gearpump-dev mailing list archives

From Kam Kasravi <kamkasr...@gmail.com>
Subject Re: release about ready
Date Tue, 28 Jun 2016 03:06:57 GMT
Manu

Rebase from https://github.com/apache/incubator-gearpump/pull/47 so you
pick up the latest.

Thanks
Kam

On Mon, Jun 27, 2016 at 7:27 PM, Jiang Weihua <whjiang@outlook.com> wrote:

> +1 on this shading-on-fly solution.
>
> On 16/6/28 at 9:25 AM, "Manu Zhang" <owenzhang1990@gmail.com> wrote:
>
> >
> > What is
> > http://dl.bintray.com/fvunicorn/maven/org/apache/gearpump/gearpump-shaded-gs-collections/6.2.0/gearpump-shaded-gs-collections-6.2.0.jar
> > ? I'm not sure this will be fatal to the release candidate but this is
> > something that needs to be fixed. At the least it should be hosted on
> > Apache infrastructure somewhere. Ideally, the shading and staging of
> > gs-collections can be made part of the build so no need for a custom
> > artifact of gs-collections just for gearpump. Same for
> > gearpump-shaded-akka-kryo and anything like this I may have missed.
>
>
> Previously sbt didn't have shade so we made another repo with those
> libraries shaded by maven.
> Since sbt has shade now, we can try to make gs-collections and other shaded
> libraries part of the build.
>
> On Tue, Jun 28, 2016 at 8:43 AM, Andrew Purtell <apurtell@apache.org> wrote:
>
> > > You can run 'sbt dumpLicenseReport', which runs the equivalent of the RAT
> > > tool.
> >
> > I don't think so. Apache RAT does more than just report on licenses, it
> > checks for Apache specific release policy compliance. Or did you mean that
> > sbt's dumpLicenseReport is actually set up in your project to run Apache
> > RAT?
> >
> > On Mon, Jun 27, 2016 at 5:23 PM, Kam Kasravi <kamkasravi@gmail.com> wrote:
> >
> > > Thanks Andy for going through RC0! Comments inline. I'll update and upload
> > > back under RC0.
> > >
> > > > - I imported the KEYS file but then failed to find the signing key.
> > > >
> > > > gpg --verify gearpump-0.8.1-incubating-src.tgz.asc gearpump-0.8.1-incubating-src.tgz
> > > > gpg: Signature made Fri 24 Jun 2016 03:07:40 PM PDT using RSA key ID E7DE27E3
> > > > gpg: Can't check signature: public key not found
> > > >
> > > > - recv-key E7DE27E3 worked
> > > >
> > > > gpg: key E7DE27E3: public key "Kam Kasravi (CODE SIGNING KEY) <kamkasravi@apache.org>" imported
> > > > gpg: Total number processed: 1
> > > > gpg:               imported: 1  (RSA: 1)
> > > >
> > > > - And now the signature check passes
> > > >
> > > > gpg: Signature made Fri 24 Jun 2016 03:07:40 PM PDT using RSA key ID E7DE27E3
> > > > gpg: Good signature from "Kam Kasravi (CODE SIGNING KEY) <kamkasravi@apache.org>"
> > > > gpg: WARNING: This key is not certified with a trusted signature!
> > > > gpg:          There is no indication that the signature belongs to the owner.
> > > > Primary key fingerprint: 4FF1 FDB7 1079 F43F 132D  FBBB 5806 2555 E7DE 27E3
> > > >
> > > > I encourage Kam and everyone to go to an ApacheCon or the meetups of
> > > > other projects and get your keys signed by other Apache folks. Yes, I
> > > > should take my own advice... my code signing key has the same issue.
> > > >
> > > > - MD5 and SHA1 checksum files match file sums
> > > >
> > >
> > > [Kam] I've updated KEYS to include the CODE SIGNING KEY. I also updated
> > > our release shell script so it can also verify the signed artifacts
> > > (dev-tools/create_apache_source_release.sh).
> > >
> > > > - Archive unpacks and layout looks good
> > > >
> > > > - LICENSE file looks ok, except maybe the text of the SIL Open Font
> > > > License is missing?
> > >
> > > [Kam] I'll add this.
> > >
> > > >
> > > > - Is the NOTICE file complete? "If the dependency supplies a NOTICE
> > > > file, its contents must be analyzed and the relevant portions bubbled up
> > > > into the top-level NOTICE file." (http://www.apache.org/dev/licensing-howto.html)
> > > > We don't want to add anything here not legally required, though. I'm
> > > > assuming you went through all of your dependencies and checked if they
> > > > have anything in a NOTICE file? If not let's do that.
> > >
> > > [Kam] For the source release I didn't - but best to do it now so
> > > subsequent binary artifacts are correctly handled.
> > >
> > > > - I can't find build instructions on the website (eg.
> > > > http://gearpump.incubator.apache.org/how-to-contribute.html). They are in
> > > > the README.md, however.  How does one invoke 'sbt' such that it will also
> > > > run the Apache RAT tool?
> > >
> > > [Kam] You can run 'sbt dumpLicenseReport', which runs the equivalent of
> > > the RAT tool. The sbt plugin is here
> > > https://github.com/sbt/sbt-license-report. I've updated the README.md.
> > >
> > > > - What is
> > > > http://dl.bintray.com/fvunicorn/maven/org/apache/gearpump/gearpump-shaded-gs-collections/6.2.0/gearpump-shaded-gs-collections-6.2.0.jar
> > > > ? I'm not sure this will be fatal to the release candidate but this is
> > > > something that needs to be fixed. At the least it should be hosted on
> > > > Apache infrastructure somewhere. Ideally, the shading and staging of
> > > > gs-collections can be made part of the build so no need for a custom
> > > > artifact of gs-collections just for gearpump. Same for
> > > > gearpump-shaded-akka-kryo and anything like this I may have missed.
> > >
> > > [Kam] Flink also includes shaded jars. I'll follow their example.
> > >
> > > > - Some code builds against a downstream commercial derivative of an
> > > > Apache project, hosted on a third party repository. You should not be doing
> > > > this. If you depend on Hadoop, build against an Apache released version of
> > > > Hadoop.
> > >
> > > [Kam] Got it. I'll update our Build.scala, rerun 'sbt dumpLicenseReport'
> > > and reverify.
> > >
> > > > When ready to start a release candidate vote, Mnemonic recently ran a
> > > > vote, you can use that as an example.
> > > >
> > > > Vote thread: https://s.apache.org/NqCu
> > > >
> > > > Result: https://s.apache.org/wERS
> > >
> > >
> > > On Mon, Jun 27, 2016 at 3:52 PM, Andrew Purtell <apurtell@apache.org> wrote:
> > >
> > >> Kam posted artifacts for 0.8.1 RC0 and asked me to take a look at them.
> > >> Here are my notes:
> > >>
> > >> - I imported the KEYS file but then failed to find the signing key.
> > >>
> > >> gpg --verify gearpump-0.8.1-incubating-src.tgz.asc gearpump-0.8.1-incubating-src.tgz
> > >> gpg: Signature made Fri 24 Jun 2016 03:07:40 PM PDT using RSA key ID E7DE27E3
> > >> gpg: Can't check signature: public key not found
> > >>
> > >>
> > >> - recv-key E7DE27E3 worked
> > >>
> > >> gpg: key E7DE27E3: public key "Kam Kasravi (CODE SIGNING KEY) <kamkasravi@apache.org>" imported
> > >> gpg: Total number processed: 1
> > >> gpg:               imported: 1  (RSA: 1)
> > >>
> > >>
> > >> - And now the signature check passes
> > >>
> > >> gpg: Signature made Fri 24 Jun 2016 03:07:40 PM PDT using RSA key ID E7DE27E3
> > >> gpg: Good signature from "Kam Kasravi (CODE SIGNING KEY) <kamkasravi@apache.org>"
> > >> gpg: WARNING: This key is not certified with a trusted signature!
> > >> gpg:          There is no indication that the signature belongs to the owner.
> > >> Primary key fingerprint: 4FF1 FDB7 1079 F43F 132D  FBBB 5806 2555 E7DE 27E3
> > >>
> > >> I encourage Kam and everyone to go to an ApacheCon or the meetups of
> > >> other projects and get your keys signed by other Apache folks. Yes, I
> > >> should take my own advice... my code signing key has the same issue.
> > >>
> > >>
> > >> - MD5 and SHA1 checksum files match file sums
> > >>
> > >> - Archive unpacks and layout looks good
> > >>
> > >> - LICENSE file looks ok, except maybe the text of the SIL Open Font
> > >> License is missing?
> > >>
> > >> - Is the NOTICE file complete? "If the dependency supplies a NOTICE file,
> > >> its contents must be analyzed and the relevant portions bubbled up into the
> > >> top-level NOTICE file." (http://www.apache.org/dev/licensing-howto.html)
> > >> We don't want to add anything here not legally required, though. I'm
> > >> assuming you went through all of your dependencies and checked if they have
> > >> anything in a NOTICE file? If not let's do that.
> > >>
> > >> - I can't find build instructions on the website (eg.
> > >> http://gearpump.incubator.apache.org/how-to-contribute.html). They are
> > >> in the README.md, however.  How does one invoke 'sbt' such that it will
> > >> also run the Apache RAT tool?
> > >>
> > >> - What is
> > >> http://dl.bintray.com/fvunicorn/maven/org/apache/gearpump/gearpump-shaded-gs-collections/6.2.0/gearpump-shaded-gs-collections-6.2.0.jar
> > >> ? I'm not sure this will be fatal to the release candidate but this is
> > >> something that needs to be fixed. At the least it should be hosted on
> > >> Apache infrastructure somewhere. Ideally, the shading and staging of
> > >> gs-collections can be made part of the build so no need for a custom
> > >> artifact of gs-collections just for gearpump. Same for
> > >> gearpump-shaded-akka-kryo and anything like this I may have missed.
> > >>
> > >> - Some code builds against a downstream commercial derivative of an
> > >> Apache project, hosted on a third party repository. You should not be doing
> > >> this. If you depend on Hadoop, build against an Apache released version of
> > >> Hadoop.
> > >>
> > >> When ready to start a release candidate vote, Mnemonic recently ran a
> > >> vote, you can use that as an example.
> > >>
> > >> Vote thread: https://s.apache.org/NqCu
> > >>
> > >> Result: https://s.apache.org/wERS
> > >>
> > >>
> > >
> >
> >
> > --
> > Best regards,
> >
> >    - Andy
> >
> > Problems worthy of attack prove their worth by hitting back. - Piet Hein
> > (via Tom White)
> >
>
>
>
>
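
The signature check from the quoted gpg session, written as a script (an added example, not part of the original thread and not the project's dev-tools/create_apache_source_release.sh). It imports only the KEYS file into a throwaway keyring and compares the full fingerprint printed in the thread against gpg's machine-readable status output; the script name verify.sh, the function names and the sample status lines are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): accept a release signature only when it
# was made by one pinned primary key, using nothing but the project's KEYS file.

# Full fingerprint as printed in the gpg output quoted above, spaces removed.
# Pinning all 40 hex digits avoids relying on the 8-digit key ID E7DE27E3 alone.
EXPECTED_FPR="4FF1FDB71079F43F132DFBBB58062555E7DE27E3"

# status_ok FPR: read `gpg --status-fd` lines on stdin. Succeeds only if a
# VALIDSIG line names FPR as the primary key and no failure line is present.
status_ok() {
  local want="$1" rc=1 line
  while IFS= read -r line; do
    case "$line" in
      "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*|\
      "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
        return 1 ;;
      "[GNUPG:] VALIDSIG "*)
        # The last field of VALIDSIG is the primary key fingerprint.
        if [ "${line##* }" = "$want" ]; then rc=0; fi ;;
    esac
  done
  return "$rc"
}

# verify_release KEYS SIG FILE: import KEYS into a throwaway keyring, so keys
# already in ~/.gnupg or fetched from a keyserver cannot satisfy the check.
verify_release() {
  local home rc
  home="$(mktemp -d)" || return 1
  gpg --homedir "$home" --batch --quiet --import "$1" 2>/dev/null &&
    gpg --homedir "$home" --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null |
      status_ok "$EXPECTED_FPR"
  rc=$?
  rm -rf "$home"
  return "$rc"
}

# Constructed status lines (timestamp invented) for trying status_ok without gpg.
SAMPLE_STATUS="[GNUPG:] GOODSIG 58062555E7DE27E3 Kam Kasravi (CODE SIGNING KEY) <kamkasravi@apache.org>
[GNUPG:] VALIDSIG $EXPECTED_FPR 2016-06-24 1466806060 0 4 0 1 2 00 $EXPECTED_FPR"

# Usage: sh verify.sh KEYS gearpump-0.8.1-incubating-src.tgz.asc gearpump-0.8.1-incubating-src.tgz
if [ "$#" -eq 3 ]; then
  verify_release "$@" && echo "signature OK for pinned key" || { echo "REJECTED" >&2; exit 1; }
fi
```

Run against a KEYS file that lacks the signing key, this fails the same way the first gpg attempt in the thread did, instead of falling back to a keyserver lookup.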
