Hi, thanks for prepping.

[x] Both source (tar.gz/zip) and binary artifacts (tar.gz/zip) are present, along with .asc and .sha512 files for each.
[x] PGP signatures are valid for the release artifacts using the KEYS file from dist.apache.org
[x] SHA512 checksums are correct and verified.
[x] LICENSE and NOTICE files exist and are accurate.
[x] No unexpected binary files in the source release.
[x] All source files have appropriate ASF headers (excluding generated files and legacy files).
[x] Build completes successfully from source and the instructions to do so are clear.

+1 (binding)

Some non-blocking observations:

1.) NOTICE file has an old year.

Regards,
Richard

> On 18.06.2026 at 18:59, Atita Arora <[email protected]> wrote:
>
> Hi all,
>
> I have posted a release candidate for the Apache OpenNLP 1.9.5 release and
> it is ready for testing.
>
> This is a maintenance release of the 1.9.x line, addressing several
> security vulnerabilities (CVEs) that affect Apache Lucene 8.x and
> downstream Solr 8.x which depend on OpenNLP 1.9.x:
>
> - OPENNLP-1819: Align DictionaryEntryPersistor XML parsing with XmlUtil
>   helper
> - OPENNLP-1820: Restrict ExtensionLoader to allowlisted package prefixes
> - OPENNLP-1821: Prevent OutOfMemory due to huge array allocation
> - OPENNLP-1826: Fix for XML parser security options
> - OPENNLP-1835: Tolerate unsupported XML parser security options
>
> Thank you to everyone who contributed to this release, including all of our
> users and the people who submitted bug reports, contributed code or
> documentation enhancements.
>
> The release was made using the OpenNLP release process, documented on the
> website:
> https://opennlp.apache.org/release.html
>
> Maven Repo:
> https://repository.apache.org/content/repositories/orgapacheopennlp-1067
>
> <repositories>
>   <repository>
>     <id>opennlp-1.9.5-rc1</id>
>     <name>Testing OpenNLP 1.9.5 release candidate</name>
>     <url>
>       https://repository.apache.org/content/repositories/orgapacheopennlp-1067
>     </url>
>   </repository>
> </repositories>
>
> Binaries & Source:
> https://dist.apache.org/repos/dist/dev/opennlp/opennlp-1.9.5
>
> Tag:
> https://github.com/apache/opennlp/releases/tag/opennlp-1.9.5
>
> Tag Hash: 558f83bd89ec0f324fd6331067a093ce2ae58d1c
>
> Release notes:
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311215&version=12355022
>
> Reminder: The up-to-date KEYS file for signature verification can be
> found here: https://dist.apache.org/repos/dist/release/opennlp/KEYS
>
> Checklist for reference:
>
> [ ] Both source (tar.gz/zip) and binary artifacts (tar.gz/zip) are present,
> along with .asc and .sha512 files for each.
> [ ] PGP signatures are valid for the release artifacts using the KEYS file
> from dist.apache.org
> [ ] SHA512 checksums are correct and verified.
> [ ] LICENSE and NOTICE files exist and are accurate.
> [ ] No unexpected binary files in the source release.
> [ ] All source files have appropriate ASF headers (excluding generated
> files and legacy files).
> [ ] Build completes successfully from source and the instructions to do so
> are clear.
>
> Please vote on releasing these packages as Apache OpenNLP 1.9.5. The
> vote is open for at least the next 72 hours.
>
> Only votes from OpenNLP PMC are binding, but everyone is welcome to
> check the release candidate and vote.
> The vote passes if at least three binding +1 votes are cast.
>
> Please VOTE
>
> [+1] go ship it
> [+0] meh, don't care
> [-1] stop, there is a ${showstopper}
>
> Thanks!
>
> Atita
