+1 (binding)

I checked in Daffodil:

[OK] release page has correct information, links, and documentation
[OK] hashes and signatures of source and helper binaries are correct
[OK] source and helper binaries are 100% reproducible
   - All artifacts are identical except for CycloneDX SBOMs due to component
     ordering. Verified the files are semantically equivalent and submitted a
     fix to sbt-sbom to address this in future releases.
[OK] signature of git tag verifies
[OK] source release matches git tag (minus KEYS file)
[OK] source compiles and all tests pass (both en_US and de_DE)
[OK] src, binaries, and jars include correct LICENSE/NOTICE
[OK] RAT check passes, no unexpected binaries in source
[OK] rpm and msi install and run with basic usage
[OK] regression suite of public and private DFDL projects pass tests
[OK] no issues found in JavaDoc
[OK] no open CVEs found using sbt dependencyCheck
   - One false positive
[OK] Daffodil NiFi processor builds and tests pass with minor updates

I checked in Daffodil SBT Plugin:

[OK] release page has correct information, links, and documentation
[OK] signature of git tag verifies
[OK] hashes and signatures of source and helper binaries are correct
[OK] source and helper binaries are 100% reproducible
[OK] source release matches git tag
[OK] source compiles and all tests pass
[OK] source and helper binaries include correct LICENSE/NOTICE
[OK] RAT check passes, no unexpected binaries in source
[OK] regression suite of public and private DFDL projects pass tests
[OK] packageDaffodilBin output works with all repsective daffodil CLI versions
[OK] no open CVE's found using sbt dependencyCheck
   - Found a number of CVEs, but they are all SBT provided dependencies. So
     whether or not those libraries are actually used depends on the SBT
     version and not anything we control


On 2026-06-30 10:16 AM, Kilo, Olabusayo wrote:
I'd like to call a vote for a dual release of Apache Daffodil 4.2.0-rc1 and
Apache Daffodil SBT Plugin 1.8.0-rc2.


For Apache Daffodil:

All distribution packages, including signatures, digests, etc. can be found at:

https://dist.apache.org/repos/dist/dev/daffodil/4.2.0-rc1/

Staging artifacts can be found at:

https://repository.apache.org/content/repositories/orgapachedaffodil-1061/

The release candidate has been tagged in git with v4.2.0-rc1.

For reference, here is a list of all resolved JIRA issues tagged with 4.2.0:

https://s.apache.org/daffodil-issues-4.2.0

For a summary of the changes in this release, see:

https://daffodil.apache.org/releases/4.2.0/


For Apache Daffodil SBT Plugin:

All distribution packages, including signatures, digests, etc. can be found at:

https://dist.apache.org/repos/dist/dev/daffodil/daffodil-sbt/1.8.0-rc2/

Staging artifacts can be found at:

https://repository.apache.org/content/repositories/orgapachedaffodil-1063/

The release candidate has been tagged in git with v1.8.0-rc2.

For reference, here is a list of all resolved issues in the 1.8.0 milestone:

https://github.com/apache/daffodil-sbt/milestone/9?closed=1

For a summary of the changes in this release, see:

https://daffodil.apache.org/sbt/1.8.0/


Both releases have been signed with PGP key
0282D02F3C465616, corresponding to [email protected],
which is included in the KEYS file here:

https://downloads.apache.org/daffodil/KEYS


Please review and vote. Steps to automate some verification steps are described
here:

https://cwiki.apache.org/confluence/display/DAFFODIL/Release+Verification


The vote will be open for at least 72 hours (Friday, 3 Julu 2026, 10:30 AM
EST).

[ ] +1 approve
[ ] +0 no opinion
[ ] -1 disapprove (and reason why)




--
Lola Kilo


Reply via email to