+1 (binding)

DAFFODIL

[OK] Verified signature of git tag
[OK] Verified hashes and signatures of source and helper binaries
[OK] Verified signatures use key in KEYS with apache email address
[OK] Verified source has no unexpected binary files
[OK] Verified source and git tag are same
[OK] Verified source and helper binaries include LICENSE/NOTICE/README
[OK] Verified online JavaDoc docs look correct
[OK] Compiled source and ran all tests & ratCheck (LANG set to both en_US and 
de_DE)
[NOT_OK] Verified builds are reproducible. Failing on sbom reproducibility
[OK] Verified jars built from source have same content as helper binary jars
[OK] Tested tgz/zip bin & rpm installers and checked `daffodil --version` output
[OK] Verified some public and private DFDL schema projects pass tests calling 
new release

DAFFODIL SBT
[OK] Verified signature of git tag
[OK] Verified hashes and signatures of source artifacts
[OK] Verified signatures use key in KEYS with apache email address
[OK] Verified source has no unexpected binary files
[OK] Verified source and git tag are same
[OK] Verified source includes LICENSE/NOTICE/README
[OK] Verified LICENSE/NOTICE/README look correct
[OK] Compiled source and ran all tests & ratCheck (LANG set to both en_US and 
de_DE)
[OK] Verified builds are reproducible
[NOTE] couldn't check regression test suite for the plugin due to some issues 
with Maven rate limiting; working on that but didn't want to delay this


--
Lola Kilo
________________________________
From: Steve Lawrence <[email protected]>
Sent: Thursday, July 2, 2026 11:34 AM
To: [email protected] <[email protected]>
Subject: Re: [VOTE] Release Apache Daffodil 4.2.0-rc1 and Apache Daffodil SBT 
Plugin 1.8.0-rc2

+1 (binding)

I checked in Daffodil:

[OK] release page has correct information, links, and documentation
[OK] hashes and signatures of source and helper binaries are correct
[OK] source and helper binaries are 100% reproducible
    - All artifacts are identical except for CycloneDX SBOMs due to component
      ordering. Verified the files are semantically equivalent and submitted a
      fix to sbt-sbom to address this in future releases.
[OK] signature of git tag verifies
[OK] source release matches git tag (minus KEYS file)
[OK] source compiles and all tests pass (both en_US and de_DE)
[OK] src, binaries, and jars include correct LICENSE/NOTICE
[OK] RAT check passes, no unexpected binaries in source
[OK] rpm and msi install and run with basic usage
[OK] regression suite of public and private DFDL projects pass tests
[OK] no issues found in JavaDoc
[OK] no open CVEs found using sbt dependencyCheck
    - One false positive
[OK] Daffodil NiFi processor builds and tests pass with minor updates

I checked in Daffodil SBT Plugin:

[OK] release page has correct information, links, and documentation
[OK] signature of git tag verifies
[OK] hashes and signatures of source and helper binaries are correct
[OK] source and helper binaries are 100% reproducible
[OK] source release matches git tag
[OK] source compiles and all tests pass
[OK] source and helper binaries include correct LICENSE/NOTICE
[OK] RAT check passes, no unexpected binaries in source
[OK] regression suite of public and private DFDL projects pass tests
[OK] packageDaffodilBin output works with all repsective daffodil CLI versions
[OK] no open CVE's found using sbt dependencyCheck
    - Found a number of CVEs, but they are all SBT provided dependencies. So
      whether or not those libraries are actually used depends on the SBT
      version and not anything we control


