Hi, The verification script was built with full "bit-by-bit" reproducibility in mind. The verification failure here is technically correct, Quarkus-generated bytecode is currently expected to cause a bit-by-bit verification failure.
What it's basically saying is: "I cannot verify that the artifacts fully match the result as expected from the source tree." It's annoying, but, in my very personal opinion, it's correct and should stay. Hence the paragraph about the Quarkus generated jars in the failure message. One may also interpret this as: "I should look, at least, into the zip/tar files and validate that only the Quarkus generated bytecode is causing the difference - and nothing else, for example, a dependency jar."" Robert On Tue, Mar 31, 2026 at 12:42 PM Adnan Hemani via dev < [email protected]> wrote: > Robert and/or Pierre, can one of you confirm this? If so, I can open a PR > tomorrow removing these checks from the script. We can add it back in the > future once Quarkus reproducible builds are in a version that Polaris runs > on. > > -Adnan > > On Tue, Mar 31, 2026 at 3:36 AM Jean-Baptiste Onofré <[email protected]> > wrote: > > > I agree. I think it was anticipated steps. > > > > Le mar. 31 mars 2026 à 12:27, Adnan Hemani via dev < > [email protected]> > > a écrit : > > > >> If all artifacts fail due to these reasons, then why did we ever insert > >> these checks into the script? IMO there is no point in creating all this > >> noise in the script output if we should not ever expect it to succeed. > >> > >> -Adnan > >> > >> On Tue, Mar 31, 2026 at 12:32 AM Jean-Baptiste Onofré <[email protected]> > >> wrote: > >> > >> > By the way, as tracking in issue #2204, it's expected the > >> > verify-release.sh script warns about differences between local build > and > >> > files on dist/maven staging repo. > >> > > >> > The reason is: > >> > - Quarkus-generated bytecode (generated-bytecode.jar, > >> > transformed-bytecode.jar, quarkus-application.jar) is > non-deterministic > >> > - Re-assembled jars (polaris-admin-*.jar, polaris-server-*.jar) > >> contain > >> > the above > >> > - Zips/tarballs containing any of the above inherit the > >> > non-reproducibility > >> > Until Quarkus fully supports reproducible builds, these differences > are > >> > expected and should be reviewed manually rather than treated as > release > >> > blockers. > >> > > >> > So, maybe we should have a "clear/emphasized" message on the > >> > verify-release.sh script about "reproducible build known issue". > >> > > >> > Regards > >> > JB > >> > > >> > > >> > On Tue, Mar 31, 2026 at 6:37 AM Jean-Baptiste Onofré <[email protected] > > > >> > wrote: > >> > > >> >> I created https://github.com/apache/polaris/pull/4092 to update the > >> >> verify-release.sh script, checking if LICENSE/NOTICE exists in either > >> root > >> >> or META-INF. > >> >> > >> >> Regards > >> >> JB > >> >> > >> >> On Tue, Mar 31, 2026 at 6:16 AM Yufei Gu <[email protected]> > wrote: > >> >> > >> >>> Thanks for the confirmation, JB, that aligns with my understanding. > >> >>> > >> >>> Let me briefly summarize the issue raised in the thread: > >> >>> https://lists.apache.org/thread/bv2bdv4d2yhslnmj9bthsthfsd35b0of > >> >>> > >> >>> Adnan noted that the verify-release script reports missing