-1
The 1.5.0-rc0 introduces 19 newly-bundled third-party libraries in
polaris-bin/server/lib/main/ (per the LICENSE diff vs 1.4.0). Of these,
at least Apache Solr (solr-solrj 8.11.3, transitively via
ranger-audit-dest-solr), Eclipse Jetty (jetty-client / jetty-http 9.4.56),
and Joda-Time (2.10.6) contains substantive upstream NOTICE content that is
not propagated into polaris-bin/NOTICE, contrary to
https://www.apache.org/legal/release-policy.html#license-modules-incl.
Recommend (a) excluding ranger-audit-dest-solr if Solr-as-audit-destination
isn't a supported config, and (b) propagating the Jetty and Joda-Time
NOTICE blocks for what remains.
More details for (a): The build already excludes ranger-audit-dest-hdfs
(line 29 in the extension's build file) but not ranger-audit-dest-solr. If
audit-to-Solr isn't a feature Polaris actually intends to ship, the easy
fix is to add a matching exclude:
implementation(libs.ranger.authz.embedded) {
exclude("org.apache.ranger", "ranger-audit-dest-hdfs")
exclude("org.apache.ranger", "ranger-audit-dest-solr") // also drops
solr-solrj transitively
...
}
All other checks are good. Thanks JB for preparing it.
Automated check (verify-release.sh)
- Exit 0, Automatic release check succeeded, empty failures log
- KEYS imported; GPG sigs + SHA512 valid for: source tarball, polaris-bin
(.tgz/.zip), Helm chart (+.prov), all 76 Maven module artifacts
- Local build (publishToMavenLocal sourceTarball assemble
-PjarWithGitInfo) succeeded
- LICENSE + NOTICE present in the source tree, all main/sources JARs
(META-INF/), polaris-bin tgz/zip, and Helm chart
Manual checks
- Verified that no JDBC schema changes exist between versions 1.4.0 and
1.5.0. If a user upgrades from 1.4.0 to 1.5.0, no JDBC schema migration is
required.
- Source tarball: no prohibited binaries (no .jar/.class/.so/.dll/.exe).
NOTICE correctly attributes ASF, Snowflake donation, and Nessie.
- Git log: 295 commits since apache-polaris-1.4.0; tag HEAD is the
expected [chore] Bump version to 1.5.0, preceded by normal feature/fix work
(no suspicious last-minute changes).
- Helm chart: helm lint clean, helm template renders
ConfigMap/Deployment/Service/ServiceAccount, Chart.yaml shows version:
1.5.0, appVersion: 1.5.0.
- polaris-bin: contains both admin/ and server/ Quarkus apps with correct
1.5.0 version on inner jars.
- Python wheel (ASF dist): GPG signature is good; SHA512 matches.
Compared to the Test PyPI wheel apache_polaris-1.5.0rc0-py3-none-any.whl:
source code byte-identical; only difference is METADATA Version: 1.5.0
(ASF) vs 1.5.0rc0 (TestPyPI), which is expected per staging convention.
Yufei
On Thu, May 14, 2026 at 1:12 PM Francois Papon <[email protected]>
wrote:
> +1 (binding)
>
> All checks passed.
>
> Just a side note, the doap.rdf file in the source is not up to date, the
> latest release mentioned is 1.3.0-incubating.
>
> regards,
>
> François
> [email protected]
> [email protected]
>
> Le 14/05/2026 à 09:15, Jean-Baptiste Onofré a écrit :
> > Hi everyone,
> >
> > I propose that we release the following RC as the official Apache Polaris
> > 1.5.0 release.
> >
> > This corresponds to the tag: apache-polaris-1.5.0-rc0
> >
> > * https://github.com/apache/polaris/commits/apache-polaris-1.5.0-rc0
> > *
> >
> https://github.com/apache/polaris/tree/da95233805815b1d6a8576c5b527143193e7d7e5
> >
> > The release tarball, signature, and checksums are here:
> >
> > * https://dist.apache.org/repos/dist/dev/polaris/1.5.0
> >
> > Helm charts are available on:
> >
> > * https://dist.apache.org/repos/dist/dev/polaris/helm-chart/1.5.0
> >
> > NB: you have to build the Docker images locally in order to test Helm
> > charts.
> >
> > The Python CLI wheel is available on:
> >
> > * https://dist.apache.org/repos/dist/dev/polaris/python-client/1.5.0
> >
> > The Python CLI is also available on Test PyPI:
> >
> > * https://test.pypi.org/project/apache-polaris/1.5.0rc0/
> >
> > You can find the KEYS file here:
> >
> > * https://downloads.apache.org/polaris/KEYS
> >
> > Convenience binary artifacts are staged on Nexus. The Maven repository
> URL
> > is:
> >
> > *
> https://repository.apache.org/content/repositories/orgapachepolaris-1067/
> >
> > Please download, verify, and test according to the release verification
> > guide, which can be found at:
> >
> > *
> >
> https://polaris.apache.org/community/release-guides/release-verification-guide/
> >
> > Please vote in the next 72 hours.
> >
> > [ ] +1 Release this as Apache Polaris 1.5.0
> > [ ] +0
> > [ ] -1 Do not release this because...
> >
> > Only PMC members have binding votes, but other community members are
> > encouraged to cast non-binding votes.
> > This vote will pass if there are 3 binding +1 votes and more binding +1
> > votes than -1 votes.
> >
> > Regards
> > JB
> >
>
