Thank you all!
On 2026/06/22 12:12:31 Atita Arora wrote: > Hi, > This vote passes with the following +1 being cast: > - Richard Zowalla (binding) > - Martin Wiesner (binding) > - Atita Arora (binding) > > Thanks to all voters. I'll proceed with the steps. > > -Atita > > On Fri, Jun 19, 2026 at 10:46 PM Martin Wiesner <[email protected]> wrote: > > > Hi all, > > > > thanks Atita for prepping the release candidate, and thanks Richard for > > backporting the CVE fixes. > > > > +1 (binding) > > > > [x] Both source (tar.gz/zip) and binary artifacts (tar.gz/zip) are > > present, along with .asc and .sha512 files for each. > > [x] PGP signatures are valid for the release artifacts using the KEYS file > > from dist.apache.org > > [x] SHA512 checksums are correct and verified. > > [x] LICENSE and NOTICE files exist and are accurate. > > [x] No unexpected binary files in the source release. > > [x] All source files have appropriate ASF headers (excluding generated > > files and legacy files). > > [x] Build completes successfully from source and the instruction to do so > > are clear. > > > > Env used for Build checks (and for the records): > > > > Apache Maven 3.9.14 (996c630dbc656c76214ce58821dcc58be960875b) > > Maven home: /Applications/apache-maven-3 > > Java version: 1.8.0_492, vendor: Azul Systems, Inc., runtime: > > /Library/Java/JavaVirtualMachines/zulu-8u492.jdk/Contents/Home/jre > > Default locale: de_DE, platform encoding: UTF-8 > > OS name: "mac os x", version: "26.5.1", arch: "aarch64", family: „mac“ > > > > The eval build in an Java 8 environment found here: > > https://ci-builds.apache.org/job/OpenNLP/job/eval-tests-releases/32/ > > finished correctly: all passed. > > > > Best > > Martin | mawiesne > > > > > Am 18.06.2026 um 19:19 schrieb Richard Zowalla <[email protected]>: > > > > > > Hi, > > > > > > thanks for prepping. > > > > > > [x] Both source (tar.gz/zip) and binary artifacts (tar.gz/zip) are > > present, along with .asc and .sha512 files for each. > > > [x] PGP signatures are valid for the release artifacts using the KEYS > > file from dist.apache.org > > > [x] SHA512 checksums are correct and verified. > > > [x] LICENSE and NOTICE files exist and are accurate. > > > [x] No unexpected binary files in the source release. > > > [x] All source files have appropriate ASF headers (excluding generated > > files and legacy files). > > > [x] Build completes successfully from source and the instruction to do > > so are clear. > > > > > > +1 (binding) > > > > > > Some non blocking observations: > > > > > > 1.) NOTICE file has a old year. > > > > > > Gruß > > > Richard > > > > > >> Am 18.06.2026 um 18:59 schrieb Atita Arora <[email protected]>: > > >> > > >> Hi all, > > >> > > >> I have posted a release candidate for the Apache OpenNLP 1.9.5 release > > and > > >> it is ready for testing. > > >> > > >> This is a maintenance release of the 1.9.x line, addressing several > > >> security vulnerabilities (CVEs) that affect Apache Lucene 8.x and > > >> downstream Solr 8.x which depend on OpenNLP 1.9.x: > > >> > > >> - OPENNLP-1819: Align DictionaryEntryPersistor XML parsing with XmlUtil > > >> helper > > >> - OPENNLP-1820: Restrict ExtensionLoader to allowlisted package prefixes > > >> - OPENNLP-1821: Prevent OutOfMemory due to huge array allocation > > >> - OPENNLP-1826: Fix for XML parser security options > > >> - OPENNLP-1835: Tolerate unsupported XML parser security options > > >> > > >> Thank you to everyone who contributed to this release, including all of > > our > > >> users and the people who submitted bug reports, contributed code or > > >> documentation enhancements. > > >> > > >> The release was made using the OpenNLP release process, documented on > > the > > >> website: > > >> https://opennlp.apache.org/release.html > > >> > > >> Maven Repo: > > >> > > https://repository.apache.org/content/repositories/orgapacheopennlp-1067 > > >> > > >> <repositories> > > >> <repository> > > >> <id>opennlp-1.9.5-rc1</id> > > >> <name>Testing OpenNLP 1.9.5 release candidate</name> > > >> <url> > > >> > > https://repository.apache.org/content/repositories/orgapacheopennlp-1067 > > >> </url> > > >> </repository> > > >> </repositories> > > >> > > >> Binaries & Source: > > >> https://dist.apache.org/repos/dist/dev/opennlp/opennlp-1.9.5 > > >> > > >> Tag: > > >> https://github.com/apache/opennlp/releases/tag/opennlp-1.9.5 > > >> > > >> Tag Hash: 558f83bd89ec0f324fd6331067a093ce2ae58d1c > > >> > > >> Release notes: > > >> > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311215&version=12355022 > > >> > > >> Reminder: The up-to-date KEYS file for signature verification can be > > >> found here: https://dist.apache.org/repos/dist/release/opennlp/KEYS > > >> > > >> Checklist for reference: > > >> > > >> [ ] Both source (tar.gz/zip) and binary artifacts (tar.gz/zip) are > > present, > > >> along with .asc and .sha512 files for each. > > >> [ ] PGP signatures are valid for the release artifacts using the KEYS > > file > > >> from dist.apache.org > > >> [ ] SHA512 checksums are correct and verified. > > >> [ ] LICENSE and NOTICE files exist and are accurate. > > >> [ ] No unexpected binary files in the source release. > > >> [ ] All source files have appropriate ASF headers (excluding generated > > >> files and legacy files). > > >> [ ] Build completes successfully from source and the instruction to do > > so > > >> are clear. > > >> > > >> Please vote on releasing these packages as Apache OpenNLP 1.9.5. The > > >> vote is open for at least the next 72 hours. > > >> > > >> Only votes from OpenNLP PMC are binding, but everyone is welcome to > > >> check the release candidate and vote. > > >> The vote passes if at least three binding +1 votes are cast. > > >> > > >> Please VOTE > > >> > > >> [+1] go ship it > > >> [+0] meh, don't care > > >> [-1] stop, there is a ${showstopper} > > >> > > >> Thanks! > > >> > > >> Atita > > > > > > > >
