Hi Ed,
I can see why you voted -1. One topic that I'd like to query is the
requirement to have incubating in the name of jars. I have never seen
that. I would struggle to remember seeing any jar names in any release
that had incubating in the name.
The source release tarball must have incubating in the name but that's
about the only thing that I check for.
I'm happy to be corrected but if I'm wrong about jar names then I've
seen a lot of non-compliant Incubator podling releases.

Thanks,
PJ

On Fri, 21 Nov 2025 at 11:28, Ed Espino <[email protected]> wrote:
>
> -1 (binding)
>
> I cannot recommend releasing this package due to four critical Apache
> policy violations that must be corrected before approval.
>
> =====================================
> Summary
> =====================================
>
> [PASS] Cryptographic signatures (GPG + SHA-512): VERIFIED
> [PASS] Source compliance (LICENSE, NOTICE, DISCLAIMER): PASSED
> [PARTIAL] License headers (Apache RAT): PASSED for main repo only (1,901
> files, 0 unknown)
> [FAIL] RC designation in release URL: MISSING
> [FAIL] Release structure (single repository per vote): VIOLATION (4 repos
> bundled)
> [FAIL] JAR naming compliance (incubating): FAILED (59/60 artifacts
> non-compliant, 98.3%)
> [FAIL] Release process (premature tagging): VIOLATION
>
> Release Candidate:
> https://dist.apache.org/repos/dist/dev/incubator/hugegraph/1.7.0
>
> KEYS:
> https://downloads.apache.org/incubator/hugegraph/KEYS
>
> Artifacts (4 repositories bundled):
> - apache-hugegraph-incubating-1.7.0-src.tar.gz (2.2M)
> - apache-hugegraph-incubating-1.7.0.tar.gz (892M, binary)
> - apache-hugegraph-ai-incubating-1.7.0-src.tar.gz (208K)
> - apache-hugegraph-computer-incubating-1.7.0-src.tar.gz (810K)
> - apache-hugegraph-toolchain-incubating-1.7.0-src.tar.gz (1.4M)
> - apache-hugegraph-toolchain-incubating-1.7.0.tar.gz (580M, binary)
>
> =====================================
> Detailed Verification Report
> =====================================
>
> Environment:
> - Java: OpenJDK 11.0.25 (Red Hat 11.0.25+9-LTS)
> - Python: 3.9.21
> - Go: 1.25.2
> - Maven: 3.x
> - OS: Rocky Linux 9.6 (Blue Onyx)
> - Kernel: 5.14.0-570.17.1.el9_6.x86_64
>
> [PASS] Cryptographic Verification
>     - GPG signature verification: PASSED (all 6 artifacts)
>     - SHA-512 checksum verification: PASSED (all 6 artifacts)
>
> [PASS] Source Compliance
>     - LICENSE files: VALID (Apache License 2.0, all 4 sources)
>     - NOTICE files: VALID (correct attribution, 2025 copyright, all 4
> sources)
>     - DISCLAIMER files: VALID (incubation status, all 4 sources)
>     - Tarball naming: CORRECT (all contain "incubating")
>     - KEYS URL: CORRECT (downloads.apache.org, not dist/dev)
>
> [PASS] License Header Validation (Apache RAT)
>     - apache-hugegraph-incubating: 1,901 files scanned, 0 unknown
>     - Other repositories (ai, computer, toolchain): NOT FULLY VALIDATED
>
>     Note: Only the main hugegraph repository received full RAT analysis.
>     The other three repositories require separate RAT scans for complete
>     validation.
