Terrific feedback Andy, please read my inline replies!!!

best,
-Simo

http://people.apache.org/~simonetripodi/
http://simonetripodi.livejournal.com/
http://twitter.com/simonetripodi
http://www.99soft.org/

>
> I have an IPMC binding vote so we can get enough here but I still think that
> external review, however "robust" it might be, is a good thing.
>

+1! :)

> == Major 1 (DERI)
>
> The original code is from DERI and the few original files I checked did not
> have a copyright statement but the Googlecode has:
>
> [[
> Copyright 2008-2011 Digital Enterprise Research Institute (DERI)
> ]]
>
> I think this should be in NOTICE everywhere including jars.
>
> (I hope any contributions at Googlecode have been tracked.)
>

Good point, this is honestly the first time I hear about mentioning
the original contributor.

> == Major 2 (server-embedded and server)
>
> LICENSE and NOTICE for server(-embedded) are minimal Apache. They should
> include the information about the packaged and shipped binaries.
>

ACK, my *terrible* fault :(

> == Major 3 (recursive NOTICE)
>
> Where binaries are shipped, don't we need to ship the recursive
> NOTICE/LICENSE from the shipped binaries?
>

ACK, my fault once again, just realized they are missing in `service`
binaries :S

> == Major 4 (WAR files)
>
> NOTICE/LICENSE files in the WAR files don't cover the included binaries.
> (and the N&L in the associated directories aren't always complete).
>

ACK, all points you have raised are enough to cancel the current VOTE.

>
>> SVN source tag (r1356297):
>>
>> https://svn.apache.org/repos/asf/incubator/any23/tags/any23-0.7.0-incubating/
>>
>> Staging repo:
>> https://repository.apache.org/content/repositories/orgapacheany23-005/
>> Binaries & Source release, checksums and signatures are available at
>> the same location
>
>
> == dist/
>
> What is the plan for the /dist/incubator/any23 area?
>

I reported in the
<http://incubator.apache.org/any23/0.7.0-incubating/release-howto.html>
page the operation to copy there the tgz/zip archives (with
checksums/gpg signatures), anyway I agree with what follows below.

> It would be good to have a proposed dist area as part of the vote. I know
> many maven-releasing projects skip this (then forget to put dist up!) but it
> is better to have a mocked up dist on people.apache.org:~user.
>

agreed, makes sense. I propose to use the
builds/incubator/any23/(source|binaries)/$version on p.a.o. rather
than personal ~user spaces

> We seem to be aiming for a flat directory of files, no split of binaries/
> and source/.
>

we are currently distributing both sources

>> Staging site:
>> http://incubator.apache.org/any23/0.7.0-incubating
>
>
> == Site
>
> I see links directly into this from the web site but what about the source
> release?

it is the first package enlisted :) "Apache Any23 Sources"

> Also, this should be to mirror scripts, not direct links to links
> on to w.a.o/dist/ (although frankly the load put on by small projects is
> probably trivial).
>

links can be easily adjusted - if you are already aware of the
modifications needed, I can take care of updating the download page.

>
>> PGP release keys (signed using 19FEA27D):
>> http://www.apache.org/dist/incubator/any23/KEYS
>
>
> == checking
>
> I get a warning but otherwise this is OK:
>
> gpg --verify any23-sources-dist-0.7.0-incubating-src.zip.asc
> gpg: Signature made Mon Jul 2 16:23:39 2012 BST using DSA key ID 19FEA27D
> gpg: Good signature from "Simone Tripodi (simonetripodi)
> <[email protected]>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the
> owner.
>

yup, never requested a certification - IIUC someone at ASF could
do it, but I currently don't know who to contact...
> - - - - - - - - - - - - - - - - - - - - - - - - -
> ==== any23-sources-dist-0.7.0-incubating-src
>
> checking done:
>
> 1/ Downloaded any23-sources-dist-0.7.0-incubating-src
>
> 2/ Checked .asc
>
> 3/ Unpacked and poked around.
>
> This unpacks into a directory of a different name :
> apache-any23-0.7.0-incubating/
>
> But this is also used when I unpack core. Different would be better IMHO -
> some files like LICENSE and NOTICE overwrite.
>

apologize, I maybe didn't understand: did you mean that the artifact
name should reflect the extracted dir?

> == LICENSE & NOTICE:
>
> Q1/ What about the original codebase? Even if software granted, isn't it
> (c) the original creator? It would be safer to include in NOTICE a line to
> this effect as if the copyright notice had been moved (I know the DERI
> contribution did not have copyrights on all the files but they are still
> copyright'ed).
>

+1

> Q2/ How much "based on" Sesame is the NQuads parser?
>

no idea, maybe Michele/Giovanni can provide more info...

