May also get some thoughts what you think about the approach for using the maven license plugin as documented in the JIRA here : https://issues.apache.org/jira/browse/APEXMALHAR-2461 <https://issues.apache.org/jira/browse/APEXMALHAR-2461>
The TL/DR; version is the build can be made to break if a certain license is coming in the build path. However there are other issues that need to be considered before the plugin can be considered as part of the PR. Since embracing the plugin is a huge manual check effort for the first time integration, I would like to get some thoughts before I spend too much time on this approach and realise later that all of us do not agree with the approach. Regards, Ananth > On 3 Nov 2017, at 5:57 am, Ananth G <ananthg.a...@gmail.com> wrote: > > The following changes pass the build and tests in my local environment: > > - Fixing the JSON schema validator with the apache version > - Fixing the JSON core with the apache version > - Marking mysql connector jars to be optional > > @Pramod: The plugin allows for custom overriding for use cases you mentioned. > Example some jars do not include the license and hence license is null ( apex > jar is also under this category ) . Some other dependencies do not seem to > have an aligned license name.Ex: "Apache License 2.0" vs "apache 2”. I am > currently exploring how far can I go to keep adding “excludes” as we > encounter such blocks. > > Regards, > Ananth > > >> On 2 Nov 2017, at 7:44 am, Vlad Rozov <vro...@apache.org> wrote: >> >> I would agree to consider demos/samples as optional components especially >> that they are not published to the Apache maven repository as Apex >> artifacts, but still would prefer that all libraries licensed under Category >> X are marked as optional in those modules. >> >> For all artifacts that are published to maven including sql and contrib, the >> dependencies must be removed, upgraded/replaced or marked (as a last resort) >> as optional. >> >> Thank you, >> >> Vlad >> >> On 11/1/17 13:06, Pramod Immaneni wrote: >>> If we go by the strict definition of [1], I guess everything can be >>> considered optional because each component in the library is pretty much >>> independent. But if we look at it another way, the project can >>> consider certain modules as important and main and others as optional. I >>> think the pom.xml profile distinction shows one such intent. Like I said, >>> the intent should be to fix the ones you identified but if it were not >>> possible, I think modules like examples, contrib and other in the >>> all-modules and not in the main profile could be considered optional for >>> the licensing purposes. >>> >>> 1.https://www.apache.org/legal/resolved.html#optional >>> >>> On Wed, Nov 1, 2017 at 12:57 PM, Vlad Rozov <vro...@apache.org> wrote: >>> >>>> IMO, it is only usage that may be optional, whether a module is included >>>> into a profile that is not enabled by default does not define it's usage. >>>> >>>> It is also possible to consider entire library as optional, somebody may >>>> use only one operator from the entire library. >>>> >>>> Thank you, >>>> >>>> Vlad >>>> >>>> >>>> On 11/1/17 12:49, Pramod Immaneni wrote: >>>> >>>>> I was thinking of it more in terms of optional that Justin mentioned >>>>> earlier. >>>>> >>>>> On Wed, Nov 1, 2017 at 12:10 PM, Vlad Rozov <vro...@apache.org> wrote: >>>>> >>>>> It does not matter whether sql (and demos) is part of the main profile or >>>>>> not. It is a source release, not a binary release and source includes all >>>>>> profiles. >>>>>> >>>>>> Thank you, >>>>>> >>>>>> Vlad >>>>>> >>>>>> >>>>>> On 11/1/17 11:50, Pramod Immaneni wrote: >>>>>> >>>>>> Vlad can you add this command to the release instructions and the >>>>>>> committer >>>>>>> guidelines. If we are unable to address this for this release, we can >>>>>>> consider moving examples to all-modules, sql is already not in the main >>>>>>> profile. >>>>>>> >>>>>>> On Mon, Oct 30, 2017 at 7:23 PM, Vlad Rozov <vro...