+1; I verified: * Staging repo contains 2 jars, 2 source jars, 2 javadoc jars, 3 poms, 1 source tarball as expected * source-release tarball in staging repo matches expected checksum in vote email * All artifacts signed with detached GPG signatures matching the fingerprint in the vote email * Both regular jars have corresponding source/javadoc jars and are sealed * All artifacts have expected md5/sha1 for the maven repo * MANIFEST in each jar match the git commit they were built from and matches the one in the vote email * source-release tarball matches the git repo contents (plus generated DEPENDENCIES file from apache parent POM) * license and notice files appear correct
Note: the generated DEPENDENCIES file seems to include some build-time dependencies (spotbugs, auto-service) that don't really matter, but do not include the actual dependencies that are marked as "provided" scope. These make the DEPENDENCIES files in the jars incomplete. However, I don't really see the value in these files, and don't really consider this a problem. The dependencies are much more explicitly stated in the Maven coordinates in the pom.xml. The generated DEPENDENCIES file is only put there as a minor convenience by the ASF parent POM configuration (which we only use for our own convenience, not because of any particular ASF rules), and I am content to just ignore it as relatively useless. On Tue, Feb 24, 2026 at 3:13 PM Christopher <[email protected]> wrote: > > Accumulo Developers, > > Please consider the following candidate for Apache Accumulo > ClassLoader Extras 1.0.0. > > Git Commit: > 6ac0da35d06421a9f2e43d65391b625b05756482 > Branch: > 1.0.0-rc2 > > If this vote passes, a gpg-signed tag will be created using: > git tag -f -s -m 'Apache Accumulo ClassLoader Extras 1.0.0' \ > rel/accumulo-classloader-extras-1.0.0 \ > 6ac0da35d06421a9f2e43d65391b625b05756482 > > Staging repo: > https://repository.apache.org/content/repositories/orgapacheaccumulo-1120 > Source (official release artifact): > https://repository.apache.org/content/repositories/orgapacheaccumulo-1120/org/apache/accumulo/accumulo-classloader-extras/1.0.0/accumulo-classloader-extras-1.0.0-source-release.tar.gz > > Append ".asc" to download the cryptographic signature for a given artifact. > (You can also append ".sha1" or ".md5" instead in order to verify the > checksums > generated by Maven to verify the integrity of the Nexus repository > staging area.) > > Signing keys are available at https://www.apache.org/dist/accumulo/KEYS > (Expected fingerprint: 8CC4F8A2B29C2B040F2B835D6F0CDAE700B6899D) > > In addition to the tarballs and their signatures, the following checksum > files will be added to the dist/release SVN area after release: > accumulo-classloader-extras-1.0.0-source-release.tar.gz.sha512 will contain: > SHA512 (accumulo-classloader-extras-1.0.0-source-release.tar.gz) = > eac2aade39df2e28fdd6e6cb9b6d99aeef724c95204cae3eb9e548b4ee62af0b7c2ef9928201668685c2cb3bf9a20fa8722bfba92e88ae71988071cac842fbb2 > > Release testing instructions: > https://accumulo.apache.org/contributor/verifying-release > > Please vote one of: > [ ] +1 - I have verified and accept... > [ ] +0 - I have reservations, but not strong enough to vote against... > [ ] -1 - Because..., I do not accept... > ... these artifacts as the 1.0.0 release of Apache Accumulo ClassLoader > Extras. > > This vote will remain open until at least Fri Feb 27 08:30:00 PM UTC 2026. > (Fri Feb 27 03:30:00 PM EST 2026 / Fri Feb 27 12:30:00 PM PST 2026) > Voting can continue after this deadline until the release manager > sends an email ending the vote. > > Thanks! > > P.S. Hint: download the whole staging repo with > wget -erobots=off -r -l inf -np -nH \ > https://repository.apache.org/content/repositories/orgapacheaccumulo-1120/ > # note the trailing slash is needed