> A bit of random poking around:
>
> core/src/test/resources/html/rdfa/base-handling.html:
> (c) DERI
>

ACK

> Lots of the microformats file have copyrights on them which are not
> mentioned in NOTICE
>

ACK

> e.g.
> core/src/test/resources/microformats/hlisting/kelkoo-full.html
> ==> Copyright Yahoo
>
> core/src/test/resources/microformats/hcard/infinite-loop.html
> ==> Copyright Adobe
>

they are test resources that are redistributed in the source module
only, I would create a dedicated file for it. WDYT?

> apache-any23-0.7.0-incubating/service/src/main/webapp/resources/simplePopup/jquery-1.4.2.js
> ==> JQuery : copyright John Resig and also Dojo foundation.
>

ACK

> And this could do with at least the one line ASF header
>
> apache-any23-0.7.0-incubating/core/src/test/resources/application/nquads/test1.nq
>
> and this is quite large:
>
> apache-any23-0.7.0-incubating/core/src/test/resources/application/nquads/test2.nq
>
> and would not be harmed by the full license header.
>

when putting the license header on those files, the mimetype detector
stops working, that is why I excluded them from the RAT checking :(
So, we have two options

* fix the mime detector before yet another RC or
* release anyway and be blocked by the IPMC vote

> 4/ mvn clean test
> Works - quite a lot of output.
>
> - - - - - - - - - - - - - - - - - - - - - - - - -
> ==== any23-core-0.7.0-incubating-bin.zip
>
> Comments about DERI copyright apply.
>
> 1/
>
> [[ LICENSE.txt
> The Apache Any23 distribution packages include a number of dependencies with
> separate copyright notices and license terms. Your use of the source code
> for the these dependencies is subject to the terms and
> conditions of the following licenses.
> ]]
>
> "source code" - we're shipping binaries.
>
> 2/
>
> NOTICE:
>
> As we're shipping binaries, any of the Apache items may need recursively
> inclusions:
>
> example:
> ----------
> Apache Xerces Java
> Copyright 1999-2011, 2012 The Apache Software Foundation
>
> This product includes software developed at
> The Apache Software Foundation (http://www.apache.org/).
>
> Portions of this software were originally based on the following:
> - software copyright (c) 1999, IBM Corporation., http://www.ibm.com.
> - software copyright (c) 1999, Sun Microsystems., http://www.sun.com.
> - voluntary contributions made by Paul Eng on behalf of the
> Apache Software Foundation that were originally developed at
> iClick, Inc., software copyright (c) 1999.
> ----------

this is already included in the core LICENSE/NOTICE, I need to double
check anyway all the included dependencies...
> 3/ (Minor)
>
> README says:
>
> [[
> Add M2 environment variable to your path, e.g. export PATH=$ANY23:$PATH
> ]]
>
> Is M2 a typo for ANY23?
>

that's a side effect of copy'n paste :P:P:P

> - - - - - - - - - - - - - - - - - - - - - - - - -
> ==== apache-any23-service-0.7.0-incubating-server-embedded/
>
> LICENSE and NOTICE look incomplete: no mention of any shipped binaries
>
> They look right in apache-any23-service-0.7.0-incubating though.
>
> For example: Jetty is not mentioned and includes other stuff:
>
> ---------
> Jetty Web Container
> Copyright 1995-2012 Mort Bay Consulting Pty Ltd.
>
> under the Apache 2.0 License.
>
> The Jetty Web Container includes:
>
> UnixCrypt.java
> Copyright 1996 Aki Yoshida,
> modified April 2001 by Iris Van den Broeke, Daniel Deville.
> ---------
>

SCK

> Minor:
>
> README.txt:
>
> The maven timestamp bug bites again?
> -----
> Apache Any23 Service (tags/any23-0.7.0-incubating/service@r1356282;
> ${maven.build.timestamp})
> -----
>
> (you have to assign it to a property to get it to work IIRC - or the file
> was not filtered).
>

yup, ACK

> - - - - - - - - - - - - - - - - - - - - - - - - -
> == apache-any23-service-0.7.0-incubating-server
>
> As embedded : minimal LICENSE and NOTICE but no mention of included
> binaries.
>

ACK

> - - - - - - - - - - - - - - - - - - - - - - - - -
> == apache-any23-service-0.7.0-incubating-without-deps
>
> NOTICE/LICENSE files don't cover WAR file contents. This may apply
> elsewhere.
>

didn't understand, apologize - the `without-deps` module doesn't ship
any 3rd party binary and it is just pure Any23 code... why they don't
cover that module?

> == WAR files.
>
> The war file contains jquery.
> Simple Popup needs some kind of license.
>
> NOTICE/LICENSE files in the WAR files don't cover the included binaries.
>

ACK

Thanks once again for the huge legal feedback!
-Simo
