openwhisk-dev mailing list archives

From "Ying Chun Guo"
Subject Using Apache Creadur to audit in the release process
Date Thu, 25 Jan 2018 14:03:51 GMT
Hi, all

As we are setting up the release process, I'm investigating how Apache Creadur[1] - the auditing
tools - can help us in the release process. This email describes what I found and what I propose.
We can discuss together.

First of all, we need to understand that audit is very important in an Apache release process. "every
ASF release MUST comply with ASF licensing policy. This requirement is of utmost importance
and an audit SHOULD be performed before any full release is created.", as described by the Apache
Release Policy[2]. Apache Creadur is such an audit tool to help us.

Apache Creadur includes three projects:
- Apache Rat audits license headers. It will check whether files have the Apache License or not, and
generate a report.
- Apache Tentacles helps to audit, in bulk, components uploaded to a staging repository. It
will check whether there are LICENSE and NOTICE files under each archived source package and compiled
package. An HTML report will be generated.
- Apache Whisker will generate correct legal documentation if a package bundles code under
several licenses.

I propose to use:
- Apache Rat to check license headers during the release of the source package. We can develop
a program to auto 'read' the report generated by Rat. If the report doesn't find any issues,
the release can be continued. Otherwise, it will be stopped and errors will be returned.
- Apache Tentacles to check whether every archived package has a LICENSE and a NOTICE file. The
check needs to be done both in the release of the source package and the release of the compiled
package after the artifacts are uploaded to a staging repository. Similar to the Rat report,
we will develop a program to auto "read" the report and decide whether there are issues.

Apache Whisker is not relevant to us up to now, because we don't have code under non-Apache
licenses. (Correct me if I'm wrong.) In the future, we may need it.

Let me know if you have any comments and suggestions on the audit process and tooling.

Best regards
Daisy Guo
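
A sketch of the proposed program that "reads" the Rat report and stops the release, added here as an example; it is not part of the original message or of OpenWhisk's release tooling. It assumes Rat's plain-text report layout (an "N Unknown Licenses" summary line and "!"-prefixed file entries); the sample report is constructed and the function names are hypothetical.

```python
import re
import sys

# Constructed sample. Layout is an assumption based on Rat's plain-text report.
SAMPLE_REPORT = """\
*****************************************************
Summary
-------
Notes: 1
Standards: 3

Apache Licensed: 2

1 Unknown Licenses

*****************************************************
  Files with Apache License headers will be marked AL
  N     LICENSE.txt
  AL    core/build.gradle
  AL    core/src/Main.scala
 !????? tools/deploy.sh
"""

# Summary line, e.g. "1 Unknown Licenses"
UNKNOWN_RE = re.compile(r"^[ \t]*(\d+)[ \t]+Unknown Licenses?[ \t]*$", re.M)
# Per-file entry flagged with a leading "!", e.g. " !????? path"
FLAGGED_RE = re.compile(r"^[ \t]*!\S+[ \t]+(\S.*?)[ \t]*$", re.M)

def audit_rat_report(text):
    """Return (unknown_count, flagged_files); unknown_count is None if no summary."""
    m = UNKNOWN_RE.search(text)
    count = int(m.group(1)) if m else None
    return count, FLAGGED_RE.findall(text)

def release_gate(text):
    """Return 0 to continue the release, 1 to stop it."""
    count, flagged = audit_rat_report(text)
    if count is None:
        # Fail closed: an empty or truncated report must not pass the audit.
        print("rat report has no summary line; stopping release", file=sys.stderr)
        return 1
    if count or flagged:
        for path in flagged:
            print(f"unknown or unapproved license: {path}", file=sys.stderr)
        return 1
    return 0

if __name__ == "__main__":
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(release_gate(report))
```

The gate stops the release when the summary line is missing, so an empty or truncated report cannot be read as a clean audit.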

