On 02/13/2012 05:27 PM, Ate Douma wrote:
On 02/12/2012 03:55 PM, Suresh Marru wrote:
Hi Ate,
If you get a chance, can you please verify the L,N&D requirements? Your
validation will help a lot.
I don't really have enough time today, writing the preliminary feedback below
already took me a full hour. But as it turns out it might not make much sense to
review further until the next round...
I did download the binary distribution and took a quick look at the updated
NOTICE and LICENSE files.
Regrettably, I still find several things incorrect/incomplete after a very brief
review...
Concerning the updated NOTICE file, it seems to now 'embed' a full 3rd party
license (for DOM4J?), e.g. related to the 'MetaStuff' section.
Seems to me that should belong to the LICENSE file instead. But it isn't 100%
clear what this 'notice' section actually applies to, e.g. has no marker or
header before it to explain that.
I also see other unneeded/undesired notices for other ASF projects.
And in general it is unclear where one section ends and the next starts (and for
which 3rd party notice). Typically this is not so much a problem for smaller
projects with only a few 3rd party notices, but for Airavata this really should
be sectioned out.
As a nice and very clear and clean example how this could be done, take a look
at the NOTICE and LICENSE files for the Apache Wookie (Incubating) standalone
binary distribution:
https://svn.apache.org/repos/asf/incubator/wookie/trunk/etc/release/standalone/NOTICE
and
https://svn.apache.org/repos/asf/incubator/wookie/trunk/etc/release/standalone/LICENSE
To be honest, I think I like the clear and explicit section markers used there
even better than what we currently have for Apache Rave...
Concerning the LICENSE file, although more needed licenses are now covered, I'm
still missing many from *for example* the jackrabbit-standalone-2.2.7.jar. And
those I already pointed out before the last time too.
Please do properly check the jackrabbit-standalone-2.2.7.jar LICENSE file,
you'll see it contains extra licenses for:
- XPath Parser
- PDFBox libraries (pdfbox, jempbox, fontbox)
- Adobe Font Metrics (AFM) for PDF Core 14 Fonts
- CMaps for PDF Fonts
- Glyphlist
- ... (and several more)
Still none of these are included in the root /LICENSE file.
What might still be misunderstood from my earlier reviews is that I haven't
given a full, complete and exact set of issues to be fixed.
And neither was or is that my intend. IMO these are tasks and responsibilities
of the committers and future PMC members.
My responsibility as a Mentor is to help you learn to help yourself :)
So, the issues I've reported before were just *samples* of a far broader set of
same/similar issues. Surely just fixing the sample issues I reported isn't going
to be good enough...
Therefore I also tried to explain the concepts and rules for fixing these issue.
To be applied to the whole of the release, not just the example ones.
As a new example I now picked woden-impl-dom-1.0M8.jar, which also turns up to
have additional NOTICE (and LICENSE) requirements to attribute.
And I very likely can pick several others more.
And all these really should be properly checked and dealt with *before* another
VOTE is thrown up.
For some of these, this might require further discussion or questions on
legal-discuss@ first, like for the NOTICE within wstx-asl-3.2.4.jar, which is
unclear for me as well how to deal with:
"This product currently only contains code developed by authors
of specific components, as identified by the source code files."
At any rate, as this looks like the 4th release candidate going to fail, I
really want to suggest the next L&N validation should be completed, by me and
others, *before* initiating yet another VOTE for the next release candidate.
I really hadn't anticipated a new RC4 so soon while there clearly is so much
more to validate and fix.
On another note:
While all the L&N issues might seem like extremely annoying and complex, and
they *are*, Airavata IMO is starting off on an extremely high level for a first
Incubator release.
I don't think there are many other Apache project with this amount of embedded
3rd party dependencies...
For a first incubator release, that is kind of worrisome, at least it can be.
I'm not sure if this makes sense from Airavata development and usage POV, but
might it be possible to break the release down a bit?
Maybe try to build and release smaller and more independent 'components' at
first.
Or make 100% sure every included dependency is actually and really needed, or
otherwise might have more compatible (and/or recent) alternatives with
easier/lighter L&N requirements.
The latter actually could be the easiest way to solve some of these L&N
questions....
Regards,
Ate
Thanks,
Suresh
On Feb 10, 2012, at 9:45 AM, Suresh Marru wrote:
Discussion thread for vote on airavata 0.2-incubating release candidate 4.
If you have any questions or feedback or to post results of validating the
release, please reply to this thread. Once you verify the release, please post
your vote to the VOTE thread.
For reference, the Apache release guide - http://www.apache.org/dev/release.html
Incubator specific release guidelines -
http://incubator.apache.org/guides/releasemanagement.html
Some tips to validate the release before you vote:
* Download the binary version and run the 5 minute or 10 minute tutorial as
described in README and website.
* Download the source files from compressed files and release tag and build
(which includes tests).
* Verify the distributon for the required LICENSE, NOTICE and DISCLAIMER files
* Verify if all the staged files are signed and the signature is verifiable.
* Verify if the signing key in the project's KEYS file is hosted on a public
server
Thanks for your time in validating the release and voting,
Suresh