@apache.org> wrote: >>>>>>> >>>>>>> The following command may help to identify dependencies: >>>>>>> >>>>>>>> find . -name DEPENDENCIES -print | xargs grep -n License: | grep -vE >>>>>>>> "Apache|CDDL|MIT|BSD|ASF|Public Domain|Eclipse Public License|Mozilla >>>>>>>> Public|Common Public|apache.org" >>>>>>>> >>>>>>>> Thank you, >>>>>>>> >>>>>>>> Vlad >>>>>>>> >>>>>>>> On 10/28/17 20:19, Ananth G wrote: >>>>>>>> >>>>>>>> Before we proceed with the release, could I please get some thoughts on >>>>>>>> >>>>>>>>> the following JIRAs that need resolution. If we can move some of these >>>>>>>>> out >>>>>>>>> of 3.8.0 to the next release , then I can proceed with the release >>>>>>>>> instructions. >>>>>>>>> >>>>>>>>> There are two JIRAs that are marked 3.8.0 and not yet resolved: >>>>>>>>> >>>>>>>>> - https://issues.apache.org/jira/browse/APEXMALHAR-2461 < >>>>>>>>> https://issues.apache.org/jira/browse/APEXMALHAR-2461> (This is the >>>>>>>>> one >>>>>>>>> that Vlad raised below about Category X dependencies ) >>>>>>>>> - https://issues.apache.org/jira/browse/APEXMALHAR-2498 < >>>>>>>>> https://issues.apache.org/jira/browse/APEXMALHAR-2498> (Kafka Tests >>>>>>>>> being flaky ) >>>>>>>>> >>>>>>>>> The following is marked as “In progress” >>>>>>>>> - https://issues.apache.org/jira/browse/APEXMALHAR-2462 < >>>>>>>>> https://issues.apache.org/jira/browse/APEXMALHAR-2462> : This I >>>>>>>>> believe >>>>>>>>> was kept in progress by Thomas for some follow up tasks and hence I >>>>>>>>> believe >>>>>>>>> we can move it to post 3.8.0 release ? >>>>>>>>> >>>>>>>>> >>>>>>>>> @Vlad: Regarding APEXMALHAR-2461, How are you generating the license >>>>>>>>> reports ? I have tried using license-maven-plugin ( from codehaus ) >>>>>>>>> and >>>>>>>>> it >>>>>>>>> does generate a report but there is nothing which provides a report >>>>>>>>> based >>>>>>>>> on the violations ( and hence being forced to open each project under >>>>>>>>> examples and comparing it with the licenses list from the allowed >>>>>>>>> licenses >>>>>>>>> link that you provided in the mailing list a few days back). Is there >>>>>>>>> a >>>>>>>>> more optimal way to see the current list of violations in a concise >>>>>>>>> way >>>>>>>>> ? >>>>>>>>> >>>>>>>>> Regards, >>>>>>>>> Ananth >>>>>>>>> >>>>>>>>> On 27 Oct 2017, at 5:53 am, Tushar Gosavi <tus...@datatorrent.com> >>>>>>>>> wrote: >>>>>>>>> >>>>>>>>> Hi Vlad, >>>>>>>>>> As far as I remember, I had access to staging maven area while doing >>>>>>>>>> previous apex release. You will need to update .m2/settings.xml with >>>>>>>>>> apache >>>>>>>>>> credential to access the maven repository. >>>>>>>>>> >>>>>>>>>> Regards, >>>>>>>>>> -Tushar. >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On Thu, Oct 26, 2017 at 11:02 PM, Vlad Rozov <vro...@apache.org> >>>>>>>>>> wrote: >>>>>>>>>> >>>>>>>>>> Please send your PGP public key to one of PMC members to be added to >>>>>>>>>> >>>>>>>>>> KEYS. >>>>>>>>>>> I don't remember if only PMC have access to staging Apache maven, it >>>>>>>>>>> may be >>>>>>>>>>> the case. Tushar, did you have write access to the staging Apache >>>>>>>>>>> maven >>>>>>>>>>> when you did the release? >>>>>>>>>>> >>>>>>>>>>> What do we do with https://issues.apache.org/jira >>>>>>>>>>> /browse/APEXMALHAR-2461? >>>>>>>>>>> >>>>>>>>>>> Thank you, >>>>>>>>>>> >>>>>>>>>>> Vlad >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> On 10/25/17 15:28, Ananth G wrote: >>>>>>>>>>> >>>>>>>>>>> I would like to volunteer to be the release manager for this. Given >>>>>>>>>>> I >>>>>>>>>>> >>>>>>>>>>> have not done this before I might have a few questions along the way >>>>>>>>>>>> in the >>>>>>>>>>>> mailing list. >>>>>>>>>>>> >>>>>>>>>>>> A couple of questions regarding the release process: >>>>>>>>>>>> >>>>>>>>>>>> - In the link https://apex.apache.org/release.html , in the >>>>>>>>>>>> section >>>>>>>>>>>> titled “Build and deploy release candidate” there is a mention of >>>>>>>>>>>> adding >>>>>>>>>>>> GPG keys. >>>>>>>>>>>> - Is it mandatory for the release manager gpg public key >>>>>>>>>>>> to be >>>>>>>>>>>> present in the list >>>>>>>>>>>> - If it is how do I get my key added to that list >>>>>>>>>>>> - In the same section of the above link there is a mention of >>>>>>>>>>>> configuring >>>>>>>>>>>> the server apache.staging.https in the maven settings file. >>>>>>>>>>>> - I am not able to reach this server ? Is this expected? >>>>>>>>>>>> - The userid and password to be configured are our >>>>>>>>>>>> committer >>>>>>>>>>>> ids >>>>>>>>>>>> ? >>>>>>>>>>>> >>>>>>>>>>>> Regards >>>>>>>>>>>> Ananth >>>>>>>>>>>> >>>>>>>>>>>> On 26 Oct 2017, at 4:04 am, Ananth G <ananthg.a...