Thanks for the clarification, JB. Sorry for misunderstanding the Apache Solr notice issue. And I agree the Jetty case is covered. I still think propagating the Joda NOTICE would be cleaner for downstream redistribution hygiene, though I understand the argument that this likely does not rise to a release blocking issue. I revise my vote from -1 to 0.
Yufei On Thu, May 14, 2026 at 10:31 PM Jean-Baptiste Onofré <[email protected]> wrote: > Hi Yufei > > Apache Solr NOTICE doesn't need to be included in our NOTICE: it's already > covered by "This product includes software developed at > The Apache Software Foundation (http://www.apache.org/)." (that's why we > don't include NOTICE from ASF projects by default). > > The Jetty NOTICE is already included in our NOTICE: "This product bundles > Jetty with the following in its NOTICE file:" > > So I don't see the problem here. > > For Joda time, it's good to include it, but regarding the NOTICE ( > https://github.com/JodaOrg/joda-time/blob/main/NOTICE.txt), I don't think > it's a blocker. > > Regards > JB > > On Fri, May 15, 2026 at 12:02 AM Yufei Gu <[email protected]> wrote: > > > -1 > > > > The 1.5.0-rc0 introduces 19 newly-bundled third-party libraries in > > polaris-bin/server/lib/main/ (per the LICENSE diff vs 1.4.0). Of these, > > at least Apache Solr (solr-solrj 8.11.3, transitively via > > ranger-audit-dest-solr), Eclipse Jetty (jetty-client / jetty-http > 9.4.56), > > and Joda-Time (2.10.6) contains substantive upstream NOTICE content that > is > > not propagated into polaris-bin/NOTICE, contrary to > > https://www.apache.org/legal/release-policy.html#license-modules-incl. > > Recommend (a) excluding ranger-audit-dest-solr if > Solr-as-audit-destination > > isn't a supported config, and (b) propagating the Jetty and Joda-Time > > NOTICE blocks for what remains. > > > > More details for (a): The build already excludes ranger-audit-dest-hdfs > > (line 29 in the extension's build file) but not ranger-audit-dest-solr. > If > > audit-to-Solr isn't a feature Polaris actually intends to ship, the easy > > fix is to add a matching exclude: > > > > implementation(libs.ranger.authz.embedded) { > > exclude("org.apache.ranger", "ranger-audit-dest-hdfs") > > exclude("org.apache.ranger", "ranger-audit-dest-solr") // also drops > > solr-solrj transitively > > ... > > } > > > > All other checks are good. Thanks JB for preparing it. > > > > Automated check (verify-release.sh) > > - Exit 0, Automatic release check succeeded, empty failures log > > - KEYS imported; GPG sigs + SHA512 valid for: source tarball, > polaris-bin > > (.tgz/.zip), Helm chart (+.prov), all 76 Maven module artifacts > > - Local build (publishToMavenLocal sourceTarball assemble > > -PjarWithGitInfo) succeeded > > - LICENSE + NOTICE present in the source tree, all main/sources JARs > > (META-INF/), polaris-bin tgz/zip, and Helm chart > > > > Manual checks > > - Verified that no JDBC schema changes exist between versions 1.4.0 and > > 1.5.0. If a user upgrades from 1.4.0 to 1.5.0, no JDBC schema migration > is > > required. > > - Source tarball: no prohibited binaries (no > .jar/.class/.so/.dll/.exe). > > NOTICE correctly attributes ASF, Snowflake donation, and Nessie. > > - Git log: 295 commits since apache-polaris-1.4.0; tag HEAD is the > > expected [chore] Bump version to 1.5.0, preceded by normal feature/fix > work > > (no suspicious last-minute changes). > > - Helm chart: helm lint clean, helm template renders > > ConfigMap/Deployment/Service/ServiceAccount, Chart.yaml shows version: > > 1.5.0, appVersion: 1.5.0. > > - polaris-bin: contains both admin/ and server/ Quarkus apps with > correct > > 1.5.0 version on inner jars. > > - Python wheel (ASF dist): GPG signature is good; SHA512 matches. > > Compared to the Test PyPI wheel apache_polaris-1.5.0rc0-py3-none-any.whl: > > source code byte-identical; only difference is METADATA Version: 1.5.0 > > (ASF) vs 1.5.0rc0 (TestPyPI), which is expected per staging convention. > > > > > > > > Yufei > > > > > > On Thu, May 14, 2026 at 1:12 PM Francois Papon < > > [email protected]> > > wrote: > > > > > +1 (binding) > > > > > > All checks passed. > > > > > > Just a side note, the doap.rdf file in the source is not up to date, > the > > > latest release mentioned is 1.3.0-incubating. > > > > > > regards, > > > > > > François > > > [email protected] > > > [email protected] > > > > > > Le 14/05/2026 à 09:15, Jean-Baptiste Onofré a écrit : > > > > Hi everyone, > > > > > > > > I propose that we release the following RC as the official Apache > > Polaris > > > > 1.5.0 release. > > > > > > > > This corresponds to the tag: apache-polaris-1.5.0-rc0 > > > > > > > > * https://github.com/apache/polaris/commits/apache-polaris-1.5.0-rc0 > > > > * > > > > > > > > > > https://github.com/apache/polaris/tree/da95233805815b1d6a8576c5b527143193e7d7e5 > > > > > > > > The release tarball, signature, and checksums are here: > > > > > > > > * https://dist.apache.org/repos/dist/dev/polaris/1.5.0 > > > > > > > > Helm charts are available on: > > > > > > > > * https://dist.apache.org/repos/dist/dev/polaris/helm-chart/1.5.0 > > > > > > > > NB: you have to build the Docker images locally in order to test Helm > > > > charts. > > > > > > > > The Python CLI wheel is available on: > > > > > > > > * https://dist.apache.org/repos/dist/dev/polaris/python-client/1.5.0 > > > > > > > > The Python CLI is also available on Test PyPI: > > > > > > > > * https://test.pypi.org/project/apache-polaris/1.5.0rc0/ > > > > > > > > You can find the KEYS file here: > > > > > > > > * https://downloads.apache.org/polaris/KEYS > > > > > > > > Convenience binary artifacts are staged on Nexus. The Maven > repository > > > URL > > > > is: > > > > > > > > * > > > > > > https://repository.apache.org/content/repositories/orgapachepolaris-1067/ > > > > > > > > Please download, verify, and test according to the release > verification > > > > guide, which can be found at: > > > > > > > > * > > > > > > > > > > https://polaris.apache.org/community/release-guides/release-verification-guide/ > > > > > > > > Please vote in the next 72 hours. > > > > > > > > [ ] +1 Release this as Apache Polaris 1.5.0 > > > > [ ] +0 > > > > [ ] -1 Do not release this because... > > > > > > > > Only PMC members have binding votes, but other community members are > > > > encouraged to cast non-binding votes. > > > > This vote will pass if there are 3 binding +1 votes and more binding > +1 > > > > votes than -1 votes. > > > > > > > > Regards > > > > JB > > > > > > > > > >
