j...@joshfischer.io wrote: > Rat check showed 1441 unapproved licenses.
How did you execute the check? Since we configured apache-rat to produce one report for all submodules, it requires a "clean" project's folder to give relevant results with current configuration. ./mvnw clean && ./mvnw apache-rat:check If you executed examples in the same repository a git cleaning might be required as well: git clean -fdx At the moment it gives: " Apache Licensed: 588 76 Unknown Licenses " The remaining cases are being worked on to either exclude or add the license header: https://github.com/apache/incubator-baremaps/pull/732 ------- Original Message ------- On Wednesday, August 30th, 2023 at 13:15, Bertil Chapuis <bchap...@gmail.com> wrote: > Hello Calvin, > Hello Julian, > > Thank you for your reviews and for taking the time to list these points. You > will find my comments below. > > > 1. The binary version needs to include the license of all components > > required for compilation. If it is a standard AL2, it can be ignored. > > You can refer to [1] > > 2. The binary version of NOTICE needs to include the licenses of all > > dependent third-party components (AFAIK, this is only required when > > the license of the dependencies is AL2), you can refer to [2] > > > We do have a THIRD-PARTY file at the root of the binary distribution that > lists the licenses of the components required for compilation and at runtime. > We don’t ignore AL2 licences in order to be exhaustive and to keep the build > process simple. We released version 0.7.1 believing this was sufficient to > comply with this requirement. What do you think? > > > 3. The LICENSE file of the binary version needs to declare which > > version of the source code your binary version is based on. You can > > refer to [3] > > > Ok, we shall address this. > > > Source package: > > 1. For the LICENSE file in the source code package, I don't know which > > specific codes are dependent on the source code, so I can't check > > whether it is correct or not. I suggest that we list the specific > > modifications in the license. > > > I’m worried that this listing won’t survive a refactoring. The current > approach is to include a clear reference to the original project in the > javadoc. Here is an exemple: > > https://github.com/apache/incubator-baremaps/blob/a62a1a38f809134e3bf4c69fd192523877babd7e/baremaps-core/src/main/java/org/apache/baremaps/stream/BufferedSpliterator.java#L28 > > As a result searching for the names listed in the LICENSE file in the > codebase quickly returns the adapted files. For instance, searching for > OSMPBF will return the osmformat.proto file. > > > 2. The license of logo.svg is Font Awesome Free License. I see that > > Font Awesome Free is free, open source, and GPL friendly. You can use > > it for commercial projects, open source projects, or really almost > > whatever you want. > > This is not allowed to be added to ASF projects. > > > Good catch, we need to address this and find a replacement for this icon. > > > [1] https://github.com/apache/hadoop/tree/trunk/licenses-binary > > [2] https://github.com/apache/hadoop/blob/trunk/NOTICE-binary > > [3] https://github.com/apache/hadoop/blob/trunk/LICENSE-binary > > > > On Wed, Aug 30, 2023 at 4:10 AM Julian Hyde jhyde.apa...@gmail.com wrote: > > > > > -1 (binding) > > > > > > Downloaded, checked src-tar contents against git tag [1], checked > > > LICENSE/NOTICE/README/DISCLAIMER [2], checked signatures/hashes[3], > > > checked for binaries in src-tar, compiled using OpenJDK 17 and Maven > > > 3.8.1, ran rat. > > > > > > Everything that I checked looks good. But I’m voting -1 because of the > > > binary licensing issues that Calvin reported. Let’s get those issues > > > fixed and do another RC. > > > > > > By the way. I think we should keep the voting period to 3 days (or 4 days > > > over a weekend). Even though votes may sometimes take a long time, the > > > voters SHOULD try to vote promptly. If there is a serious issue, we would > > > like to discover it quickly and move to the next RC in a tempo of days > > > rather than weeks. > > > Thank you for clarifying this point. > > > > Julian > > > > > > [1] Git and src-tar mostly match: > > > > > > $ diff -r . /tmp/apache-baremaps-0.7.2-incubating-src/ > > > Only in /tmp/apache-baremaps-0.7.2-incubating-src/baremaps-cli/src: test > > > Only in /tmp/apache-baremaps-0.7.2-incubating-src/baremaps-ogcapi: target > > > Only in ./baremaps-renderer: assets > > > Only in ./baremaps-renderer: declaration.d.ts > > > Only in ./baremaps-renderer: .gitignore > > > Only in /tmp/apache-baremaps-0.7.2-incubating-src/baremaps-renderer: > > > node_modules > > > Only in ./baremaps-renderer: package.json > > > Only in ./baremaps-renderer: package-lock.json > > > Only in ./baremaps-renderer: .prettierignore > > > Only in ./baremaps-renderer: .prettierrc.json > > > Only in ./baremaps-renderer: README.md > > > Only in ./baremaps-renderer: tsconfig.json > > > Only in > > > /tmp/apache-baremaps-0.7.2-incubating-src/baremaps-server/src/main/resources: > > > maputnik > > > Only in .: basemap > > > Only in .: examples > > > Only in .: .git > > > Only in .: .github > > > Only in .: .gitignore > > > Only in .: .min > > > Only in .: mvnw > > > Only in .: mvnw.cmd > > > diff -r ./README /tmp/apache-baremaps-0.7.2-incubating-src/README > > > 1c1 > > > < # Apache Baremaps (incubating) ${project.version} > > > --- > > > > > > > # Apache Baremaps (incubating) 0.7.2 > > > > diff -r ./scripts/generate-artifacts.sh > > > > /tmp/apache-baremaps-0.7.2-incubating-src/scripts/generate-artifacts.sh > > > > 22c22 > > > > < version=$(./mvnw -q -Dexec.executable=echo > > > > -Dexec.args='${project.version}' --non-recursive exec:exec) > > > > --- > > > > version=$(./mvnw -q -Dexec.executable=echo -Dexec.args='0.7.2' > > > > --non-recursive exec:exec) > > > > 35c35 > > > > < for artifact in ./baremaps-$version-incubating-; do > > > > --- > > > > for artifact in ./apache-baremaps-$version-incubating-; do > > > > > > Any reason not to include .github/, .gitignore, examples, basemap, and > > > the various files in baremaps-renderer ? > > > We use the baremaps-renderer solely to perform integration tests on the > basemap before making significant changes to the style. I’m not sure if it > makes sense to include it in the release. > > > > [2] In LICENSE, you should remove the "APPENDIX: How to apply the Apache > > > License to your work” section. > > > Sorry for that, I believe you already mentioned this point in a previous > review. > > > > [3] I received the same error as Calvin did: > > > > > > gpg: Good signature from "Bertil Chapuis bchap...@gmail.com" [unknown]. > > > gpg: WARNING: This key is not certified with a trusted signature! > > > gpg: There is no indication that the signature belongs to the owner. > > > > > > This error can be fixed by Bertil getting his key signed by someone in > > > our web of trust. This can be done after release, but let’s get it done. > > > It would be great if someone could guide me in this process. I believe > Bertrand could help as we meet in person from time to time. > > Best regards, > > Bertil > > > > > On Aug 29, 2023, at 12:02 PM, Bertil Chapuis bchap...@gmail.com wrote: > > > > > > > > Hello Calvin, > > > > > > > > It would be great if you can list a few actionable items regarding > > > > licensing. > > > > > > > > https://github.com/apache/incubator-baremaps/issues/492 > > > > > > > > I did a pass on almost everything before joining the incubator, and had > > > > to rewrite or find alternatives to all the problematic GPL > > > > dependencies. A second pass made after joining the incubator revealed a > > > > few additional issues, but I think we are close from being compliant. > > > > In my opinion, the main issue is related to datasets (e.g. > > > > openstreetmap files) used in the tests. We added the DISCLAIMER-WIP to > > > > acknowledge these issues in the src and binary distributions without > > > > blocking the release process. > > > > > > > > Best regards, > > > > > > > > Bertil > > > > > > > > > On 29 Aug 2023, at 18:12, Josh Fischer j...@joshfischer.io wrote: > > > > > > > > > > Calvin, > > > > > > > > > > You made me think of a license question. With Heron, we kept a > > > > > separate copy of all the licenses that were not ALV2 [1]. Is this > > > > > something that needs to be done for Baremaps? > > > > > > > > > > 1. https://github.com/apache/incubator-heron/tree/master/licenses > > > > > > > > > > - Josh > > > > > > > > > > > On Aug 29, 2023, at 11:04 AM, Calvin Kirs k...@apache.org wrote: > > > > > > > > > > > > I'll find time tomorrow to list specific checks. > > > > > > BTW, we cannot fully rely on rat to indicate whether the license is > > > > > > compliant. > > > > > > In addition, regarding the modification of source code dependencies, > > > > > > we'd better list the specific files in the LICENSE file, otherwise > > > > > > it > > > > > > is difficult for us to judge whether this part is compliant. > > > > > > > > > > > > On Tue, Aug 29, 2023 at 11:31 PM Calvin Kirs <k...@apache.org > > > > > > mailto:k...@apache.org> wrote: > > > > > > > > > > > > > On Tue, Aug 29, 2023 at 10:39 PM Josh Fischer j...@joshfischer.io > > > > > > > wrote: > > > > > > > > > > > > > > > Right now I’m 0. > > > > > > > > > > > > > > > > I’ve not run across this before, I’m not sure if it’s an issue > > > > > > > > for the release. See gpg output below about the key not being > > > > > > > > certified. This is the reason my vote is 0 at the moment. > > > > > > > > gpg --verify $FILE.asc $FILE > > > > > > > > gpg: Signature made Thu Aug 24 07:11:17 2023 CDT > > > > > > > > gpg: using RSA key 16D7A0B27D5ADD52BD57932971751399FB39CB84 > > > > > > > > gpg: Good signature from "Bertil Chapuis bchap...