+1 Tested with
Apache Maven 3.9.9 (8e8579a9e76f7d015ee5ec7bfcdc97d260186937) Maven home: /opt/apache-maven-3.9.9 Java version: 25.0.3, vendor: Ubuntu, runtime: /usr/lib/jvm/java-25-openjdk-amd64 Default locale: en_US, platform encoding: UTF-8 OS name: "linux", version: "7.0.0-22-generic", arch: "amd64", family: "unix" Builds OK! Site reports look good, changelog shows one issue/change, I think. No issues found! Thanks! Bruno On Thu, 25 Jun 2026 at 15:37, Arnout Engelen <[email protected]> wrote: > On Thu, Jun 25, 2026 at 1:21 AM Gary Gregory <[email protected]> > wrote: > > > > We have fixed one bug since the release of Apache Commons JEXL 3.6.3, > > so I would like to release Apache Commons JEXL 3.6.4. > > > > Apache Commons JEXL 3.6.4 RC1 is available for review here: > > https://dist.apache.org/repos/dist/dev/commons/jexl/3.6.4-RC1 (svn > > revision 85438) > > The source artifacts with sha512 ids > > 424b641da4a1fc7c8ebfdb71845280b97caf383a0a4262f2175aa9ec4a8c33ed0354ac1ca51bb4d4f98c5cfdb7f9c468ab1b5a6b41d60715a73715839a1ef2ac > and are correctly signed with Gary's key from > https://downloads.apache.org/commons/KEYS and only have expected > differences to git commit 022b5036898bd561795ad4110915a5242d125069 > > > The Git tag commons-jexl-3.6.4-RC1 commit for this RC is > > 022b5036898bd561795ad4110915a5242d125069, which you can browse here: > > > https://gitbox.apache.org/repos/asf?p=commons-jexl.git;a=commit;h=022b5036898bd561795ad4110915a5242d125069 > > You may checkout this tag using: > > git clone https://gitbox.apache.org/repos/asf/commons-jexl.git > > --branch commons-jexl-3.6.4-RC1 commons-jexl-3.6.4-RC1 > > > > Maven artifacts are here: > > > https://repository.apache.org/content/repositories/orgapachecommons-1951/org/apache/commons/commons-jexl3/3.6.4/ > > > > These are the artifacts and their hashes: > > > > #Release SHA-512s > > #Wed Jun 24 23:10:04 UTC 2026 > > > commons-jexl-3.6.4-bin.tar.gz=a7cf369f4ad60e1c5380c6e8967244d4daefb3b5bebeffc4fdf18dc32679ac9e29377ffa9fdf4b6ef310bdee2b6b6ca8a614ecb3f787abb4e2c7789490278740 > > > commons-jexl-3.6.4-bin.zip=d034a4bfd6e7a3ad4ecad4f26d85c34769dd58ed2bff4641c2a2b550ae5ad6b0155e2e0cfeefbd733cf933d67d1041124bb7c4436c1cd049e6ce3241ffc7dd55 > > > commons-jexl-3.6.4-src.tar.gz=424b641da4a1fc7c8ebfdb71845280b97caf383a0a4262f2175aa9ec4a8c33ed0354ac1ca51bb4d4f98c5cfdb7f9c468ab1b5a6b41d60715a73715839a1ef2ac > > > commons-jexl-3.6.4-src.zip=1486fd02a336718d580fe0c22ca762939544f445c5e812dfb7105f3b6ae43e604c6f4dd957526b4e35533103cd0b6dc131c786fb6c93214311599be9031374b4 > > > commons-jexl3-3.6.4-bom.json=29c1e535c5e03827205214be4b9127d757dc6e9e286500eb68baad0857a18ff6629eda9e5c58f51b47af5da896b43c284f74298c0867a2e4c5e351d7d5e79d0e > > > commons-jexl3-3.6.4-bom.xml=5198b0b4aa9d7b089f26cb47a2d4aec732572ffdf4fa0e58d4ae2d533f52a3c906c2c1ab983faf7cfb369c0fa44d84144ca2b3ed21ea26f1f4a0d5a2db963442 > > > commons-jexl3-3.6.4-javadoc.jar=8c63a7e85e36c52a3796bcef2a662b5ecc7b1e11a4c5caa279eee1a2cb966dc47942fed56b1b12b7826d1bfcb81cbdb95b13179452b90edfa0e25d14503aaa73 > > > commons-jexl3-3.6.4-sources.jar=8acc09ffcd13a495ab78aad195fa9185e8e7b50fc9ae158d463d0c7b58fe5862d1277d7479d16077e8b674065f278d437022668e3f634afb58eac71f46105fe5 > > > commons-jexl3-3.6.4-test-sources.jar=9cc37c59a3f646bdecf38b17fb1c923c3b6cbd3abc797a5f9ef46905c823b5f9aeda451e989ca856db4c2aef19c9641528c190e7258f66b6801d8d592c42ce9b > > > commons-jexl3-3.6.4-tests.jar=286b3d23deabb0a6c1ed8a5e56d7a253f0eeac9cc1cbcc909fac3becdf6e70cc22906c937de37c72f384587f3287d110f1b92fecb4aa53c8fd505e09567b4333 > > > org.apache.commons_commons-jexl3-3.6.4.spdx.json=d8edbbcbf9f04b383a4795a98b09db0573db895e4b159ecbdb6043b0a85b8c7c86151bd67b61c6cc22c867c97efb7e4c8efe4148c12438a721e70150672a4f55 > > I have verified a locally-built jar is a bit-by-bit match to the jar > on > https://repository.apache.org/content/repositories/orgapachecommons-1951/org/apache/commons/commons-jexl3/3.6.4/ > with sha > 07fda6753790a959566c133d00f71fb7078ef2efe738e77afd8f55449d51e0f70ce65523674a63e5bec5547f3a44e299184b547e1775d7c1f0fffbb6ed3beb84 > > "mvn verify artifact:compare > -Dreference.repo= > https://repository.apache.org/content/repositories/staging/"; > flagged commons-jexl3-3.6.4.spdx.json not being identical, but I don't > think that needs to hold back the release. > > I have not tested the code. > > > I have tested this with 'mvn' and 'mvn clean install site' using: > > > > openjdk version "21.0.11" 2026-04-21 > > OpenJDK Runtime Environment Homebrew (build 21.0.11) > > OpenJDK 64-Bit Server VM Homebrew (build 21.0.11, mixed mode, sharing) > > > > Apache Maven 3.9.16 (2bdd9fddda4b155ebf8000e807eb73fd829a51d5) > > Maven home: /opt/homebrew/Cellar/maven/3.9.16/libexec > > Java version: 21.0.11, vendor: Homebrew, runtime: > > /opt/homebrew/Cellar/openjdk@21 > /21.0.11/libexec/openjdk.jdk/Contents/Home > > Default locale: en_US, platform encoding: UTF-8 > > OS name: "mac os x", version: "26.5.1", arch: "aarch64", family: "mac" > > > > Darwin ****.local 25.5.0 Darwin Kernel Version 25.5.0: Mon Apr 27 > > 20:41:15 PDT 2026; root:xnu-12377.121.6~2/RELEASE_ARM64_T6041 arm64 > > > > Docker version 29.4.3, build 055a478 > > > > > > Details of changes since 3.6.3 are in the release notes: > > > https://dist.apache.org/repos/dist/dev/commons/jexl/3.6.4-RC1/RELEASE-NOTES.txt > > > https://dist.apache.org/repos/dist/dev/commons/jexl/3.6.4-RC1/site/changes.html > > > > Site: > > > https://dist.apache.org/repos/dist/dev/commons/jexl/3.6.4-RC1/site/index.html > > (Note some *relative* links are broken and the 3.6.4 directories > > are not yet created - these will be OK once the site is deployed.) > > > > JApiCmp Report (compared to 3.6.3): > > > https://dist.apache.org/repos/dist/dev/commons/jexl/3.6.4-RC1/site/japicmp.html > > > > RAT Report: > > > https://dist.apache.org/repos/dist/dev/commons/jexl/3.6.4-RC1/site/rat-report.html > > > > KEYS: > > https://downloads.apache.org/commons/KEYS > > > > Please review the release candidate and vote. > > This vote will close no sooner than 72 hours from now. > > > > [x] +1 Release these artifacts > > [ ] +0 OK, but... > > [ ] -0 OK, but really should fix... > > [ ] -1 I oppose this release because... > > This is my +1 > > > Kind regards, > > Arnout Engelen > Apache Commons PMC > > > > > Thank you, > > > > Gary Gregory, > > Release Manager (using key 530AA5F25C25011F) > > > > The following is intended as a helper and refresher for reviewers. > > > > Validating a release candidate > > ============================== > > > > These guidelines are NOT complete. > > > > Requirements: Git, Java, and Maven. > > > > You can validate a release from a release candidate (RC) tag as follows. > > > > 1a) Download and decompress the source archive from: > > > > https://dist.apache.org/repos/dist/dev/commons/jexl/3.6.4-RC1/source > > > > 1b) Check out the RC tag from git (optional) > > > > This is optional, as a reviewer must at least check source > distributions. > > > > git clone https://gitbox.apache.org/repos/asf/commons-jexl.git > > --branch commons-jexl-3.6.4-RC1 commons-jexl-3.6.4-RC1 > > cd commons-jexl-3.6.4-RC1 > > > > 2) Checking the build > > > > All components should include a default Maven goal, such that you can > > run 'mvn' from the command line by itself. > > > > 2) Check Apache licenses > > > > This step is not required if the site includes a RAT report page, > > which you then must check. > > This check should be included in the default Maven build, but you can > > check it with: > > > > mvn apache-rat:check > > > > 3) Check binary compatibility > > > > This step is not required if the site includes a JApiCmp report page, > > which you then must check. > > This check should be included in the default Maven build, but you can > > check it with: > > > > mvn verify -DskipTests -P japicmp japicmp:cmp > > > > 4) Build the package > > > > This check should be included in the default Maven build, but you can > > check it with: > > > > mvn -V clean package > > > > You can record the Maven and Java version produced by -V in your VOTE > reply. > > To gather OS information from a command line: > > Windows: ver > > Linux: uname -a > > > > 4b) Check reproducibility > > > > To check that a build is reproducible, run: > > > > mvn clean verify artifact:compare -DskipTests > > -Dreference.repo= > https://repository.apache.org/content/repositories/staging/ > > '-Dbuildinfo.ignore=*/*.spdx.json' > > > > Note that this excludes SPDX files from the check. > > > > 5) Build the site for a single module project > > > > Note: Some plugins require the components to be installed instead of > packaged. > > > > mvn site > > Check the site reports in: > > - Windows: target\site\index.html > > - Linux: target/site/index.html > > > > -the end- > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: [email protected] > > For additional commands, e-mail: [email protected] > > > > > -- > Arnout Engelen > ASF Security Response > Apache Pekko PMC member, ASF Member > NixOS Committer > Independent Open Source consultant > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > >
