Dylan Hutchison wrote:
+1 with notes below~

* NOTICE and LICENSE look good to my inexperienced eyes.
* Source-compiled binary tar.gz matches the binary tar.gz artifact, except
for META-INF entries.
* Unit tests pass.
* Good checksums and sigs. Fingerprint matches Mike's key.
* Graphulo tests pass.

Yay, API compatibility :)

* Sunny integration tests pass on a single-node standalone deployment.
Tested on Zookeeper 3.4.6 and both Hadoop 2.4.1 and 2.7.2.

Notes / Questions:

    1. On the ITs: for some reason I can't figure out, the "stop Accumulo
    processes" part of ReadWriteIT#sunnyDay gives me trouble when I run it
    alongside the others, but it passes when I run it alone.  Similar story for
    ExamplesIT#testBulkIngest.

Interesting. Are you setting forkMode > 1? Or running multiple invocations of the build at the same time? I wouldn't be surprised if some of the logic we have to 'test' is actually wrong when we have concurrent processes running, but I'm not sure why these two in particular would have troubles.

    2. On diffing the source-built binary with the binary artifact: it seems
    the source-built binary has more license information in
    the META-INF/DEPENDENCIES than the binary artifact, in addition to a few of
    the entries being permuted.  This holds true for all the jars except
    accumulo-fate.jar.  Here is a pastebin for the source-built binary deps
    <http://pastebin.com/HJZB2See>, and a pastebin for the binary artifact
    deps <http://pastebin.com/nKfxWd2c> for accumulo-core.jar.  Here is a pastebin
    of their diff <http://pastebin.com/jYtggRLK>.  I don't know how
    significant the difference is; maybe Sean or Christopher could comment.

This is probably due to the difference in the release-process creation of the binary tarball and what gets built when you just do a `mvn package` on your computer (e.g. activating the 'apache-release' Maven profile). I also see findbugs in the list, so that's likely unintended.

Overall, for the purposes of the ASF licensing, the DEPENDENCIES file is a "nice to have" (LICENSE and NOTICE are the ones we really need to get right).

Also, with your commit bit, you can also use paste.apache.org if you want to avoid the ads on pastebin :)

    3. Is it good practice to use a code-signing key with no expiration date?

As I understand it, it's not bad like a non-expiring password, but it's good to have an expiration date. If you do lose/compromise your key, at least everyone knows that there is a certain date the key is no longer valid. It's also easy to extend the validity of your key, IIRC.



On Fri, Jun 17, 2016 at 9:31 PM, Mike Drob <[email protected]> wrote:

Accumulo Developers,

Please consider the following candidate for Accumulo 1.7.2.

All content generated via
     assemble/build.sh --create-release-candidate -P '!thrift'

Changes from 1.7.2-rc1

ACCUMULO-4346 correct LICENSE file for source to include text of reference
ACCUMULO-4347 Crypto notification should be in README files instead of NOTICE

Git Commit:
     a01e67741d101c3d87f1d6e16d54ff7a96951ad0
Branch:
     1.7.2-rc2

If this vote passes, a gpg-signed tag will be created using:
     git tag -f -m 'Apache Accumulo 1.7.2' -s rel/1.7.2 \
         a01e67741d101c3d87f1d6e16d54ff7a96951ad0

Staging repo:
https://repository.apache.org/content/repositories/orgapacheaccumulo-1052
Source (official release artifact):

https://repository.apache.org/content/repositories/orgapacheaccumulo-1052/org/apache/accumulo/accumulo/1.7.2/accumulo-1.7.2-src.tar.gz
Binary:

https://repository.apache.org/content/repositories/orgapacheaccumulo-1052/org/apache/accumulo/accumulo/1.7.2/accumulo-1.7.2-bin.tar.gz
(Append ".sha1", ".md5", or ".asc" to download the signature/hash for a
given artifact.)

All artifacts were built and staged with:
     mvn release:prepare && mvn release:perform

Signing keys are available at https://www.apache.org/dist/accumulo/KEYS
(Expected fingerprint: 86EDB9C33B8517228E88A8F93E48C0C6EF362B9E)

Release notes (in progress) can be found at:
https://accumulo.apache.org/release_notes/1.7.2

Please vote one of:
[ ] +1 - I have verified and accept...
[ ] +0 - I have reservations, but not strong enough to vote against...
[ ] -1 - Because..., I do not accept...
... these artifacts as the 1.7.2 release of Apache Accumulo.

This vote will end on Tue Jun 21 05:00:00 UTC 2016
(Tue Jun 21 01:00:00 EDT 2016 / Mon Jun 20 22:00:00 PDT 2016)

Thanks!

P.S. Hint: download the whole staging repo with
     wget -erobots=off -r -l inf -np -nH \
         https://repository.apache.org/content/repositories/orgapacheaccumulo-1052/
     # note the trailing slash is needed
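
The checks discussed in this thread (checksum sidecars, a good signature from the expected fingerprint, and whether the signing key carries an expiration date) can be scripted. The following is an added example, not part of the original e-mails or of Accumulo's release tooling. It assumes status text captured from `gpg --status-fd 1 --verify` and a listing from `gpg --with-colons --list-keys`; the function names and the sample gpg output are constructed for illustration.

```python
import hashlib

EXPECTED_FPR = "86EDB9C33B8517228E88A8F93E48C0C6EF362B9E"  # from the vote e-mail
FAILED = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def digest_matches(artifact: bytes, sidecar_text: str, algo: str) -> bool:
    """Compare an artifact with the hex digest in its .sha1/.md5 sidecar."""
    tokens = sidecar_text.split()
    return bool(tokens) and hashlib.new(algo, artifact).hexdigest() == tokens[0].lower()

def signer_fingerprint(status: str):
    """Primary-key fingerprint from gpg status output, or None unless the signature is good."""
    good, fpr = False, None
    for line in status.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in FAILED:
            return None
        if fields[1] == "GOODSIG":
            good = True
        elif fields[1] == "VALIDSIG" and len(fields) >= 3:
            # Last field is the primary key's fingerprint when gpg emits it.
            fpr = fields[-1] if len(fields) >= 12 else fields[2]
    return fpr.upper() if good and fpr else None

def key_expiry(colons: str, fpr: str):
    """Expiry field of the primary key with this fingerprint in a colon listing:
    "" means no expiration date, None means the key is not listed."""
    pending = None
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 6:
            pending = f[6]          # field 7 of a pub record: expiration date
        elif f[0] == "fpr" and len(f) > 9 and pending is not None:
            if f[9].upper() == fpr.upper():
                return pending
            pending = None          # first fpr after pub belonged to another key
    return None

# Constructed sample gpg output (key ID suffix, user ID and timestamps are made up).
SAMPLE_STATUS = (
    "[GNUPG:] GOODSIG 3E48C0C6EF362B9E Constructed Signer <signer@example.invalid>\n"
    f"[GNUPG:] VALIDSIG {EXPECTED_FPR} 2016-06-17 1466200000 0 4 0 1 8 00 {EXPECTED_FPR}\n")
SAMPLE_KEYS = ("pub:u:4096:1:3E48C0C6EF362B9E:1400000000:::u:::scESC:\n"
               f"fpr:::::::::{EXPECTED_FPR}:\n")

if __name__ == "__main__":
    print(signer_fingerprint(SAMPLE_STATUS) == EXPECTED_FPR,
          repr(key_expiry(SAMPLE_KEYS, EXPECTED_FPR)))
```

Comparing the full fingerprint from `VALIDSIG`, rather than the short key ID in `GOODSIG`, is what ties the signature to the key announced in the vote e-mail.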

