That was exactly my point in previous RC: even if it's prov file, I would have asc and sha512 anyway because this file will end on dist (and so download.apache.org). It's what we did in 0.10.
So, I suggest to add asc and sha512 (in addition of prov file). It was my suggestion in RC3 but I was not probably clear enough. Regards JB On Fri, Jul 4, 2025 at 12:22 AM Yufei Gu <flyrain...@gmail.com> wrote: > > Hi Dongjoon, > > Thanks for the vote! > > "polaris-1.0.0-incubating.tgz" comes with the checksum and signature. They > are located in the file "polaris-1.0.0-incubating.tgz.prov". You can check > them with a command like `cat polaris-1.0.0-incubating.tgz.prov`. It is the > way Helm Chart delivers its binary package. And you can use a command like > `helm verify polaris-1.0.0-incubating.tgz` to verify its signature and > checksum. The .asc file and .sha512 duplicate what's inside *.prov, > however, I can see that people may find it convenient if they are not > familiar with the Helm tools. We can easily add them if that's something > we do care about. WDYT? > > Yufei > > > On Thu, Jul 3, 2025 at 2:33 PM Dongjoon Hyun <dongj...@apache.org> wrote: > > > +1 (non-binding) > > > > Thank you, Yufei. > > > > I also checked the checksum and signatures of artifacts, and built and > > tested from the source. Helm chart installation also works with "--set > > image.tag=latest". > > > > Just a question, is it okay `polaris-1.0.0-incubating.tgz` has no > > checksum/signiture? > > > > $ tree helm-chart > > helm-chart > > ├── 1.0.0-incubating > > │ ├── polaris-1.0.0-incubating.tgz > > │ └── polaris-1.0.0-incubating.tgz.prov > > └── index.yaml > > > > Since the artifacts will be distributed in ASF channel, can we add > > `polaris-1.0.0-incubating.tgz.asc` and > > `polaris-1.0.0-incubating.tgz.sha512` additionally like Apache Airflow > > project? > > > > https://dist.apache.org/repos/dist/release/airflow/helm-chart/1.17.0/ > > > > airflow-1.17.0.tgz > > airflow-1.17.0.tgz.asc > > airflow-1.17.0.tgz.prov > > airflow-1.17.0.tgz.sha512 > > > > Thanks, > > Dongjoon. > > > > On 2025/07/03 13:23:26 William Hyun wrote: > > > +1 (non-binding) > > > > > > I verified the following: > > > - Source tarball (shasum and GPG signature) > > > - Build and test > > > - Verified server binary distribution > > > > > > Bests, > > > William > > > > > > On Thu, Jul 3, 2025 at 4:13 AM Alex Dutra <alex.du...@dremio.com.invalid > > > > > > wrote: > > > > > > > +1 (non-binding) > > > > > > > > Checked: > > > > > > > > * Checksums & signatures > > > > * Source release builds, passes tests, and has no binary files > > > > * Binary release: server & admin tool both work > > > > * Helm chart: helm verify, lint, pull & install work (the Docker image > > must > > > > be manually built) > > > > > > > > Thanks, > > > > Alex > > > > > > > > On Thu, Jul 3, 2025 at 5:47 AM Jean-Baptiste Onofré <j...@nanthrax.net> > > > > wrote: > > > > > > > > > +1 (binding) > > > > > > > > > > I checked: > > > > > - Source distribution > > > > > -- incubating is in the version > > > > > -- signature and checksum are good > > > > > -- DISCLAIMER is present > > > > > -- LICENSE and NOTICE are good (personally, I think NOTICE should not > > > > > mention Nessie as it's just the copyright and already in the LICENSE, > > > > > but one IPMC asked that during 0.9.0 release vote) > > > > > -- No binary file found in the source distribution > > > > > -- Headers look correct (NB: the files without header are coming from > > > > > other projects as mentioned in the LICENSE file and the original file > > > > > doesn't contain a header, like Docsy or Mustache templates). Nit: the > > > > > svg file (from the project) could contain ASF header. > > > > > -- Build works from source