+1

- Verified all checksums and signatures.
- Checked LICENSE and NOTICE.
- Compared the files in the src tarball with the files in git.
- Built from src tarball successfully.
- Reproduced the files in the bin tarball:
  * It turns out that the jars are unsigned.
  * Except for ratis-proto-3.2.2.jar, all the other jars in the rc can be reproduced exactly.
  * The file ratis-proto-3.2.2.jar in rc somehow has an empty "annotations/" directory but my generated jar doesn't.
  * After extracting the jar, all the files inside the jar are exactly the same as the files generated locally.
- Passed all unit tests.
- Able to run examples and shell with the bin tarball.

Thanks for rolling out the RC!
Tsz-Wo

On Mon, Mar 30, 2026 at 10:45 AM Tsz Wo Sze <[email protected]> wrote:

> Hi Xinyu,
>
> Thanks for the info! I got the same MD5 now:
>
> % md5 ratis-common/target/classes/org/apache/ratis/conf/RaftProperties.class
> MD5 (ratis-common/target/classes/org/apache/ratis/conf/RaftProperties.class) = faf62bea5c84206da70dfa626b03b004
>
> Will continue verifying the release.
>
> Tsz-Wo
>
> On Sat, Mar 28, 2026 at 9:58 PM Xinyu Tan <[email protected]> wrote:
>
>> Hi, Tsz-wo
>>
>> Sorry for the late reply.
>>
>> I'm using jdk 1.8.0_472 with Zulu 8.90.0.19-CA-macos-aarch64.
>>
>> Best
>> ----------------
>> Xinyu Tan
>>
>> On 2026/03/27 17:22:26 Tsz Wo Sze wrote:
>> > Hi Xinyu,
>> >
>> > What is the jdk version you used to build the RCs?
>> >
>> > Extracted the jars and then compared the class file. However, the class
>> > files are different. I probably need to use the exact jdk to reproduce the
>> > binaries.
>> >
>> > % from the bin tarball
>> > MD5 (/Users/szetszwo/ratis/release/3.2.2/rc3/apache-ratis-3.2.2-bin/tmp/jars/ratis-common-3.2.2/org/apache/ratis/conf/RaftProperties.class) = faf62bea5c84206da70dfa626b03b004
>> >
>> > % generated locally using make_rc.sh
>> > MD5 (jars/ratis-common-3.2.2/org/apache/ratis/conf/RaftProperties.class) = 7a35e5b500c4cf6283ce705f4bbf31a3
>> >
>> > Tsz-Wo
>> >
>> >
>> > On Thu, Mar 26, 2026 at 8:16 PM Tsz Wo Sze <[email protected]> wrote:
>> >
>> > > I am verifying the rc3.
>> > >
>> > > Question: How to verify if the binary is reproducible?
>> > > - I rebuilt the tarball. However, the resulting binary was different
>> > > since my generated jars were signed by my signatures.
>> > > - Also tried the diffoscope tool recommended by [1] but it showed a lot of
>> > > difference (due to the signatures?).
>> > >
>> > > Tsz-Wo
>> > > [1] https://reproducible-builds.org/tools/
>> > >
>> > > On Sun, Mar 22, 2026 at 2:12 AM Attila Doroszlai <[email protected]> wrote:
>> > >
>> > >> > I’m calling a vote for Apache Ratis Release 3.2.2 rc3.
>> > >> > https://github.com/apache/ratis/tree/ratis-3.2.2-rc3
>> > >> > https://dist.apache.org/repos/dist/dev/ratis/3.2.2/rc3
>> > >> > https://repository.apache.org/content/repositories/orgapacheratis-1178
>> > >>
>> > >> +1
>> > >>
>> > >> - Verified checksums, signatures, git hash
>> > >> - Compared source tarball contents to git repo
>> > >> - Built from source
>> > >> - Ozone CI mostly passed (except a single test) with staged Maven
>> > >> artifacts
>> > >>
>> > >> Thanks Xinyu for the RC (and fixing issues with previous RCs).
>> > >>
>> > >> -Attila
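
Added example, not part of the thread and not Apache Ratis tooling: one way to run the jar comparison described above without extracting by hand is to hash each entry's uncompressed content and classify what differs, so an extra empty directory entry (the "annotations/" case) or signer files are reported separately from real content changes. The sample jars, entry names and the `compare_jars` / `build_jar` helpers are constructed for illustration.

```python
import hashlib
import io
import zipfile

# Entries jarsigner adds under META-INF/; they differ per signer by design.
SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")

def entry_digests(jar_bytes):
    """Map entry name -> SHA-256 of uncompressed content (None for directories)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {i.filename: None if i.is_dir()
                else hashlib.sha256(jar.read(i)).hexdigest()
                for i in jar.infolist()}

def compare_jars(rc_bytes, local_bytes):
    """Classify entry-level differences between the RC jar and a local rebuild."""
    rc, local = entry_digests(rc_bytes), entry_digests(local_bytes)
    report = {"dir_only": [], "signature_only": [],
              "missing_file": [], "content_differs": []}
    for name in sorted(set(rc) | set(local)):
        if name in rc and name in local:
            if rc[name] != local[name]:
                report["content_differs"].append(name)
        elif name.endswith("/"):
            report["dir_only"].append(name)          # e.g. an empty directory entry
        elif name.startswith("META-INF/") and name.upper().endswith(SIG_SUFFIXES):
            report["signature_only"].append(name)
        else:
            report["missing_file"].append(name)
    report["same_payload"] = not (report["missing_file"] or report["content_differs"])
    return report

def build_jar(entries):
    """Build an in-memory jar from (name, bytes) pairs (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries:
            jar.writestr(zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0)), data)
    return buf.getvalue()

# Constructed stand-ins: same class bytes, one archive has an extra empty directory.
CLASS_BYTES = b"\xca\xfe\xba\xbe constructed, not a real class file"
RC_JAR = build_jar([("annotations/", b""), ("org/example/Foo.class", CLASS_BYTES)])
LOCAL_JAR = build_jar([("org/example/Foo.class", CLASS_BYTES)])

if __name__ == "__main__":
    print(RC_JAR == LOCAL_JAR)            # archives differ byte for byte
    print(compare_jars(RC_JAR, LOCAL_JAR))
```

A whole-archive checksum mismatch with `same_payload` true and only `dir_only` or `signature_only` entries points at packaging metadata rather than compiled output; anything in `content_differs` needs the per-class investigation (for instance the JDK version) shown in the thread.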
