+1 (binding)
I checked in Daffodil:
[OK] release page has correct information, links, and documentation
[OK] hashes and signatures of source and helper binaries are correct
[OK] source and helper binaries are 100% reproducible
[OK] signature of git tag verifies
[OK] source release matches git tag (minus KEYS file)
[OK] source compiles and all tests pass (both en_US and de_DE)
[OK] src, binaries, and jars include correct LICENSE/NOTICE
[OK] RAT check passes, no unexpected binaries in source
[OK] rpm and msi install and run with basic usage
[OK] ~80 public and private DFDL schema projects pass tests
[OK] no issues found in JavaDoc
[OK] no open CVEs found using sbt dependencyCheck
- One false positive
[OK] Daffodil NiFi processor builds and tests pass with minor updates
I checked in Daffodil SBT Plugin:
[OK] release page has correct information, links, and documentation
[OK] signature of git tag verifies
[OK] hashes and signatures of source and helper binaries are correct
[OK] source and helper binaries are 100% reproducible
[OK] source release matches git tag
[OK] source compiles and all tests pass
[OK] source and helper binaries include correct LICENSE/NOTICE
[OK] RAT check passes, no unexpected binaries in source
[OK] ~80 public and private DFDL schema projects pass tests
[OK] no open CVE's found using sbt dependencyCheck
- Found a number of CVEs, but they are all SBT provided dependencies. So
whether or not those libraries are actually used depends on the SBT
version, so not anything we control
On 2026-02-02 11:50 AM, Kilo, Olabusayo wrote:
+1 (binding)
Daffodil 4.1.0
[OK] links in email are correct
[OK] verified Summary of Changes pages (maven, sbt, download and dnf)
[OK] verified download of binary and source
[OK] Successfully used binary in apache-daffodil-4.1.0-bin.tgz
[OK] JavaDoc is correct
[OK] Regression test suite passed
Daffodil SBT 1.6.0
[OK] links in email are correct
[OK] verified release page and links
[OK] verified download of source
--
Lola Kilo
________________________________
From: Steve Lawrence <[email protected]>
Sent: Wednesday, January 28, 2026 6:02 PM
To: [email protected] <[email protected]>
Subject: [VOTE] Release Apache Daffodil 4.1.0-rc1 and Apache Daffodil SBT
Plugin 1.6.0-rc1
Hi all,
I'd like to call a vote for a dual release of Apache Daffodil 4.1.0-rc1 and
Apache Daffodil SBT Plugin 1.6.0-rc1.
For Apache Daffodil:
All distribution packages, including signatures, digests, etc. can be found at:
https://dist.apache.org/repos/dist/dev/daffodil/4.1.0-rc1/
Staging artifacts can be found at:
https://repository.apache.org/content/repositories/orgapachedaffodil-1058/
The release candidate has been tagged in git with v4.1.0-rc1.
For reference, here is a list of all resolved JIRA issues tagged with 4.1.0:
https://s.apache.org/daffodil-issues-4.1.0
For a summary of the changes in this release, see:
https://daffodil.apache.org/releases/4.1.0/
For Apache Daffodil SBT Plugin:
All distribution packages, including signatures, digests, etc. can be found at:
https://dist.apache.org/repos/dist/dev/daffodil/daffodil-sbt/1.6.0-rc1/
Staging artifacts can be found at:
https://repository.apache.org/content/repositories/orgapachedaffodil-1059/
The release candidate has been tagged in git with v1.6.0-rc1.
For reference, here is a list of all resolved issues in the 1.6.0 milestone:
https://github.com/apache/daffodil-sbt/milestone/7?closed=1
For a summary of the changes in this release, see:
https://daffodil.apache.org/sbt/1.6.0/
Both releases have been signed with PGP key
24E1775CC44ED9CED4CF03672F0FBAA76B492842, corresponding to the Apache Daffodil
Automated Release Signing Key, which is included in the KEYS file here:
https://downloads.apache.org/daffodil/KEYS
Please review and vote. Steps to automate some verification steps are described
here:
https://cwiki.apache.org/confluence/display/DAFFODIL/Release+Verification
The vote will be open for at least 72 hours (Monday, 02 February 2026, 6:00 PM
EST).
[ ] +1 approve
[ ] +0 no opinion
[ ] -1 disapprove (and reason why)
Thanks,
- Steve
