+1 (binding) Checked license, checksums, etc. Tested against Iceberg and it passes all the tests (https://github.com/apache/iceberg/pull/16257).
Kind regards,
Fokko

On 2026/05/11 05:24:44 Gang Wu wrote:
> Cast my own vote
>
> +1 (binding)
>
> I'd encourage PMC members to vote as we still need 2 more binding votes.
>
> On Fri, May 8, 2026 at 8:19 PM Steve Loughran <[email protected]> wrote:
>
> > +1, non-binding
> >
> > Got claude to do most of the work, which was primarily security validation
> > plus regression testing of parquet-cli on hadoop 3.5.0 against the
> > parquet-format reference files.
> >
> > I'm also experimenting with how good claude is at identifying security
> > fixes that an OSS project puts out with some nonchalant "improve testing of
> > unzip" title hiding the key fix inside a larger diff. That used to work:
> > not any more. Now OSS projects have to assume that as soon as a security
> > fix is committed, it's announced. Apache httpd has hit this, and this week
> > so has the linux kernel.
> >
> > Claude's security analysis
> >
> > Only one security-relevant change: the Jackson upgrade. Net jump in this
> > release is jackson 2.19.2 → 2.21.3 across jackson-core, jackson-databind,
> > jackson-annotations, jackson-datatype-jsr310.
> >
> > This transitively absorbs every Jackson CVE/GHSA fix published between
> > those releases (mid-2025 → early-2026). No specific CVE IDs are called out
> > by the Parquet PR descriptions, but jackson-databind in particular
> > routinely ships polymorphic-deserialization advisories, so the bump should
> > be treated as the de facto security content of 1.17.1.
> >
> > Not security: the proto Uint32Value fix (ef00c463) is a data-correctness
> > bug — old code mapped protobuf UInt32Value to Parquet INT64 then narrowed
> > with Math.toIntExact, which would throw ArithmeticException on large
> > values. New code maps it to INT32 directly and adds an addInt handler. No
> > exploit primitive; this is robustness, not a vulnerability fix.
> >
> > No Parquet-specific CVE fixes in this release — no CVE- references in
> > commit messages, no security advisory linked from the GitHub release notes,
> > no entries in parquet-hadoop's encryption code path.
> >
> > The release is essentially: a patch-level security hygiene update
> > (Jackson) plus one protobuf correctness fix. Worth merging from a security
> > standpoint — it pulls in upstream Jackson hardening — but it does not
> > address any Parquet-specific advisory.
> >
> > -----
> >
> > After that I got it to do a jvm bytecode audit of nexus staged artifacts
> > against locally generated artifacts.
> >
> > While cutting the hadoop 3.4.3 release I ended up pushing up the JAR files
> > built on an arm64 system, which I wanted to compare against the x86 ones.
> > I've also been considering how the manual release manager is a security risk
> > to ASF projects. If I wanted to put malicious code out I'd do a legit RC
> > while putting the malicious code into the staging maven binaries. I'd get
> > the supply chain attack in while all reviews of the source and bin tarballs
> > worked because they were consistent with the repository source. Who
> > compares staged .jar files with local stuff?
> >
> > Hence, a new claude-authored kotlin tool, auditor, diffs jar files at the
> > .class level, looking for differences in bytecodes, especially suspicious
> > ones.
> >
> > https://github.com/steveloughran/auditor
> >
> > All good; only diff from my source build and the artifacts was the
> > auto-generated version info strings.
> >
> > (Once Russel Spitzer's automated release process is in, there'll be less
> > need for this, but it's still some good due diligence and is trivial to run)
> >
> > steve
> >
> > On Fri, 8 May 2026 at 03:17, Gang Wu <[email protected]> wrote:
> >
> >> Hi everyone,
> >>
> >> I propose the following RC to be released as the official Apache
> >> Parquet-Java 1.17.1 release.
> >>
> >> The commit ID is 78a8d3230eb4769db93de5f2f2e18363c04cae81
> >> * This corresponds to the tag: apache-parquet-1.17.1-rc0
> >> * https://github.com/apache/parquet-java/tree/78a8d3230eb4769db93de5f2f2e18363c04cae81
> >>
> >> The release tarball, signature, and checksums are here:
> >> * https://dist.apache.org/repos/dist/dev/parquet/apache-parquet-1.17.1-rc0
> >>
> >> You can find the KEYS file here:
> >> * https://downloads.apache.org/parquet/KEYS
> >>
> >> You can find the changelog here:
> >> * https://github.com/apache/parquet-java/releases/tag/apache-parquet-1.17.1-rc0
> >>
> >> Binary artifacts are staged in Nexus here:
> >> * https://repository.apache.org/content/repositories/orgapacheparquet-1078/
> >>
> >> Please download, verify, and test.
> >>
> >> Please vote in the next 72 hours.
> >>
> >> [ ] +1 Release this as Apache Parquet 1.17.1
> >> [ ] +0
> >> [ ] -1 Do not release this because...
> >>
> >> Kind regards,
> >> Gang
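The check Steve describes above, comparing the JARs staged in Nexus against a local build of the same commit entry by entry, as an added illustration. This is not the auditor tool's code (that tool is Kotlin and inspects bytecode); it is a standard-library Python sketch of the same idea that hashes every archive entry, separates bytecode changes and entries that exist only in the staged copy from the generated version strings an honest rebuild is expected to change. The benign-path list and the three in-memory JARs are constructed for the demo, and the "class" bodies are placeholder bytes rather than real JVM bytecode.

```python
"""Entry-level diff of two JARs: a local build versus a staged copy.
Added example, not the auditor project's code; standard library only."""
import hashlib
import io
import zipfile
from dataclasses import dataclass, field
from typing import Dict, List

# Entries an honest rebuild of the same commit is expected to change
# (build timestamps, generated version strings). Assumed list for the demo.
BENIGN_PREFIXES = ("META-INF/MANIFEST.MF", "META-INF/maven/")
BENIGN_SUFFIXES = (".properties",)


@dataclass
class JarDiff:
    only_in_local: List[str] = field(default_factory=list)
    only_in_staged: List[str] = field(default_factory=list)
    changed_classes: List[str] = field(default_factory=list)  # .class bytes differ
    changed_benign: List[str] = field(default_factory=list)   # version info and the like
    changed_other: List[str] = field(default_factory=list)    # anything else

    def suspicious(self) -> bool:
        # Entries only the staged copy has, or any bytecode change, are what a
        # substitution at staging time looks like; those need manual review.
        return bool(self.only_in_staged or self.changed_classes or self.changed_other)


def entry_digests(jar_bytes: bytes) -> Dict[str, str]:
    """SHA-256 of every file entry, keyed by its path inside the archive."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if not info.is_dir()
        }


def is_benign_path(path: str) -> bool:
    return path.startswith(BENIGN_PREFIXES) or path.endswith(BENIGN_SUFFIXES)


def diff_jars(local_jar: bytes, staged_jar: bytes) -> JarDiff:
    local, staged = entry_digests(local_jar), entry_digests(staged_jar)
    result = JarDiff()
    result.only_in_local = sorted(set(local) - set(staged))
    result.only_in_staged = sorted(set(staged) - set(local))
    for path in sorted(set(local) & set(staged)):
        if local[path] == staged[path]:
            continue
        if path.endswith(".class"):
            result.changed_classes.append(path)
        elif is_benign_path(path):
            result.changed_benign.append(path)
        else:
            result.changed_other.append(path)
    return result


def build_jar(entries: Dict[str, bytes]) -> bytes:
    """Constructed in-memory jar for the demo; no real build output involved."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()


# Constructed sample artifacts. Class bodies are placeholder bytes, not real
# bytecode; only their equality matters to the diff.
LOCAL_BUILD = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nBuild-Jdk: 17\n",
    "org/example/Reader.class": b"\xca\xfe\xba\xbe reader v1",
    "org/example/Writer.class": b"\xca\xfe\xba\xbe writer v1",
    "org/example/version.properties": b"version=1.17.1\nbuild.time=2026-05-07T10:00Z\n",
})

# Honest rebuild on another host: only generated strings differ.
REBUILD_OTHER_HOST = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nBuild-Jdk: 17.0.2\n",
    "org/example/Reader.class": b"\xca\xfe\xba\xbe reader v1",
    "org/example/Writer.class": b"\xca\xfe\xba\xbe writer v1",
    "org/example/version.properties": b"version=1.17.1\nbuild.time=2026-05-08T09:30Z\n",
})

# Staged copy with one class altered and one class added: the case that a
# review of the source tarball cannot see and this diff exists to catch.
TAMPERED_STAGING = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nBuild-Jdk: 17\n",
    "org/example/Reader.class": b"\xca\xfe\xba\xbe reader v1",
    "org/example/Writer.class": b"\xca\xfe\xba\xbe writer v1 + extra call",
    "org/example/Extra.class": b"\xca\xfe\xba\xbe not in the repository",
    "org/example/version.properties": b"version=1.17.1\nbuild.time=2026-05-07T10:00Z\n",
})


if __name__ == "__main__":
    for name, staged in (("rebuild", REBUILD_OTHER_HOST), ("staging", TAMPERED_STAGING)):
        d = diff_jars(LOCAL_BUILD, staged)
        print(name, "suspicious" if d.suspicious() else "clean", d)
```

Against real artifacts, `LOCAL_BUILD` would be the JAR produced from the tagged commit on your own machine and the other argument the file downloaded from the staging repository; the point of hashing per entry rather than per JAR is that two honest builds never match byte for byte, so the question is which entries differ, not whether any do.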
