netbeans-dev mailing list archives

From Bertrand Delacretaz <bdelacre...@apache.org>
Subject Re: [VOTE] Build #17 as HTML/Java API release 1.5
Date Wed, 11 Oct 2017 09:47:38 GMT

Hi,

I have reviewed SHA1(incubating-netbeans-html4j-1.5.zip)=
eaa3a5a784f56fd1a20674ef5b59eed2be99d2fe

I'm -1 on the release due to the missing DISCLAIMER which is easy to
fix, details below.

Once that's fixed, if others (including at least one other mentor)
agree I'd be ok to promote the fixed release to Incubator PMC vote
except for one thing: I suggest including in the Incubator PMC vote
message instructions for reviewing the license/copyright header
changes done since the code was imported from the Oracle donation, can
you provide those? Probably just a git diff command or URL. A
reference (git tag?) to tools used for these changes is also useful.

The digests are ok.

I cannot verify the signature as I haven't found your 7E654BAC public
key online, see the "PMC members please add your PGP keys to
https://id.apache.org" thread here.

On Wed, Oct 11, 2017 at 6:08 AM, Jaroslav Tulach
<jaroslav.tulach@gmail.com> wrote:
> ...The incubating-netbeans-html4j-1.5.zip.asc isn't present on the server (as I
> would need to upload my private key there),...

IIUC this is because the release is generated by Jenkins and you don't
want it to have your private key - sounds reasonable ;-)

In this case maybe it's more convenient to keep the .asc file in the
git tools repository before the release happens?
This also allows others to add their own signature if desired.

zip archive review:

1) DISCLAIMER is missing, for a podling this is enough to reject the
release. See also DEPENDENCIES below, the same mechanism can be used
to generate both.

2) In the NOTICE, I find this confusing:

"The code is based on NetBeans HTML/Java API Copyright (c) 2013-2017
Oracle Corp, kindly donated"

as it can be misunderstood as Oracle still owning that copyright -
we're still in 2017.

I would prefer

"The initial code is based on NetBeans HTML/Java API modules kindly
donated by Oracle Corp to the Apache Software Foundation"

3) Having a DEPENDENCIES file would make it much easier to validate
third-party dependencies, see this recent thread:

https://lists.apache.org/thread.html/b82a116ec77639c49528d654a488ff354ca8edfb8f4f380865762275@%3Cdev.netbeans.apache.org%3E

Right now, "mvn dependency:tree" lists some unfamiliar dependencies,
having their license in DEPENDENCIES would help validate them.

4) A quick build with "mvn clean install -DskipTests" works including
apache-rat-plugin:0.12:check. The tests take a long time to run, I
haven't checked if there's a way to run just unit tests.

5) The apache-rat-plugin excludes look good to me:

[INFO] Exclude: **/target/**
[INFO] Exclude: .gitignore
[INFO] Exclude: **/.git/**
[INFO] Exclude: **/.repository/**
[INFO] Exclude: **/.maven/**
[INFO] Exclude: **/*.sigtest
[INFO] Exclude: README.md

6) The release includes source code only, apart from a few .png
(test?) images which are fine.

-Bertrand