LICENSE > and > >> >>> NOTICE files under META-INF/ for the Spark connector JARs, which > were > >> >>> removed in PR 3912. > >> >>> > >> >>> My understanding is that these files are not required in META-INF/, > as > >> >>> the top-level LICENSE and NOTICE files should be sufficient. I also > >> >>> double-checked previous releases: versions 1.0.0, 1.0.1, 1.1.0, and > >> 1.2.0 > >> >>> do not include them under META-INF/, while only 1.3.0 does. > >> >>> > >> >>> Given this, I suggest either ignoring this warning from the > >> >>> verify-release script or updating the script accordingly. > >> >>> > >> >>> Yufei > >> >>> > >> >>> > >> >>> On Mon, Mar 30, 2026 at 8:59 PM Jean-Baptiste Onofré < > [email protected] > >> > > >> >>> wrote: > >> >>> > >> >>>> Hi > >> >>>> > >> >>>> An update about 1.4.0 release: > >> >>>> - LICENSE/NOTICE have been fixed on the Spark plugin > >> >>>> - We have a plan about the CLI for the 1.4.0 release > >> >>>> - I checked Spark plugin build and it looks compliant with > >> reproducible > >> >>>> build to me (since ShadowJar extends AbstractArchiveTask, the > >> >>>> createPolarisSparkJar bundle JAR also inherits these settings > >> >>>> automatically, meaning both the regular JAR and the shadow/bundle > JAR > >> >>>> should be reproducible). > >> >>>> > >> >>>> I think we are good to go with the release. > >> >>>> > >> >>>> Anything missing for the 1.4.0 release ? > >> >>>> > >> >>>> Regards > >> >>>> JB > >> >>>> > >> >>>> On Tue, Mar 17, 2026 at 8:02 AM Jean-Baptiste Onofré < > >> [email protected]> > >> >>>> wrote: > >> >>>> > >> >>>>> Hi Yufei, > >> >>>>> > >> >>>>> I agree; that is a good plan for the CLI. > >> >>>>> > >> >>>>> We will update the release script and process regarding the CLI > for > >> >>>>> the 1.5.0 release. > >> >>>>> > >> >>>>> Regards, > >> >>>>> JB > >> >>>>> > >> >>>>> On Mon, Mar 16, 2026 at 7:05 PM Yufei Gu <[email protected]> > >> wrote: > >> >>>>> > >> >>>>>> For CLI publishing, we set up this pypi repo last year: > >> >>>>>> https://pypi.org/manage/project/apache-polaris/releases/. > >> >>>>>> > >> >>>>>> We need to publish to this repo once the 1.4.0 vote passed. Users > >> can > >> >>>>>> pull it directly from PyPI after that. > >> >>>>>> > >> >>>>>> Yufei > >> >>>>>> > >> >>>>>> > >> >>>>>> On Sun, Mar 8, 2026 at 10:02 AM Jean-Baptiste Onofré < > >> [email protected]> > >> >>>>>> wrote: > >> >>>>>> > >> >>>>>>> Hi, > >> >>>>>>> > >> >>>>>>> I will work with Robert on #3909. I will do another pass to have > >> it > >> >>>>>>> merge > >> >>>>>>> asap. > >> >>>>>>> > >> >>>>>>> PR #3891 looks good to me and can be merged imho. > >> >>>>>>> > >> >>>>>>> Following PR #3881 (fixing LICENSE/NOTICE in both admin and > server > >> >>>>>>> distributions), we have to update the "main" distribution > >> (basically > >> >>>>>>> merging both admin and server distributions LICENSE/NOTICE). > >> >>>>>>> > >> >>>>>>> So, to summarize the blockers for 1.4.0: > >> >>>>>>> - PR #3891 is good and can be merged > >> >>>>>>> - PR #3909 needs another pass (I gonna do that) > >> >>>>>>> - LICENSE/NOTICE from the "main" distribution should be updated > >> >>>>>>> > >> >>>>>>> Regards > >> >>>>>>> JB > >> >>>>>>> > >> >>>>>>> On Wed, Mar 4, 2026 at 9:54 PM Jean-Baptiste Onofré < > >> [email