-1 non-binding * checksums match * verified signatures with Tom's key from svn
I haven't gotten to finish going through everything, but I've already found several places where we aren't meeting the ASF policy on license notification[1]. HBase recently had to deal with a similar morass[2], so I have some familiarity in fixing these things, but I'm afraid I don't have bandwidth until late next week. 1) The following proposed distribution artifacts are completely missing LICENSE/NOTICE files at the top level: * avro-csharp * avro-doc * py * python3 * ruby gem 2) The Perl distribution artifact is missing the LICENSE file. It has a NOTICE file, but that file declares Copyright (C) 2010 Yann Kerherve rather than meeting the ASF policy. 3) The source distribution artifact is missing some LICENSE/NOTICE entries for bundled third party works. I haven't gotten to exhaustively check, but e.g. * avro-src-1.8.0/lang/c/jansson/install-sh * avro-src-1.8.0/lang/c/jansson/configure * avro-src-1.8.0/lang/c++/m4/m4_ax_boost_base.m4 * avro-src-1.8.0/lang/java/ipc/src/main/java/org/apache/avro/ipc/stats/static/jquery-1.4.2.min.js. 4) The c and c++ distribution artifacts have a single COPYING file containing the ASLv2 text rather than the ASF required LICENSE/NOTICE. additionally they are both missing needed LICENSE/NOTICE entries based on what's present. 5) The php distribution artifact has LICENSE/NOTICE files that include entries about the c and c# implementation, which are not actually bundled. 6) The avro-ipc-sources jar bundles jquery but does not mention it in the META-INF/LICENSE file 7) The avro-tool fat jar has several extraneous license files and the META-INF/LICENSE & META-INF/NOTICE do not properly reflect bundled works e.g. * the top of the jar has a LICENSE.txt/NOTICE.txt file from some dependency that should not be present * META-INF contains both LICENSE and LICENSE.txt, both are vanilla ASLv2. we should have just LICENSE and it should include needed additions for bundled works * META-INF/ASLv2 is another extraneous copy of the ASLv2 text * META-INF/NOTICE.txt appears to be from commons-compress * the majority of bundled works are not reflected at all (spot checking shows e.g. some MIT and BSD that require entries in LICENSE) nits: a) The c# distribution artifact untars directly into the working directory. [1]: http://www.apache.org/dev/licensing-howto.html [2]: https://issues.apache.org/jira/browse/HBASE-14085 On Fri, Aug 14, 2015 at 1:28 AM, Sean Busbey <[email protected]> wrote: > I'm working through verifying the release artifacts, but I can't verify > the signatures because the KEYS file only contains Doug and Jeff H. > > Tom is your key published on people.apache? or could you add yourself to > the avro dist KEYS file? > > On Tue, Aug 11, 2015 at 5:39 AM, Tom White <[email protected]> wrote: > >> I have created a candidate build for Avro release 1.8.0. This is the first >> release that has been built using Docker. >> >> The changes are listed at: >> http://s.apache.org/avro180 >> >> The release artifacts can be found here: >> http://people.apache.org/~tomwhite/avro-1.8.0-rc0/ >> >> The tag corresponding to this release candidate is >> http://svn.apache.org/repos/asf/avro/tags/release-1.8.0-rc0 >> >> You can find the KEYS file here: >> https://dist.apache.org/repos/dist/release/avro/KEYS >> >> The Maven staging repository is at: >> https://repository.apache.org/content/repositories/orgapacheavro-1002 >> >> Please download, verify, and test. Thanks in advance for voting! >> >> Cheers, >> Tom >> > > > > -- > Sean > -- Sean