>
> [FAIL] RC Designation in Release URL
>     Current URL:
>       https://dist.apache.org/repos/dist/dev/incubator/hugegraph/1.7.0
>
>     Expected URL:
>       https://dist.apache.org/repos/dist/dev/incubator/hugegraph/1.7.0-rc1
>
>     Problem:
>     - No RC designation (rc1, rc2, etc.) in URL or artifact names
>     - Apache releases require numbered release candidates for voting
>     - Prevents proper iteration if issues are found
>
>     Policy: https://www.apache.org/legal/release-policy.html
>
> [FAIL] Release Structure (Repository Independence)
>     Found 4 source tarballs from 4 separate Git repositories:
>
>     1. apache-hugegraph-incubating-1.7.0-src.tar.gz
>        Repository: apache/incubator-hugegraph (core/server)
>
>     2. apache-hugegraph-ai-incubating-1.7.0-src.tar.gz
>        Repository: apache/incubator-hugegraph-ai (AI components)
>
>     3. apache-hugegraph-computer-incubating-1.7.0-src.tar.gz
>        Repository: apache/incubator-hugegraph-computer (compute engine)
>
>     4. apache-hugegraph-toolchain-incubating-1.7.0-src.tar.gz
>        Repository: apache/incubator-hugegraph-toolchain (tools/utilities)
>
>     Problem:
>     - Apache policy requires separate release votes per repository
>     - Each repository represents distinct codebase with independent history
>     - Bundling prevents independent verification and release cycles
>
>     Policy: https://www.apache.org/legal/release-policy.html
>     ("What Must Every ASF Release Contain")
>
> [PASS] Source Builds
>     Maven/Java builds (Java 11):
>     - apache-hugegraph-incubating: SUCCESS (39 JARs produced)
>     - apache-hugegraph-toolchain: SUCCESS (10 JARs produced)
>     - apache-hugegraph-computer/computer: SUCCESS (9 JARs produced)
>
>     Python build (Python 3.9):
>     - apache-hugegraph-ai: SUCCESS (1 wheel + 1 sdist)
>
>     Go build (Go 1.25.2):
>     - apache-hugegraph-computer/vermeer: SUCCESS (1 binary, 62MB)
>
> [FAIL] JAR Naming Compliance (Incubator Branding)
>     Total artifacts checked: 60
>     - JAR files: 58 (Maven builds)
>     - Python wheels: 1
>     - Python source distributions: 1
>
>     Results:
>     - Compliant: 1 (1.7%)
>     - Non-compliant: 59 (98.3%)
>
>     Maven/Java violations (57 out of 58 JARs):
>
>     apache-hugegraph-incubating (38/39 violations):
>       * hugegraph-core-1.7.0.jar (missing "incubating")
>       * hugegraph-api-1.7.0.jar (missing "incubating")
>       * hg-pd-client-1.7.0.jar (missing "incubating")
>       * hugegraph-cassandra-1.7.0.jar (missing "incubating")
>       * hugegraph-rocksdb-1.7.0.jar (missing "incubating")
>       * hugegraph-mysql-1.7.0.jar (missing "incubating")
>       ... (32 more violations)
>
>     apache-hugegraph-toolchain (10/10 violations):
>       * hugegraph-loader-1.7.0.jar (missing "incubating")
>       * hugegraph-tools-1.7.0.jar (missing "incubating")
>       * hugegraph-hubble-1.7.0.jar (missing "incubating")
>       * hugegraph-client-1.7.0.jar (missing "incubating")
>       ... (6 more violations)
>
>     apache-hugegraph-computer/computer (9/9 violations):
>       * computer-core-1.7.0.jar (missing "incubating")
>       * computer-api-1.7.0.jar (missing "incubating")
>       * computer-algorithm-1.7.0.jar (missing "incubating")
>       ... (6 more violations)
>
>     Python violations (2/2 artifacts):
>       * hugegraph_ai-1.7.0-py3-none-any.whl (missing "incubating")
>       * hugegraph_ai-1.7.0.tar.gz (missing "incubating")
>
>     Only ONE compliant artifact:
>       * apache-hugegraph-loader-incubating-1.7.0-shaded.jar
>
>     Problem:
>     - Apache Incubator policy REQUIRES all distributed artifacts to
>       include "incubating" in their names
>     - Affects JARs, Python wheels, and all built artifacts
>     - Demonstrates systematic version configuration issue across all
> projects
>
>     Root cause: Maven POM files and Python pyproject.toml use version
>     "1.7.0" instead of "1.7.0-incubating"
>
>     Policy: https://incubator.apache.org/policy/incubation.html
>
> [FAIL] Release Process (Premature Tagging)
>     Problem:
>     - Git release tags appear to have been created with "1.7.0" labels
>       before the vote has completed and passed
>     - Apache releases are determined by community vote, not by committers
>       applying tags
>     - Release tags should only be applied AFTER successful PPMC and IPMC
> votes
>
>     Impact:
>     - Violates principle that releases are determined by vote
>     - Creates confusion about official release status
>     - If vote fails, tags must be deleted and artifacts regenerated
>
> =====================================
> Notes
> =====================================
>
> This is my first vote for HugeGraph. I'm not familiar with the project's
> typical release process, so I'm focusing on identifying policy violations
> rather than prescribing specific solutions. The PPMC and release manager
> will be better positioned to determine the appropriate corrective approach.
