Hi Yufei Apache Solr NOTICE doesn't need to be included in our NOTICE: it's already covered by "This product includes software developed at The Apache Software Foundation (http://www.apache.org/)." (that's why we don't include NOTICE from ASF projects by default).
The Jetty NOTICE is already included in our NOTICE: "This product bundles Jetty with the following in its NOTICE file:" So I don't see the problem here. For Joda time, it's good to include it, but regarding the NOTICE ( https://github.com/JodaOrg/joda-time/blob/main/NOTICE.txt), I don't think it's a blocker. Regards JB On Fri, May 15, 2026 at 12:02 AM Yufei Gu <[email protected]> wrote: > -1 > > The 1.5.0-rc0 introduces 19 newly-bundled third-party libraries in > polaris-bin/server/lib/main/ (per the LICENSE diff vs 1.4.0). Of these, > at least Apache Solr (solr-solrj 8.11.3, transitively via > ranger-audit-dest-solr), Eclipse Jetty (jetty-client / jetty-http 9.4.56), > and Joda-Time (2.10.6) contains substantive upstream NOTICE content that is > not propagated into polaris-bin/NOTICE, contrary to > https://www.apache.org/legal/release-policy.html#license-modules-incl. > Recommend (a) excluding ranger-audit-dest-solr if Solr-as-audit-destination > isn't a supported config, and (b) propagating the Jetty and Joda-Time > NOTICE blocks for what remains. > > More details for (a): The build already excludes ranger-audit-dest-hdfs > (line 29 in the extension's build file) but not ranger-audit-dest-solr. If > audit-to-Solr isn't a feature Polaris actually intends to ship, the easy > fix is to add a matching exclude: > > implementation(libs.ranger.authz.embedded) { > exclude("org.apache.ranger", "ranger-audit-dest-hdfs") > exclude("org.apache.ranger", "ranger-audit-dest-solr") // also drops > solr-solrj transitively > ... > } > > All other checks are good. Thanks JB for preparing it. > > Automated check (verify-release.sh) > - Exit 0, Automatic release check succeeded, empty failures log > - KEYS imported; GPG sigs + SHA512 valid for: source tarball, polaris-bin > (.tgz/.zip), Helm chart (+.prov), all 76 Maven module artifacts > - Local build (publishToMavenLocal sourceTarball assemble > -PjarWithGitInfo) succeeded > - LICENSE + NOTICE present in the source tree, all main/sources JARs > (META-INF/), polaris-bin tgz/zip, and Helm chart > > Manual checks > - Verified that no JDBC schema changes exist between versions 1.4.0 and > 1.5.0. If a user upgrades from 1.4.0 to 1.5.0, no JDBC schema migration is > required. > - Source tarball: no prohibited binaries (no .jar/.class/.so/.dll/.exe). > NOTICE correctly attributes ASF, Snowflake donation, and Nessie. > - Git log: 295 commits since apache-polaris-1.4.0; tag HEAD is the > expected [chore] Bump version to 1.5.0, preceded by normal feature/fix work > (no suspicious last-minute changes). > - Helm chart: helm lint clean, helm template renders > ConfigMap/Deployment/Service/ServiceAccount, Chart.yaml shows version: > 1.5.0, appVersion: 1.5.0. > - polaris-bin: contains both admin/ and server/ Quarkus apps with correct > 1.5.0 version on inner jars. > - Python wheel (ASF dist): GPG signature is good; SHA512 matches. > Compared to the Test PyPI wheel apache_polaris-1.5.0rc0-py3-none-any.whl: > source code byte-identical; only difference is METADATA Version: 1.5.0 > (ASF) vs 1.5.0rc0 (TestPyPI), which is expected per staging convention. > > > > Yufei > > > On Thu, May 14, 2026 at 1:12 PM Francois Papon < > [email protected]> > wrote: > > > +1 (binding) > > > > All checks passed. > > > > Just a side note, the doap.rdf file in the source is not up to date, the > > latest release mentioned is 1.3.0-incubating. > > > > regards, > > > > François > > [email protected] > > [email protected] > > > > Le 14/05/2026 à 09:15, Jean-Baptiste Onofré a écrit : > > > Hi everyone, > > > > > > I propose that we release the following RC as the official Apache > Polaris > > > 1.5.0 release. > > > > > > This corresponds to the tag: apache-polaris-1.5.0-rc0 > > > > > > * https://github.com/apache/polaris/commits/apache-polaris-1.5.0-rc0 > > > * > > > > > > https://github.com/apache/polaris/tree/da95233805815b1d6a8576c5b527143193e7d7e5 > > > > > > The release tarball, signature, and checksums are here: > > > > > > * https://dist.apache.org/repos/dist/dev/polaris/1.5.0 > > > > > > Helm charts are available on: > > > > > > * https://dist.apache.org/repos/dist/dev/polaris/helm-chart/1.5.0 > > > > > > NB: you have to build the Docker images locally in order to test Helm > > > charts. > > > > > > The Python CLI wheel is available on: > > > > > > * https://dist.apache.org/repos/dist/dev/polaris/python-client/1.5.0 > > > > > > The Python CLI is also available on Test PyPI: > > > > > > * https://test.pypi.org/project/apache-polaris/1.5.0rc0/ > > > > > > You can find the KEYS file here: > > > > > > * https://downloads.apache.org/polaris/KEYS > > > > > > Convenience binary artifacts are staged on Nexus. The Maven repository > > URL > > > is: > > > > > > * > > > https://repository.apache.org/content/repositories/orgapachepolaris-1067/ > > > > > > Please download, verify, and test according to the release verification > > > guide, which can be found at: > > > > > > * > > > > > > https://polaris.apache.org/community/release-guides/release-verification-guide/ > > > > > > Please vote in the next 72 hours. > > > > > > [ ] +1 Release this as Apache Polaris 1.5.0 > > > [ ] +0 > > > [ ] -1 Do not release this because... > > > > > > Only PMC members have binding votes, but other community members are > > > encouraged to cast non-binding votes. > > > This vote will pass if there are 3 binding +1 votes and more binding +1 > > > votes than -1 votes. > > > > > > Regards > > > JB > > > > > >
