+1 binding

- Verified commit hash
- Verified artifacts and checksums
- Verified signatures
- Tested build from source locally
- Verified produced jars contained required LICENSE/NOTICE metadata

Sung

On 2026/05/01 15:15:49 Russell Spitzer wrote:
> +1 (binding)
>
> Ran through the normal things and did an llm assisted license check again.
>
> Apache Polaris 1.4.1 RC0 — Validation Report
> Tag: apache-polaris-1.4.1-rc0 (9569f2d24c08f926cf768290fda7680cdb1e1611)
> Signed by: Apache Polaris Automated Release Signing <[email protected]>
> Fingerprint: F2EEEB06110BEE1397EC74CBB8960FF52D9B1312
> Passed
> ------
>
> 1. GPG signature verification
>    $ gpg --verify apache-polaris-1.4.1.tar.gz.asc apache-polaris-1.4.1.tar.gz
>    Good signature from "Apache Polaris Automated Release Signing <[email protected]>"
>
> 2. SHA-512 checksum
>    $ shasum -a 512 apache-polaris-1.4.1.tar.gz
>    1dab218abf43dd0e...9dfdde — matches .sha512 file
>
> 3. Source tarball contents
>    - LICENSE present (Apache License 2.0)
>    - NOTICE present (Copyright 2026 The Apache Software Foundation)
>    - No DISCLAIMER file (correct for a TLP)
>    - Binary files: 38 total, all images (PNG, ICO) for site/docs — acceptable
>
> 4. Git tag verification
>    $ git rev-parse apache-polaris-1.4.1-rc0^{commit}
>    9569f2d24c08f926cf768290fda7680cdb1e1611 — matches vote email
>
> 5. Build from source
>    $ ./gradlew build -x intTest -x rat --no-daemon
>    BUILD SUCCESSFUL in 11m 21s, 1433 tasks
>    All unit tests passed (including Testcontainers-based Postgres and MongoDB tests)
>
> 6. Maven staging artifacts (orgapachepolaris-1065)
>    - 67 modules staged
>    - Spot-checked polaris-core, polaris-server, polaris-api-management-model:
>      all have .jar, .pom, -sources.jar, -javadoc.jar, .asc, .md5, .sha1
>    - Parent POM: correct groupId (org.apache.polaris), version (1.4.1),
>      license (Apache-2.0), SCM tag (apache-polaris-1.4.1),
>      SCM URL (https://github.com/apache/polaris)
>
> 7. Binary distribution (polaris-bin-1.4.1.tgz)
>    - LICENSE: 2055 lines, includes Apache 2.0 full text plus per-artifact
>      license declarations for all bundled dependencies
>    - NOTICE: 978 lines, reproduces NOTICE files from bundled projects
>      (Picocli, gRPC, Netty, Jackson, etc.)
>    - Non-Apache licenses found: BSD 2-Clause (org.crac) — Category A, acceptable
>
> 8. Helm chart (polaris-1.4.1.tgz)
>    - Staged at dist.apache.org with .asc, .prov, .sha512
>
> On Fri, May 1, 2026 at 7:30 AM Dmitri Bourlatchkov <[email protected]> wrote:
>
> > +1 (binding)
> >
> > Verified:
> > * Checksums
> > * Signatures
> > * Local `gradle assemble` from source
> >
> > Cheers,
> > Dmitri.
> >
> > On Fri, May 1, 2026 at 3:12 AM Jean-Baptiste Onofré <[email protected]> wrote:
> >
> > > Hi everyone,
> > >
> > > I propose that we release the following RC as the official Apache Polaris
> > > 1.4.1 release.
> > >
> > > This corresponds to the tag: apache-polaris-1.4.1-rc0
> > >
> > > https://github.com/apache/polaris/commits/apache-polaris-1.4.1-rc0
> > >
> > > https://github.com/apache/polaris/tree/9569f2d24c08f926cf768290fda7680cdb1e1611
> > >
> > > The release tarball, signature, and checksums are here:
> > >
> > > https://dist.apache.org/repos/dist/dev/polaris/1.4.1
> > >
> > > Helm charts are available on:
> > >
> > > https://dist.apache.org/repos/dist/dev/polaris/helm-chart/1.4.1
> > >
> > > NB: you have to build the Docker images locally in order to test Helm
> > > charts.
> > >
> > > You can find the KEYS file here:
> > >
> > > https://downloads.apache.org/polaris/KEYS
> > >
> > > Convenience binary artifacts are staged on Nexus.
> > > The Maven repository URL is:
> > >
> > > https://repository.apache.org/content/repositories/orgapachepolaris-1065/
> > >
> > > Please download, verify, and test according to the release verification
> > > guide, which can be found at:
> > >
> > > https://polaris.apache.org/community/release-guides/release-verification-guide/
> > >
> > > Because this release includes important security fixes, this vote is open
> > > for 24 hours and will close as soon as it receives 3 binding votes.
> > >
> > > [ ] +1 Release this as Apache Polaris 1.4.1
> > > [ ] +0
> > > [ ] -1 Do not release this because...
> > >
> > > Only PMC members have binding votes, but other community members are
> > > encouraged to cast non-binding votes.
> > > This vote will pass as soon as there are 3 binding +1.
> > >
> > > Regards
> > > JB