>
> What was verified:
> - All cryptographic verification passes (GPG signatures and SHA-512
> checksums)
> - LICENSE, NOTICE, and DISCLAIMER files present in all 4 source tarballs
> - License headers validated for apache-hugegraph-incubating only (1,901
> files)
> - All 4 repositories build successfully (Java, Python, Go)
>
> Detailed analysis available at:
> /home/cbadmin/assembly-bom/stations/core/hugegraph/reports/
>
> =====================================
> Conclusion
> =====================================
>
> There are four fundamental Apache policy violations that must be corrected
> before this release can be approved:
>
> 1. Missing RC designation in release URL
> 2. Multiple repositories bundled in single vote (requires separate votes)
> 3. Built artifacts missing "incubating" suffix (98.3% non-compliant)
> 4. Premature release tagging before vote completion
>
> These are not minor issues - they are fundamental process requirements that
> must be addressed.
>
> -1 (binding)
>
> --
> Ed Espino
> Apache Cloudberry (Incubating) & MADlib
>
>
> On Thu, Nov 20, 2025 at 3:05 AM Junzhi Peng <[email protected]>
> wrote:
>
> > Hello Incubator Community,
> >
> > This is a call for a vote to release Apache HugeGraph (Incubating) version
> > 1.7.0
> >
> > The Apache HugeGraph community has voted on and approved a proposal to
> > release Apache HugeGraph (Incubating) version 1.7.0
> >
> > We now kindly request the Incubator PMC members review and vote on
> > this incubator release.
> >
> > HugeGraph community vote thread:
> > • https://lists.apache.org/thread/zyy4v8ky3w5tb0ypgjyhzxs05fv2l2gy
> >
> > Vote result thread:
> > • https://lists.apache.org/thread/w1oz6y6orr75l1nqkbwsn1tb7s6chzhs
> >
> > The release candidate:
> > • https://dist.apache.org/repos/dist/dev/incubator/hugegraph/1.7.0
> >
> > Git tag & Commit hash for the release:
> > • https://github.com/apache/incubator-hugegraph/tree/1.7.0 (b12425c)
> > • https://github.com/apache/incubator-hugegraph-toolchain/tree/1.7.0
> > (1643f2b)
> > • https://github.com/apache/incubator-hugegraph-computer/tree/1.7.0
> > (6dae7d2)
> > • https://github.com/apache/incubator-hugegraph-ai/tree/1.7.0 (101f10f)
> >
> > Keys to verify the Release Candidate:
> > • https://downloads.apache.org/incubator/hugegraph/KEYS
> >
> > The release GPG user ID: pengjunzhi <[email protected]>
> >
> > The vote will be open for at least 72 hours or until the necessary
> > number of votes are reached.
> >
> > Please vote accordingly:
> > [ ] +1 approve
> > [ ] +0 no opinion
> > [ ] -1 disapprove with the reason
> >
> > For a more detailed checklist, please refer to:
> > •
> > https://cwiki.apache.org/confluence/display/INCUBATOR/Incubator+Release+Checklist
> >
> > For steps to validate the release, please refer to:
> > •
> > https://hugegraph.apache.org/docs/contribution-guidelines/validate-release/
> > (EN)
> > •
> > https://hugegraph.apache.org/cn/docs/contribution-guidelines/validate-release/
> > (CN)
> >
> >
> > Thanks,
> > On behalf of Apache HugeGraph (Incubating) community
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [email protected]
> > For additional commands, e-mail: [email protected]
> >
> >
