Usually we don't put the rc in the staged artifacts, exactly to avoid to change the checksum files after (only the vote should have RC, not the artifacts).
I don't consider the License in package info as a blocker (the actual LICENSE file is included), but clearly to be fixed. Regarding, these issues, I suggest to cancel this vote to prepare a clean RC2 with clean artifacts and updated package info. Regards JB On Wed, Apr 22, 2026 at 4:02 PM Dmitri Bourlatchkov <[email protected]> wrote: > Hi JB, > > Thanks for fixing the checksum files. They pass validation now. Signatures > are OK too. The package installs fine. > > However, I still vote -1 because of the RC tags and missing "License" in > package info (details below). > > 1) SHA files still reference files with "rc1" in the name. If we publish > them, we'll have to modify the content after voting, which is not nice. > > $ cat apache_polaris-1.4.0rc1.tar.gz.sha512 > > 5c8b2d967965e9b578ca1e4e3e5d659a5bd5cdb3ee2ae1622a2eae95605e5e8683902b5d3044736220eb48c29d4dd70275eab95528270ebbb411a8e71f8c159c > apache_polaris-1.4.0rc1.tar.gz > > 2) Python package info still shows a version with "rc1" after installation. > As I noted before, I believe this will require re-packaging after the vote > (to avoid "RC" in the final release). > > $ venv/bin/pip show apache-polaris > Name: apache-polaris > Version: 1.4.0rc1 > Summary: Apache Polaris > Home-page: > Author: > Author-email: Apache Software Foundation <[email protected]> > License: > Location: > /home/dmitri/Downloads/pol-cli-rc1/venv/lib/python3.12/site-packages > Requires: boto3, prettytable, pydantic, python-dateutil, pyyaml, > typing-extensions, urllib3 > Required-by: > > Confirmed manually: the "rc1" tag is present in PKG-INFO inside the signed > archive too. So, removing the RC tag will require re-signing and will > invalidate signature checks during the vote. > > 3) Licence name is missing from package info. > > 4) (minor) Home-page and author email are missing from package info > > Sorry for being picky, but I believe these matters are important. > > Cheers, > Dmitri. > > On Wed, Apr 22, 2026 at 1:32 AM Jean-Baptiste Onofré <[email protected]> > wrote: > > > Hi folks, > > > > 1. The checksums are basically correct (in terms of pure checksum), you > can > > verify for instance with this sha512 content: > > > > > > > 5c8b2d967965e9b578ca1e4e3e5d659a5bd5cdb3ee2ae1622a2eae95605e5e8683902b5d3044736220eb48c29d4dd70275eab95528270ebbb411a8e71f8c159c > > apache_polaris-1.4.0rc1.tar.gz > > > > for instance. > > > > 2. Usually, to simplify the check, the path in the sha512 should use a > > relative local path (that's the issue here: the sha512 file should a > > relative path but relative to the root folder). > > 3. Since the checksums are correct, we can update dist.apache.org to use > > the related one level path. I fixed the sha512 files on dist.apache.org. > > > > @Yong and @Dmitri can you check again? It should be fine by default now. > > > > Regards > > JB > > > > On Wed, Apr 22, 2026 at 2:19 AM Dmitri Bourlatchkov <[email protected]> > > wrote: > > > > > Correction: I found the key. Signatures are OK. > > > > > > Still, the other issues remain. > > > > > > Cheers, > > > Dmitri. > > > > > > On Tue, Apr 21, 2026 at 8:06 PM Dmitri Bourlatchkov <[email protected]> > > > wrote: > > > > > > > Hi Adnan, > > > > > > > > -1 (binding) > > > > > > > > Sorry for nitpicks, but checksums do not easily match based on data > in > > > > dist - file