Hi Ate,

Thank you for taking time to do the review. I will retract the vote and work on these blockers.

Can you help us with how to verify these ourselves? How do you check them, manually, or are there any tricks we can learn to validate before putting out the vote?

Thanks,
Suresh

On Feb 6, 2012, at 9:28 PM, Ate Douma wrote:

> Hi guys,
>
> While this candidate definitely is improved a lot on the NOTICE and LICENSE
> requirements, I've again found quite a lot of missing NOTICEs and LICENSEs
> which are required to be provided, leading me to again vote -1 on this
> release.
>
> Looking at the binary distribution, I first started with checking the bundled
> artifacts under /lib and /standalone-server/lib and validating the provided
> root /NOTICE and /LICENSE files against them.
>
> As a first example, the bundled axis2 jars each have their own (embedded)
> NOTICE file with 3rd party notices which should have been merged in the
> binary distribution's own (root) NOTICE file, e.g. like the following
> fragments (from axis2-adb-1.5.1.jar):
>
>     This product also includes WS-* schemas developed by International
>     Business Machines Corporation, Microsoft Corporation, BEA Systems,
>     TIBCO Software, SAP AG, Sonic Software, and VeriSign
>
>     This product also includes a WSDL developed by salesforce.com
>     - Copyright 1999-2006 salesforce.com, inc.
>
> The bundled derby jars also come with an extensive embedded NOTICE file. Some
> parts of that have been merged into the root NOTICE, but some not.
> Maybe not everything in it is applicable, but I think there are at least some
> required parts missing. As a reference I compared that with the bundled
> jackrabbit-standalone-2.2.7.jar which itself also embeds Derby, and there
> you'll see they at least have the following added section:
>
>     The JDBC apis for small devices and JDBC3 (under java/stubs/jsr169 and
>     java/stubs/jdbc3) were produced by trimming sources supplied by the
>     Apache Harmony project. The following notice covers the Harmony sources:
>
>     Portions of Harmony were originally developed by
>     Intel Corporation and are licensed to the Apache Software
>     Foundation under the "Software Grant and Corporate Contribution
>     License Agreement", informally known as the "Intel Harmony CLA".
>
> And that jackrabbit-standalone-2.2.7.jar brings in quite some other (missing)
> NOTICEs as well, like:
>
>     Based on source code originally developed by
>     Day Software (http://www.day.com/).
>
>     This product includes software from the following contributions:
>
>     Original BZip2 classes contributed by Keiron Liddle
>     <kei...@aftexsw.com>, Aftex Software to the Apache Ant project
>
>     Original Tar classes from contributors of the Apache Ant project
>
>     Original Zip classes from contributors of the Apache Ant project
>
>     Original CPIO classes contributed by Markus Kuss and the jRPM project
>     (jrpm.sourceforge.net)
>
> Please remember: the ASL 2.0 license, section 4d) *legally* requires us to
> retain (thus merge) *every* NOTICE of embedded 3rd party artifacts.
> This is why keeping the NOTICE file as small as possible (but not smaller)
> really is important for our downstream users. Which won't be easy with
> Airavata because of its many, many 3rd party dependencies.
>
> And there also are issues with the LICENSE file: like for example the
> jackrabbit-standalone-2.2.7.jar its /META-INF/LICENSE file has many licenses
> which should be merged into the root LICENSE file of the Airavata
> distribution but currently are missing.
>
> Without going through each and every bundled artifact, which might lead to a
> very long list of issues, I can already conclude the requirements for the
> NOTICE and LICENSE files still aren't met.
>
> Regrettably, I don't have the time right now to do a full and thorough scan
> of all the possible missing pieces.
> Airavata is quite a big project on its 3rd party usages (which is cool), but
> that also comes at the price of quite extensive due diligence work concerning
> the LICENSE and NOTICE requirements. I've been through a similar exercise for
> Apache Rave and Apache Shindig last week (which together are many times
> smaller on their 3rd party dependencies) and that alone already took me many
> hours if not days to complete.
>
> I do think you're on the right track, but it just isn't completely done yet.
>
> Besides the above serious issues, I have a few additional suggestions for
> improvements (not truly blockers) I'd like to point out:
>
> - Many/most NOTICE files appear to be concatenated: they contain many
>   duplications of sections like: "This product includes software developed at
>   The Apache Software Foundation (http://www.apache.org/).", many times over.
>   You might want to clean that up, it should only be needed as the initial
>   notice at the top. And there are other types of fragments duplicated as well.
>
> - NOTICE and LICENSE files under [...]/src/main/appended-resources are
>   intended to be *appended* to the default NOTICE and LICENSE files already
>   provided by the maven-remote-resources-plugin. Meaning: you shouldn't provide
>   the default (Airavata based) initial notice in the NOTICE file, nor should
>   you need to include the ASL 2.0 license in the LICENSE file. As it is now,
>   these are all duplicated within the final artifacts.
>
> I'd like to suggest to really check the final embedded NOTICE and LICENSE
> files in all build artifacts, the above two issues should be easy to spot.
>
> Kind regards,
>
> Ate
>
>
> On 02/06/2012 05:35 AM, Suresh Marru wrote:
>> Discussion thread for vote on airavata 0.2-incubating release candidate 3.
>>
>> If you have any questions or feedback or to post results of validating the
>> release, please reply to this thread. Once you verify the release, please
>> post your vote to the VOTE thread.
>>
>> For reference, the Apache release guide -
>> http://www.apache.org/dev/release.html
>> Incubator specific release guidelines -
>> http://incubator.apache.org/guides/releasemanagement.html
>>
>> Some tips to validate the release before you vote:
>>
>> * Download the binary version and run the 5 minute or 10 minute tutorial as
>>   described in README and website.
>> * Download the source files from compressed files and release tag and build
>>   (which includes tests).
>> * Verify the distribution for the required LICENSE, NOTICE and DISCLAIMER
>>   files
>> * Verify if all the staged files are signed and the signature is verifiable.
>> * Verify if the signing key in the project's KEYS file is hosted on a public
>>   server
>>
>> Thanks for your time in validating the release and voting,
>> Suresh
>
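The check Ate describes (open each bundled jar under /lib and /standalone-server/lib, pull out its embedded META-INF/NOTICE, and see which of its paragraphs the distribution's root NOTICE lacks, plus spotting duplicated ASF boilerplate) can be scripted. The example below is added here and is not code from the thread or from Airavata; the NOTICE texts, the jar name and the directory layout it builds are constructed sample data modelled on the fragments quoted above, and `demo()` assembles that sample distribution in a temporary directory.

```python
import re, tempfile, zipfile
from pathlib import Path

# Constructed sample data: the embedded axis2 NOTICE fragment quoted in the review, and a root
# NOTICE that carries only its first paragraph (reflowed) and repeats the ASF boilerplate.
ASF = "This product includes software developed at\nThe Apache Software Foundation (http://www.apache.org/).\n"
AXIS2_NOTICE = """This product also includes WS-* schemas developed by International
Business Machines Corporation, Microsoft Corporation, BEA Systems,
TIBCO Software, SAP AG, Sonic Software, and VeriSign

This product also includes a WSDL developed by salesforce.com
- Copyright 1999-2006 salesforce.com, inc.
"""
ROOT_NOTICE = ASF + ("\nThis product also includes WS-* schemas developed by International Business Machines\n"
                     "Corporation, Microsoft Corporation, BEA Systems, TIBCO Software, SAP AG, Sonic Software, and VeriSign\n\n") + ASF

def paragraphs(text):
    """Blank-line separated paragraphs with whitespace collapsed, so reflowed text still matches."""
    return [" ".join(p.split()) for p in re.split(r"\n\s*\n", text) if p.strip()]

def missing_paragraphs(embedded, root):
    """Embedded-NOTICE paragraphs the root NOTICE lacks (ASL 2.0 section 4d requires them)."""
    have = set(paragraphs(root))
    return [p for p in paragraphs(embedded) if p not in have]

def duplicated_paragraphs(notice):
    """Paragraphs repeated within one NOTICE, e.g. concatenated ASF boilerplate."""
    ps = paragraphs(notice)
    return sorted({p for p in ps if ps.count(p) > 1})

def embedded_notice(jar_path):
    """META-INF/NOTICE (or NOTICE.txt, any case) inside a jar, or '' when the jar has none."""
    with zipfile.ZipFile(jar_path) as jar:
        names = {n.upper(): n for n in jar.namelist()}
        hit = names.get("META-INF/NOTICE") or names.get("META-INF/NOTICE.TXT")
        return jar.read(hit).decode("utf-8", "replace") if hit else ""

def scan_distribution(dist, lib_dirs=("lib", "standalone-server/lib")):
    """Map each bundled jar (path relative to dist) to embedded NOTICE paragraphs missing from root NOTICE."""
    dist = Path(dist)
    root = (dist / "NOTICE").read_text(encoding="utf-8")
    jars = sorted(j for lib in lib_dirs if (dist / lib).is_dir() for j in (dist / lib).glob("*.jar"))
    return {j.relative_to(dist).as_posix(): m for j in jars if (m := missing_paragraphs(embedded_notice(j), root))}

def demo():
    """Build the constructed sample distribution in a temp dir and return its scan report."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "NOTICE").write_text(ROOT_NOTICE, encoding="utf-8")
        Path(tmp, "lib").mkdir()
        with zipfile.ZipFile(Path(tmp, "lib", "axis2-adb-1.5.1.jar"), "w") as jar:
            jar.writestr("META-INF/NOTICE", AXIS2_NOTICE)  # constructed embedded NOTICE
        return scan_distribution(tmp)
```

Pointing `scan_distribution` at an unpacked binary distribution lists, per jar, exactly the paragraphs still to be merged; `duplicated_paragraphs` on any generated NOTICE flags the repeated ASF sections mentioned in the review.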