From Andrew Purtell <apurt...@apache.org>
Subject Re: release about ready
Date Tue, 28 Jun 2016 00:43:00 GMT
> You can run 'sbt dumpLicenseReport', which runs the equivalent of the RAT tool.

I don't think so. Apache RAT does more than just report on licenses, it
checks for Apache specific release policy compliance. Or did you mean that
sbt's dumpLicenseReport is actually set up in your project to run Apache
RAT?

On Mon, Jun 27, 2016 at 5:23 PM, Kam Kasravi <kamkasravi@gmail.com> wrote:

> Thanks Andy for going through RC0! Comments inline. I'll update and upload
> back under RC0.
>
> > - I imported the KEYS file but then failed to find the signing key.
> >
> > gpg --verify gearpump-0.8.1-incubating-src.tgz.asc gearpump-0.8.1-incubating-src.tgz
> > gpg: Signature made Fri 24 Jun 2016 03:07:40 PM PDT using RSA key ID E7DE27E3
> > gpg: Can't check signature: public key not found
> >
> > - recv-key E7DE27E3 worked
> >
> > gpg: key E7DE27E3: public key "Kam Kasravi (CODE SIGNING KEY) <kamkasravi@apache.org>" imported
> > gpg: Total number processed: 1
> > gpg:               imported: 1  (RSA: 1)
> >
> > - And now the signature check passes
> >
> > gpg: Signature made Fri 24 Jun 2016 03:07:40 PM PDT using RSA key ID E7DE27E3
> > gpg: Good signature from "Kam Kasravi (CODE SIGNING KEY) <kamkasravi@apache.org>"
> > gpg: WARNING: This key is not certified with a trusted signature!
> > gpg:          There is no indication that the signature belongs to the owner.
> > Primary key fingerprint: 4FF1 FDB7 1079 F43F 132D  FBBB 5806 2555 E7DE 27E3
> >
> > I encourage Kam and everyone to go to an ApacheCon or the meetups of
> > other projects and get your keys signed by other Apache folks. Yes, I
> > should take my own advice... my code signing key has the same issue.
> >
> > - MD5 and SHA1 checksum files match file sums
> >
>
> [Kam] I've updated KEYS to include the CODE SIGNING KEY. I also updated
> our release shell script so it can also verify the signed artifacts
> (dev-tools/create_apache_source_release.sh).
>
> > - Archive unpacks and layout looks good
> >
> > - LICENSE file looks ok, except maybe the text of the SIL Open Font
> > License is missing?
>
> [Kam] I'll add this.
>
> > - Is the NOTICE file complete? "If the dependency supplies a NOTICE
> > file, its contents must be analyzed and the relevant portions bubbled up
> > into the top-level NOTICE file." (
> > http://www.apache.org/dev/licensing-howto.html) We don't want to add
> > anything here not legally required, though. I'm assuming you went through
> > all of your dependencies and checked if they have anything in a NOTICE
> > file? If not let's do that.
>
> [Kam] For the source release I didn't - but best to do it now so
> subsequent binary artifacts are correctly handled.
>
> > - I can't find build instructions on the website (eg.
> > http://gearpump.incubator.apache.org/how-to-contribute.html). They are in
> > the README.md, however. How does one invoke 'sbt' such that it will also
> > run the Apache RAT tool?
>
> [Kam] You can run 'sbt dumpLicenseReport', which runs the equivalent of
> the RAT tool. The sbt plugin is here
> https://github.com/sbt/sbt-license-report. I've updated the README.md.
>
> > - What is
> > http://dl.bintray.com/fvunicorn/maven/org/apache/gearpump/gearpump-shaded-gs-collections/6.2.0/gearpump-shaded-gs-collections-6.2.0.jar
> > ? I'm not sure this will be fatal to the release candidate but this is
> > something that needs to be fixed. At the least it should be hosted on
> > Apache infrastructure somewhere. Ideally, the shading and staging of
> > gs-collections can be made part of the build so no need for a custom
> > artifact of gs-collections just for gearpump. Same for
> > gearpump-shaded-akka-kyro and anything like this I may have missed.
>
> [Kam] Flink also includes shaded jars. I'll follow their example.
>
> > - Some code builds against a downstream commercial derivative of an
> > Apache project, hosted on a third party repository. You should not be doing
> > this. If you depend on Hadoop, build against an Apache released version of
> > Hadoop.
>
> [Kam] Got it. I'll update our Build.scala, rerun 'sbt dumpLicenseReport'
> and reverify.
>
> > When ready to start a release candidate vote, Mnemonic recently ran a
> > vote, you can use that as an example.
> >
> > Vote thread: https://s.apache.org/NqCu
> >
> > Result: https://s.apache.org/wERS
>
>
> On Mon, Jun 27, 2016 at 3:52 PM, Andrew Purtell <apurtell@apache.org>
> wrote:
>
>> Kam posted artifacts for 0.8.1 RC0 and asked me to take a look at them.
>> Here are my notes:
>>
>> - I imported the KEYS file but then failed to find the signing key.
>>
>> gpg --verify gearpump-0.8.1-incubating-src.tgz.asc gearpump-0.8.1-incubating-src.tgz
>> gpg: Signature made Fri 24 Jun 2016 03:07:40 PM PDT using RSA key ID E7DE27E3
>> gpg: Can't check signature: public key not found
>>
>>
>> - recv-key E7DE27E3 worked
>>
>> gpg: key E7DE27E3: public key "Kam Kasravi (CODE SIGNING KEY) <kamkasravi@apache.org>" imported
>> gpg: Total number processed: 1
>> gpg:               imported: 1  (RSA: 1)
>>
>>
>> - And now the signature check passes
>>
>> gpg: Signature made Fri 24 Jun 2016 03:07:40 PM PDT using RSA key ID E7DE27E3
>> gpg: Good signature from "Kam Kasravi (CODE SIGNING KEY) <kamkasravi@apache.org>"
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg:          There is no indication that the signature belongs to the owner.
>> Primary key fingerprint: 4FF1 FDB7 1079 F43F 132D  FBBB 5806 2555 E7DE 27E3
>>
>> I encourage Kam and everyone to go to an ApacheCon or the meetups of
>> other projects and get your keys signed by other Apache folks. Yes, I
>> should take my own advice... my code signing key has the same issue.
>>
>>
>> - MD5 and SHA1 checksum files match file sums
>>
>> - Archive unpacks and layout looks good
>>
>> - LICENSE file looks ok, except maybe the text of the SIL Open Font
>> License is missing?
>>
>> - Is the NOTICE file complete? "If the dependency supplies a NOTICE file,
>> its contents must be analyzed and the relevant portions bubbled up into the
>> top-level NOTICE file." (http://www.apache.org/dev/licensing-howto.html)
>> We don't want to add anything here not legally required, though. I'm
>> assuming you went through all of your dependencies and checked if they have
>> anything in a NOTICE file? If not let's do that.
>>
>> - I can't find build instructions on the website (eg.
>> http://gearpump.incubator.apache.org/how-to-contribute.html). They are
>> in the README.md, however.  How does one invoke 'sbt' such that it will
>> also run the Apache RAT tool?
>>
>> - What is
>> http://dl.bintray.com/fvunicorn/maven/org/apache/gearpump/gearpump-shaded-gs-collections/6.2.0/gearpump-shaded-gs-collections-6.2.0.jar
>> ? I'm not sure this will be fatal to the release candidate but this is
>> something that needs to be fixed. At the least it should be hosted on
>> Apache infrastructure somewhere. Ideally, the shading and staging of
>> gs-collections can be made part of the build so no need for a custom
>> artifact of gs-collections just for gearpump. Same for
>> gearpump-shaded-akka-kyro and anything like this I may have missed.
>>
>> - Some code builds against a downstream commercial derivative of an
>> Apache project, hosted on a third party repository. You should not be doing
>> this. If you depend on Hadoop, build against an Apache released version of
>> Hadoop.
>>
>> When ready to start a release candidate vote, Mnemonic recently ran a
>> vote, you can use that as an example.
>>
>> Vote thread: https://s.apache.org/NqCu
>>
>> Result: https://s.apache.org/wERS
>>
>>
>


-- 
Best regards,

   - Andy

Problems worthy of attack prove their worth by hitting back. - Piet Hein
(via Tom White)
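Added example, not part of the thread or of the Gearpump release script it mentions: the review above shows that "Good signature" arrives together with a WARNING that the key is not certified, so a release-verification step has to compare the printed primary key fingerprint against the fingerprint expected from the project's KEYS file, and separately check the MD5/SHA1 sum files. This Python helper does both on the gpg output quoted above (embedded as constructed sample text); the fingerprint allowlist and the checksum inputs are assumptions.

```python
import hashlib
import re

# Constructed samples: the gpg --verify output quoted in the review above,
# with each wrapped line joined back together.
GPG_MISSING_KEY = (
    "gpg: Signature made Fri 24 Jun 2016 03:07:40 PM PDT using RSA key ID E7DE27E3\n"
    "gpg: Can't check signature: public key not found\n"
)
GPG_GOOD_UNCERTIFIED = (
    "gpg: Signature made Fri 24 Jun 2016 03:07:40 PM PDT using RSA key ID E7DE27E3\n"
    'gpg: Good signature from "Kam Kasravi (CODE SIGNING KEY) <kamkasravi@apache.org>"\n'
    "gpg: WARNING: This key is not certified with a trusted signature!\n"
    "gpg:          There is no indication that the signature belongs to the owner.\n"
    "Primary key fingerprint: 4FF1 FDB7 1079 F43F 132D  FBBB 5806 2555 E7DE 27E3\n"
)

FPR_RE = re.compile(r"^Primary key fingerprint:\s*([0-9A-Fa-f ]+)$", re.M)


def normalize_fpr(fpr):
    """Drop gpg's display spacing so fingerprints compare byte-for-byte."""
    return fpr.replace(" ", "").upper()


def assess_signature(gpg_output, expected_fprs):
    """Classify gpg --verify output for a release artifact.

    Returns (status, fingerprint). 'missing-key': import KEYS / recv-key first.
    'bad': no Good signature line (or a BAD one). 'untrusted': good signature,
    but the primary fingerprint is not one expected from KEYS; the WARNING line
    means gpg cannot vouch for the key, so the allowlist has to. 'verified':
    good signature from an expected key.
    """
    if "Can't check signature: public key not found" in gpg_output:
        return "missing-key", None
    if "gpg: BAD signature" in gpg_output or "gpg: Good signature from" not in gpg_output:
        return "bad", None
    match = FPR_RE.search(gpg_output)
    fpr = normalize_fpr(match.group(1)) if match else None
    if fpr is None or fpr not in {normalize_fpr(f) for f in expected_fprs}:
        return "untrusted", fpr
    return "verified", fpr


def checksum_line_matches(sum_line, data, algorithm):
    """Check one '<hex digest>  <filename>' line (.md5/.sha1 file format) against data."""
    expected = sum_line.split()[0].lower()
    return hashlib.new(algorithm, data).hexdigest() == expected
```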
