Hi,

thanks for prepping.

[x] Both source (tar.gz/zip) and binary artifacts (tar.gz/zip) are present, 
along with .asc and .sha512 files for each.
[x] PGP signatures are valid for the release artifacts using the KEYS file from 
dist.apache.org
[x] SHA512 checksums are correct and verified.
[x] LICENSE and NOTICE files exist and are accurate.
[x] No unexpected binary files in the source release.
[x] All source files have appropriate ASF headers (excluding generated files 
and legacy files).
[x] Build completes successfully from source and the instructions to do so are
clear.

+1 (binding)

Some non-blocking observations:

1.) NOTICE file has an old year.

Regards
Richard

> On 18.06.2026 at 18:59, Atita Arora <[email protected]> wrote:
> 
> Hi all,
> 
> I have posted a release candidate for the Apache OpenNLP 1.9.5 release and
> it is ready for testing.
> 
> This is a maintenance release of the 1.9.x line, addressing several
> security vulnerabilities (CVEs) that affect Apache Lucene 8.x and
> downstream Solr 8.x which depend on OpenNLP 1.9.x:
> 
> - OPENNLP-1819: Align DictionaryEntryPersistor XML parsing with XmlUtil
> helper
> - OPENNLP-1820: Restrict ExtensionLoader to allowlisted package prefixes
> - OPENNLP-1821: Prevent OutOfMemory due to huge array allocation
> - OPENNLP-1826: Fix for XML parser security options
> - OPENNLP-1835: Tolerate unsupported XML parser security options
> 
> Thank you to everyone who contributed to this release, including all of our
> users and the people who submitted bug reports, contributed code or
> documentation enhancements.
> 
> The release was made using the OpenNLP release process, documented on the
> website:
> https://opennlp.apache.org/release.html
> 
> Maven Repo:
> https://repository.apache.org/content/repositories/orgapacheopennlp-1067
> 
> <repositories>
>  <repository>
>    <id>opennlp-1.9.5-rc1</id>
>    <name>Testing OpenNLP 1.9.5 release candidate</name>
>    <url>https://repository.apache.org/content/repositories/orgapacheopennlp-1067</url>
>  </repository>
> </repositories>
> 
> Binaries & Source:
> https://dist.apache.org/repos/dist/dev/opennlp/opennlp-1.9.5
> 
> Tag:
> https://github.com/apache/opennlp/releases/tag/opennlp-1.9.5
> 
> Tag Hash: 558f83bd89ec0f324fd6331067a093ce2ae58d1c
> 
> Release notes:
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311215&version=12355022
> 
> Reminder: The up-to-date KEYS file for signature verification can be
> found here: https://dist.apache.org/repos/dist/release/opennlp/KEYS
> 
> Checklist for reference:
> 
> [ ] Both source (tar.gz/zip) and binary artifacts (tar.gz/zip) are present,
> along with .asc and .sha512 files for each.
> [ ] PGP signatures are valid for the release artifacts using the KEYS file
> from dist.apache.org
> [ ] SHA512 checksums are correct and verified.
> [ ] LICENSE and NOTICE files exist and are accurate.
> [ ] No unexpected binary files in the source release.
> [ ] All source files have appropriate ASF headers (excluding generated
> files and legacy files).
> [ ] Build completes successfully from source and the instructions to do so
> are clear.
> 
> Please vote on releasing these packages as Apache OpenNLP 1.9.5. The
> vote is open for at least the next 72 hours.
> 
> Only votes from OpenNLP PMC are binding, but everyone is welcome to
> check the release candidate and vote.
> The vote passes if at least three binding +1 votes are cast.
> 
> Please VOTE
> 
> [+1] go ship it
> [+0] meh, don't care
> [-1] stop, there is a ${showstopper}
> 
> Thanks!
> 
> Atita