paths are not aligned: > > > > > > > > $ sha512sum -c *.sha512 > > > > sha512sum: > client/python/dist/apache_polaris-1.4.0rc1-py3-none-any.whl: > > > No > > > > such file or directory > > > > client/python/dist/apache_polaris-1.4.0rc1-py3-none-any.whl: FAILED > > open > > > > or read > > > > sha512sum: WARNING: 1 listed file could not be read > > > > sha512sum: client/python/dist/apache_polaris-1.4.0rc1.tar.gz: No such > > > file > > > > or directory > > > > client/python/dist/apache_polaris-1.4.0rc1.tar.gz: FAILED open or > read > > > > sha512sum: WARNING: 1 listed file could not be read > > > > > > > > Signature verification failed: > > > > > > > > $ gpg --verify apache_polaris-1.4.0rc1-py3-none-any.whl.asc > > > > apache_polaris-1.4.0rc1-py3-none-any.whl > > > > gpg: Signature made Tue 21 Apr 2026 01:30:38 AM EDT > > > > gpg: using RSA key > > > 81010346A868FB157879A81354F298C6A64BECCC > > > > gpg: Can't check signature: No public key > > > > > > > > I downloaded the latest KEYS file... Did I miss something?.. What is > > this > > > > RSA key? > > > > > > > > Also file names contain "rc1", which I think is still not great. I > > > believe > > > > the RC set of files on dist/dev should be exactly as the final set of > > > > release files if the vote is successful, right? > > > > > > > > Cheers, > > > > Dmitri. > > > > > > > > On Tue, Apr 21, 2026 at 1:38 AM Adnan Hemani via dev < > > > > [email protected]> wrote: > > > > > > > >> Uploaded the source distribution on dist.apache.org. > > > >> > > > >> Yong, I'm not sure what you're pointing out. Can you explain > further? > > > >> > > > >> Best, > > > >> Adnan Hemani > > > >> > > > >> On Mon, Apr 20, 2026 at 10:03 PM Yong Zheng <[email protected]> > > wrote: > > > >> > > > >> > Maybe wrong path in the sha512: > > > >> > cat apache_polaris-1.4.0rc1-py3-none-any.whl.sha512 > > > >> > > > > >> > > > > > > beedace582c330e2602a643364fbf5806c3c7564897384f42e1ac546ed69e06c64cb29d7ab32787b05078785416c387be6ce66ce63e20ba6ebf9a36d16332e7d > > > >> > client/python/dist/apache_polaris-1.4.0rc1-py3-none-any.whl > > > >> > > > > >> > Thanks, > > > >> > Yong Zheng > > > >> > > > > >> > On 2026/04/20 23:41:04 Adnan Hemani via dev wrote: > > > >> > > Hi all, > > > >> > > > > > >> > > I propose that we release the following RC as the official > Apache > > > >> Polaris > > > >> > > Python CLI 1.4.0 release. > > > >> > > > > > >> > > SVN: > > > >> https://dist.apache.org/repos/dist/dev/polaris/python-client/1.4.0/ > > > >> > > Test PyPI: > https://test.pypi.org/project/apache-polaris/1.4.0rc1/ > > > >> > > > > > >> > > Starting with Apache Polaris 1.5.0, the CLI should be released > > > >> alongside > > > >> > > all other release artifacts within the full Polaris Release > > > Candidate. > > > >> > Work > > > >> > > to make this happen can be found here: > > > >> > > https://github.com/apache/polaris/pull/4220 > > > >> > > > > > >> > > Please vote in the next 72 hours. > > > >> > > > > > >> > > [ ] +1 Release this as Apache Polaris 1.4.0 > > > >> > > [ ] +0 > > > >> > > [ ] -1 Do not release this because... > > > >> > > > > > >> > > Only PMC members have binding votes, but other community members > > are > > > >> > > encouraged to cast non-binding votes. > > > >> > > This vote will pass if there are 3 binding +1 votes and more > > binding > > > >> +1 > > > >> > > votes than -1 votes. > > > >> > > > > > >> > > Best, > > > >> > > Adnan Hemani > > > >> > > > > > >> > > > > >> > > > > > > > > > >
