gearpump-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jiang Weihua <whji...@outlook.com>
Subject Re: release about ready
Date Tue, 28 Jun 2016 02:27:28 GMT
+1 on this shading-on-fly solution.

在 16/6/28 上午9:25,“Manu Zhang”<owenzhang1990@gmail.com> 写入:

>
> What is
>
> http://dl.bintray.com/fvunicorn/maven/org/apache/gearpump/gearpump-shaded-gs-collections/6.2.0/gearpump-shaded-gs-collections-6.2.0.jar
> ? I'm not sure this will be fatal to the release candidate but this is
> something that needs to be fixed. At the least it should be hosted on
> Apache infrastructure somewhere. Ideally, the shading and staging of
> gs-collections can be made part of the build so no need for a custom
> artifact of gs-collections just for gearpump. Same for
> gearpump-shaded-akka-kyro and anything like this I may have missed.


Previously sbt didn't have shade so we make another repo with those
libraries shaded by maven.
Since sbt has shade now, we can try make gs-collections and other shaded
libraries part of the build.

On Tue, Jun 28, 2016 at 8:43 AM, Andrew Purtell <apurtell@apache.org> wrote:

> > You can run 'sbt dumpLicenseReport', which runs the equivalent of the RAT
> tool.
>
> I don't think so. Apache RAT does more than just report on licenses, it
> checks for Apache specific release policy compliance. Or did you mean that
> sbt's dumpLicenseReport is actually set up in your project to run Apache
> RAT?
>
> On Mon, Jun 27, 2016 at 5:23 PM, Kam Kasravi <kamkasravi@gmail.com> wrote:
>
> > Thanks Andy for going through RC0! Comments inline. I'll update and
> upload
> > back under RC0.
> >
> > > - I imported the KEYS file but then failed to find the signing key.
> > >
> > > gpg --verify gearpump-0.8.1-incubating-src.tgz.asc
> > gearpump-0.8.1-incubating-src.tgz
> > > gpg: Signature made Fri 24 Jun 2016 03:07:40 PM PDT using RSA key ID
> > E7DE27E3
> > > gpg: Can't check signature: public key not found
> > >
> > > - recv-key E7DE27E3 worked
> > >
> > > gpg: key E7DE27E3: public key "Kam Kasravi (CODE SIGNING KEY) <
> > kamkasravi@apache.org>" imported
> > > gpg: Total number processed: 1
> > > gpg:               imported: 1  (RSA: 1)
> > >
> > > - And now the signature check passes
> > >
> > > gpg: Signature made Fri 24 Jun 2016 03:07:40 PM PDT using RSA key ID
> > E7DE27E3
> > > gpg: Good signature from "Kam Kasravi (CODE SIGNING KEY) <
> > kamkasravi@apache.org>"
> > > gpg: WARNING: This key is not certified with a trusted signature!
> > > gpg:          There is no indication that the signature belongs to the
> > owner.
> > > Primary key fingerprint: 4FF1 FDB7 1079 F43F 132D  FBBB 5806 2555 E7DE
> > 27E3
> > >
> > > I encourage Kam and everyone to go to an ApacheCon or the meetups of
> > other projects and get your keys signed by other Apache folks. Yes, I
> > should take my own advice... my code signing key has the same issue.
> > > > - MD5 and SHA1 checksum files match file sums
> > >
> >
> > [Kam] I've updated KEYS to include the CODE SIGNING KEY. I also updated
> > our release shell script so it can also verify the signed artifacts
> > (dev-tools/create_apache_source_release.sh).
> >
> > > - Archive unpacks and layout looks good
> > >
> > > - LICENSE file looks ok, except maybe the text of the SIL Open Font
> > License is missing?
> >
> > [Kam] I'll add this.
> >
> > >
> > > - Is the NOTICE file complete? "If the dependency supplies a NOTICE
> > file, its contents must be analyzed and the relevant portions bubbled up
> > into the top-level NOTICE file." (
> > http://www.apache.org/dev/licensing-howto.html) We don't want to add
> > anything here not legally required, though. I'm assuming you went through
> > all of your dependencies and checked if they have anything in a NOTICE
> > file? If not let's do that.
> >
> > [Kam] For the source release I didn't - but best to do it now so
> > subsequent binary artifacts are correctly handled.
> >
> > > > - I can't find build instructions on the website (eg.
> > http://gearpump.incubator.apache.org/how-to-contribute.html). They are
> in
> > the README.md, however.  How does one invoke 'sbt' such that it will also
> > run the Apache RAT tool?
> >
> > [Kam] You can run 'sbt dumpLicenseReport', which runs the equivalent of
> > the RAT tool. The sbt plugin is here
> > https://github.com/sbt/sbt-license-report. I've updated the README.md.
> >
> > > > - What is
> >
> http://dl.bintray.com/fvunicorn/maven/org/apache/gearpump/gearpump-shaded-gs-collections/6.2.0/gearpump-shaded-gs-collections-6.2.0.jar
> > ? I'm not sure this will be fatal to the release candidate but this is
