE files exist and are accurate.
> >> [ ] No unexpected binary files in the source release.
> >> [ ] All source files have appropriate ASF headers (excluding generated
> >> files and legacy files).
> >> [ ] Build completes successfully from source and the instruction to do
> so
> >> are clear.
> >>
> >> Please vote on releasing these packages as Apache OpenNLP 1.9.5. The
> >> vote is open for at least the next 72 hours.
> >>
> >> Only votes from OpenNLP PMC are binding, but everyone is welcome to
> >> check the release candidate and vote.
> >> The vote passes if at least three binding +1 votes are cast.
> >>
> >> Please VOTE
> >>
> >> [+1] go ship it
> >> [+0] meh, don't care
> >> [-1] stop, there is a ${showstopper}
> >>
> >> Thanks!
> >>
> >> Atita
> >
>
>

Reply via email to