Hi, This vote passes with the following +1 being cast: - Richard Zowalla (binding) - Martin Wiesner (binding) - Atita Arora (binding)
Thanks to all voters. I'll proceed with the steps. -Atita On Fri, Jun 19, 2026 at 10:46 PM Martin Wiesner <[email protected]> wrote: > Hi all, > > thanks Atita for prepping the release candidate, and thanks Richard for > backporting the CVE fixes. > > +1 (binding) > > [x] Both source (tar.gz/zip) and binary artifacts (tar.gz/zip) are > present, along with .asc and .sha512 files for each. > [x] PGP signatures are valid for the release artifacts using the KEYS file > from dist.apache.org > [x] SHA512 checksums are correct and verified. > [x] LICENSE and NOTICE files exist and are accurate. > [x] No unexpected binary files in the source release. > [x] All source files have appropriate ASF headers (excluding generated > files and legacy files). > [x] Build completes successfully from source and the instruction to do so > are clear. > > Env used for Build checks (and for the records): > > Apache Maven 3.9.14 (996c630dbc656c76214ce58821dcc58be960875b) > Maven home: /Applications/apache-maven-3 > Java version: 1.8.0_492, vendor: Azul Systems, Inc., runtime: > /Library/Java/JavaVirtualMachines/zulu-8u492.jdk/Contents/Home/jre > Default locale: de_DE, platform encoding: UTF-8 > OS name: "mac os x", version: "26.5.1", arch: "aarch64", family: „mac“ > > The eval build in an Java 8 environment found here: > https://ci-builds.apache.org/job/OpenNLP/job/eval-tests-releases/32/ > finished correctly: all passed. > > Best > Martin | mawiesne > > > Am 18.06.2026 um 19:19 schrieb Richard Zowalla <[email protected]>: > > > > Hi, > > > > thanks for prepping. > > > > [x] Both source (tar.gz/zip) and binary artifacts (tar.gz/zip) are > present, along with .asc and .sha512 files for each. > > [x] PGP signatures are valid for the release artifacts using the KEYS > file from dist.apache.org > > [x] SHA512 checksums are correct and verified. > > [x] LICENSE and NOTICE files exist and are accurate. > > [x] No unexpected binary files in the source release. > > [x] All source files have appropriate ASF headers (excluding generated > files and legacy files). > > [x] Build completes successfully from source and the instruction to do > so are clear. > > > > +1 (binding) > > > > Some non blocking observations: > > > > 1.) NOTICE file has a old year. > > > > Gruß > > Richard > > > >> Am 18.06.2026 um 18:59 schrieb Atita Arora <[email protected]>: > >> > >> Hi all, > >> > >> I have posted a release candidate for the Apache OpenNLP 1.9.5 release > and > >> it is ready for testing. > >> > >> This is a maintenance release of the 1.9.x line, addressing several > >> security vulnerabilities (CVEs) that affect Apache Lucene 8.x and > >> downstream Solr 8.x which depend on OpenNLP 1.9.x: > >> > >> - OPENNLP-1819: Align DictionaryEntryPersistor XML parsing with XmlUtil > >> helper > >> - OPENNLP-1820: Restrict ExtensionLoader to allowlisted package prefixes > >> - OPENNLP-1821: Prevent OutOfMemory due to huge array allocation > >> - OPENNLP-1826: Fix for XML parser security options > >> - OPENNLP-1835: Tolerate unsupported XML parser security options > >> > >> Thank you to everyone who contributed to this release, including all of > our > >> users and the people who submitted bug reports, contributed code or > >> documentation enhancements. > >> > >> The release was made using the OpenNLP release process, documented on > the > >> website: > >> https://opennlp.apache.org/release.html > >> > >> Maven Repo: > >> > https://repository.apache.org/content/repositories/orgapacheopennlp-1067 > >> > >> <repositories> > >> <repository> > >> <id>opennlp-1.9.5-rc1</id> > >> <name>Testing OpenNLP 1.9.5 release candidate</name> > >> <url> > >> > https://repository.apache.org/content/repositories/orgapacheopennlp-1067 > >> </url> > >> </repository> > >> </repositories> > >> > >> Binaries & Source: > >> https://dist.apache.org/repos/dist/dev/opennlp/opennlp-1.9.5 > >> > >> Tag: > >> https://github.com/apache/opennlp/releases/tag/opennlp-1.9.5 > >> > >> Tag Hash: 558f83bd89ec0f324fd6331067a093ce2ae58d1c > >> > >> Release notes: > >> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311215&version=12355022 > >> > >> Reminder: The up-to-date KEYS file for signature verification can be > >> found here: https://dist.apache.org/repos/dist/release/opennlp/KEYS > >> > >> Checklist for reference: > >> > >> [ ] Both source (tar.gz/zip) and binary artifacts (tar.gz/zip) are > present, > >> along with .asc and .sha512 files for each. > >> [ ] PGP signatures are valid for the release artifacts using the KEYS > file > >> from dist.apache.org > >> [ ] SHA512 checksums are correct and verified. > >> [ ] LICENSE and NOTICE files exist and are accurate. > >> [ ] No unexpected binary files in the source release. > >> [ ] All source files have appropriate ASF headers (excluding generated > >> files and legacy files). > >> [ ] Build completes successfully from source and the instruction to do > so > >> are clear. > >> > >> Please vote on releasing these packages as Apache OpenNLP 1.9.5. The > >> vote is open for at least the next 72 hours. > >> > >> Only votes from OpenNLP PMC are binding, but everyone is welcome to > >> check the release candidate and vote. > >> The vote passes if at least three binding +1 votes are cast. > >> > >> Please VOTE > >> > >> [+1] go ship it > >> [+0] meh, don't care > >> [-1] stop, there is a ${showstopper} > >> > >> Thanks! > >> > >> Atita > > > >