@gmail.com> >>>>>>>>>>>> wrote: >>>>>>>>>>>> >>>>>>>>>>>> +1 for malhar release. >>>>>>>>>>>> >>>>>>>>>>>>> Regards, >>>>>>>>>>>>> Ananth >>>>>>>>>>>>> >>>>>>>>>>>>> On 26 Oct 2017, at 3:20 am, Bhupesh Chawda < >>>>>>>>>>>>> bhup...@datatorrent.com >>>>>>>>>>>>> wrote: >>>>>>>>>>>>> >>>>>>>>>>>>>> +1 for malhar release >>>>>>>>>>>>>> >>>>>>>>>>>>>> ~ Bhupesh >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> _______________________________________________________ >>>>>>>>>>>>>> >>>>>>>>>>>>>> Bhupesh Chawda >>>>>>>>>>>>>> >>>>>>>>>>>>>> E: bhup...@datatorrent.com | Twitter: @bhupeshsc >>>>>>>>>>>>>> >>>>>>>>>>>>>> www.datatorrent.com | apex.apache.org >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> On Wed, Oct 25, 2017 at 9:37 PM, Chinmay Kolhatkar < >>>>>>>>>>>>>> chin...@datatorrent.com> >>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>> >>>>>>>>>>>>>> +1. >>>>>>>>>>>>>> >>>>>>>>>>>>>> - Chinmay. >>>>>>>>>>>>>> >>>>>>>>>>>>>>> On 25 Oct 2017 9:20 pm, "Chaitanya Chebolu" < >>>>>>>>>>>>>>> chaita...@datatorrent.com >>>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> +1 on new release. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Thanks, >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> On Wed, Oct 25, 2017 at 9:09 PM, Vlad Rozov <vro...@apache.org >>>>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> +1. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Thank you, >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Vlad >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> On 10/25/17 08:21, Amol Kekre wrote: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> +1 on a new malhar release. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> Thks, >>>>>>>>>>>>>>>>>> Amol >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> E:a...@datatorrent.com | M: 510-449-2606 | Twitter: >>>>>>>>>>>>>>>>>> @*amolhkekre* >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> www.datatorrent.com >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> On Tue, Oct 24, 2017 at 9:12 PM, Tushar Gosavi < >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> tus...@datatorrent.com> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>>>> +1 on creating a new malhar release. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> - Tushar. >>>>>>>>>>>>>>>>>> On Wed, Oct 25, 2017 at 4:39 AM, Pramod Immaneni < >>>>>>>>>>>>>>>>>>> pra...@datatorrent.com >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>>>>> +1 on creating a new release. I, unfortunately, do not have >>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> time >>>>>>>>>>>>>>>>>>> currently to participate in the release activities. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> On Mon, Oct 23, 2017 at 7:15 PM, Thomas Weise < >>>>>>>>>>>>>>>>>>>> t...@apache.org> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> The last release was back in March, there are quite a few >>>>>>>>>>>>>>>>>> JIRAs >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>> have >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> been completed since and should be released. >>>>>>>>>>>>>>>>>>> https://issues.apache.org/jira/issues/?jql=fixVersion% >>>>>>>>>>>>>>>>>>>> 20%3D%203.8.0%20AND%20project%20%3D%20APEXMALHAR%20ORDER% >>>>>>>>>>>>>>>>>>>>> 20BY%20status%20ASC >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> From looking at the list there is nothing that should >>>>>>>>>>>>>>>>>>>>> stand >>>>>>>>>>>>>>>>>>>>> in >>>>>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> way >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> of a >>>>>>>>>>>>>>>>>>> release? >>>>>>>>>>>>>>>>>> Also, once the release is out it would be a good opportunity >>>>>>>>>>>>>>>>>>>> to >>>>>>>>>>>>>>>>>>>>> effect >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>> major version change. >>>>>>>>>>>>>>>>>> Anyone interested to be the release manager? >>>>>>>>>>>>>>>>>>>> Thanks, >>>>>>>>>>>>>>>>>>>>> Thomas >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> -- >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> *Chaitanya* >>>>>>>>>>>>>>>>>>> Software Engineer >>>>>>>>>>>>>>>> E: chaita...@datatorrent.com | Twitter: @chaithu1403 >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> www.datatorrent.com | apex.apache.org >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >> >
