+1 (binding)

Verified sigs/sums/license/build/test (Java 17)

-Dan

On Mon, May 11, 2026 at 11:46 AM Russell Spitzer <[email protected]> wrote:

> +1 (Non-binding)
>
> Automated Verification Follows
> ---
>
> Apache Parquet-Java 1.17.1 RC0 — Validation Report
> Tag: apache-parquet-1.17.1-rc0 (78a8d3230eb4769db93de5f2f2e18363c04cae81)
> Signed by: Gang Wu <[email protected]>
>   fingerprint D7F359228AE6906022188C6D72A6333C8A461DF4
> Tarball: https://dist.apache.org/repos/dist/dev/parquet/apache-parquet-1.17.1-rc0/
> Staging: https://repository.apache.org/content/repositories/orgapacheparquet-1078/
>
> Passed
> ------
> * GPG signature verified against the project KEYS file
>   (signer Gang Wu, key D7F35922...).
> * SHA-512 checksum matches:
>   bd984a06a2b0010056cc1dfc1deb4315af4d84dfed5cd44aa9ce6e4ace770cb4
>   95d0438160ad881d53070ec638f417438ce2486e22117caea03ab3e5a729b8b8
> * Tag points at the commit declared in the vote email
>   (78a8d3230eb4769db93de5f2f2e18363c04cae81).
> * Source tarball matches the git tag exactly (only deltas vs the
>   tag working tree are .git and a local .idea folder).
> * Top-level LICENSE (Apache 2.0) and NOTICE files present.
>   No DISCLAIMER (correct — Parquet is a TLP).
> * License headers present on all 617 source files scanned by the validator.
> * CHANGES align with the GitHub release notes:
>   3 user-visible commits (proto Uint32Value fix; jackson 2.19.2 -> 2.21.2;
>   jackson 2.21.2 -> 2.21.3) plus the maven-release-plugin bookkeeping commits.
> * Source build (`./mvnw clean verify -DskipITs`) succeeded for all
>   modules I was able to build locally:
>     parquet-format-structures   2 tests
>     parquet-common            308 tests
>     parquet-encoding           32 tests
>     parquet-column            572 tests
>     parquet-arrow              25 tests
>     parquet-hadoop            650 tests (24 skipped)
>     parquet-variant           131 tests (1 skipped)
>     parquet-avro              408 tests (2 skipped)
>     parquet-benchmarks        109 tests
>     parquet-protobuf           64 tests (2 skipped)
>     parquet-hadoop-bundle     packaging only (shade)
>   All 0 failures, 0 errors in those modules.
> * Nexus staging artifact completeness — every published module has
>   jar/pom + sources/javadoc + .asc + .sha1 + .md5. (Two shade-only
>   modules, parquet-jackson and parquet-hadoop-bundle, intentionally
>   do not publish javadoc.jar — consistent with 1.17.0.)
> * POM metadata correct: groupId org.apache.parquet, version 1.17.1,
>   Apache 2.0 license, scm tag apache-parquet-1.17.1-rc0.
> * Published JAR MANIFEST.MF includes
>     git-SHA-1: 78a8d3230eb4769db93de5f2f2e18363c04cae81
>     Implementation-Version: 1.17.1
>     Build-Jdk-Spec: 11
> * Shaded dependencies are correctly relocated:
>     parquet-jackson -> shaded/parquet/com/fasterxml/jackson/...
>     parquet-format-structures -> shaded/parquet/org/apache/thrift/...
> * Bundled-dep LICENSE/NOTICE in the modules that include third-party code
>   (parquet-jackson, parquet-cli, parquet-hadoop-bundle, parquet-avro,
>   parquet-protobuf) correctly enumerate Jackson, Thrift, SLF4J,
>   Lemire/JavaFastPFOR, fastutil, snappy-java, commons-pool/compress, Guava,
>   JCommander, OpenCSV, paranamer, xz.
>
> On Mon, May 11, 2026 at 7:26 AM Fokko Driesprong <[email protected]> wrote:
>
> > +1 (binding)
> >
> > Checked license, checksums, etc. Tested against Iceberg and it passes all
> > the tests (https://github.com/apache/iceberg/pull/16257).
> >
> > Kind regards,
> > Fokko
> >
> > On 2026/05/11 05:24:44 Gang Wu wrote:
> > > Cast my own vote
> > >
> > > +1 (binding)
> > >
> > > I'd encourage PMC members to vote as we still need 2 more binding votes.
> > >
> > > On Fri, May 8, 2026 at 8:19 PM Steve Loughran <[email protected]> wrote:
> > >
> > > > +1, non binding
> > > >
> > > > Got claude to do most of the work, which was primarily security
> > > > validation plus regression testing of parquet-cli on hadoop 3.5.0
> > > > against the parquet-format reference files.
> > > >
> > > > I'm also experimenting with how good claude is at identifying security
> > > > fixes that an OSS project puts out with some nonchalant "improve
> > > > testing of unzip" title hiding the key fix inside a larger diff. That
> > > > used to work: not any more. Now OSS projects have to assume that as
> > > > soon as a security fix is committed, it's announced. Apache httpd has
> > > > hit this, and this week so has the linux kernel.
> > > >
> > > > Claude's security analysis
> > > >
> > > > Only one security-relevant change: the Jackson upgrade. Net jump in
> > > > this release is jackson 2.19.2 → 2.21.3 across jackson-core,
> > > > jackson-databind, jackson-annotations, jackson-datatype-jsr310.
> > > >
> > > > This transitively absorbs every Jackson CVE/GHSA fix published between
> > > > those releases (mid-2025 → early-2026). No specific CVE IDs are called
> > > > out by the Parquet PR descriptions, but jackson-databind in particular
> > > > routinely ships polymorphic-deserialization advisories, so the bump
> > > > should be treated as the de facto security content of 1.17.1.
> > > >
> > > > Not security: the proto Uint32Value fix (ef00c463) is a
> > > > data-correctness bug — old code mapped protobuf UInt32Value to Parquet
> > > > INT64 then narrowed with Math.toIntExact, which would throw
> > > > ArithmeticException on large values. New code maps it to INT32
> > > > directly and adds an addInt handler. No exploit primitive; this is
> > > > robustness, not a vulnerability fix.
> > > >
> > > > No Parquet-specific CVE fixes in this release — no CVE- references in
> > > > commit messages, no security advisory linked from the GitHub release
> > > > notes, no entries in parquet-hadoop's encryption code path.
> > > >
> > > > The release is essentially: a patch-level security hygiene update
> > > > (Jackson) plus one protobuf correctness fix. Worth merging from a
> > > > security standpoint — it pulls in upstream Jackson hardening — but it
> > > > does not address any Parquet-specific advisory.
> > > >
> > > > -----
> > > >
> > > > After that I got it to do a jvm bytecode audit of nexus staged
> > > > artifacts against locally generated artifacts.
> > > >
> > > > While cutting the hadoop 3.4.3 release I ended up pushing up the JAR
> > > > files built on an arm64 system, which I wanted to compare against the
> > > > x86 ones. I've also been considering how the manual release manager
> > > > is a security risk to ASF projects. If I wanted to put malicious code
> > > > out I'd do a legit RC while putting the malicious code into the
> > > > staging maven binaries. I'd get the supply chain attack in while all
> > > > reviews of the source and bin tarballs worked because they were
> > > > consistent with the repository source. Who compares staged .jar files
> > > > with local stuff?
> > > >
> > > > Hence, a new claude-authored kotlin tool, auditor, diffs jar files at
> > > > the .class level, looking for differences in bytecodes, especially
> > > > suspicious ones.
> > > >
> > > > https://github.com/steveloughran/auditor
> > > >
> > > > All good; only diff from my source build and the artifacts was the
> > > > auto-generated version info strings.
> > > >
> > > > (Once Russell Spitzer's automated release process is in, there'll be
> > > > less need for this, but it's still some good due diligence and is
> > > > trivial to run)
> > > >
> > > > steve
> > > >
> > > > On Fri, 8 May 2026 at 03:17, Gang Wu <[email protected]> wrote:
> > > >
> > > >> Hi everyone,
> > > >>
> > > >> I propose the following RC to be released as the official Apache
> > > >> Parquet-Java 1.17.1 release.
> > > >>
> > > >> The commit ID is 78a8d3230eb4769db93de5f2f2e18363c04cae81
> > > >> * This corresponds to the tag: apache-parquet-1.17.1-rc0
> > > >> * https://github.com/apache/parquet-java/tree/78a8d3230eb4769db93de5f2f2e18363c04cae81
> > > >>
> > > >> The release tarball, signature, and checksums are here:
> > > >> * https://dist.apache.org/repos/dist/dev/parquet/apache-parquet-1.17.1-rc0
> > > >>
> > > >> You can find the KEYS file here:
> > > >> * https://downloads.apache.org/parquet/KEYS
> > > >>
> > > >> You can find the changelog here:
> > > >> * https://github.com/apache/parquet-java/releases/tag/apache-parquet-1.17.1-rc0
> > > >>
> > > >> Binary artifacts are staged in Nexus here:
> > > >> * https://repository.apache.org/content/repositories/orgapacheparquet-1078/
> > > >>
> > > >> Please download, verify, and test.
> > > >>
> > > >> Please vote in the next 72 hours.
> > > >>
> > > >> [ ] +1 Release this as Apache Parquet 1.17.1
> > > >> [ ] +0
> > > >> [ ] -1 Do not release this because...
> > > >>
> > > >> Kind regards,
> > > >> Gang
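Two things in the thread above are worth keeping as a script rather than redoing by hand each RC: the artifact checks in Russell's validation report (the .sha512 file, the git-SHA-1 and Implementation-Version fields in MANIFEST.MF, the shaded-package relocation) and Steve's point that nobody routinely compares the Nexus-staged JARs with a locally built one. The block below is an added example written for this page; it is not Parquet project tooling and not Steve Loughran's auditor. It runs offline on two constructed sample JARs that it builds itself (placeholder bytes rather than real class files): the JAR names, the `Injected.class` entry that stands in for a class never present in the source tree, the JDK 17 vs JDK 11 manifests and the `run_demo` driver are all assumptions made for the illustration.

```python
"""Offline RC checks: .sha512 parsing, MANIFEST.MF fields, shaded-package
relocation, and a class-level diff of a local JAR against a staged one.
Added example; not Parquet tooling and not Steve Loughran's auditor."""
import hashlib
import re
import tempfile
import zipfile
from pathlib import Path


def parse_sha512_file(text: str) -> str:
    """128-hex-char digest from a .sha512 file: sha512sum's `hash  file`,
    `gpg --print-md`'s `file: ABCD EFGH ...`, or a digest wrapped over two
    lines by a mail client (as in the quoted validation report)."""
    run = ""
    for tok in text.split():
        if re.fullmatch(r"[0-9a-fA-F]+", tok):
            run += tok
            if len(run) == 128:
                return run.lower()
        else:
            run = ""  # a non-hex token (the filename) ends any digest run
    raise ValueError("no 128-hex-character SHA-512 digest found")


def verify_sha512(path, sha_file) -> bool:
    """Recompute SHA-512 over `path` and compare with the digest in `sha_file`."""
    expected = parse_sha512_file(Path(sha_file).read_text(encoding="utf-8"))
    return hashlib.sha512(Path(path).read_bytes()).hexdigest() == expected


def read_manifest(jar_path) -> dict:
    """Main section of META-INF/MANIFEST.MF; a line starting with one space
    continues the previous attribute (the JAR spec's 72-byte line wrap)."""
    with zipfile.ZipFile(jar_path) as z:
        raw = z.read("META-INF/MANIFEST.MF").decode("utf-8")
    attrs, key = {}, None
    for line in raw.splitlines():
        if not line:
            break  # blank line ends the main section
        if line.startswith(" ") and key:
            attrs[key] += line[1:]
        elif ":" in line:
            key, _, val = line.partition(":")
            attrs[key.strip()] = val.strip()
    return attrs


def check_manifest(jar_path, expected_sha: str, expected_version: str) -> list:
    """Mismatches between the manifest and what the vote email declares."""
    m = read_manifest(jar_path)
    wanted = (("git-SHA-1", expected_sha), ("Implementation-Version", expected_version))
    return [f"{k}: manifest has {m.get(k)!r}, vote says {v!r}" for k, v in wanted if m.get(k) != v]


def unrelocated_classes(jar_path, forbidden_prefixes) -> list:
    """Classes still under a package that shading should have relocated, e.g.
    com/fasterxml/jackson/ rather than shaded/parquet/com/fasterxml/jackson/."""
    with zipfile.ZipFile(jar_path) as z:
        return sorted(n for n in z.namelist()
                      if n.endswith(".class") and n.startswith(tuple(forbidden_prefixes)))


def diff_jars(local_jar, staged_jar) -> dict:
    """Compare entries by SHA-256 of their bytes, so zip timestamps and entry
    order do not count.  A class only in the staged JAR, or a class whose bytes
    changed, is the 'malicious code only in the staging binaries' case above."""
    def digests(path):
        with zipfile.ZipFile(path) as z:
            return {i.filename: hashlib.sha256(z.read(i)).hexdigest()
                    for i in z.infolist() if not i.is_dir()}
    a, b = digests(local_jar), digests(staged_jar)
    return {"only_in_local": sorted(a.keys() - b.keys()),
            "only_in_staged": sorted(b.keys() - a.keys()),
            "changed": sorted(n for n in a.keys() & b.keys() if a[n] != b[n])}


def build_sample_jars(directory):
    """Constructed sample data, not real artifacts: a 'local' JAR built on JDK 17
    and a 'staged' JAR built on JDK 11 that also carries one class the local
    build never had.  Entry bodies are placeholder bytes, not real bytecode."""
    def write(path, manifest, entries):
        with zipfile.ZipFile(path, "w") as z:
            for name, data in {"META-INF/MANIFEST.MF": manifest, **entries}.items():
                z.writestr(name, data)
    common = {"org/apache/parquet/Foo.class": b"\xca\xfe\xba\xbe foo",
              "shaded/parquet/com/fasterxml/jackson/core/JsonParser.class": b"\xca\xfe\xba\xbe jp"}
    manifest = ("Manifest-Version: 1.0\r\nImplementation-Version: 1.17.1\r\n"
                "git-SHA-1: 78a8d3230eb4769db93de5f2f2e18363c04cae81\r\n")
    local, staged = Path(directory) / "local.jar", Path(directory) / "staged.jar"
    write(local, manifest + "Build-Jdk-Spec: 17\r\n\r\n", common)
    write(staged, manifest + "Build-Jdk-Spec: 11\r\n\r\n",
          {**common, "org/apache/parquet/Injected.class": b"\xca\xfe\xba\xbe x"})
    return local, staged


def run_demo() -> dict:
    """Build the sample artifacts in a temp dir and run every check on them."""
    sha, ver = "78a8d3230eb4769db93de5f2f2e18363c04cae81", "1.17.1"
    with tempfile.TemporaryDirectory() as d:
        local, staged = build_sample_jars(d)
        digest = hashlib.sha512(local.read_bytes()).hexdigest()
        sha_file = Path(d) / "local.jar.sha512"  # constructed, wrapped as a mail client would
        sha_file.write_text(f"{digest[:64]}\n{digest[64:]}  local.jar\n", encoding="utf-8")
        return {"sha512_ok": verify_sha512(local, sha_file),
                "sha512_wrong_file": verify_sha512(staged, sha_file),
                "manifest_problems": check_manifest(staged, sha, ver),
                "manifest_wrong_sha": check_manifest(local, "0" * 40, ver),
                "unrelocated": unrelocated_classes(staged, ("com/fasterxml/jackson/", "org/apache/thrift/")),
                "diff": diff_jars(local, staged)}
```

Against a real RC, point `verify_sha512` at the downloaded tarball and its .sha512, and `check_manifest`, `unrelocated_classes` and `diff_jars` at the JAR from `./mvnw clean verify` versus the same module's JAR fetched from the staging repository. A non-empty `only_in_staged`, or a `.class` entry in `changed`, is the signal Steve describes and wants a closer look at the bytecode; a changed `META-INF/MANIFEST.MF` (the sample's JDK 17 vs JDK 11 `Build-Jdk-Spec`) or an auto-generated version-info resource is the expected build-metadata noise and only needs eyeballing. The entry-hash comparison deliberately ignores zip timestamps and ordering, so two builds of the same sources on different machines compare clean even when the JAR files themselves have different checksums.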