On 2026-06-30 10:16 AM, Kilo, Olabusayo wrote:
> I'd like to call a vote for a dual release of Apache Daffodil 4.2.0-rc1 and
> Apache Daffodil SBT Plugin 1.8.0-rc2.
>
>
> For Apache Daffodil:
>
> All distribution packages, including signatures, digests, etc. can be found 
> at:
>
> https://usg02.safelinks.protection.office365.us/?url=https%3A%2F%2Fdist.apache.org%2Frepos%2Fdist%2Fdev%2Fdaffodil%2F4.2.0-rc1%2F&data=05%7C02%7Cokilo%40owlcyberdefense.com%7C50199bd35171485af12c08ded84f6046%7C0c7a5d8a53f744d2b6c963bab40ba995%7C0%7C0%7C639186032609768801%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=PjgzCvwTha9Oew%2FJ1VxtTjn9sVL1I7oiNPwn7PWTtSU%3D&reserved=0<https://dist.apache.org/repos/dist/dev/daffodil/4.2.0-rc1/>
>
> Staging artifacts can be found at:
>
> https://usg02.safelinks.protection.office365.us/?url=https%3A%2F%2Frepository.apache.org%2Fcontent%2Frepositories%2Forgapachedaffodil-1061%2F&data=05%7C02%7Cokilo%40owlcyberdefense.com%7C50199bd35171485af12c08ded84f6046%7C0c7a5d8a53f744d2b6c963bab40ba995%7C0%7C0%7C639186032609788894%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=4PLPRIYZsu6iE1PaOFD7f0O2mgrHZxwmEeFPTtsFhfE%3D&reserved=0<https://repository.apache.org/content/repositories/orgapachedaffodil-1061/>
>
> The release candidate has been tagged in git with v4.2.0-rc1.
>
> For reference, here is a list of all resolved JIRA issues tagged with 4.2.0:
>
> https://usg02.safelinks.protection.office365.us/?url=https%3A%2F%2Fs.apache.org%2Fdaffodil-issues-4.2.0&data=05%7C02%7Cokilo%40owlcyberdefense.com%7C50199bd35171485af12c08ded84f6046%7C0c7a5d8a53f744d2b6c963bab40ba995%7C0%7C0%7C639186032609803312%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=c%2BpmG9uSUUztJdj6iTMrYIJ1InJqXmrb7ux8LDnf9W4%3D&reserved=0<https://s.apache.org/daffodil-issues-4.2.0>
>
> For a summary of the changes in this release, see:
>
> https://usg02.safelinks.protection.office365.us/?url=https%3A%2F%2Fdaffodil.apache.org%2Freleases%2F4.2.0%2F&data=05%7C02%7Cokilo%40owlcyberdefense.com%7C50199bd35171485af12c08ded84f6046%7C0c7a5d8a53f744d2b6c963bab40ba995%7C0%7C0%7C639186032609815450%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=GZqzzoX3Y0Thq7r6gjDfa0IBXpl2SeTaOKSc7pN7cFM%3D&reserved=0<https://daffodil.apache.org/releases/4.2.0/>
>
>
> For Apache Daffodil SBT Plugin:
>
> All distribution packages, including signatures, digests, etc. can be found 
> at:
>
> https://usg02.safelinks.protection.office365.us/?url=https%3A%2F%2Fdist.apache.org%2Frepos%2Fdist%2Fdev%2Fdaffodil%2Fdaffodil-sbt%2F1.8.0-rc2%2F&data=05%7C02%7Cokilo%40owlcyberdefense.com%7C50199bd35171485af12c08ded84f6046%7C0c7a5d8a53f744d2b6c963bab40ba995%7C0%7C0%7C639186032609828117%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=%2FS1FfFKeD5BDFr0YA3YTj6H9ewmKxhBxF2%2B55zz%2Bfec%3D&reserved=0<https://dist.apache.org/repos/dist/dev/daffodil/daffodil-sbt/1.8.0-rc2/>
>
> Staging artifacts can be found at:
>
> https://usg02.safelinks.protection.office365.us/?url=https%3A%2F%2Frepository.apache.org%2Fcontent%2Frepositories%2Forgapachedaffodil-1063%2F&data=05%7C02%7Cokilo%40owlcyberdefense.com%7C50199bd35171485af12c08ded84f6046%7C0c7a5d8a53f744d2b6c963bab40ba995%7C0%7C0%7C639186032609841197%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=eesx%2FrYcWCfgSkbbENLChn5pVoVFPRHPTfs%2FdCwLFYg%3D&reserved=0<https://repository.apache.org/content/repositories/orgapachedaffodil-1063/>
>
> The release candidate has been tagged in git with v1.8.0-rc2.
>
> For reference, here is a list of all resolved issues in the 1.8.0 milestone:
>
> https://usg02.safelinks.protection.office365.us/?url=https%3A%2F%2Fgithub.com%2Fapache%2Fdaffodil-sbt%2Fmilestone%2F9%3Fclosed%3D1&data=05%7C02%7Cokilo%40owlcyberdefense.com%7C50199bd35171485af12c08ded84f6046%7C0c7a5d8a53f744d2b6c963bab40ba995%7C0%7C0%7C639186032609853153%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=tFT5HXNy0uGrskKOii5YnzKOl%2BS%2BybLLcaIfEK%2Fxsog%3D&reserved=0<https://github.com/apache/daffodil-sbt/milestone/9?closed=1>
>
> For a summary of the changes in this release, see:
>
> https://usg02.safelinks.protection.office365.us/?url=https%3A%2F%2Fdaffodil.apache.org%2Fsbt%2F1.8.0%2F&data=05%7C02%7Cokilo%40owlcyberdefense.com%7C50199bd35171485af12c08ded84f6046%7C0c7a5d8a53f744d2b6c963bab40ba995%7C0%7C0%7C639186032609867093%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=yAcvHS7rQdP2%2BqoEcjVIJC8NZvmqawqfjrq%2BZ70Wh%2BY%3D&reserved=0<https://daffodil.apache.org/sbt/1.8.0/>
>
>
> Both releases have been signed with PGP key
> 0282D02F3C465616, corresponding to [email protected],
> which is included in the KEYS file here:
>
> https://usg02.safelinks.protection.office365.us/?url=https%3A%2F%2Fdownloads.apache.org%2Fdaffodil%2FKEYS&data=05%7C02%7Cokilo%40owlcyberdefense.com%7C50199bd35171485af12c08ded84f6046%7C0c7a5d8a53f744d2b6c963bab40ba995%7C0%7C0%7C639186032609881234%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=c5nam4vq6bcFOf6cS8sEGbZiakoooUB37YMBdza%2FrWs%3D&reserved=0<https://downloads.apache.org/daffodil/KEYS>
>
>
> Please review and vote. Steps to automate some verification steps are 
> described
> here:
>
> https://usg02.safelinks.protection.office365.us/?url=https%3A%2F%2Fcwiki.apache.org%2Fconfluence%2Fdisplay%2FDAFFODIL%2FRelease%2BVerification&data=05%7C02%7Cokilo%40owlcyberdefense.com%7C50199bd35171485af12c08ded84f6046%7C0c7a5d8a53f744d2b6c963bab40ba995%7C0%7C0%7C639186032609893021%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=mYsWfSiMESbEGSKT%2FsYvyfFvt8k%2FgZBcWEP0IN2pgEU%3D&reserved=0<https://cwiki.apache.org/confluence/display/DAFFODIL/Release+Verification>
>
>
> The vote will be open for at least 72 hours (Friday, 3 Julu 2026, 10:30 AM
> EST).
>
> [ ] +1 approve
> [ ] +0 no opinion
> [ ] -1 disapprove (and reason why)
>
>
>
>
> --
> Lola Kilo
>

Reply via email to