gearpump-dev mailing list archives

From Kam Kasravi <kamkasr...@gmail.com>
Subject Re: release about ready
Date Thu, 30 Jun 2016 23:34:00 GMT
Got it. thx.

On Thu, Jun 30, 2016 at 3:38 PM, Andrew Purtell <apurtell@apache.org> wrote:

> What I see done customarily is tagging of release candidates as e.g.
> "0.8.1RC0" with a subsequent push of that tag.
>
> $ git tag -m"0.8.1RC0" 0.8.1RC0
> $ git push --tags
>
>
> Once a candidate is voted to become a release, then add another tag in the
> permanent rel/ namespace, e.g.
>
> $ git checkout 0.8.1RC0
> $ git tag -m"0.8.1" rel/0.8.1
> $ git push --tags
>
>
>
> On Thu, Jun 30, 2016 at 3:34 PM, Kam Kasravi <kamkasravi@gmail.com> wrote:
>
> > Andy
> >
> > Quick question based on mnemonic's VOTE
> > (http://mail-archives.apache.org/mod_mbox/incubator-general/201605.mbox/%3C573CE75B.5030404%40apache.org%3E)
> > It looks like both the commit hash and tag need to be committed in
> > git-wip-us.apache.org. IMO this seems to be a bit of the chicken vs egg
> > conundrum.
> > Committing a tag and hash before VOTE means these may need to be reapplied
> > if the VOTE fails.
> > I assume this is ok (someone not knowing a VOTE was in progress could
> > checkout by TAG which could change later if the VOTE fails).
> >
> > Kam
> >
> >
> > On Thu, Jun 30, 2016 at 2:47 PM, Andrew Purtell <apurtell@apache.org> wrote:
> >
> > > Sounds like great progress. Let's start a candidate release vote!
> > >
> > > I'll give it a good looking over before casting my vote.
> > >
> > > We have a long holiday weekend coming up in the US. You might want to
> > > extend the vote beyond the customary 72 hours into next week.
> > >
> > >
> > > On Thu, Jun 30, 2016 at 2:44 PM, Kam Kasravi <kamkasravi@gmail.com> wrote:
> > >
> > >> Hi Andy
> > >>
> > >> I've updated KEYS and files in RC0 with updates as suggested (see
> > >> https://dist.apache.org/repos/dist/dev/incubator/gearpump/)
> > >> Updates include:
> > >>
> > >> KEYS file now includes code signing key
> > >>
> > >> LICENSE file now includes SIL Font license
> > >>
> > >> NOTICE file looks to be complete for source only release
> > >>
> > >> Rat tool is run as part of a bash script in dev-tools (assumes RAT has
> > >> been built in a peer directory). It has been run and noted files have had
> > >> the apache 2.0 license added (mostly .js, .html files)
> > >>
> > >> Shaded libraries are now included as part of the build and not included
> > >> from elsewhere
> > >>
> > >> Repos providing commercial derivatives of apache projects (eg cloudera)
> > >> have been replaced with the apache repo:
> > >> https://repository.apache.org/content/repositories
> > >>
> > >> For later releases which include binary artifacts, it's clear that we'll
> > >> need separate LICENSE, NOTICE files for each artifact. For this source
> > >> release I think we're getting fairly close. If the updates checkout by you
> > >> I can start a candidate release vote.
> > >>
> > >> Thanks
> > >> Kam
> > >>
> > >> On Tue, Jun 28, 2016 at 11:06 AM, Kam Kasravi <kamkasravi@gmail.com> wrote:
> > >>
> > >>> We'll add the rat tool as part of prepping the release.
> > >>>
> > >>> On Mon, Jun 27, 2016 at 5:43 PM, Andrew Purtell <apurtell@apache.org> wrote:
> > >>>
> > >>>> > You can run 'sbt dumpLicenseReport', which runs the equivalent of
> > >>>> > the RAT tool.
> > >>>>
> > >>>> I don't think so. Apache RAT does more than just report on licenses, it
> > >>>> checks for Apache specific release policy compliance. Or did you mean that
> > >>>> sbt's dumpLicenseReport is actually set up in your project to run Apache
> > >>>> RAT?
> > >>>>
> > >>>> On Mon, Jun 27, 2016 at 5:23 PM, Kam Kasravi <kamkasravi@gmail.com> wrote:
> > >>>>
> > >>>>> Thanks Andy for going through RC0! Comments inline. I'll update and
> > >>>>> upload back under RC0.
> > >>>>>
> > >>>>> > - I imported the KEYS file but then failed to find the signing key.
> > >>>>> >
> > >>>>> > gpg --verify gearpump-0.8.1-incubating-src.tgz.asc gearpump-0.8.1-incubating-src.tgz
> > >>>>> > gpg: Signature made Fri 24 Jun 2016 03:07:40 PM PDT using RSA key ID E7DE27E3
> > >>>>> > gpg: Can't check signature: public key not found
> > >>>>> >
> > >>>>> > - recv-key E7DE27E3 worked
> > >>>>> >
> > >>>>> > gpg: key E7DE27E3: public key "Kam Kasravi (CODE SIGNING KEY) <kamkasravi@apache.org>" imported
> > >>>>> > gpg: Total number processed: 1
> > >>>>> > gpg:               imported: 1  (RSA: 1)
> > >>>>> >
> > >>>>> > - And now the signature check passes
> > >>>>> >
> > >>>>> > gpg: Signature made Fri 24 Jun 2016 03:07:40 PM PDT using RSA key ID E7DE27E3
> > >>>>> > gpg: Good signature from "Kam Kasravi (CODE SIGNING KEY) <kamkasravi@apache.org>"
> > >>>>> > gpg: WARNING: This key is not certified with a trusted signature!
> > >>>>> > gpg:          There is no indication that the signature belongs to the owner.
> > >>>>> > Primary key fingerprint: 4FF1 FDB7 1079 F43F 132D  FBBB 5806 2555 E7DE 27E3
> > >>>>> >
> > >>>>> > I encourage Kam and everyone to go to an ApacheCon or the meetups of
> > >>>>> > other projects and get your keys signed by other Apache folks. Yes, I
> > >>>>> > should take my own advice... my code signing key has the same issue.
> > >>>>> >
> > >>>>> > - MD5 and SHA1 checksum files match file sums
> > >>>>> >
> > >>>>>
> > >>>>> [Kam] I've updated KEYS to include the CODE SIGNING KEY. I also
> > >>>>> updated our release shell script so it can also verify the signed
> > >>>>> artifacts (dev-tools/create_apache_source_release.sh).
> > >>>>>
> > >>>>> > - Archive unpacks and layout looks good
> > >>>>> >
> > >>>>> > - LICENSE file looks ok, except maybe the text of the SIL Open Font
> > >>>>> > License is missing?
> > >>>>>
> > >>>>> [Kam] I'll add this.
> > >>>>>
> > >>>>> >
> > >>>>> > - Is the NOTICE file complete? "If the dependency supplies a NOTICE
> > >>>>> > file, its contents must be analyzed and the relevant portions bubbled up
> > >>>>> > into the top-level NOTICE file."
> > >>>>> > (http://www.apache.org/dev/licensing-howto.html) We don't want to add
> > >>>>> > anything here not legally required, though. I'm assuming you went through
> > >>>>> > all of your dependencies and checked if they have anything in a NOTICE
> > >>>>> > file? If not let's do that.
> > >>>>>
> > >>>>> [Kam] For the source release I didn't - but best to do it now so
> > >>>>> subsequent binary artifacts are correctly handled.
> > >>>>>
> > >>>>> >
> > >>>>> > - I can't find build instructions on the website (eg.
> > >>>>> > http://gearpump.incubator.apache.org/how-to-contribute.html). They
> > >>>>> > are in the README.md, however.  How does one invoke 'sbt' such that it will
> > >>>>> > also run the Apache RAT tool?
> > >>>>>
> > >>>>> [Kam] You can run 'sbt dumpLicenseReport', which runs the equivalent
> > >>>>> of the RAT tool. The sbt plugin is here
> > >>>>> https://github.com/sbt/sbt-license-report. I've updated the README.md.
> > >>>>>
> > >>>>> >
> > >>>>> > - What is
> > >>>>> > http://dl.bintray.com/fvunicorn/maven/org/apache/gearpump/gearpump-shaded-gs-collections/6.2.0/gearpump-shaded-gs-collections-6.2.0.jar
> > >>>>> > ? I'm not sure this will be fatal to the release candidate but this is
> > >>>>> > something that needs to be fixed. At the least it should be hosted on
> > >>>>> > Apache infrastructure somewhere. Ideally, the shading and staging of
> > >>>>> > gs-collections can be made part of the build so no need for a custom
> > >>>>> > artifact of gs-collections just for gearpump. Same for
> > >>>>> > gearpump-shaded-akka-kyro and anything like this I may have missed.
> > >>>>>
> > >>>>> [Kam] Flink also includes shaded jars. I'll follow their example.
> > >>>>>
> > >>>>> >
> > >>>>> > - Some code builds against a downstream commercial derivative of
> > >>>>> > an Apache project, hosted on a third party repository. You should not be
> > >>>>> > doing this. If you depend on Hadoop, build against an Apache released
> > >>>>> > version of Hadoop.
> > >>>>>
> > >>>>> [Kam] Got it. I'll update our Build.scala, rerun
> > >>>>> 'sbt dumpLicenseReport' and reverify.
> > >>>>>
> > >>>>> >
> > >>>>> > When ready to start a release candidate vote, Mnemonic recently
> > >>>>> > ran a vote, you can use that as an example.
> > >>>>> >
> > >>>>> > Vote thread: https://s.apache.org/NqCu
> > >>>>> >
> > >>>>> > Result: https://s.apache.org/wERS
> > >>>>>
> > >>>>> On Mon, Jun 27, 2016 at 3:52 PM, Andrew Purtell <apurtell@apache.org> wrote:
> > >>>>>
> > >>>>>> Kam posted artifacts for 0.8.1 RC0 and asked me to take a look at
> > >>>>>> them. Here are my notes:
> > >>>>>>
> > >>>>>> - I imported the KEYS file but then failed to find the signing key.
> > >>>>>>
> > >>>>>> gpg --verify gearpump-0.8.1-incubating-src.tgz.asc gearpump-0.8.1-incubating-src.tgz
> > >>>>>> gpg: Signature made Fri 24 Jun 2016 03:07:40 PM PDT using RSA key ID E7DE27E3
> > >>>>>> gpg: Can't check signature: public key not found
> > >>>>>>
> > >>>>>>
> > >>>>>> - recv-key E7DE27E3 worked
> > >>>>>>
> > >>>>>> gpg: key E7DE27E3: public key "Kam Kasravi (CODE SIGNING KEY) <kamkasravi@apache.org>" imported
> > >>>>>> gpg: Total number processed: 1
> > >>>>>> gpg:               imported: 1  (RSA: 1)
> > >>>>>>
> > >>>>>>
> > >>>>>> - And now the signature check passes
> > >>>>>>
> > >>>>>> gpg: Signature made Fri 24 Jun 2016 03:07:40 PM PDT using RSA key ID E7DE27E3
> > >>>>>> gpg: Good signature from "Kam Kasravi (CODE SIGNING KEY) <kamkasravi@apache.org>"
> > >>>>>> gpg: WARNING: This key is not certified with a trusted signature!
> > >>>>>> gpg:          There is no indication that the signature belongs to the owner.
> > >>>>>> Primary key fingerprint: 4FF1 FDB7 1079 F43F 132D  FBBB 5806 2555 E7DE 27E3
> > >>>>>>
> > >>>>>> I encourage Kam and everyone to go to an ApacheCon or the meetups of
> > >>>>>> other projects and get your keys signed by other Apache folks. Yes, I
> > >>>>>> should take my own advice... my code signing key has the same issue.
> > >>>>>>
> > >>>>>>
> > >>>>>> - MD5 and SHA1 checksum files match file sums
> > >>>>>>
> > >>>>>> - Archive unpacks and layout looks good
> > >>>>>>
> > >>>>>> - LICENSE file looks ok, except maybe the text of the SIL Open Font
> > >>>>>> License is missing?
> > >>>>>>
> > >>>>>> - Is the NOTICE file complete? "If the dependency supplies a NOTICE
> > >>>>>> file, its contents must be analyzed and the relevant portions bubbled up
> > >>>>>> into the top-level NOTICE file."
> > >>>>>> (http://www.apache.org/dev/licensing-howto.html) We don't want to add
> > >>>>>> anything here not legally required, though. I'm assuming you went through
> > >>>>>> all of your dependencies and checked if they have anything in a NOTICE
> > >>>>>> file? If not let's do that.
> > >>>>>>
> > >>>>>> - I can't find build instructions on the website (eg.
> > >>>>>> http://gearpump.incubator.apache.org/how-to-contribute.html). They
> > >>>>>> are in the README.md, however.  How does one invoke 'sbt' such that it will
> > >>>>>> also run the Apache RAT tool?
> > >>>>>>
> > >>>>>> - What is
> > >>>>>> http://dl.bintray.com/fvunicorn/maven/org/apache/gearpump/gearpump-shaded-gs-collections/6.2.0/gearpump-shaded-gs-collections-6.2.0.jar
> > >>>>>> ? I'm not sure this will be fatal to the release candidate but this is
> > >>>>>> something that needs to be fixed. At the least it should be hosted on
> > >>>>>> Apache infrastructure somewhere. Ideally, the shading and staging of
> > >>>>>> gs-collections can be made part of the build so no need for a custom
> > >>>>>> artifact of gs-collections just for gearpump. Same for
> > >>>>>> gearpump-shaded-akka-kyro and anything like this I may have missed.
> > >>>>>>
> > >>>>>> - Some code builds against a downstream commercial derivative of an
> > >>>>>> Apache project, hosted on a third party repository. You should not be doing
> > >>>>>> this. If you depend on Hadoop, build against an Apache released version of
> > >>>>>> Hadoop.
> > >>>>>>
> > >>>>>> When ready to start a release candidate vote, Mnemonic recently ran a
> > >>>>>> vote, you can use that as an example.
> > >>>>>>
> > >>>>>> Vote thread: https://s.apache.org/NqCu
> > >>>>>>
> > >>>>>> Result: https://s.apache.org/wERS
> > >>>>>>
> > >>>>>>
> > >>>>>
> > >>>>
> > >>>>
> > >>>> --
> > >>>> Best regards,
> > >>>>
> > >>>>    - Andy
> > >>>>
> > >>>> Problems worthy of attack prove their worth by hitting back. - Piet
> > >>>> Hein (via Tom White)
> > >>>>
> > >>>
> > >>>
> > >>
> > >
> > >
> > > --
> > > Best regards,
> > >
> > >    - Andy
> > >
> > > Problems worthy of attack prove their worth by hitting back. - Piet Hein
> > > (via Tom White)
> > >
> >
>
>
>
> --
> Best regards,
>
>    - Andy
>
> Problems worthy of attack prove their worth by hitting back. - Piet Hein
> (via Tom White)
>
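
Added example, not part of the thread or of Gearpump's dev-tools scripts: the signature check from the RC0 review, done against the KEYS file alone in a throwaway keyring and pinned to the fingerprint gpg printed in the thread. The function names and the sample status lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: accept a release signature only if it validates against the
# project's KEYS file alone and comes from the expected primary key.

# Fingerprint as printed by gpg in the thread, spaces removed.
EXPECTED_FPR="4FF1FDB71079F43F132DFBBB58062555E7DE27E3"

# check_status FPR: read `gpg --status-fd` lines on stdin. Succeed only if a
# VALIDSIG line ends with FPR (its last field is the primary key fingerprint)
# and no BADSIG/ERRSIG/NO_PUBKEY line is present.
check_status() {
  awk -v want="$1" '
    $1 != "[GNUPG:]" { next }
    $2 == "VALIDSIG" && $NF == want { ok = 1 }
    $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "NO_PUBKEY" { bad = 1 }
    END { exit (ok && !bad) ? 0 : 1 }'
}

# verify_release KEYS SIG FILE: import only KEYS into a throwaway keyring, so
# a key fetched earlier from a keyserver cannot hide a KEYS file that lacks
# the signer. Runs in a subshell so the trap and variables stay local.
verify_release() (
  home=$(mktemp -d) || exit 1
  trap 'rm -rf "$home"' EXIT
  gpg --homedir "$home" --batch --quiet --import "$1" 2>/dev/null || exit 1
  gpg --homedir "$home" --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null |
    check_status "$EXPECTED_FPR"
)

# Constructed status output (not captured from a real run) for the two
# outcomes in the thread, plus a valid signature from an unexpected key.
sample_missing_key() {
  printf '%s\n' \
    '[GNUPG:] ERRSIG 58062555E7DE27E3 1 2 00 1466806060 9' \
    '[GNUPG:] NO_PUBKEY 58062555E7DE27E3'
}
sample_good() {
  printf '%s\n' \
    '[GNUPG:] GOODSIG 58062555E7DE27E3 Kam Kasravi (CODE SIGNING KEY) <kamkasravi@apache.org>' \
    "[GNUPG:] VALIDSIG $EXPECTED_FPR 2016-06-24 1466806060 0 4 0 1 2 00 $EXPECTED_FPR" \
    '[GNUPG:] TRUST_UNDEFINED'
}
sample_other_key() {
  fpr=0000000000000000000000000000000000000000  # placeholder fingerprint
  printf '%s\n' "[GNUPG:] VALIDSIG $fpr 2016-06-24 1466806060 0 4 0 1 2 00 $fpr"
}
```

A pass here does not remove the "not certified with a trusted signature" warning quoted above: the pin is only as good as the channel the fingerprint was obtained through.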
