+1 (Non-binding)

Automated Verification Follows
---

Apache Parquet-Java 1.17.1 RC0 — Validation Report

Tag: apache-parquet-1.17.1-rc0 (78a8d3230eb4769db93de5f2f2e18363c04cae81)
Signed by: Gang Wu <[email protected]>
  fingerprint D7F359228AE6906022188C6D72A6333C8A461DF4
Tarball: https://dist.apache.org/repos/dist/dev/parquet/apache-parquet-1.17.1-rc0/
Staging: https://repository.apache.org/content/repositories/orgapacheparquet-1078/

Passed
------

* GPG signature verified against the project KEYS file (signer Gang Wu,
  key D7F35922...).
* SHA-512 checksum matches:
  bd984a06a2b0010056cc1dfc1deb4315af4d84dfed5cd44aa9ce6e4ace770cb495d0438160ad881d53070ec638f417438ce2486e22117caea03ab3e5a729b8b8
* Tag points at the commit declared in the vote email
  (78a8d3230eb4769db93de5f2f2e18363c04cae81).
* Source tarball matches the git tag exactly (only deltas vs the tag
  working tree are .git and a local .idea folder).
* Top-level LICENSE (Apache 2.0) and NOTICE files present. No DISCLAIMER
  (correct — Parquet is a TLP).
* License headers present on all 617 source files scanned by the validator.
* CHANGES align with the GitHub release notes: 3 user-visible commits
  (proto Uint32Value fix; jackson 2.19.2 -> 2.21.2; jackson 2.21.2 -> 2.21.3)
  plus the maven-release-plugin bookkeeping commits.
* Source build (`./mvnw clean verify -DskipITs`) succeeded for all modules
  I was able to build locally:
    parquet-format-structures     2 tests
    parquet-common              308 tests
    parquet-encoding             32 tests
    parquet-column              572 tests
    parquet-arrow                25 tests
    parquet-hadoop              650 tests (24 skipped)
    parquet-variant             131 tests (1 skipped)
    parquet-avro                408 tests (2 skipped)
    parquet-benchmarks          109 tests
    parquet-protobuf             64 tests (2 skipped)
    parquet-hadoop-bundle       packaging only (shade)
  All 0 failures, 0 errors in those modules.
* Nexus staging artifact completeness — every published module has
  jar/pom + sources/javadoc + .asc + .sha1 + .md5. (Two shade-only modules,
  parquet-jackson and parquet-hadoop-bundle, intentionally do not publish
  javadoc.jar — consistent with 1.17.0.)
* POM metadata correct: groupId org.apache.parquet, version 1.17.1,
  Apache 2.0 license, scm tag apache-parquet-1.17.1-rc0.
* Published JAR MANIFEST.MF includes
    git-SHA-1: 78a8d3230eb4769db93de5f2f2e18363c04cae81
    Implementation-Version: 1.17.1
    Build-Jdk-Spec: 11
* Shaded dependencies are correctly relocated:
    parquet-jackson -> shaded/parquet/com/fasterxml/jackson/...
    parquet-format-structures -> shaded/parquet/org/apache/thrift/...
* Bundled-dep LICENSE/NOTICE in the modules that include third-party code
  (parquet-jackson, parquet-cli, parquet-hadoop-bundle, parquet-avro,
  parquet-protobuf) correctly enumerate Jackson, Thrift, SLF4J,
  Lemire/JavaFastPFOR, fastutil, snappy-java, commons-pool/compress, Guava,
  JCommander, OpenCSV, paranamer, xz.

On Mon, May 11, 2026 at 7:26 AM Fokko Driesprong <[email protected]> wrote:

> +1 (binding)
>
> Checked license, checksums, etc. Tested against Iceberg and it passes all
> the tests (https://github.com/apache/iceberg/pull/16257).
>
> Kind regards,
> Fokko
>
> On 2026/05/11 05:24:44 Gang Wu wrote:
> > Cast my own vote
> >
> > +1 (binding)
> >
> > I'd encourage PMC members to vote as we still need 2 more binding votes.
> >
> > On Fri, May 8, 2026 at 8:19 PM Steve Loughran <[email protected]>
> > wrote:
> >
> > > +1, non binding
> > >
> > > Got claude to do most of the work, which was primarily security
> > > validation plus regression testing of parquet-cli on hadoop 3.5.0
> > > against the parquet-format reference files.
> > >
> > > I'm also experimenting with how good claude is at identifying security
> > > fixes that an OSS project puts out with some nonchalant "improve
> > > testing of unzip" title hiding the key fix inside a larger diff. That
> > > used to work: not any more. Now OSS projects have to assume that as
> > > soon as a security fix is committed, it's announced. Apache httpd has
> > > hit this, and this week so has the linux kernel.
> > >
> > > Claude's security analysis
> > >
> > > Only one security-relevant change: the Jackson upgrade. Net jump in
> > > this release is jackson 2.19.2 → 2.21.3 across jackson-core,
> > > jackson-databind, jackson-annotations, jackson-datatype-jsr310.
> > >
> > > This transitively absorbs every Jackson CVE/GHSA fix published between
> > > those releases (mid-2025 → early-2026). No specific CVE IDs are called
> > > out by the Parquet PR descriptions, but jackson-databind in particular
> > > routinely ships polymorphic-deserialization advisories, so the bump
> > > should be treated as the de facto security content of 1.17.1.
> > >
> > > Not security: the proto Uint32Value fix (ef00c463) is a
> > > data-correctness bug — old code mapped protobuf UInt32Value to Parquet
> > > INT64 then narrowed with Math.toIntExact, which would throw
> > > ArithmeticException on large values. New code maps it to INT32
> > > directly and adds an addInt handler. No exploit primitive; this is
> > > robustness, not a vulnerability fix.
> > >
> > > No Parquet-specific CVE fixes in this release — no CVE- references in
> > > commit messages, no security advisory linked from the GitHub release
> > > notes, no entries in parquet-hadoop's encryption code path.
> > >
> > > The release is essentially: a patch-level security hygiene update
> > > (Jackson) plus one protobuf correctness fix. Worth merging from a
> > > security standpoint — it pulls in upstream Jackson hardening — but it
> > > does not address any Parquet-specific advisory.
> > >
> > > -----
> > >
> > > After that I got it to do a jvm bytecode audit of nexus staged
> > > artifacts against locally generated artifacts.
> > >
> > > While cutting the hadoop 3.4.3 release I ended up pushing up the JAR
> > > files built on an arm64 system, which I wanted to compare against the
> > > x86s ones. I've also been considering how the manual release manager
> > > is a security risk to ASF projects. If I wanted to put malicious code
> > > out I'd do a legit RC while putting the malicious code into the
> > > staging maven binaries. I'd get the supply chain attack in while all
> > > reviews of the source and bin tarballs worked because they were
> > > consistent with the repository source. Who compares staged .jar files
> > > with local stuff?
> > >
> > > Hence, a new claude-authored kotlin tool, auditor, diffs jar files at
> > > the .class level, looking for differences in bytecodes, especially
> > > suspicious ones.
> > >
> > > https://github.com/steveloughran/auditor
> > >
> > > All good; only diff from my source build and the artifacts was the
> > > auto-generated version info strings.
> > >
> > > (Once Russel Spitzer's automated release process is in there'll be
> > > less need for this, but it's still some good due diligence and is
> > > trivial to run)
> > >
> > > steve
> > >
> > > On Fri, 8 May 2026 at 03:17, Gang Wu <[email protected]> wrote:
> > >
> > >> Hi everyone,
> > >>
> > >> I propose the following RC to be released as the official Apache
> > >> Parquet-Java 1.17.1 release.
> > >>
> > >> The commit ID is 78a8d3230eb4769db93de5f2f2e18363c04cae81
> > >> * This corresponds to the tag: apache-parquet-1.17.1-rc0
> > >> * https://github.com/apache/parquet-java/tree/78a8d3230eb4769db93de5f2f2e18363c04cae81
> > >>
> > >> The release tarball, signature, and checksums are here:
> > >> * https://dist.apache.org/repos/dist/dev/parquet/apache-parquet-1.17.1-rc0
> > >>
> > >> You can find the KEYS file here:
> > >> * https://downloads.apache.org/parquet/KEYS
> > >>
> > >> You can find the changelog here:
> > >> * https://github.com/apache/parquet-java/releases/tag/apache-parquet-1.17.1-rc0
> > >>
> > >> Binary artifacts are staged in Nexus here:
> > >> * https://repository.apache.org/content/repositories/orgapacheparquet-1078/
> > >>
> > >> Please download, verify, and test.
> > >>
> > >> Please vote in the next 72 hours.
> > >>
> > >> [ ] +1 Release this as Apache Parquet 1.17.1
> > >> [ ] +0
> > >> [ ] -1 Do not release this because...
> > >>
> > >> Kind regards,
> > >> Gang
> > >>
> > >
> >
>
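The staged-versus-local jar comparison Steve describes (catching a release where the staged Nexus binaries differ from what the tagged source builds), as an added Python example that is neither the auditor tool nor any code from this thread. It hashes every entry of two jars, skips the auto-generated manifest and maven metadata that legitimately differ between builds, and reports what was added, removed or changed; the two jars are constructed in memory with placeholder class bytes, and the IGNORE_PREFIXES list is an assumption about which entries a release manager would accept as build-to-build noise.

```python
import hashlib
import io
import zipfile

# Assumed allow-list: entries expected to differ between independent builds
# (JDK/host stamps in the manifest, timestamps in maven pom.properties).
IGNORE_PREFIXES = ("META-INF/MANIFEST.MF", "META-INF/maven/")

def entry_digests(jar_bytes: bytes) -> dict:
    """Map every file entry in a jar (classes and resources) to its SHA-256."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.filename.startswith(IGNORE_PREFIXES):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def diff_jars(staged: bytes, local: bytes) -> dict:
    """Entries only in one jar, or present in both with different bytes."""
    staged_d, local_d = entry_digests(staged), entry_digests(local)
    return {
        "only_in_staged": sorted(set(staged_d) - set(local_d)),
        "only_in_local": sorted(set(local_d) - set(staged_d)),
        "changed": sorted(n for n in staged_d.keys() & local_d.keys()
                          if staged_d[n] != local_d[n]),
    }

def build_jar(entries: dict) -> bytes:
    # Constructed in-memory jar used only to demonstrate the diff.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample: "staged" differs in the ignored manifest, one modified
# class and one extra class. Class bodies are placeholder bytes, not bytecode.
LOCAL = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nBuild-Jdk-Spec: 11\n",
    "org/apache/parquet/Foo.class": b"\xca\xfe\xba\xbe Foo",
    "org/apache/parquet/Bar.class": b"\xca\xfe\xba\xbe Bar",
})
STAGED = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nBuild-Jdk-Spec: 17\n",
    "org/apache/parquet/Foo.class": b"\xca\xfe\xba\xbe Foo",
    "org/apache/parquet/Bar.class": b"\xca\xfe\xba\xbe Bar plus injected code",
    "org/apache/parquet/Extra.class": b"\xca\xfe\xba\xbe Extra",
})

if __name__ == "__main__":
    for kind, names in diff_jars(STAGED, LOCAL).items():
        print(f"{kind}: {names or 'none'}")
```

Any non-empty result other than the allow-listed entries means the staged artifact is not what the tagged source produces and needs explaining before a +1.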
