Please make sure you're downloading from a nearby mirror site, not directly from www.apache.org.
The changes in this release are detailed in the release notes.
Thank you for using Apache Lucene.
All official source and binary releases are digitally signed using GnuPG. You are encouraged to verify that your download is the official one by verifying the digital signature. To do this you need, in addition to the downloaded file:
Always download the KEYS and .asc files directly from the Apache site at <https://www.apache.org/dist/lucene/java/>, and always over HTTPS. Never trust KEYS from a mirror site. Read more
Always test available signatures, e.g., $ pgpk -a KEYS $ pgpk lucene-x.y.z.tar.gz.asc or, $ pgp -ka KEYS $ pgp lucene-x.y.z.tar.gz.asc or, $ gpg --import KEYS $ gpg --verify lucene-x.y.z.tar.gz.asc
Alongside the release artifacts in the official Apache dist site you will also find other files providing checksum hashes for each file, with suffix .sha1, .sha512. or .md5. E.g. for lucene-x.y.z.tgz the lucene-x.y.z.tgz.sha1 file provides the SHA-1 checksum. These are useful to verify that your download was complete and valid, but will not prove that your download was digitally signed by an actual Apache committer. For that you must check the .asc signature.
Calculate the checksum of your download and compare to the contents of the checksum files $ shasum [-a 512] lucene-x.y.z.tgz $ md5 lucene-x.y.z.tgz
Older versions of Lucene Java can be found on archive.apache.org.