asterixdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ate Douma <...@douma.nu>
Subject Re: [VOTE] Release Apache AsterixDB 0.8.7-incubating (RC3)
Date Wed, 07 Oct 2015 22:24:58 GMT
Hi team,

I either can +1 or -1 this release candidate, depending on if the staged maven 
repository provided artifacts are also intended to be distributed...

For just the source release (like for the Hyracks release), I think it is good 
to go, so +1 for that.

But for the binary artifacts in the Maven repo, it is definitely a -1.

So either you'll drop/skip releasing to the Maven repo for this time, and then 
you might be good (pending possible feedback from others), or this vote better 
be cancelled and prepare for a lot of work to get this fixed first...

As I already mentioned on the Hyracks release candidate: LICENSE, NOTICE and 
DISCLAIMER requirements apply to all released/distributed artifacts.
As such, all the build artifacts in the Maven repository also have to contain 
and provide these...
Please check again the requirements for binary (re)distributions here:

   http://www.apache.org/dev/licensing-howto.html#bundled-vs-non-bundled
   http://www.apache.org/dev/licensing-howto.html#deps-of-deps
   http://www.apache.org/dev/licensing-howto.html#binary

And in general everything on whole page.

Some of the Maven repo jars already do have the 'verbatim' Apache LICENSE and 
NOTICE files, but none provide the Incubator DISCLAIMER, which in addition to 
the above rules also is required for every distribution from the Incubator.

And some others jars don't even bundle a LICENSE and NOTICE file like 
asterix-common-0.8.7-incubating.jar (there are possibly more, I didn't check 
each and every one).

And besides this, aggregating distributions like all .zip|.tar etc. files 
contain none of these files. Including module -source-release.zip files like 
asterix-events-0.8.7-incubating-source-release.zip and the -demo.zip files.

All of these artifacts when released/distributed have to comply to the above rules.
Which most definitely isn't a trivial task to comply with and typically takes 
several iterations to get right... Painful yes, but necessary.
Once setup and configured properly though, thereafter it usually doesn't require 
a lot of work to keep it up to date.

But getting it right the first time will.
Just saying so that you'll all be aware this isn't something likely fixable in a 
few minutes or even hours...

Two important things to keep in mind:
- LICENSE and NOTICE files must be tailored specifically to the distribution 
containing them, providing attribution to what the distribution contains, but 
nothing more.
   For example 3rd party embedded sources like JQuery require license 
attribution, but NOT in artifacts NOT embedding them.
   So the asterix-app should indeed mention this in the LICENSE file in its jar 
AND -binary-assembly.zip, but for example the asterix-algebra jar should NOT.
- Distributions bundling other distributions must aggregate possible LICENSE and 
NOTICE attributions of those other distributions within their main LICENSE and 
NOTICE file.
   So for example, the LICENSE and NOTICE files in the asterix-app 
binary-assembly.zip must aggregate those from the bundled/embedded asterix-app 
*jar*.
   And further more, as the binary-assembly.zip bundles many other, including 
3rd party, jars, their LICENSE and/or NOTICE attributions needs to be aggregated 
as well (when needed, which depends on the particular LICENSE and/or NOTICE). 
Including possible other licenses applicable to those bundled jars (or whatever 
bundled bits).
   And for aggregates of aggregates, like the asterix-installer 
binary-assembly.zip, this has to be done 'transitively'. Yeah, a lot of work indeed.

I also like to refer back to the [DISCUSS] mail I send earlier on the Hyracks 
release candidate, where I already indicated this to become critical when 
releasing binary artifacts.
And to a few suggestions I gave then like configuring the 
apache-incubator-disclaimer-resource-bundle to ensure the DISCLAIMER file will 
automatically added to all generated jars (but not in assembled artifacts).
And to leverage automatic *appending* specific LICENSE/NOTICE file fragments for 
specific modules which embed 3rd party resources, via 
src/main/appended-resources/META-INF/LICENSE and/or ./NOTICE files.

I'm happy to try help out if this raises questions (and I expect it will), but 
that'll be more practical to do case by case.
Trying to write down such 'guidelines' generically typically just leads to more 
confusion :)

Kind regards,
Ate

On 2015-10-05 22:16, Ian Maxon wrote:
> Hi everyone,
>
> Please verify and vote on the first full Apache AsterixDB release!
> This candidate addresses some of the differences that were noticed
> between the tagged commit in git and the source packaging.
>
> The tag to be voted on is
>
> asterix-0.8.7-incubating
> commit : d2e1e89cfdf39e2b772dff2600913bb79644a380
> link: https://git-wip-us.apache.org/repos/asf?p=incubator-asterixdb.git;a=tag;h=refs/tags/asterix-0.8.7-incubating
>
> The artifacts, md5s, and signatures are at:
>
> https://dist.apache.org/repos/dist/dev/incubator/asterixdb/asterix-0.8.7-incubating-source-release.zip
> https://dist.apache.org/repos/dist/dev/incubator/asterixdb/asterix-0.8.7-incubating-source-release.zip.asc
> https://dist.apache.org/repos/dist/dev/incubator/asterixdb/asterix-0.8.7-incubating-source-release.zip.md5
> https://dist.apache.org/repos/dist/dev/incubator/asterixdb/asterix-0.8.7-incubating-source-release.zip.sha1
>
> MD5: 7330e6d6c2dd691ae3ab6a641e4d5344
> SHA1: bf0b4a2ceaa26bcf1fcda33fee1ba227e31a88ba
>
> Additionally, a staged maven repository is available at:
> https://repository.apache.org/content/repositories/orgapacheasterix-1014/
>
> The KEYS file containing the PGP keys used to sign the release can be found at
>
> https://dist.apache.org/repos/dist/release/incubator/asterixdb/KEYS
>
> RAT was executed as part of Maven via the RAT maven plugin, as well as
> manually, but it
> excludes the following paths:
>
> .*\.adm
> .*\.aql
> .*\.cleaned
> .*\.csv
> .*\.csv.cr
> .*\.csv.crlf
> .*\.csv.lf
> .*\.ddl
> .*\.dot
> .*\.hcli
> .*\.iml
> .*\.json
> .*\.out
> .*\.plan
> .*\.ps
> .*\.scm
> .*\.tbl
> .*\.tbl\.big
> .*\.tsv
> .*\.txt
> .*large_text
> .*part-00000
> .*part-00001
>
> .*\.goutputstream-YQMB2V
> .*02-fuzzy-select
> .*LockRequestFile
> .*hosts
> .*id_rsa
> .*known_hosts
>
> .*bottle.py
> .*geostats.js
> .*jquery.autosize-min.js
> .*jquery.min.js
> .*rainbowvis.js
> .*smoothie.js
>
>
> These files either are either data for tests, procedurally generated,
> or source files which come without a header mentioning their license,
> but have an explicit reference in the LICENSE file.
>
> The complete RAT report is available at:
> https://gist.githubusercontent.com/westmann/b6ed4b25bea44adcd526/raw/be93ff0c1d13c2ce7c88a2b713ace130b5e7ef5f/gistfile1.txt
>
> The vote is open for 72 hours, or until the necessary number of votes
> (3 +1) has been reached.
>
> Please vote
> [ ] +1 release this package as Apache AsterixDB 0.8.7-incubating
> [ ] 0 No strong feeling either way
> [ ] -1 do not release this package because ...
>
> Thanks!
> -Ian
>


Mime
View raw message