FWIW I did just delegate my download and validation (through the validation code) to copilot-cli, including the bit where it scps the artifacts to a raspberry pi and it was happy with the signatures and the commands. I'll be using that as my initial validation, though I'll still do manual commands as I like to look for error messages and other surprises.
On Fri, 20 Mar 2026 at 18:35, Chris Nauroth <[email protected]> wrote: > Great catch. This was a release process error on my part, which picked up > the same aarch64 tarball from RC0 instead of a new build. > > Let's cancel this vote and aim to bring in HADOOP-19843 with the next RC. > > Chris Nauroth > > > On Wed, Mar 18, 2026 at 10:49 PM Cheng Pan <[email protected]> wrote: > > > sorry, I need to cast -1 (non-binding) > > > > things look good to me: > > I integrated the jars deployed to the staging maven repo, the test > > results look good. > > > > I checked the x86_64 binary tarball and confirmed that the vulnerable > > lz4-java-1.8.0.jar has gone. > > $ wget > > > https://dist.apache.org/repos/dist/dev/hadoop/hadoop-3.5.0-RC1/hadoop-3.5.0.tar.gz > > $ find hadoop-3.5.0 -iname '*lz4-java*' > > hadoop-3.5.0/share/hadoop/tools/lib/lz4-java-1.10.4.jar > > > > but it seems that the aarch64 binary tarball is problematic. I'm not > > sure if this is a packaging issue or something else > > $ wget > > > https://dist.apache.org/repos/dist/dev/hadoop/hadoop-3.5.0-RC1/hadoop-3.5.0-aarch64.tar.gz > > $ find hadoop-3.5.0 -iname '*lz4-java*' > > hadoop-3.5.0/share/hadoop/tools/lib/lz4-java-1.8.0.jar > > > > another issue is > > https://lists.apache.org/thread/4sn3bb2qo9vz2kqgblhx3wdc35fkc3bd, > > I have opened HADOOP-19843 to track and am also trying to solve it, > > you may need to evaluate if this is a release blocker for hadoop 3.5.0 > > > > Thanks, > > Cheng Pan > > > > On Tue, Mar 17, 2026 at 1:35 AM Chris Nauroth <[email protected]> > wrote: > > > > > > FYI, I have also pushed updated configuration files to > > > hadoop-release-support to help with verification: > > > > > > > > > https://github.com/apache/hadoop-release-support/commit/ca5a3ffb3b4c9f3aef86d92e114694d2e4fc6cf2 > > > > > > Chris Nauroth > > > > > > > > > On Mon, Mar 16, 2026 at 10:19 AM Chris Nauroth <[email protected]> > > wrote: > > > > > > > I have put together a release candidate (RC1) for Hadoop 3.5.0. > > > > > > > > This is a new minor version focused on JDK 17 compatibility, new > cloud > > > > storage integrations, dependency upgrades, security patches, and new > > > > features. > > > > > > > > Change log > > > > > > > https://dist.apache.org/repos/dist/dev/hadoop/hadoop-3.5.0-RC1/CHANGELOG.md > > > > > > > > Release notes > > > > > > > > > > > https://dist.apache.org/repos/dist/dev/hadoop/hadoop-3.5.0-RC1/RELEASENOTES.md > > > > > > > > The RC is available at: > > > > https://dist.apache.org/repos/dist/dev/hadoop/hadoop-3.5.0-RC1/ > > > > > > > > The git tag is release-3.5.0-RC1, commit > > > > f27666d8f137e0bbb3178b94ad25609dc16a77c0. > > > > > > > > The maven artifacts are staged at > > > > > > https://repository.apache.org/content/repositories/orgapachehadoop-1469 > > > > > > > > You can find my public key at: > > > > https://dist.apache.org/repos/dist/release/hadoop/common/KEYS > > > > > > > > Please try the RC and vote. This vote is intended to run for 5 days. > > > > > > > > Chris Nauroth > > > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: [email protected] > > For additional commands, e-mail: [email protected] > > > > >
