> Quarkus-generated bytecode is currently expected to cause a bit-by-bit verification failure.

Given this, the full "bit-by-bit" reproducibility verification isn't practical.
Can we exclude the Quarkus generated bytecode in the script?

Yufei

On Tue, Mar 31, 2026 at 7:12 AM Jean-Baptiste Onofré <[email protected]> wrote:

> I think it's fair to keep it but to clearly state to the user that it's
> "expected" (I don't say normal :)).
>
> I think Adnan was confused when he saw the warnings.
>
> Regards
> JB
>
> On Tue, Mar 31, 2026 at 2:47 PM Robert Stupp <[email protected]> wrote:
>
> > Hi,
> >
> > The verification script was built with full "bit-by-bit" reproducibility
> > in mind.
> > The verification failure here is technically correct, Quarkus-generated
> > bytecode is currently expected to cause a bit-by-bit verification
> > failure.
> >
> > What it's basically saying is: "I cannot verify that the artifacts fully
> > match the result as expected from the source tree."
> > It's annoying, but, in my very personal opinion, it's correct and should
> > stay. Hence the paragraph about the Quarkus generated jars in the failure
> > message.
> > One may also interpret this as: "I should look, at least, into the
> > zip/tar files and validate that only the Quarkus generated bytecode is
> > causing the difference - and nothing else, for example, a dependency jar."
> >
> > Robert
> >
> >
> > On Tue, Mar 31, 2026 at 12:42 PM Adnan Hemani via dev <[email protected]> wrote:
> >
> > > Robert and/or Pierre, can one of you confirm this? If so, I can open a PR
> > > tomorrow removing these checks from the script. We can add it back in the
> > > future once Quarkus reproducible builds are in a version that Polaris
> > > runs on.
> > >
> > > -Adnan
> > >
> > > On Tue, Mar 31, 2026 at 3:36 AM Jean-Baptiste Onofré <[email protected]> wrote:
> > >
> > > > I agree. I think it was anticipated steps.
> > > >
> > > > On Tue, Mar 31, 2026 at 12:27, Adnan Hemani via dev <[email protected]> wrote:
> > > >
> > > >> If all artifacts fail due to these reasons, then why did we ever insert
> > > >> these checks into the script? IMO there is no point in creating all this
> > > >> noise in the script output if we should not ever expect it to succeed.
> > > >>
> > > >> -Adnan
> > > >>
> > > >> On Tue, Mar 31, 2026 at 12:32 AM Jean-Baptiste Onofré <[email protected]> wrote:
> > > >>
> > > >> > By the way, as tracking in issue #2204, it's expected the
> > > >> > verify-release.sh script warns about differences between local build and
> > > >> > files on dist/maven staging repo.
> > > >> >
> > > >> > The reason is:
> > > >> > - Quarkus-generated bytecode (generated-bytecode.jar,
> > > >> >   transformed-bytecode.jar, quarkus-application.jar) is non-deterministic
> > > >> > - Re-assembled jars (polaris-admin-*.jar, polaris-server-*.jar) contain
> > > >> >   the above
> > > >> > - Zips/tarballs containing any of the above inherit the
> > > >> >   non-reproducibility
> > > >> > Until Quarkus fully supports reproducible builds, these differences are
> > > >> > expected and should be reviewed manually rather than treated as release
> > > >> > blockers.
> > > >> >
> > > >> > So, maybe we should have a "clear/emphasized" message on the
> > > >> > verify-release.sh script about "reproducible build known issue".
> > > >> >
> > > >> > Regards
> > > >> > JB
> > > >> >
> > > >> >
> > > >> > On Tue, Mar 31, 2026 at 6:37 AM Jean-Baptiste Onofré <[email protected]> wrote:
> > > >> >
> > > >> >> I created https://github.com/apache/polaris/pull/4092 to update the
> > > >> >> verify-release.sh script, checking if LICENSE/NOTICE exists in either
> > > >> >> root or META-INF.
> > > >> >>
> > > >> >> Regards
> > > >> >> JB
> > > >> >>
> > > >> >> On Tue, Mar 31, 2026 at 6:16 AM Yufei Gu <[email protected]> wrote:
> > > >> >>
> > > >> >>> Thanks for the confirmation, JB, that aligns with my understanding.
> > > >> >>>
> > > >> >>> Let me briefly summarize the issue raised in the thread:
> > > >> >>> https://lists.apache.org/thread/bv2bdv4d2yhslnmj9bthsthfsd35b0of
> > > >> >>>
> > > >> >>> Adnan noted that the verify-release script reports missing LICENSE and
> > > >> >>> NOTICE files under META-INF/ for the Spark connector JARs, which were
> > > >> >>> removed in PR 3912.
> > > >> >>>
> > > >> >>> My understanding is that these files are not required in META-INF/, as
> > > >> >>> the top-level LICENSE and NOTICE files should be sufficient. I also
> > > >> >>> double-checked previous releases: versions 1.0.0, 1.0.1, 1.1.0, and 1.2.0
> > > >> >>> do not include them under META-INF/, while only 1.3.0 does.
> > > >> >>>
> > > >> >>> Given this, I suggest either ignoring this warning from the
> > > >> >>> verify-release script or updating the script accordingly.
> > > >> >>>
> > > >> >>> Yufei
> > > >> >>>
> > > >> >>>
> > > >> >>> On Mon, Mar 30, 2026 at 8:59 PM Jean-Baptiste Onofré <[email protected]> wrote:
> > > >> >>>
> > > >> >>>> Hi
> > > >> >>>>
> > > >> >>>> An update about 1.4.0 release:
> > > >> >>>> - LICENSE/NOTICE have been fixed on the Spark plugin
> > > >> >>>> - We have a plan about the CLI for the 1.4.0 release
> > > >> >>>> - I checked Spark plugin build and it looks compliant with reproducible
> > > >> >>>>   build to me (since ShadowJar extends AbstractArchiveTask, the
> > > >> >>>>   createPolarisSparkJar bundle JAR also inherits these settings
> > > >> >>>>   automatically, meaning both the regular JAR and the shadow/bundle JAR
> > > >> >>>>   should be reproducible).
> > > >> >>>>
> > > >> >>>> I think we are good to go with the release.
> > > >> >>>>
> > > >> >>>> Anything missing for the 1.4.0 release ?
> > > >> >>>>
> > > >> >>>> Regards
> > > >> >>>> JB
> > > >> >>>>
> > > >> >>>> On Tue, Mar 17, 2026 at 8:02 AM Jean-Baptiste Onofré <[email protected]> wrote:
> > > >> >>>>
> > > >> >>>>> Hi Yufei,
> > > >> >>>>>
> > > >> >>>>> I agree; that is a good plan for the CLI.
> > > >> >>>>>
> > > >> >>>>> We will update the release script and process regarding the CLI for
> > > >> >>>>> the 1.5.0 release.
> > > >> >>>>>
> > > >> >>>>> Regards,
> > > >> >>>>> JB
> > > >> >>>>>
> > > >> >>>>> On Mon, Mar 16, 2026 at 7:05 PM Yufei Gu <[email protected]> wrote:
> > > >> >>>>>
> > > >> >>>>>> For CLI publishing, we set up this pypi repo last year:
> > > >> >>>>>> https://pypi.org/manage/project/apache-polaris/releases/.
> > > >> >>>>>>
> > > >> >>>>>> We need to publish to this repo once the 1.4.0 vote passed. Users can
> > > >> >>>>>> pull it directly from PyPI after that.
> > > >> >>>>>>
> > > >> >>>>>> Yufei
> > > >> >>>>>>
> > > >> >>>>>>
> > > >> >>>>>> On Sun, Mar 8, 2026 at 10:02 AM Jean-Baptiste Onofré <[email protected]> wrote:
> > > >> >>>>>>
> > > >> >>>>>>> Hi,
> > > >> >>>>>>>
> > > >> >>>>>>> I will work with Robert on #3909. I will do another pass to have it
> > > >> >>>>>>> merge asap.
> > > >> >>>>>>>
> > > >> >>>>>>> PR #3891 looks good to me and can be merged imho.
> > > >> >>>>>>>
> > > >> >>>>>>> Following PR #3881 (fixing LICENSE/NOTICE in both admin and server
> > > >> >>>>>>> distributions), we have to update the "main" distribution (basically
> > > >> >>>>>>> merging both admin and server distributions LICENSE/NOTICE).
> > > >> >>>>>>>
> > > >> >>>>>>> So, to summarize the blockers for 1.4.0:
> > > >> >>>>>>> - PR #3891 is good and can be merged
> > > >> >>>>>>> - PR #3909 needs another pass (I gonna do that)
> > > >> >>>>>>> - LICENSE/NOTICE from the "main" distribution should be updated
> > > >> >>>>>>>
> > > >> >>>>>>> Regards
> > > >> >>>>>>> JB
> > > >> >>>>>>>
> > > >> >>>>>>> On Wed, Mar 4, 2026 at 9:54 PM Jean-Baptiste Onofré <[email protected]> wrote:
> > > >> >>>>>>>
> > > >> >>>>>>> > Hi
> > > >> >>>>>>> >
> > > >> >>>>>>> > I did the #3909 review and it's not "complete" (see
> > > >> >>>>>>> > https://github.com/apache/polaris/pull/3909#pullrequestreview-3891720251
> > > >> >>>>>>> > for the one interested).
> > > >> >>>>>>> >
> > > >> >>>>>>> > I will work to fix that (either with Robert or creating a new PR).
> > > >> >>>>>>> > I will keep you posted :)
> > > >> >>>>>>> >
> > > >> >>>>>>> > Regards
> > > >> >>>>>>> > JB
> > > >> >>>>>>> >
> > > >> >>>>>>> > On Wed, Mar 4, 2026 at 2:38 PM Jean-Baptiste Onofré <[email protected]> wrote:
> > > >> >>>>>>> >
> > > >> >>>>>>> >> Hi
> > > >> >>>>>>> >>
> > > >> >>>>>>> >> I'm checking the LICENSE/NOTICE in the Spark plugin right now (#3909).
> > > >> >>>>>>> >> I'm also doing a full pass to be sure we are good.
> > > >> >>>>>>> >>
> > > >> >>>>>>> >> I will keep you posted.
> > > >> >>>>>>> >>
> > > >> >>>>>>> >> Thanks !
> > > >> >>>>>>> >>
> > > >> >>>>>>> >> Regards
> > > >> >>>>>>> >> JB
> > > >> >>>>>>> >>
> > > >> >>>>>>> >> On Wed, Mar 4, 2026 at 2:23 PM Adnan Hemani via dev <[email protected]> wrote:
> > > >> >>>>>>> >>
> > > >> >>>>>>> >>> Hi Robert,
> > > >> >>>>>>> >>>
> > > >> >>>>>>> >>> This is a good point. JB, can you please take a look at these and merge
> > > >> >>>>>>> >>> if you think the PRs are complete?
> > > >> >>>>>>> >>>
> > > >> >>>>>>> >>> Best,
> > > >> >>>>>>> >>> Adnan Hemani
> > > >> >>>>>>> >>>
> > > >> >>>>>>> >>> On Tue, Mar 3, 2026 at 11:16 PM Robert Stupp <[email protected]> wrote:
> > > >> >>>>>>> >>>
> > > >> >>>>>>> >>> > Hi all,
> > > >> >>>>>>> >>> >
> > > >> >>>>>>> >>> > Thanks for working with JB.
> > > >> >>>>>>> >>> >
> > > >> >>>>>>> >>> > The remaining legal issues on the 1.4.0 milestone [1] should be sorted
> > > >> >>>>>>> >>> > out before cutting the branch to avoid additional work and further delay
> > > >> >>>>>>> >>> > from duplicate PRs (against main and the release branch).
> > > >> >>>>>>> >>> > Neither the LICENSE/NOTICE for the binary server+admin-tool distribution
> > > >> >>>>>>> >>> > nor the LICENSE/NOTICE files for the plugin are good. PRs to fix this
> > > >> >>>>>>> >>> > still need reviews.
> > > >> >>>>>>> >>> >
> > > >> >>>>>>> >>> > Robert
> > > >> >>>>>>> >>> >
> > > >> >>>>>>> >>> > [1] https://github.com/apache/polaris/milestone/6
> > > >> >>>>>>> >>> >
> > > >> >>>>>>> >>> >
> > > >> >>>>>>> >>> > On Wed, Mar 4, 2026 at 3:47 AM Adnan Hemani via dev <[email protected]> wrote:
> > > >> >>>>>>> >>> >
> > > >> >>>>>>> >>> > > Hi all,
> > > >> >>>>>>> >>> > >
> > > >> >>>>>>> >>> > > I've worked with JB to verify that we should be ready to cut the release
> > > >> >>>>>>> >>> > > branch for 1.4.0. As we are well past the original branch cut date, I
> > > >> >>>>>>> >>> > > will cut the branch sometime tomorrow, March 4th, 2026 during PST business
> > > >> >>>>>>> >>> > > hours. If you have any last-minute changes that need to go into the 1.4.0
> > > >> >>>>>>> >>> > > release, please ensure they are merged tonight.
> > > >> >>>>>>> >>> > >
> > > >> >>>>>>> >>> > > Best,
> > > >> >>>>>>> >>> > > Adnan Hemani
> > > >> >>>>>>> >>> > >
> > > >> >>>>>>> >>> > > On Mon, Feb 23, 2026 at 6:04 AM Jean-Baptiste Onofré <[email protected]> wrote:
> > > >> >>>>>>> >>> > >
> > > >> >>>>>>> >>> > > > Hi
> > > >> >>>>>>> >>> > > >
> > > >> >>>>>>> >>> > > > During the weekend, I reviewed the 1.4.0 release prep. I also found that
> > > >> >>>>>>> >>> > > > LICENSE and NOTICE are not up to date:
> > > >> >>>>>>> >>> > > > - the versions are not up to date (I created a PR to remove the versions
> > > >> >>>>>>> >>> > > >   (https://github.com/apache/polaris/pull/3861 that has been reused by
> > > >> >>>>>>> >>> > > >   Robert in the "generation" PR).
> > > >> >>>>>>> >>> > > > - the runtime distributions dependencies changed, but LICENSE/NOTICE have
> > > >> >>>>>>> >>> > > >   not been updated (I was about to create another PR about that).
> > > >> >>>>>>> >>> > > >
> > > >> >>>>>>> >>> > > > I mentioned that last week during the Polaris Community Meeting: this is
> > > >> >>>>>>> >>> > > > a blocker for the 1.4.0 release.
> > > >> >>>>>>> >>> > > >
> > > >> >>>>>>> >>> > > > Thanks Robert for the PR, I will review it and double check if we are
> > > >> >>>>>>> >>> > > > good (from a legal standpoint).
> > > >> >>>>>>> >>> > > >
> > > >> >>>>>>> >>> > > > Regards
> > > >> >>>>>>> >>> > > > JB
> > > >> >>>>>>> >>> > > >
> > > >> >>>>>>> >>> > > > On Mon, Feb 23, 2026 at 2:44 PM Robert Stupp <[email protected]> wrote:
> > > >> >>>>>>> >>> > > >
> > > >> >>>>>>> >>> > > > > Hi all,
> > > >> >>>>>>> >>> > > > >
> > > >> >>>>>>> >>> > > > > I reviewed the licenses for the binary distribution, which is part of
> > > >> >>>>>>> >>> > > > > the release management.
> > > >> >>>>>>> >>> > > > > Several changes must be made to the LICENSE files and block the release.
> > > >> >>>>>>> >>> > > > >
> > > >> >>>>>>> >>> > > > > Looking into those, it became apparent that other dependency changes are
> > > >> >>>>>>> >>> > > > > required for version 1.4.0 release.
> > > >> >>>>>>> >>> > > > >
> > > >> >>>>>>> >>> > > > > I have created the relevant PRs and added them to the milestone for the
> > > >> >>>>>>> >>> > > > > 1.4.0 release.
> > > >> >>>>>>> >>> > > > >
> > > >> >>>>>>> >>> > > > > Robert
> > > >> >>>>>>> >>> > > > >
> > > >> >>>>>>> >>> > > > >
> > > >> >>>>>>> >>> > > > > On Tue, Feb 17, 2026 at 2:02 AM Adnan Hemani via dev <[email protected]> wrote:
> > > >> >>>>>>> >>> > > > >
> > > >> >>>>>>> >>> > > > > > Hi,
> > > >> >>>>>>> >>> > > > > >
> > > >> >>>>>>> >>> > > > > > Thanks for this update - I had it on my calendar today to send out an
> > > >> >>>>>>> >>> > > > > > email today to get this started and completely missed this thread in my
> > > >> >>>>>>> >>> > > > > > inbox for some reason.
> > > >> >>>>>>> >>> > > > > >
> > > >> >>>>>>> >>> > > > > > Let me start the thread with my initial thoughts on all the remaining
> > > >> >>>>>>> >>> > > > > > open issues and PRs later today and we can go from there.
> > > >> >>>>>>> >>> > > > > >
> > > >> >>>>>>> >>> > > > > > Best,
> > > >> >>>>>>> >>> > > > > > Adnan Hemani
> > > >> >>>>>>> >>> > > > > >
> > > >> >>>>>>> >>> > > > > > On Thu, Feb 12, 2026 at 6:58 AM Jean-Baptiste Onofré <[email protected]> wrote:
> > > >> >>>>>>> >>> > > > > >
> > > >> >>>>>>> >>> > > > > > > Hi folks,
> > > >> >>>>>>> >>> > > > > > >
> > > >> >>>>>>> >>> > > > > > > I believe we are approaching the scheduled time for the next release,
> > > >> >>>>>>> >>> > > > > > > following our monthly cadence.
> > > >> >>>>>>> >>> > > > > > >
> > > >> >>>>>>> >>> > > > > > > I just reviewed the GitHub milestone (
> > > >> >>>>>>> >>> > > > > > > https://github.com/apache/polaris/milestone/6 ) and noticed there are
> > > >> >>>>>>> >>> > > > > > > still 14 open issues. While some appear close to completion, others may
> > > >> >>>>>>> >>> > > > > > > require further discussion.
> > > >> >>>>>>> >>> > > > > > >
> > > >> >>>>>>> >>> > > > > > > Could we perform a triage to determine if these issues should remain in
> > > >> >>>>>>> >>> > > > > > > the 1.4.0 milestone or be bumped to a later one?
> > > >> >>>>>>> >>> > > > > > >
> > > >> >>>>>>> >>> > > > > > > Adnan, as the release manager, would you mind taking the lead on the
> > > >> >>>>>>> >>> > > > > > > 1.4.0-incubating release preparation?
> > > >> >>>>>>> >>> > > > > > >
> > > >> >>>>>>> >>> > > > > > > Thanks!
> > > >> >>>>>>> >>> > > > > > > Regards,
> > > >> >>>>>>> >>> > > > > > > JB
> > > >> >>>>>>> >>> > > > > > >
> > > >> >>>>>>> >>> > > > > > > On Fri, Jan 30, 2026 at 8:42 PM Jean-Baptiste Onofré <[email protected]> wrote:
> > > >> >>>>>>> >>> > > > > > >
> > > >> >>>>>>> >>> > > > > > > > Hi folks
> > > >> >>>>>>> >>> > > > > > > >
> > > >> >>>>>>> >>> > > > > > > > I would like to start a discussion to prepare 1.4.0-incubating.
> > > >> >>>>>>> >>> > > > > > > >
> > > >> >>>>>>> >>> > > > > > > > Who would like to be release manager on this one ?
> > > >> >>>>>>> >>> > > > > > > >
> > > >> >>>>>>> >>> > > > > > > > I will check the milestone on GH. Please assign the 1.4.0 milestone to
> > > >> >>>>>>> >>> > > > > > > > issues/PRs you want to include in this release.
> > > >> >>>>>>> >>> > > > > > > >
> > > >> >>>>>>> >>> > > > > > > > Thanks !
> > > >> >>>>>>> >>> > > > > > > >
> > > >> >>>>>>> >>> > > > > > > > Regards
> > > >> >>>>>>> >>> > > > > > > > JB
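
The manual review suggested in the thread, looking into the zip files to confirm that only the Quarkus-generated bytecode differs and not, for example, a dependency jar, can be scripted. The following Python code is an added example, not part of the thread or of verify-release.sh. Only the three generated jar names come from the thread; the archive layout built by `sample_dist` is constructed, and it is an assumption that re-assembled jars carry the generated jars as nested entries.

```python
import io
import zipfile

# Jar names the thread lists as non-deterministic Quarkus output.
EXPECTED_NONDETERMINISTIC = {
    "generated-bytecode.jar",
    "transformed-bytecode.jar",
    "quarkus-application.jar",
}


def _entries(blob):
    """Map entry name -> content bytes for every file in a zip/jar."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {i.filename: zf.read(i) for i in zf.infolist() if not i.is_dir()}


def diff_archives(local, staged, prefix=""):
    """Compare two zip/jar blobs; return (expected, unexpected) differing paths."""
    expected, unexpected = [], []
    a, b = _entries(local), _entries(staged)
    for name in sorted(a.keys() | b.keys()):
        path = prefix + name
        if name not in a or name not in b:
            unexpected.append(path + " (present on one side only)")
        elif a[name] == b[name]:
            continue
        elif name.rsplit("/", 1)[-1] in EXPECTED_NONDETERMINISTIC:
            expected.append(path)
        elif all(zipfile.is_zipfile(io.BytesIO(x)) for x in (a[name], b[name])):
            # Nested jar: descend so a changed dependency cannot hide inside it.
            exp, unexp = diff_archives(a[name], b[name], path + "!/")
            if not exp and not unexp:
                # Same entries, different bytes: ordering or timestamps differ.
                unexp = [path + " (archive metadata only)"]
            expected += exp
            unexpected += unexp
        else:
            unexpected.append(path)
    return expected, unexpected


def make_zip(files):
    """Build an in-memory zip with fixed timestamps (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=(2026, 1, 1, 0, 0, 0)), data)
    return buf.getvalue()


def sample_dist(generated, dependency):
    """Constructed distribution layout; the entry paths are hypothetical."""
    server = make_zip({"quarkus/generated-bytecode.jar": generated,
                       "lib/main/dependency.jar": dependency})
    return make_zip({"LICENSE": b"Apache-2.0",
                     "lib/polaris-server-1.4.0.jar": server})
```

Tarballs would need the same walk via `tarfile`. Anything returned in the second list is a difference the known Quarkus issue does not explain and still needs manual review.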
