Cast my own vote +1 (binding)
I'd encourage PMC members to vote as we still need 2 more binding votes.

On Fri, May 8, 2026 at 8:19 PM Steve Loughran <[email protected]> wrote:

> +1, non binding
>
> Got claude to do most of the work, which was primarily security validation
> plus regression testing of parquet-cli on hadoop 3.5.0 against the
> parquet-format reference files.
>
> I'm also experimenting with how good claude is at identifying security
> fixes that an OSS project puts out with some nonchalant "improve testing of
> unzip" title hiding the key fix inside a larger diff. That used to work:
> not any more. Now OSS projects have to assume that as soon as a security
> fix is committed, it's announced. Apache httpd has hit this, and this week
> so has the linux kernel.
>
> Claude's security analysis
>
> Only one security-relevant change: the Jackson upgrade. Net jump in this
> release is jackson 2.19.2 → 2.21.3 across jackson-core, jackson-databind,
> jackson-annotations, jackson-datatype-jsr310.
>
> This transitively absorbs every Jackson CVE/GHSA fix published between
> those releases (mid-2025 → early-2026). No specific CVE IDs are called out
> by the Parquet PR descriptions, but jackson-databind in particular
> routinely ships polymorphic-deserialization advisories, so the bump should
> be treated as the de facto security content of 1.17.1.
>
> Not security: the proto Uint32Value fix (ef00c463) is a data-correctness
> bug — old code mapped protobuf UInt32Value to Parquet INT64 then narrowed
> with Math.toIntExact, which would throw ArithmeticException on large
> values. New code maps it to INT32 directly and adds an addInt handler. No
> exploit primitive; this is robustness, not a vulnerability fix.
> No Parquet-specific CVE fixes in this release — no CVE- references in
> commit messages, no security advisory linked from the GitHub release notes,
> no entries in parquet-hadoop's encryption code path.
>
> The release is essentially: a patch-level security hygiene update
> (Jackson) plus one protobuf correctness fix. Worth merging from a security
> standpoint — it pulls in upstream Jackson hardening — but it does not
> address any Parquet-specific advisory.
>
> -----
>
> After that I got it to do a jvm bytecode audit of nexus staged artifacts
> against locally generated artifacts.
>
> While cutting the hadoop 3.4.3 release I ended up pushing up the JAR files
> built on an arm64 system, which I wanted to compare against the x86 ones.
> I've also been considering how the manual release manager is a security risk
> to ASF projects. If I wanted to put malicious code out I'd do a legit RC
> while putting the malicious code into the staging maven binaries. I'd get
> the supply chain attack in while all reviews of the source and bin tarballs
> worked because they were consistent with the repository source. Who
> compares staged .jar files with local stuff?
>
> Hence, a new claude-authored kotlin tool, auditor, diffs jar files at the
> .class level, looking for differences in bytecodes, especially suspicious
> ones.
>
> https://github.com/steveloughran/auditor
>
> All good; only diff from my source build and the artifacts was the
> auto-generated version info strings.
>
> (Once Russell Spitzer's automated release process is in there'll be less
> need for this, but it's still some good due diligence and is trivial to run)
>
> steve
>
> On Fri, 8 May 2026 at 03:17, Gang Wu <[email protected]> wrote:
>
>> Hi everyone,
>>
>> I propose the following RC to be released as the official Apache
>> Parquet-Java 1.17.1 release.
>>
>> The commit ID is 78a8d3230eb4769db93de5f2f2e18363c04cae81
>> * This corresponds to the tag: apache-parquet-1.17.1-rc0
>> * https://github.com/apache/parquet-java/tree/78a8d3230eb4769db93de5f2f2e18363c04cae81
>>
>> The release tarball, signature, and checksums are here:
>> * https://dist.apache.org/repos/dist/dev/parquet/apache-parquet-1.17.1-rc0
>>
>> You can find the KEYS file here:
>> * https://downloads.apache.org/parquet/KEYS
>>
>> You can find the changelog here:
>> * https://github.com/apache/parquet-java/releases/tag/apache-parquet-1.17.1-rc0
>>
>> Binary artifacts are staged in Nexus here:
>> * https://repository.apache.org/content/repositories/orgapacheparquet-1078/
>>
>> Please download, verify, and test.
>>
>> Please vote in the next 72 hours.
>>
>> [ ] +1 Release this as Apache Parquet 1.17.1
>> [ ] +0
>> [ ] -1 Do not release this because...
>>
>> Kind regards,
>> Gang
>>
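The check Steve describes, comparing what was pushed to Nexus against what a local build of the tagged commit produces, is simple enough to automate even without his Kotlin auditor. The script below is an added example written for this thread; it is not the auditor tool and not code from the Parquet project. It compares two jars entry by entry using SHA-256 of each entry's decompressed bytes (a coarser check than auditor's bytecode-level diff), and treats an ignore list of entries that are expected to differ between builds (here a constructed `version.properties`, standing in for the auto-generated version info strings Steve mentions) as non-suspicious. The jar contents, class names and `.class` bytes are constructed placeholders, not real bytecode.

```python
import hashlib
import io
import zipfile
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set


@dataclass
class JarDiff:
    """Entry-level differences between a staged jar and a locally built one."""
    only_in_staged: Set[str] = field(default_factory=set)   # entries the source build never produced
    only_in_local: Set[str] = field(default_factory=set)    # entries missing from the staged jar
    changed: Set[str] = field(default_factory=set)          # differs and is not on the ignore list
    ignored_changes: Set[str] = field(default_factory=set)  # differs, but expected to (version info etc.)

    def suspicious(self) -> bool:
        # Anything added, removed or altered outside the ignore list needs a human look.
        return bool(self.only_in_staged or self.only_in_local or self.changed)


def entry_digests(jar_bytes: bytes) -> Dict[str, str]:
    """Map every file entry in the jar to the SHA-256 of its decompressed bytes."""
    digests: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def diff_jars(staged: bytes, local: bytes, ignore: Iterable[str] = ()) -> JarDiff:
    """Compare a staged jar against a local build of the same source tag."""
    ignore_set = set(ignore)
    staged_d, local_d = entry_digests(staged), entry_digests(local)
    result = JarDiff()
    result.only_in_staged = set(staged_d) - set(local_d)
    result.only_in_local = set(local_d) - set(staged_d)
    for name in set(staged_d) & set(local_d):
        if staged_d[name] != local_d[name]:
            bucket = result.ignored_changes if name in ignore_set else result.changed
            bucket.add(name)
    return result


def build_jar(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory jar (a zip archive) from a name -> bytes mapping; used for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample contents. The .class entries are placeholder bytes, not real
# bytecode; only their equality matters to the comparison.
LOCAL_ENTRIES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/example/Reader.class": b"\xca\xfe\xba\xbe reader v1",
    "org/example/Writer.class": b"\xca\xfe\xba\xbe writer v1",
    "version.properties": b"build.time=2026-05-07T10:00:00Z\n",  # legitimately differs per build
}
EXPECTED_DIFFS = {"version.properties"}  # constructed ignore list


def example_clean() -> JarDiff:
    """Staged jar identical to the local build except for the auto-generated version file."""
    staged = dict(LOCAL_ENTRIES)
    staged["version.properties"] = b"build.time=2026-05-08T03:00:00Z\n"
    return diff_jars(build_jar(staged), build_jar(LOCAL_ENTRIES), ignore=EXPECTED_DIFFS)


def example_tampered() -> JarDiff:
    """Staged jar with one class altered and one class the source never produced."""
    staged = dict(LOCAL_ENTRIES)
    staged["org/example/Reader.class"] = b"\xca\xfe\xba\xbe reader v1 plus something else"
    staged["org/example/Hook.class"] = b"\xca\xfe\xba\xbe hook"
    return diff_jars(build_jar(staged), build_jar(LOCAL_ENTRIES), ignore=EXPECTED_DIFFS)


if __name__ == "__main__":
    for label, d in (("clean", example_clean()), ("tampered", example_tampered())):
        print(f"{label}: suspicious={d.suspicious()} changed={sorted(d.changed)} "
              f"only_in_staged={sorted(d.only_in_staged)} ignored={sorted(d.ignored_changes)}")
```

In use, `local` would be the jar produced by building the tagged commit on the reviewer's own machine and `staged` the one downloaded from the Nexus staging repository; the ignore list should contain exactly the entries known to carry per-build data, so that every other difference, a changed class or an extra one, is surfaced rather than silently accepted.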