protected]> > >> >>>>>>> wrote: > >> >>>>>>> > >> >>>>>>> > Hi > >> >>>>>>> > > >> >>>>>>> > I did the #3909 review and it's not "complete" (see > >> >>>>>>> > > >> >>>>>>> > >> > https://github.com/apache/polaris/pull/3909#pullrequestreview-3891720251 > >> >>>>>>> > for the one interested). > >> >>>>>>> > > >> >>>>>>> > I will work to fix that (either with Robert or creating a new > >> PR). > >> >>>>>>> > I will keep you posted :) > >> >>>>>>> > > >> >>>>>>> > Regards > >> >>>>>>> > JB > >> >>>>>>> > > >> >>>>>>> > On Wed, Mar 4, 2026 at 2:38 PM Jean-Baptiste Onofré < > >> >>>>>>> [email protected]> > >> >>>>>>> > wrote: > >> >>>>>>> > > >> >>>>>>> >> Hi > >> >>>>>>> >> > >> >>>>>>> >> I'm checking the LICENSE/NOTICE in the Spark plugin right now > >> >>>>>>> (#3909). > >> >>>>>>> >> I'm also doing a full pass to be sure we are good. > >> >>>>>>> >> > >> >>>>>>> >> I will keep you posted. > >> >>>>>>> >> > >> >>>>>>> >> Thanks ! > >> >>>>>>> >> > >> >>>>>>> >> Regards > >> >>>>>>> >> JB > >> >>>>>>> >> > >> >>>>>>> >> On Wed, Mar 4, 2026 at 2:23 PM Adnan Hemani via dev < > >> >>>>>>> >> [email protected]> wrote: > >> >>>>>>> >> > >> >>>>>>> >>> Hi Robert, > >> >>>>>>> >>> > >> >>>>>>> >>> This is a good point. JB, can you please take a look at > these > >> >>>>>>> and merge > >> >>>>>>> >>> if > >> >>>>>>> >>> you think the PRs are complete? > >> >>>>>>> >>> > >> >>>>>>> >>> Best, > >> >>>>>>> >>> Adnan Hemani > >> >>>>>>> >>> > >> >>>>>>> >>> On Tue, Mar 3, 2026 at 11:16 PM Robert Stupp < > [email protected]> > >> >>>>>>> wrote: > >> >>>>>>> >>> > >> >>>>>>> >>> > Hi all, > >> >>>>>>> >>> > > >> >>>>>>> >>> > Thanks for working with JB. > >> >>>>>>> >>> > > >> >>>>>>> >>> > The remaining legal issues on the 1.4.0 milestone [1] > should > >> >>>>>>> be sorted > >> >>>>>>> >>> out > >> >>>>>>> >>> > before cutting the branch to avoid additional work and > >> further > >> >>>>>>> delay > >> >>>>>>> >>> from > >> >>>>>>> >>> > duplicate PRs (against main and the release branch). > >> >>>>>>> >>> > Neither the LICENSE/NOTICE for the binary > server+admin-tool > >> >>>>>>> >>> distribution > >> >>>>>>> >>> > nor the LICENSE/NOTICE files for the plugin are good. PRs > to > >> >>>>>>> fix this > >> >>>>>>> >>> still > >> >>>>>>> >>> > need reviews. > >> >>>>>>> >>> > > >> >>>>>>> >>> > Robert > >> >>>>>>> >>> > > >> >>>>>>> >>> > [1] https://github.com/apache/polaris/milestone/6 > >> >>>>>>> >>> > > >> >>>>>>> >>> > > >> >>>>>>> >>> > On Wed, Mar 4, 2026 at 3:47 AM Adnan Hemani via dev < > >> >>>>>>> >>> > [email protected]> > >> >>>>>>> >>> > wrote: > >> >>>>>>> >>> > > >> >>>>>>> >>> > > Hi all, > >> >>>>>>> >>> > > > >> >>>>>>> >>> > > I've worked with JB to verify that we should be ready to > >> cut > >> >>>>>>> the > >> >>>>>>> >>> release > >> >>>>>>> >>> > > branch for 1.4.0. As we are well past the original > branch > >> >>>>>>> cut date, I > >> >>>>>>> >>> > will > >> >>>>>>> >>> > > cut the branch sometime tomorrow, March 4th, 2026 during > >> PST > >> >>>>>>> business > >> >>>>>>> >>> > > hours. If you have any last-minute changes that need to > go > >> >>>>>>> into the > >> >>>>>>> >>> 1.4.0 > >> >>>>>>> >>> > > release, please ensure they are merged tonight. > >> >>>>>>> >>> > > > >> >>>>>>> >>> > > Best, > >> >>>>>>> >>> > > Adnan