Seeking more reviews here. I've been reading about SLSA "Supply-chain Levels for Software Artifacts" and other than the gpg signatures we don't have a strong process here (or elsewhere in the ASF?)
https://slsa.dev/spec/v1.1/verifying-artifacts

Ideally it should be possible to verify that the source tarball matches that of the git commit/tag (automatable), *and* that the compiled artifacts are derived from that source. That's an interesting problem as I suspect different JDKs produce different bytecodes.

FWIW if I were to run malicious code in downstream systems, I'd hide it in the native binaries. If I wanted to run malicious code in developer systems I'd have added some maven plugin to do that already, so there's no need to worry about the redistributables there.

We build our software assuming trust and competence of everyone whose artifacts we use to compile and run. You'll all have to trust me (and soon: Chris), and as for the competence, well, I don't see us being any worse than the rest of the stack.

To close: please test, please vote. If you want to be rigorous: do it in an isolated container with no external network access, or maybe set to flag if any external network requests are made.

On Mon, 16 Feb 2026 at 17:00, Steve Loughran <[email protected]> wrote:

> Apache Hadoop 3.4.3
>
> I have put together a release candidate (RC1) for Hadoop 3.4.3.
>
> What we would like is for anyone who can to verify the tarballs, especially
> anyone who can try the arm64 binaries as we want to include them too.
>
> The RC is available at:
> https://dist.apache.org/repos/dist/dev/hadoop/hadoop-3.4.3-RC1/
>
> The git tag is release-3.4.3-RC1, commit 9d50c688466
>
> The maven artifacts are staged at
> https://repository.apache.org/content/repositories/orgapachehadoop-1465
>
> You can find my public key at:
> https://dist.apache.org/repos/dist/release/hadoop/common/KEYS
>
> Change log
> https://dist.apache.org/repos/dist/dev/hadoop/hadoop-3.4.3-RC1/CHANGELOG.md
>
> Release notes
> https://dist.apache.org/repos/dist/dev/hadoop/hadoop-3.4.3-RC1/RELEASENOTES.md
>
> Build note: the maven artifacts are off the aarch64 release, not the x86;
> single builds on ec2 VMs through our cloud infra kept resulting in
> multiple staging repos, probably a side effect of our VPN setup.
>
> AWS SDK
> -------
>
> Previous releases included a "lean" tar without the AWS SDK, and/or encountered
> problems with the size of the .tar artifacts.
>
> Now all releases are built without the AWS SDK; it must be explicitly added to
> share/hadoop/common/lib/
>
> To add aws support to hadoop, download from Maven Central the version of the SDK
> you wish to use:
>
> https://central.sonatype.com/artifact/software.amazon.awssdk/bundle/versions
>
> For this release, the version to download is 2.35.4
> https://repo1.maven.org/maven2/software/amazon/awssdk/bundle/2.35.4/
>
> 1. Download the bundle-2.35.4.jar artifact and check its signature with
>    the accompanying bundle-2.35.4.jar.asc file.
>
> 2. Copy the JAR to share/hadoop/common/lib/
>
> Newer AWS SDK versions _should_ work, though regressions are almost inevitable.
>
> Please try the release and vote. The vote will run for 5 days.
>
> Here's my vote (with artifacts verified, including presence of
> hadoop-azure and hadoop-aws in common/lib)
>
> +1 (binding)
>
> Steve
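The "automatable" check mentioned above, the source tarball against the git tag, as an added example that is not part of this thread or of Hadoop's release tooling. It verifies the tarball's published SHA-512, then digests every file in the tarball and every file in `git archive <tag>` of the repository (for this RC that would be tag release-3.4.3-RC1) and reports what is only in the tarball, only in the tag, or differs. The constructed fixture (`build_fixture`) stands in for a real repository so the script runs offline; `git_tag_digests` is the function to call against a real checkout. Assumptions: the tarball has a single top-level directory, the .sha512 file carries the digest as a 128-character hex token, and the gpg signature check against the KEYS file has already been done by hand.

```python
#!/usr/bin/env python3
"""Check an RC source tarball against its published SHA-512 and against
the tree of the git tag it claims to come from (`git archive <tag>`).
Added example for this thread, not Hadoop release tooling. Assumes the
tarball has one top-level directory, the .sha512 file holds the digest
as a 128-hex token, and git is on PATH when git_tag_digests is called."""
import hashlib
import io
import os
import subprocess
import tarfile
import tempfile
from dataclasses import dataclass, field

def sha512_of_file(path, chunk=1 << 20):
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_sha512(path, checksum_path):
    """True if a 128-hex token in the .sha512 file equals the file's digest."""
    with open(checksum_path) as f:
        tokens = f.read().replace(":", " ").split()
    return sha512_of_file(path) in [t.lower() for t in tokens if len(t) == 128]

def tarball_digests(tarball):
    """Map each regular file (top-level directory stripped) to its SHA-256."""
    out = {}
    with tarfile.open(tarball, "r:*") as tf:
        for m in tf:
            if m.isfile():
                rel = m.name.split("/", 1)[-1]
                out[rel] = hashlib.sha256(tf.extractfile(m).read()).hexdigest()
    return out

def git_tag_digests(repo, tag):
    """Digest what `git archive <tag>` exports: the committed tree with
    export-ignore rules applied, not somebody's working copy."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = os.path.join(tmp, "tag.tar")
        subprocess.run(["git", "-C", repo, "archive", "--prefix=src/", "-o", archive, tag], check=True)
        return tarball_digests(archive)

@dataclass
class Comparison:
    only_in_tarball: list = field(default_factory=list)
    only_in_tag: list = field(default_factory=list)
    differing: list = field(default_factory=list)

    @property
    def matches(self):
        return not (self.only_in_tarball or self.only_in_tag or self.differing)

def compare(tarball_files, tag_files):
    """Three-way difference; each entry is something the reviewer must explain."""
    c = Comparison()
    for path in sorted(set(tarball_files) | set(tag_files)):
        if path not in tag_files:
            c.only_in_tarball.append(path)
        elif path not in tarball_files:
            c.only_in_tag.append(path)
        elif tarball_files[path] != tag_files[path]:
            c.differing.append(path)
    return c

def write_tar(path, prefix, files):
    with tarfile.open(path, "w:gz" if path.endswith(".gz") else "w") as tf:
        for rel, data in files.items():
            info = tarfile.TarInfo(prefix + rel)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))

def build_fixture():
    """Constructed demo data, not a real release: a fake `git archive` of the
    tag, and a staged tarball that changes one file and adds one, plus a
    sha512sum-style checksum file. Returns (tarball, sha512_file, tag_archive)."""
    base = tempfile.mkdtemp(prefix="rc-check-")
    tagged = {"pom.xml": b"<project/>\n", "src/Main.java": b"class Main {}\n"}
    staged = {**tagged, "src/Main.java": b"class Main { /* changed */ }\n", "BUILD-INFO": b"by: rm\n"}
    tag_archive = os.path.join(base, "tag.tar")
    tarball = os.path.join(base, "project-1.0-src.tar.gz")
    write_tar(tag_archive, "src/", tagged)
    write_tar(tarball, "project-1.0-src/", staged)
    with open(tarball + ".sha512", "w") as f:
        f.write(f"{sha512_of_file(tarball)}  project-1.0-src.tar.gz\n")
    return tarball, tarball + ".sha512", tag_archive

def run_checks(tarball, sha_file, tag_archive):
    """Integrity first, then provenance: returns (checksum_ok, Comparison)."""
    return verify_sha512(tarball, sha_file), compare(tarball_digests(tarball), tarball_digests(tag_archive))

if __name__ == "__main__":
    ok, comp = run_checks(*build_fixture())
    print("sha512 ok:", ok, "| only in tarball:", comp.only_in_tarball,
          "| differing:", comp.differing, "| matches tag:", comp.matches)
```

Against a real RC, swap the fixture for `compare(tarball_digests("hadoop-3.4.3-src.tar.gz"), git_tag_digests("/path/to/hadoop", "release-3.4.3-RC1"))`. Comparing with `git archive` rather than a checkout matters: it is the committed tree at the tag, with `.gitattributes` export-ignore applied, so a clean release should produce an empty `differing` list and an `only_in_tarball` list containing nothing the release manager cannot account for.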