distribution > > > > > - Binary distribution > > > > > -- incubating is in the version > > > > > -- signature and checksum are good > > > > > -- DISCLAIMER is present > > > > > -- LICENSE and NOTICE look good > > > > > -- Can start Polaris server from the binary distribution > > > > > - Helm Chart Package > > > > > -- incubating is in the version > > > > > -- DISCLAIMER is present > > > > > -- LICENSE and NOTICE are good > > > > > -- Signature and checksum are good in prov file > > > > > -- Header are ok as it's a helm chart "package" (not source > > distribution) > > > > > - Bundle jar files (Spark plugin) > > > > > -- incubating is in the name > > > > > -- signature and checksum are good on the staging Maven repository > > > > > -- LICENSE and NOTICE look good (documented all bundled artifacts in > > > > > the Spark plugin) > > > > > > > > > > Regards > > > > > JB > > > > > > > > > > On Wed, Jul 2, 2025 at 8:55 PM Yufei Gu <flyrain...@gmail.com> > > wrote: > > > > > > > > > > > > Hi everyone, > > > > > > > > > > > > I propose that we release the following RC as the official Apache > > > > Polaris > > > > > > 1.0.0-incubating release. > > > > > > > > > > > > This corresponds to the tag: apache-polaris-1.0.0-incubating-rc6 > > > > > > * > > > > > > > > > > > > > > > > > https://github.com/apache/polaris/commits/apache-polaris-1.0.0-incubating-rc6 > > > > > > * > > > > > > > > > > > > > > > > > https://github.com/apache/polaris/tree/a701f105c5d44565ac0ea86db45edbcebdbed718 > > > > > > NB: it's exactly the same as RC5 except for this commit: > > > > > > > > > > > > > > > > > https://github.com/apache/polaris/commit/a701f105c5d44565ac0ea86db45edbcebdbed718 > > > > > > > > > > > > The release tarball, signature, and checksums are here, including > > both > > > > > > source code and binary distributions: > > > > > > * > > > > > > > > > > > > > > > > > https://dist.apache.org/repos/dist/dev/incubator/polaris/apache-polaris-1.0.0-incubating/ > > > > > > > > > > > > > > > > > > A binary package for Helm chart: > > > > > > > > > > > > * > > > > > > > > > > > > > > > > > https://dist.apache.org/repos/dist/dev/incubator/polaris/helm-chart/1.0.0-incubating/ > > > > > > NB: File > > > > > > > > > > > > > > > > > https://dist.apache.org/repos/dist/dev/incubator/polaris/helm-chart/1.0.0-incubating/polaris-1.0.0-incubating.tgz.prov > > > > > > contains > > > > > > both signature and checksum for the package. Please verify it with > > the > > > > > > command `helm verify`. > > > > > > The docker images (polaris-server and polaris-admin) will be > > published > > > > on > > > > > > DockerHub once the release vote passes. > > > > > > > > > > > > You can find the KEYS file here: > > > > > > * https://downloads.apache.org/incubator/polaris/KEYS > > > > > > > > > > > > Convenience binary artifacts are staged on Nexus. The Maven > > repository > > > > > URL > > > > > > is: > > > > > > * > > > > > > > > > > > https://repository.apache.org/content/repositories/orgapachepolaris-1027/ > > > > > > > > > > > > Please download, verify, and test. > > > > > > > > > > > > Please vote in the next 72 hours. > > > > > > > > > > > > [ ] +1 Release this as Apache polaris 1.0.0-incubating > > > > > > [ ] +0 > > > > > > [ ] -1 Do not release this because... > > > > > > > > > > > > Only PPMC members and mentors have binding votes, but other > > community > > > > > > members are > > > > > > encouraged to cast non-binding votes. This vote will pass if there > > are > > > > 3 > > > > > > binding +1 votes and more binding +1 votes than -1 votes. > > > > > > > > > > > > NB: if this vote passes, a new vote has to be started on the > > Incubator > > > > > > general mailing list. > > > > > > > > > > > > Yufei > > > > > > > > > > > > > >
