gearpump-dev mailing list archives

From Kam Kasravi <kamkasr...@gmail.com>
Subject Re: release about ready
Date Tue, 28 Jun 2016 18:06:17 GMT
We'll add the rat tool as part of prepping the release.

On Mon, Jun 27, 2016 at 5:43 PM, Andrew Purtell <apurtell@apache.org> wrote:

> > You can run 'sbt dumpLicenseReport', which runs the equivalent of the
> RAT tool.
>
> I don't think so. Apache RAT does more than just report on licenses, it
> checks for Apache specific release policy compliance. Or did you mean that
> sbt's dumpLicenseReport is actually set up in your project to run Apache
> RAT?
>
> On Mon, Jun 27, 2016 at 5:23 PM, Kam Kasravi <kamkasravi@gmail.com> wrote:
>
>> Thanks Andy for going through RC0! Comments inline. I'll update and
>> upload back under RC0.
>>
>> > - I imported the KEYS file but then failed to find the signing key.
>> >
>> > gpg --verify gearpump-0.8.1-incubating-src.tgz.asc
>> gearpump-0.8.1-incubating-src.tgz
>> > gpg: Signature made Fri 24 Jun 2016 03:07:40 PM PDT using RSA key ID
>> E7DE27E3
>> > gpg: Can't check signature: public key not found
>> >
>> > - recv-key E7DE27E3 worked
>> >
>> > gpg: key E7DE27E3: public key "Kam Kasravi (CODE SIGNING KEY) <
>> kamkasravi@apache.org>" imported
>> > gpg: Total number processed: 1
>> > gpg:               imported: 1  (RSA: 1)
>> >
>> > - And now the signature check passes
>> >
>> > gpg: Signature made Fri 24 Jun 2016 03:07:40 PM PDT using RSA key ID
>> E7DE27E3
>> > gpg: Good signature from "Kam Kasravi (CODE SIGNING KEY) <
>> kamkasravi@apache.org>"
>> > gpg: WARNING: This key is not certified with a trusted signature!
>> > gpg:          There is no indication that the signature belongs to the
>> owner.
>> > Primary key fingerprint: 4FF1 FDB7 1079 F43F 132D  FBBB 5806 2555 E7DE
>> 27E3
>> >
>> > I encourage Kam and everyone to go to an ApacheCon or the meetups of
>> other projects and get your keys signed by other Apache folks. Yes, I
>> should take my own advice... my code signing key has the same issue.
>> > > - MD5 and SHA1 checksum files match file sums
>> >
>>
>> [Kam] I've updated KEYS to include the CODE SIGNING KEY. I also updated
>> our release shell script so it can also verify the signed artifacts
>> (dev-tools/create_apache_source_release.sh).
>>
>> > - Archive unpacks and layout looks good
>> >
>> > - LICENSE file looks ok, except maybe the text of the SIL Open Font
>> License is missing?
>>
>> [Kam] I'll add this.
>>
>> >
>> > - Is the NOTICE file complete? "If the dependency supplies a NOTICE
>> file, its contents must be analyzed and the relevant portions bubbled up
>> into the top-level NOTICE file." (
>> http://www.apache.org/dev/licensing-howto.html) We don't want to add
>> anything here not legally required, though. I'm assuming you went through
>> all of your dependencies and checked if they have anything in a NOTICE
>> file? If not let's do that.
>>
>> [Kam] For the source release I didn't - but best to do it now so
>> subsequent binary artifacts are correctly handled.
>>
>> > > - I can't find build instructions on the website (eg.
>> http://gearpump.incubator.apache.org/how-to-contribute.html). They are
>> in the README.md, however.  How does one invoke 'sbt' such that it will
>> also run the Apache RAT tool?
>>
>> [Kam] You can run 'sbt dumpLicenseReport', which runs the equivalent of
>> the RAT tool. The sbt plugin is here
>> https://github.com/sbt/sbt-license-report. I've updated the README.md.
>>
>> > > - What is
>> http://dl.bintray.com/fvunicorn/maven/org/apache/gearpump/gearpump-shaded-gs-collections/6.2.0/gearpump-shaded-gs-collections-6.2.0.jar
>> ? I'm not sure this will be fatal to the release candidate but this is
>> something that needs to be fixed. At the least it should be hosted on
>> Apache infrastructure somewhere. Ideally, the shading and staging of
>> gs-collections can be made part of the build so no need for a custom
>> artifact of gs-collections just for gearpump. Same for
>> gearpump-shaded-akka-kyro and anything like this I may have missed.
>>
>> [Kam] Flink also includes shaded jars. I'll follow their example.
>>
>> > > - Some code builds against a downstream commercial derivative of an
>> Apache project, hosted on a third party repository. You should not be doing
>> this. If you depend on Hadoop, build against an Apache released version of
>> Hadoop.
>>
>> [Kam] Got it. I'll update our Build.scala, rerun 'sbt dumpLicenseReport'
>> and reverify.
>>
>> > > When ready to start a release candidate vote, Mnemonic recently ran a
>> vote, you can use that as an example.
>> >
>> > Vote thread: https://s.apache.org/NqCu
>> >
>> > Result: https://s.apache.org/wERS
>>
>>
>> On Mon, Jun 27, 2016 at 3:52 PM, Andrew Purtell <apurtell@apache.org>
>> wrote:
>>
>>> Kam posted artifacts for 0.8.1 RC0 and asked me to take a look at them.
>>> Here are my notes:
>>>
>>> - I imported the KEYS file but then failed to find the signing key.
>>>
>>> gpg --verify gearpump-0.8.1-incubating-src.tgz.asc
>>> gearpump-0.8.1-incubating-src.tgz
>>> gpg: Signature made Fri 24 Jun 2016 03:07:40 PM PDT using RSA key ID
>>> E7DE27E3
>>> gpg: Can't check signature: public key not found
>>>
>>>
>>> - recv-key E7DE27E3 worked
>>>
>>> gpg: key E7DE27E3: public key "Kam Kasravi (CODE SIGNING KEY) <
>>> kamkasravi@apache.org>" imported
>>> gpg: Total number processed: 1
>>> gpg:               imported: 1  (RSA: 1)
>>>
>>>
>>> - And now the signature check passes
>>>
>>> gpg: Signature made Fri 24 Jun 2016 03:07:40 PM PDT using RSA key ID
>>> E7DE27E3
>>> gpg: Good signature from "Kam Kasravi (CODE SIGNING KEY) <
>>> kamkasravi@apache.org>"
>>> gpg: WARNING: This key is not certified with a trusted signature!
>>> gpg:          There is no indication that the signature belongs to the
>>> owner.
>>> Primary key fingerprint: 4FF1 FDB7 1079 F43F 132D  FBBB 5806 2555 E7DE
>>> 27E3
>>>
>>> I encourage Kam and everyone to go to an ApacheCon or the meetups of
>>> other projects and get your keys signed by other Apache folks. Yes, I
>>> should take my own advice... my code signing key has the same issue.
>>>
>>>
>>> - MD5 and SHA1 checksum files match file sums
>>>
>>> - Archive unpacks and layout looks good
>>>
>>> - LICENSE file looks ok, except maybe the text of the SIL Open Font
>>> License is missing?
>>>
>>> - Is the NOTICE file complete? "If the dependency supplies a NOTICE
>>> file, its contents must be analyzed and the relevant portions bubbled up
>>> into the top-level NOTICE file." (
>>> http://www.apache.org/dev/licensing-howto.html) We don't want to add
>>> anything here not legally required, though. I'm assuming you went through
>>> all of your dependencies and checked if they have anything in a NOTICE
>>> file? If not let's do that.
>>>
>>> - I can't find build instructions on the website (eg.
>>> http://gearpump.incubator.apache.org/how-to-contribute.html). They are
>>> in the README.md, however.  How does one invoke 'sbt' such that it will
>>> also run the Apache RAT tool?
>>>
>>> - What is
>>> http://dl.bintray.com/fvunicorn/maven/org/apache/gearpump/gearpump-shaded-gs-collections/6.2.0/gearpump-shaded-gs-collections-6.2.0.jar
>>> ? I'm not sure this will be fatal to the release candidate but this is
>>> something that needs to be fixed. At the least it should be hosted on
>>> Apache infrastructure somewhere. Ideally, the shading and staging of
>>> gs-collections can be made part of the build so no need for a custom
>>> artifact of gs-collections just for gearpump. Same for
>>> gearpump-shaded-akka-kyro and anything like this I may have missed.
>>>
>>> - Some code builds against a downstream commercial derivative of an
>>> Apache project, hosted on a third party repository. You should not be doing
>>> this. If you depend on Hadoop, build against an Apache released version of
>>> Hadoop.
>>>
>>> When ready to start a release candidate vote, Mnemonic recently ran a
>>> vote, you can use that as an example.
>>>
>>> Vote thread: https://s.apache.org/NqCu
>>>
>>> Result: https://s.apache.org/wERS
>>>
>>>
>>
>
>
> --
> Best regards,
>
>    - Andy
>
> Problems worthy of attack prove their worth by hitting back. - Piet Hein
> (via Tom White)
>
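The checks Andy walks through above (signature, fingerprint, MD5/SHA1 sidecars), as an added example that is not part of this thread or of the project's dev-tools/create_apache_source_release.sh; the gpg status lines and the stand-in tarball are constructed, the fingerprint is the one quoted in the review, and pinning that full VALIDSIG fingerprint to KEYS is the step that turns the "not certified with a trusted signature" warning into a real check.

```python
import hashlib
import tempfile
from pathlib import Path

# Fingerprint quoted in the review above, spaces removed: the value KEYS should publish.
EXPECTED_FPR = "4FF1FDB71079F43F132DFBBB58062555E7DE27E3"

# Constructed status-fd lines mirroring the review's gpg run (timestamp fields assumed).
SAMPLE_STATUS = """[GNUPG:] GOODSIG 58062555E7DE27E3 Kam Kasravi (CODE SIGNING KEY) <kamkasravi@apache.org>
[GNUPG:] VALIDSIG 4FF1FDB71079F43F132DFBBB58062555E7DE27E3 2016-06-24 1466806060 0 4 0 1 10 00 4FF1FDB71079F43F132DFBBB58062555E7DE27E3
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

def file_digest(path, algo):
    """Stream the artifact through hashlib so a large tarball is never read whole into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_sidecar(artifact, algo):
    """Check an Apache-style '<hex digest>  <filename>' sidecar (.md5 or .sha1) against the file."""
    expected = Path(f"{artifact}.{algo}").read_text().split()[0].lower()
    return expected == file_digest(artifact, algo)

def parse_gpg_status(status_text, expected_fpr):
    """Interpret 'gpg --status-fd 1 --verify' output; GOODSIG + TRUST_UNDEFINED is the review's warning case."""
    r = {"good_sig": False, "fingerprint": None, "matches_keys": False, "trusted": False}
    for line in status_text.splitlines():
        f = line.split()
        if len(f) < 2 or f[0] != "[GNUPG:]":
            continue
        if f[1] == "GOODSIG":
            r["good_sig"] = True
        elif f[1] == "VALIDSIG":
            r["fingerprint"] = f[2].upper()
            r["matches_keys"] = r["fingerprint"] == expected_fpr.replace(" ", "").upper()
        elif f[1] in ("TRUST_FULLY", "TRUST_ULTIMATE"):
            r["trusted"] = True
    return r

def make_sample_artifact(tamper=False):
    """Constructed stand-in for the source tarball with .md5/.sha1 sidecars; tamper=True corrupts the .md5."""
    path = Path(tempfile.mkdtemp()) / "gearpump-0.8.1-incubating-src.tgz"
    path.write_bytes(b"constructed placeholder for the source archive\n")
    for algo in ("md5", "sha1"):
        digest = "0" * 32 if tamper and algo == "md5" else file_digest(path, algo)
        Path(f"{path}.{algo}").write_text(f"{digest}  {path.name}\n")
    return path
```

Against a real candidate, feed `parse_gpg_status` the output of `gpg --status-fd 1 --verify <file>.asc <file>` and treat `matches_keys` as the pass condition; `trusted` only flips once the signing key has been certified in the local web of trust, which is exactly what the ApacheCon key-signing advice above is about.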