Hemani > >> >>>>>>> >>> > > > >> >>>>>>> >>> > > On Mon, Feb 23, 2026 at 6:04 AM Jean-Baptiste Onofré < > >> >>>>>>> >>> [email protected]> > >> >>>>>>> >>> > > wrote: > >> >>>>>>> >>> > > > >> >>>>>>> >>> > > > Hi > >> >>>>>>> >>> > > > > >> >>>>>>> >>> > > > During the weekend, I reviewed the 1.4.0 release > prep. I > >> >>>>>>> also found > >> >>>>>>> >>> > that > >> >>>>>>> >>> > > > LICENSE and NOTICE are not up to date: > >> >>>>>>> >>> > > > - the versions are not up to date (I created a PR to > >> >>>>>>> remove the > >> >>>>>>> >>> > versions > >> >>>>>>> >>> > > ( > >> >>>>>>> >>> > > > https://github.com/apache/polaris/pull/3861 that has > >> been > >> >>>>>>> reused > >> >>>>>>> >>> by > >> >>>>>>> >>> > > Robert > >> >>>>>>> >>> > > > in the "generation" PR). > >> >>>>>>> >>> > > > - the runtime distributions dependencies changed, but > >> >>>>>>> >>> LICENSE/NOTICE > >> >>>>>>> >>> > have > >> >>>>>>> >>> > > > not been updated (I was about to create another PR > about > >> >>>>>>> that). > >> >>>>>>> >>> > > > > >> >>>>>>> >>> > > > I mentioned that last week during the Polaris > Community > >> >>>>>>> Meeting: > >> >>>>>>> >>> this > >> >>>>>>> >>> > is > >> >>>>>>> >>> > > a > >> >>>>>>> >>> > > > blocker for the 1.4.0 release. > >> >>>>>>> >>> > > > > >> >>>>>>> >>> > > > Thanks Robert for the PR, I will review it and double > >> >>>>>>> check if we > >> >>>>>>> >>> are > >> >>>>>>> >>> > > good > >> >>>>>>> >>> > > > (from a legal standpoint). > >> >>>>>>> >>> > > > > >> >>>>>>> >>> > > > Regards > >> >>>>>>> >>> > > > JB > >> >>>>>>> >>> > > > > >> >>>>>>> >>> > > > On Mon, Feb 23, 2026 at 2:44 PM Robert Stupp < > >> >>>>>>> [email protected]> > >> >>>>>>> >>> wrote: > >> >>>>>>> >>> > > > > >> >>>>>>> >>> > > > > Hi all, > >> >>>>>>> >>> > > > > > >> >>>>>>> >>> > > > > I reviewed the licenses for the binary distribution, > >> >>>>>>> which is > >> >>>>>>> >>> part of > >> >>>>>>> >>> > > > > the release management. > >> >>>>>>> >>> > > > > Several changes must be made to the LICENSE files > and > >> >>>>>>> block the > >> >>>>>>> >>> > > release. > >> >>>>>>> >>> > > > > > >> >>>>>>> >>> > > > > Looking into those, it became apparent that other > >> >>>>>>> dependency > >> >>>>>>> >>> changes > >> >>>>>>> >>> > > are > >> >>>>>>> >>> > > > > required for version 1.4.0 release. > >> >>>>>>> >>> > > > > > >> >>>>>>> >>> > > > > I have created the relevant PRs and added them to > the > >> >>>>>>> milestone > >> >>>>>>> >>> for > >> >>>>>>> >>> > the > >> >>>>>>> >>> > > > > 1.4.0 release. > >> >>>>>>> >>> > > > > > >> >>>>>>> >>> > > > > Robert > >> >>>>>>> >>> > > > > > >> >>>>>>> >>> > > > > > >> >>>>>>> >>> > > > > On Tue, Feb 17, 2026 at 2:02 AM Adnan Hemani via > dev < > >> >>>>>>> >>> > > > > [email protected]> > >> >>>>>>> >>> > > > > wrote: > >> >>>>>>> >>> > > > > > >> >>>>>>> >>> > > > > > Hi, > >> >>>>>>> >>> > > > > > > >> >>>>>>> >>> > > > > > Thanks for this update - I had it on my calendar > >> today > >> >>>>>>> to send > >> >>>>>>> >>> out > >> >>>>>>> >>> > an > >> >>>>>>> >>> > > > > email > >> >>>>>>> >>> > > > > > today to get this started and completely missed > this > >> >>>>>>> thread in > >> >>>>>>> >>> my > >> >>>>>>> >>> > > inbox > >> >>>>>>> >>> > > > > for > >> >>>>>>> >>> > > > > > some reason. > >> >>>>>>> >>> > > > > > > >> >>>>>>> >>> > > > > > Let me start the thread with my initial thoughts > on > >> >>>>>>> all the > >> >>>>>>> >>> > remaining > >> >>>>>>> >>> > > > > open > >> >>>>>>> >>> > > > > > issues and PRs later today and we can go from > there. > >> >>>>>>> >>> > > > > > > >> >>>>>>> >>> > > > > > Best, > >> >>>>>>> >>> > > > > > Adnan Hemani > >> >>>>>>> >>> > > > > > > >> >>>>>>> >>> > > > > > On Thu, Feb 12, 2026 at 6:58 AM Jean-Baptiste > >> Onofré < > >> >>>>>>> >>> > > [email protected]> > >> >>>>>>> >>> > > > > > wrote: > >> >>>>>>> >>> > > > > > > >> >>>>>>> >>> > > > > > > Hi folks, > >> >>>>>>> >>> > > > > > > > >> >>>>>>> >>> > > > > > > I believe we are approaching the scheduled time > >> for > >> >>>>>>> the next > >> >>>>>>> >>> > > release, > >> >>>>>>> >>> > > > > > > following our monthly cadence. > >> >>>>>>> >>> > > > > > > > >> >>>>>>> >>> > > > > > > I just reviewed the GitHub milestone ( > >> >>>>>>> >>> > > > > > > https://github.com/apache/polaris/milestone/6) > >> and > >> >>>>>>> noticed > >> >>>>>>> >>> there > >> >>>>>>> >>> > > are > >> >>>>>>> >>> > > > > > still > >> >>>>>>> >>> > > > > > > 14 open issues. While some appear close to > >> >>>>>>> completion, > >> >>>>>>> >>> others may > >> >>>>>>> >>> > > > > require > >> >>>>>>> >>> > > > > > > further discussion. > >> >>>>>>> >>> > > > > > > > >> >>>>>>> >>> > > > > > > Could we perform a triage to determine if these > >> >>>>>>> issues should > >> >>>>>>> >>> > > remain > >> >>>>>>> >>> > > > in > >> >>>>>>> >>> > > > > > the > >> >>>>>>> >>> > > > > > > 1.4.0 milestone or be bumped to a later one? > >> >>>>>>> >>> > > > > > > > >> >>>>>>> >>> > > > > > > Adnan, as the release manager, would you mind > >> taking > >> >>>>>>> the > >> >>>>>>> >>> lead on > >> >>>>>>> >>> > > the > >> >>>>>>> >>> > > > > > > 1.4.0-incubating release preparation? > >> >>>>>>> >>> > > > > > > > >> >>>>>>> >>> > > > > > > Thanks! > >> >>>>>>> >>> > > > > > > Regards, > >> >>>>>>> >>> > > > > > > JB > >> >>>>>>> >>> > > > > > > > >> >>>>>>> >>> > > > > > > On Fri, Jan 30, 2026 at 8:42 PM Jean-Baptiste > >> Onofré > >> >>>>>>> < > >> >>>>>>> >>> > > > [email protected]> > >> >>>>>>> >>> > > > > > > wrote: > >> >>>>>>> >>> > > > > > > > >> >>>>>>> >>> > > > > > > > Hi folks > >> >>>>>>> >>> > > > > > > > > >> >>>>>>> >>> > > > > > > > I would like to start a discussion to prepare > >> >>>>>>> >>> 1.4.0-incubating. > >> >>>>>>> >>> > > > > > > > > >> >>>>>>> >>> > > > > > > > Who would like to be release manager on this > >> one ? > >> >>>>>>> >>> > > > > > > > > >> >>>>>>> >>> > > > > > > > I will check the milestone on GH. Please > assign > >> >>>>>>> the 1.4.0 > >> >>>>>>> >>> > > milestone > >> >>>>>>> >>> > > > > to > >> >>>>>>> >>> > > > > > > > issues/PRs you want to include in this > release. > >> >>>>>>> >>> > > > > > > > > >> >>>>>>> >>> > > > > > > > Thanks ! > >> >>>>>>> >>> > > > > > > > > >> >>>>>>> >>> > > > > > > > Regards > >> >>>>>>> >>> > > > > > > > JB > >> >>>>>>> >>> > > > > > > > > >> >>>>>>> >>> > > > > > > > >> >>>>>>> >>> > > > > > > >> >>>>>>> >>> > > > > > >> >>>>>>> >>> > > > > >> >>>>>>> >>> > > > >> >>>>>>> >>> > > >> >>>>>>> >>> > >> >>>>>>> >> > >> >>>>>>> > >> >>>>>> > >> > > >
