Hey all, Oh my...I did validated the hashes locally - but was using the files and forgot to update them in the email. And the docker hash was just remained there.
I was making quite a few mistakes arising from the fact that I needed to do some minor changes which didn't affected production code at all... but eventually I opted to do a small correct commit to master which then was cherry-picked to 36....that also meaned I had to restart. The correct hashes are: ==> apache-druid-36.0.0-bin.tar.gz.sha512 <== f83b4e2f56e434a01553db3e9e8709cf0f962297f786ca6034106a9fc18689fa70b5f2ea7bd6b46d54f637e81c648f6528ded6e94cb91b21ea3823c18a64b140 ==> apache-druid-36.0.0-src.tar.gz.sha512 <== 82708a9c08895041df8ef4bb47d738606db3c7454a17ad1bc84b5145cff02a112b43c332f78026570180b46efe865781be3833476919536b9999ca0658651865 It would be nice to have it a little bit more streamlined; so that its easier to do all this. I'll try to make some tool which could do this for us in the future. cheers, Zoltan On 2/6/26 12:03 AM, Clint Wylie wrote:
actually the source package hash in the email thread also doesn't match what is in the file either, here it is d4f78b627e0c46db0d328ce53460ae3f5639831f20efc50ed6c25c5999aa310dd089d4d7813c0994f7c6714a2df24594ab7b14ab087e360bb2fbc5992e6e7293 but in https://dist.apache.org/repos/dist/dev/druid/36.0.0-rc1/ it is 82708a9c08895041df8ef4bb47d738606db3c7454a17ad1bc84b5145cff02a112b43c332f78026570180b46efe865781be3833476919536b9999ca0658651865. The bin package hash matches what is in the artifacts. Not sure where this source hash came from, since i can't find it in any other email threads On Thu, Feb 5, 2026 at 2:57 PM Clint Wylie <[email protected]> wrote:+1 (binding) .. pending clarification on docker hash. This email thread has it as 528a78a68b1dde47a5984e60975203d8cdf0bd4f477f8b97b84a8b2b44e3c683, however dockerhub shows 36 RC1 as different: https://hub.docker.com/layers/apache/druid/36.0.0-rc1/images/sha256-65f7d09412ca3156bf1a7f13c00d7beed1eff48bda9f287be6d6d1384151669e. I searched dev list history and I believe maybe you just copied and pasted a previous voting thread of yours from Druid 33 RC2, which has the same hash, so I am just assuming this was a mistake. src package: * verified checksum and signature * LICENSE and NOTICE present * rat check passed * built release binary package, tested with quickstart configuration with kafka ingestion, ran some queries binary package: * verified checksum and signature * LICENSE and NOTICE present * tested with quickstart configuration with MSQ ingestion, ran some queries docker: * checksum in email thread does not match tag on dockerhub, which I see as 65f7d09412ca3156bf1a7f13c00d7beed1eff48bda9f287be6d6d1384151669e * tested using example docker-compose from source distribution with MSQ ingestion, ran some queries On Wed, Feb 4, 2026 at 12:49 PM Rich Bowen <[email protected]> wrote:On 2026/02/02 20:30:40 Zoltan Haindrich wrote:Hi all, I have created a build for Apache Druid 36.0.0, release candidate 1....[ ] +1 Release this package as Apache Druid 0.17.0 [ ] 0 I don't feel strongly about it, but I'm okay with the release [ ] -1 Do not release this package because...+1 (non-binding) * Verified signatures and hashes on the following files as per https://apache.org/info/verification.html - apache-druid-36.0.0-bin.tar.gz (SHA512, GPG signature) - apache-druid-36.0.0-src.tar.gz (SHA512, GPG signature) * Verified LICENSE and NOTICE files --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]--------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
OpenPGP_signature.asc
Description: OpenPGP digital signature
