incubator-general mailing list archives

From Josh Elser <els...@apache.org>
Subject Re: [VOTE] Releasing Apache Metron 0.2.0BETA-RC3
Date Wed, 17 Aug 2016 16:39:17 GMT
Casey,

Thanks so much for the quick turn-around on JIRA issues. Great to see :)

Re: findbug's jsr305 jar, yup, that is precisely the confusion I have 
with it. I would encourage use of 
https://github.com/stephenc/findbugs-annotations/ just to avoid any 
potential issues. This person has done a few clean-room impls which are 
ASLv2 licensed which are super helpful. I know of two projects now which 
have successfully swapped these jars and have not faced any issues.

- Josh

Casey Stella wrote:
> Josh,
>
> You are of course correct on all points.
>
>     - We neglected to be careful about the implications of binary bundling
>     and transitive dependencies (JIRA
>     <https://issues.apache.org/jira/browse/METRON-374>).
>     - It's a good idea to use ephemeral ports on our integration test
>     components (JIRA <https://issues.apache.org/jira/browse/METRON-375>).
>     - We should correct the issues with the webpage (JIRA
>     <https://issues.apache.org/jira/browse/METRON-376>)
>
> Regarding Findbugs, if you open up the pom
> <http://central.maven.org/maven2/com/google/code/findbugs/jsr305/1.3.9/jsr305-1.3.9.pom>
> from com.google.code.findbugs:jsr305-1.3.9 the ASLv2 is referenced.  That
> being said, it's pretty clear that findbugs itself is lgpl, so I am also
> confused.  Regardless, a more careful inspection and handling of our
> transitive dependencies is obviously called for.  Thanks for the careful
> attention. :)
>
> Casey
>
> On Wed, Aug 17, 2016 at 1:27 AM, Josh Elser <elserj@apache.org> wrote:
>
>> +1 with reservations (binding)
>>
>> * DISCLAIMER present
>> * LICENSE/NOTICE seem reasonable
>> * xsums/sigs OK
>> * Can build from source
>> * Unit tests pass (after I stopped my local hbase instance, maybe you
>> could use random ports from the ephemeral range for your test services
>> instead of the default service ports)
>> * Integration tests didn't (I stopped after a failure in
>> BulkLoadMapperIntegrationTest)
>> * Tag is deployed and matches VOTE
>> * Overly aggressive RAT exclusions, but it passes and seems ok. Would
>> strongly recommend you prune this list in the future to make sure you don't
>> start shipping files which do not have a license header. You presently have
>> many exclusions for files which don't even exist in the codebase.
>>
>> Reservations:
>>
>> It is important to make sure that not only is the source-release artifact
>> properly licensed, but the resulting artifacts that source-release creates
>> are also properly licensed (in other words: the jars your build creates).
>>
>> Your shaded jars are not correctly licensed. For example, you include
>> org.abego.treelayout:org.abego.treelayout.core:jar:1.0.1 in
>> metron-common-0.2.0BETA.jar which is 3-clause BSD licensed, yet the
>> contained META-INF/LICENSE file has no mention of this. I also see a number
>> of CDDL licensed jars being included.
>>
>> The most worrisome artifact I see included is
>> com.google.code.findbugs:jsr305-1.3.9 in multiple artifacts
>> (metron-pcap-backend-0.2.0BETA.jar for one). This artifact befuddles me
>> because it is completely unclear whether it is GPL'ed or ASLv2 (last I
>> checked, documentation was not clear at all). Ironically, you also have
>> com.github.stephenc.findbugs:findbugs-annotations:jar:1.3.9-1 included
>> which is a clearly ASLv2 licensed implementation of the same spec (we won't
>> get into me asking "why" both are included *winks*).
>>
>> I don't think you need to fix these for this release, but you should make
>> an effort to do this before your next release. Yes, it sucks. Yes, you're
>> not the only one who has done it/will do it again.
>>
>> Branding:
>>
>> Took a look at your website too.
>>
>> * Your required ASF navigation links are not present
>> http://www.apache.org/foundation/marks/pmcs.html#navigation
>> * Incubator disclaimer and logo are present (yay)
>> * Noticed "Ambari" and not "Apache Ambari" on
>> http://metron.incubator.apache.org/documentation/. Would be good to make
>> sure you're using proper names for ASF projects.
>>
>>
>>
>> James Sirota wrote:
>>
>>> This release is exactly the same as RC2, but the Mozilla licensed file
>>> was removed so it doesn’t cause problems for us on the incubator general
>>> boards. We no longer use it so we just removed it.
>>>
>>> This is a call to vote on releasing Apache Metron 0.2.0BETA-RC3 incubating
>>>
>>> Full list of changes in this release:
>>>
>>> https://dist.apache.org/repos/dist/dev/incubator/metron/0.2.0BETA-RC3-incubating/CHANGES
>>>
>>> The tag/commit to be voted upon is Metron_0.2.0BETA_rc3:
>>>
>>> https://git-wip-us.apache.org/repos/asf?p=incubator-metron.git;a=commit;h=75642001803396e8884385b0fc297a2312ead3eb
>>>
>>> The source archive being voted upon can be found here:
>>>
>>> https://dist.apache.org/repos/dist/dev/incubator/metron/0.2.0BETA-RC3-incubating/apache-metron-0.2.0BETA-RC3-incubating.tar.gz
>>>
>>> Other release files, signatures and digests can be found here:
>>> https://dist.apache.org/repos/dist/dev/incubator/metron/0.2.0BETA-RC3-incubating/
>>>
>>> The release artifacts are signed with the following key:
>>>
>>> https://git-wip-us.apache.org/repos/asf?p=incubator-metron.git;a=blob;f=KEYS;h=c11bcb9b7385b4d155501aa097afd890f1070a18;hb=75642001803396e8884385b0fc297a2312ead3eb
>>>
>>>
>>> Please vote on releasing this package as Apache Metron 0.2.0BETA-RC3
>>> incubating
>>>
>>> When voting, please list the actions taken to verify the release.
>>> Recommended build validation and verification instructions are posted
>>> here:
>>> https://cwiki.apache.org/confluence/display/METRON/Verifying+Builds
>>>
>>> This vote will be open for at least 72 hours.
>>>
>>> [ ] +1 Release this package as Apache Metron 0.2.0BETA-RC3 incubating
>>> [ ] 0 No opinion
>>> [ ] -1 Do not release this package because...
>>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
>> For additional commands, e-mail: general-help@incubator.apache.org
>>
>>
>
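
Added example, not part of the original thread or of Metron's build: one way to automate the shaded-jar check raised in the review above, by listing the Maven descriptors a jar carries under `META-INF/maven/` and flagging bundled artifacts that `META-INF/LICENSE` never mentions. The sample jar is constructed in memory using coordinates named in the thread; the function names and the `org.apache.metron` group id passed as the project's own are assumptions of this example.

```python
import io
import re
import zipfile

# Shaded jars normally retain each bundled artifact's Maven descriptor at this path.
POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")

def bundled_coordinates(jar):
    """Return sorted (groupId, artifactId) pairs found in a jar's Maven metadata."""
    coords = set()
    for name in jar.namelist():
        m = POM_PROPS.match(name)
        if m:
            coords.add((m.group(1), m.group(2)))
    return sorted(coords)

def unlicensed_bundles(jar_bytes, own_group):
    """List bundled third-party artifacts that META-INF/LICENSE never mentions."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        try:
            text = jar.read("META-INF/LICENSE").decode("utf-8", "replace").lower()
        except KeyError:
            text = ""  # no LICENSE at all: every bundle is unaccounted for
        missing = []
        for group, artifact in bundled_coordinates(jar):
            if group == own_group or group.startswith(own_group + "."):
                continue  # the project's own modules need no third-party entry
            # Heuristic: a substring match only selects candidates for manual review.
            if group.lower() not in text and artifact.lower() not in text:
                missing.append(f"{group}:{artifact}")
        return missing

def build_sample_jar():
    """Constructed sample: a tiny shaded jar built in memory, not a real artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/LICENSE",
                     "Apache License 2.0\n"
                     "Bundles com.github.stephenc.findbugs:findbugs-annotations (ASLv2)\n")
        for g, a in [("org.apache.metron", "metron-common"),
                     ("org.abego.treelayout", "org.abego.treelayout.core"),
                     ("com.google.code.findbugs", "jsr305"),
                     ("com.github.stephenc.findbugs", "findbugs-annotations")]:
            jar.writestr(f"META-INF/maven/{g}/{a}/pom.properties",
                         f"groupId={g}\nartifactId={a}\n")
    return buf.getvalue()

if __name__ == "__main__":
    for coord in unlicensed_bundles(build_sample_jar(), "org.apache.metron"):
        print("not mentioned in META-INF/LICENSE:", coord)
```

Shade filters can strip the `META-INF/maven/` descriptors, so an empty result does not prove that nothing is bundled.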
