+1 (binding)
Verified things below:
  - SHA-512 matches bd984a06…29b8b8.
  - GPG signature good — Gang Wu, fp D7F3 5922 8AE6 9060 2218 8C6D 72A6 333C 8A46 1DF4
    (also signs every Nexus jar I sampled).
  - Tag apache-parquet-1.17.1-rc0 resolves to 78a8d3230eb4769db93de5f2f2e18363c04cae81
    per the vote email.
  - Source tarball is byte-identical to the git tag working tree (only delta is .git/).

On Mon, May 11, 2026 at 12:28 PM Daniel Weeks <[email protected]> wrote:

> +1 (binding)
>
> Verified sigs/sums/license/build/test (Java 17)
>
> -Dan
>
> On Mon, May 11, 2026 at 11:46 AM Russell Spitzer <[email protected]> wrote:
>
> > +1 (Non-binding)
> >
> > Automated Verification Follows
> > ---
> >
> > Apache Parquet-Java 1.17.1 RC0 — Validation Report
> > Tag:       apache-parquet-1.17.1-rc0 (78a8d3230eb4769db93de5f2f2e18363c04cae81)
> > Signed by: Gang Wu <[email protected]>
> >             fingerprint D7F359228AE6906022188C6D72A6333C8A461DF4
> > Tarball:   https://dist.apache.org/repos/dist/dev/parquet/apache-parquet-1.17.1-rc0/
> > Staging:   https://repository.apache.org/content/repositories/orgapacheparquet-1078/
> > Passed
> > ------
> > * GPG signature verified against the project KEYS file
> >   (signer Gang Wu, key D7F35922...).
> > * SHA-512 checksum matches:
> >   bd984a06a2b0010056cc1dfc1deb4315af4d84dfed5cd44aa9ce6e4ace770cb4
> >   95d0438160ad881d53070ec638f417438ce2486e22117caea03ab3e5a729b8b8
> > * Tag points at the commit declared in the vote email
> >   (78a8d3230eb4769db93de5f2f2e18363c04cae81).
> > * Source tarball matches the git tag exactly (only deltas vs the
> >   tag working tree are .git and a local .idea folder).
> > * Top-level LICENSE (Apache 2.0) and NOTICE files present.
> >   No DISCLAIMER (correct — Parquet is a TLP).
> > * License headers present on all 617 source files
> >   scanned by the validator.
> > * CHANGES align with the GitHub release notes:
> >   3 user-visible commits (proto Uint32Value fix; jackson 2.19.2 ->
> >   2.21.2; jackson 2.21.2 -> 2.21.3) plus the maven-release-plugin
> >   bookkeeping commits.
> > * Source build (`./mvnw clean verify -DskipITs`) succeeded for all
> >   modules I was able to build locally:
> >     parquet-format-structures   2 tests
> >     parquet-common             308 tests
> >     parquet-encoding            32 tests
> >     parquet-column             572 tests
> >     parquet-arrow               25 tests
> >     parquet-hadoop             650 tests (24 skipped)
> >     parquet-variant            131 tests (1 skipped)
> >     parquet-avro               408 tests (2 skipped)
> >     parquet-benchmarks         109 tests
> >     parquet-protobuf            64 tests (2 skipped)
> >     parquet-hadoop-bundle      packaging only (shade)
> >   All 0 failures, 0 errors in those modules.
> > * Nexus staging artifact completeness — every published module has
> >   jar/pom + sources/javadoc + .asc + .sha1 + .md5. (Two shade-only
> >   modules, parquet-jackson and parquet-hadoop-bundle, intentionally
> >   do not publish javadoc.jar — consistent with 1.17.0.)
> > * POM metadata correct: groupId org.apache.parquet, version 1.17.1,
> >   Apache 2.0 license, scm tag apache-parquet-1.17.1-rc0.
> > * Published JAR MANIFEST.MF includes
> >     git-SHA-1: 78a8d3230eb4769db93de5f2f2e18363c04cae81
> >     Implementation-Version: 1.17.1
> >     Build-Jdk-Spec: 11
> > * Shaded dependencies are correctly relocated:
> >     parquet-jackson           -> shaded/parquet/com/fasterxml/jackson/...
> >     parquet-format-structures -> shaded/parquet/org/apache/thrift/...
> > * Bundled-dep LICENSE/NOTICE in the modules that include third-
> >   party code (parquet-jackson, parquet-cli, parquet-hadoop-bundle,
> >   parquet-avro, parquet-protobuf) correctly enumerate Jackson,
> >   Thrift, SLF4J, Lemire/JavaFastPFOR, fastutil, snappy-java,
> >   commons-pool/compress, Guava, JCommander, OpenCSV, paranamer, xz.
> >
> > On Mon, May 11, 2026 at 7:26 AM Fokko Driesprong <[email protected]> wrote:
> >
> > > +1 (binding)
> > >
> > > Checked license, checksums, etc. Tested against Iceberg and it passes
> > > all the tests (https://github.com/apache/iceberg/pull/16257).
> > >
> > > Kind regards,
> > > Fokko
> > >
> > > On 2026/05/11 05:24:44 Gang Wu wrote:
> > > > Cast my own vote
> > > >
> > > > +1 (binding)
> > > >
> > > > I'd encourage PMC members to vote as we still need 2 more binding
> > > > votes.
> > > >
> > > > On Fri, May 8, 2026 at 8:19 PM Steve Loughran <[email protected]> wrote:
> > > >
> > > > >
> > > > >
> > > > > +1, non binding
> > > > >
> > > > > Got claude to do most of the work, which was primarily security
> > > > > validation plus regression testing of parquet-cli on hadoop 3.5.0
> > > > > against the parquet-format reference files.
> > > > >
> > > > > I'm also experimenting with how good claude is at identifying
> > > > > security fixes that an OSS project puts out with some nonchalant
> > > > > "improve testing of unzip" title hiding the key fix inside a larger
> > > > > diff. That used to work: not any more. Now OSS projects have to
> > > > > assume that as soon as a security fix is committed, it's announced.
> > > > > Apache httpd has hit this, and this week so has the linux kernel.
> > > > >
> > > > > Claude's security analysis
> > > > >
> > > > >  Only one security-relevant change: the Jackson upgrade. Net jump in
> > > > > this release is jackson 2.19.2 → 2.21.3 across jackson-core,
> > > > > jackson-databind, jackson-annotations, jackson-datatype-jsr310.
> > > > >
> > > > >  This transitively absorbs every Jackson CVE/GHSA fix published
> > > > > between those releases (mid-2025 → early-2026). No specific CVE IDs
> > > > > are called out by the Parquet PR descriptions, but jackson-databind
> > > > > in particular routinely ships polymorphic-deserialization advisories,
> > > > > so the bump should be treated as the de facto security content of
> > > > > 1.17.1.
> > > > >
> > > > >  Not security: the proto Uint32Value fix (ef00c463) is a
> > > > > data-correctness bug — old code mapped protobuf UInt32Value to
> > > > > Parquet INT64 then narrowed with Math.toIntExact, which would throw
> > > > > ArithmeticException on large values. New code maps it to INT32
> > > > > directly and adds an addInt handler. No exploit primitive; this is
> > > > > robustness, not a vulnerability fix.
> > > > >  No Parquet-specific CVE fixes in this release — no CVE- references
> > > > > in commit messages, no security advisory linked from the GitHub
> > > > > release notes, no entries in parquet-hadoop's encryption code path.
> > > > >
> > > > >  The release is essentially: a patch-level security hygiene update
> > > > > (Jackson) plus one protobuf correctness fix. Worth merging from a
> > > > > security standpoint — it pulls in upstream Jackson hardening — but
> > > > > it does not address any Parquet-specific advisory.
> > > > >
> > > > > -----
> > > > >
> > > > > After that I got it to do a jvm bytecode audit of nexus staged
> > > > > artifacts against locally generated artifacts.
> > > > >
> > > > > While cutting the hadoop 3.4.3 release I ended up pushing up the JAR
> > > > > files built on an arm64 system, which I wanted to compare against
> > > > > the x86s ones. I've also been considering how the manual release
> > > > > manager is a security risk to ASF projects. If I wanted to put
> > > > > malicious code out I'd do a legit RC while putting the malicious
> > > > > code into the staging maven binaries. I'd get the supply chain
> > > > > attack in while all reviews of the source and bin tarballs worked
> > > > > because they were consistent with the repository source. Who
> > > > > compares staged .jar files with local stuff?
> > > > >
> > > > > Hence, a new claude-authored kotlin tool, auditor, diffs jar files
> > > > > at the .class level, looking for differences in bytecodes,
> > > > > especially suspicious ones.
> > > > >
> > > > > https://github.com/steveloughran/auditor
> > > > >
> > > > > All good; only diff from my source build and the artifacts was the
> > > > > auto-generated version info strings.
> > > > >
> > > > > (Once Russell Spitzer's automated release process is in there'll be
> > > > > less need for this, but it's still some good due diligence and is
> > > > > trivial to run)
> > > > >
> > > > > steve
> > > > >
> > > > > On Fri, 8 May 2026 at 03:17, Gang Wu <[email protected]> wrote:
> > > > >
> > > > >> Hi everyone,
> > > > >>
> > > > >> I propose the following RC to be released as the official Apache
> > > > >> Parquet-Java 1.17.1 release.
> > > > >>
> > > > >> The commit ID is 78a8d3230eb4769db93de5f2f2e18363c04cae81
> > > > >> * This corresponds to the tag: apache-parquet-1.17.1-rc0
> > > > >> * https://github.com/apache/parquet-java/tree/78a8d3230eb4769db93de5f2f2e18363c04cae81
> > > > >>
> > > > >> The release tarball, signature, and checksums are here:
> > > > >> * https://dist.apache.org/repos/dist/dev/parquet/apache-parquet-1.17.1-rc0
> > > > >>
> > > > >> You can find the KEYS file here:
> > > > >> * https://downloads.apache.org/parquet/KEYS
> > > > >>
> > > > >> You can find the changelog here:
> > > > >> * https://github.com/apache/parquet-java/releases/tag/apache-parquet-1.17.1-rc0
> > > > >>
> > > > >> Binary artifacts are staged in Nexus here:
> > > > >> * https://repository.apache.org/content/repositories/orgapacheparquet-1078/
> > > > >>
> > > > >> Please download, verify, and test.
> > > > >>
> > > > >> Please vote in the next 72 hours.
> > > > >>
> > > > >> [ ] +1 Release this as Apache Parquet 1.17.1
> > > > >> [ ] +0
> > > > >> [ ] -1 Do not release this because...
> > > > >>
> > > > >> Kind regards,
> > > > >> Gang
> > > > >>
> > > > >
> > > >
> > >
> >
>


-- 
Xinli Shang
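Added example, not code from this thread, from the Parquet project or from the auditor tool: the three artifact checks the votes above describe, as runnable Python. verify_sha512 does the .sha512 comparison Xinli and Russell report, tarball_vs_tree does the source-tarball-vs-git-tag comparison (skipping .git/ and .idea/ exactly as Russell's report lists them as the only deltas), and jar_class_diff does the staged-jar-vs-local-build comparison Steve argues nobody usually runs, at the .class level so that the auto-generated version strings in MANIFEST.MF do not register as a difference. The function names, the assumption that the .sha512 file uses the coreutils "<hex digest>  <filename>" layout, and every file demo() builds are mine; the fixtures are constructed, not real release artifacts. A real run would point the functions at the downloaded tarball, the checked-out tag and the jars from the Nexus staging repository; GPG verification against the KEYS file still happens separately with gpg.

```python
# Release-candidate checks: SHA-512 verification, source tarball vs working
# tree, and a class-level diff of two jars. Added example, not code from the
# Parquet project, the auditor tool or any message in the thread. Assumes the
# .sha512 file uses the coreutils "<hex digest>  <filename>" layout; every
# file demo() builds is a constructed fixture, not a real release artifact.
import hashlib
import os
import tarfile
import tempfile
import zipfile


def sha512_of(path, chunk=1 << 20):
    """Stream a file through SHA-512 and return the lowercase hex digest."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_sha512(artifact, sha512_file):
    """True if the digest recorded in sha512_file (first token) matches."""
    with open(sha512_file) as f:
        return f.read().split()[0].lower() == sha512_of(artifact)


def tarball_vs_tree(tarball, tree, ignore=(".git", ".idea")):
    """Return (only_in_tar, only_in_tree, changed) as sorted relative paths.
    Top-level dirs in `ignore` are skipped; the tarball's top-level directory
    prefix is stripped so members compare against the tree by relative path."""
    tree_d = {}
    for root, dirs, files in os.walk(tree):
        rel_root = os.path.relpath(root, tree)
        if rel_root == ".":
            dirs[:] = [d for d in dirs if d not in ignore]
            rel_root = ""
        for name in files:
            rel = os.path.join(rel_root, name).replace(os.sep, "/")
            with open(os.path.join(root, name), "rb") as f:
                tree_d[rel] = hashlib.sha256(f.read()).hexdigest()
    tar_d = {}
    with tarfile.open(tarball) as tf:
        for m in tf.getmembers():
            if m.isfile():
                rel = m.name.split("/", 1)[1] if "/" in m.name else m.name
                tar_d[rel] = hashlib.sha256(tf.extractfile(m).read()).hexdigest()
    common = set(tar_d) & set(tree_d)
    return (sorted(set(tar_d) - set(tree_d)), sorted(set(tree_d) - set(tar_d)),
            sorted(p for p in common if tar_d[p] != tree_d[p]))


def jar_class_diff(jar_a, jar_b):
    """Return (added, removed, changed) .class entries of jar_b relative to
    jar_a. MANIFEST.MF and other non-.class entries are ignored, so version
    strings a local build differs in do not show; a changed .class does."""
    def digests(jar):
        with zipfile.ZipFile(jar) as zf:
            return {n: hashlib.sha256(zf.read(n)).hexdigest()
                    for n in zf.namelist() if n.endswith(".class")}
    a, b = digests(jar_a), digests(jar_b)
    return (sorted(set(b) - set(a)), sorted(set(a) - set(b)),
            sorted(n for n in set(a) & set(b) if a[n] != b[n]))


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(data)


def demo():
    """Run the three checks on constructed fixtures; returns a result dict."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = os.path.join(tmp, "tree")  # stand-in for the checked-out tag
        _write(os.path.join(tree, ".git", "HEAD"), "ref: refs/heads/main\n")
        _write(os.path.join(tree, "src", "A.java"), "class A {}\n")
        _write(os.path.join(tree, "LICENSE"), "Apache License 2.0\n")
        _write(os.path.join(tree, "NOTES.local"), "not in the tarball\n")
        tarball = os.path.join(tmp, "proj-1.0.tar.gz")  # what the RC ships
        with tarfile.open(tarball, "w:gz") as tf:
            tf.add(os.path.join(tree, "src"), arcname="proj-1.0/src")
            tf.add(os.path.join(tree, "LICENSE"), arcname="proj-1.0/LICENSE")
        good, bad = os.path.join(tmp, "good.sha512"), os.path.join(tmp, "bad.sha512")
        _write(good, sha512_of(tarball) + "  proj-1.0.tar.gz\n")
        _write(bad, "0" * 128 + "  proj-1.0.tar.gz\n")  # tampered digest
        local, staged = os.path.join(tmp, "local.jar"), os.path.join(tmp, "staged.jar")
        with zipfile.ZipFile(local, "w") as zf:  # jar built from source
            zf.writestr("META-INF/MANIFEST.MF", "Implementation-Version: 1.0-SNAPSHOT\n")
            zf.writestr("com/x/A.class", b"\xca\xfe\xba\xbeA")
            zf.writestr("com/x/B.class", b"\xca\xfe\xba\xbeB")
        with zipfile.ZipFile(staged, "w") as zf:  # staged jar: B altered, C added
            zf.writestr("META-INF/MANIFEST.MF", "Implementation-Version: 1.0\n")
            zf.writestr("com/x/A.class", b"\xca\xfe\xba\xbeA")
            zf.writestr("com/x/B.class", b"\xca\xfe\xba\xbeB-altered")
            zf.writestr("com/x/C.class", b"\xca\xfe\xba\xbeC")
        return {"checksum_ok": verify_sha512(tarball, good),
                "checksum_tampered": verify_sha512(tarball, bad),
                "tar_vs_tree": tarball_vs_tree(tarball, tree),
                "jar_diff": jar_class_diff(local, staged)}
```

demo() returns checksum_ok True, checksum_tampered False, tar_vs_tree ([], ['NOTES.local'], []) and jar_diff (['com/x/C.class'], [], ['com/x/B.class']): the manifest difference between the two jars is deliberately invisible, the altered and added classes are not. On a real RC the only acceptable jar_class_diff result against a local build of the same tag is three empty lists, and anything else is the thing to investigate before voting.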