> > something that needs to be fixed. At the least it should be hosted on
> > Apache infrastructure somewhere. Ideally, the shading and staging of
> > gs-collections can be made part of the build so no need for a custom
> > artifact of gs-collections just for gearpump. Same for
> > gearpump-shaded-akka-kyro and anything like this I may have missed.
> >
> > [Kam] Fink also includes shaded jars. I'll follow their example.
> >
> > > > - Some code builds against a downstream commercial derivative of an
> > Apache project, hosted on a third party repository. You should not be
> doing
> > this. If you depend on Hadoop, build against an Apache released version
> of
> > Hadoop.
> >
> > [Kam] Got it. I'll update our Build.scala, rerun 'sbt dumpLicenseReport'
> > and reverify.
> >
> > > > When ready to start a release candidate vote, Mnemonic recently ran a
> > vote, you can use that as an example.
> > >
> > > Vote thread: https://s.apache.org/NqCu
> > >
> > > Result: https://s.apache.org/wERS
> >
> >
> > On Mon, Jun 27, 2016 at 3:52 PM, Andrew Purtell <apurtell@apache.org>
> > wrote:
> >
> >> Kam posted artifacts for 0.8.1 RC0 and asked me to take a look at them.
> >> Here are my notes:
> >>
> >> - I imported the KEYS file but then failed to find the signing key.
> >>
> >> gpg --verify gearpump-0.8.1-incubating-src.tgz.asc
> >> gearpump-0.8.1-incubating-src.tgz
> >> gpg: Signature made Fri 24 Jun 2016 03:07:40 PM PDT using RSA key ID
> >> E7DE27E3
> >> gpg: Can't check signature: public key not found
> >>
> >>
> >> - recv-key E7DE27E3 worked
> >>
> >> gpg: key E7DE27E3: public key "Kam Kasravi (CODE SIGNING KEY) <
> >> kamkasravi@apache.org>" imported
> >> gpg: Total number processed: 1
> >> gpg:               imported: 1  (RSA: 1)
> >>
> >>
> >> - And now the signature check passes
> >>
> >> gpg: Signature made Fri 24 Jun 2016 03:07:40 PM PDT using RSA key ID
> >> E7DE27E3
> >> gpg: Good signature from "Kam Kasravi (CODE SIGNING KEY) <
> >> kamkasravi@apache.org>"
> >> gpg: WARNING: This key is not certified with a trusted signature!
> >> gpg:          There is no indication that the signature belongs to the
> >> owner.
> >> Primary key fingerprint: 4FF1 FDB7 1079 F43F 132D  FBBB 5806 2555 E7DE
> >> 27E3
> >>
> >> I encourage Kam and everyone to go to an ApacheCon or the meetups of
> >> other projects and get your keys signed by other Apache folks. Yes, I
> >> should take my own advice... my code signing key has the same issue.
> >>
> >>
> >> - MD5 and SHA1 checksum files match file sums
> >>
> >> - Archive unpacks and layout looks good
> >>
> >> - LICENSE file looks ok, except maybe the text of the SIL Open Font
> >> License is missing?
> >>
> >> - Is the NOTICE file complete? "If the dependency supplies a NOTICE
> file,
> >> its contents must be analyzed and the relevant portions bubbled up into
> the
> >> top-level NOTICE file." (http://www.apache.org/dev/licensing-howto.html
> )
> >> We don't want to add anything here not legally required, though. I'm
> >> assuming you went through all of your dependencies and checked if they
> have
> >> anything in a NOTICE file? If not let's do that.
> >>
> >> - I can't find build instructions on the website (eg.
> >> http://gearpump.incubator.apache.org/how-to-contribute.html). They are
> >> in the README.md, however.  How does one invoke 'sbt' such that it will
> >> also run the Apache RAT tool?
> >>
> >> - What is
> >>
> http://dl.bintray.com/fvunicorn/maven/org/apache/gearpump/gearpump-shaded-gs-collections/6.2.0/gearpump-shaded-gs-collections-6.2.0.jar
> >> ? I'm not sure this will be fatal to the release candidate but this is
> >> something that needs to be fixed. At the least it should be hosted on
> >> Apache infrastructure somewhere. Ideally, the shading and staging of
> >> gs-collections can be made part of the build so no need for a custom
> >> artifact of gs-collections just for gearpump. Same for
> >> gearpump-shaded-akka-kyro and anything like this I may have missed.
> >>
> >> - Some code builds against a downstream commercial derivative of an
> >> Apache project, hosted on a third party repository. You should not be
> doing
> >> this. If you depend on Hadoop, build against an Apache released version
> of
> >> Hadoop.
> >>
> >> When ready to start a release candidate vote, Mnemonic recently ran a
> >> vote, you can use that as an example.
> >>
> >> Vote thread: https://s.apache.org/NqCu
> >>
> >> Result: https://s.apache.org/wERS
> >>
> >>
> >
>
>
> --
> Best regards,
>
>    - Andy
>
> Problems worthy of attack prove their worth by hitting back. - Piet Hein
> (via Tom White)
>



Mime
View raw message