@gmail.com" > > > > > > > > [unknown] > > > > > > > > gpg: WARNING: This key is not certified with a trusted > > > > > > > > signature! > > > > > > > > > > > > > > don't worry, it's ok. > > > > > > > > > > > > > > > I checked: > > > > > > > > - Downloaded; checked hashes/signatures; checked LICENSE, > > > > > > > > NOTICE, DISCLAIMER-WIP; compiled and ran tests on OSX, OpenJDK > > > > > > > > 17, Maven 3.8.4. > > > > > > > > - Rat check showed 1441 unapproved licenses. However, since we > > > > > > > > are a WIP and I think this issue is known, so we are good. > > > > > > > > - I tried to run the example from the tar.gz binary, but the > > > > > > > > website seems to refer to the repo - not a release. As an > > > > > > > > example, the openStreet Map example wouldn’t work with one of > > > > > > > > our binary releases. This isn’t a blocker by any means, just a > > > > > > > > developer experience idea that I thought about while checking > > > > > > > > the release. > > > > > > > > > > > > > > > > $ cd examples/openstreetmap > > > > > > > > $ baremaps workflow execute --file workflow.json > > > > > > > > > > > > > > > > Because the “examples” folder wasn’t in the binary release I > > > > > > > > wasn’t sure how to run the example. > > > > > > > > > > > > > > > > - Josh > > > > > > > > > > > > > > > > > On Aug 28, 2023, at 3:20 PM, Bertil Chapuis > > > > > > > > > bchap...@gmail.com wrote: > > > > > > > > > > > > > > > > > > Thank you Josh and Julian. There is no hurry, especially if > > > > > > > > > we can increase the duration of the vote. > > > > > > > > > > > > > > > > > > As we all have busy schedule, I will probably extend future > > > > > > > > > release votes to one week in the future. > > > > > > > > > > > > > > > > > > Best, > > > > > > > > > > > > > > > > > > Bertil > > > > > > > > > > > > > > > > > > > On 28 Aug 2023, at 19:07, Julian Hyde > > > > > > > > > > jhyde.apa...@gmail.com wrote: > > > > > > > > > > > > > > > > > > > > What Josh said. I’ll review & vote today. Apologies. > > > > > > > > > > > > > > > > > > > > > On Aug 28, 2023, at 7:42 AM, Josh Fischer > > > > > > > > > > > j...@joshfischer.io wrote: > > > > > > > > > > > > > > > > > > > > > > I apologize for my absence. I will spend some time > > > > > > > > > > > looking at it in the next 24 hours. > > > > > > > > > > > > > > > > > > > > > > This is one of the fun and challenging parts of working > > > > > > > > > > > through the incubator. I’ve had votes go over two weeks > > > > > > > > > > > before. Our best bet is to get as many binding > > > > > > > > > > > (preferably 3) votes on the dev@baremaps list. It’s often > > > > > > > > > > > harder to get votes on general@a.o mailto:general@a.o. > > > > > > > > > > > > > > > > > > > > > > Let’s wait a few more days to get binding votes. > > > > > > > > > > > Open-source moves at the speed of open-source, fun! > > > > > > > > > > > > > > > > > > > > > > > On Aug 28, 2023, at 9:10 AM, Bertil Chapuis > > > > > > > > > > > > bchap...@gmail.com wrote: > > > > > > > > > > > > > > > > > > > > > > > > Hello Everyone, > > > > > > > > > > > > > > > > > > > > > > > > We don’t have enough vote for publishing our release. > > > > > > > > > > > > Can we extend the deadline or should we start a new > > > > > > > > > > > > vote? > > > > > > > > > > > > > > > > > > > > > > > > I see that some projects, such as Apache Pekko, ask the > > > > > > > > > > > > incubator mailing-list to vote for their releases. > > > > > > > > > > > > Should we try to do the same? > > > > > > > > > > > > > > > > > > > > > > > > Best regards, > > > > > > > > > > > > > > > > > > > > > > > > Bertil > > > > > > > > > > > > > > > > > > > > > > > > > On 24 Aug 2023, at 14:52, Bertil Chapuis > > > > > > > > > > > > > bchap...@gmail.com wrote: > > > > > > > > > > > > > > > > > > > > > > > > > > Hello Everyone, > > > > > > > > > > > > > > > > > > > > > > > > > > Following our online release party (thank you Leonard > > > > > > > > > > > > > and Perdjesk), we have created a build for Apache > > > > > > > > > > > > > Baremaps (incubating) 0.7.2, release candidate 1. > > > > > > > > > > > > > > > > > > > > > > > > > > Thanks to everyone who has contributed to this > > > > > > > > > > > > > release. > > > > > > > > > > > > > > > > > > > > > > > > > > You can read the release notes here: > > > > > > > > > > > > > https://github.com/apache/incubator-baremaps/releases/tag/v0.7.2-rc1 > > > > > > > > > > > > > > > > > > > > > > > > > > The commit to be voted upon: > > > > > > > > > > > > > https://github.com/apache/incubator-baremaps/tree/v0.7.2-rc1 > > > > > > > > > > > > > > > > > > > > > > > > > > Its hash is e917d5b02fdb64c3f715afd449bb1fe9ca5c2f58. > > > > > > > > > > > > > > > > > > > > > > > > > > Its tag is v0.7.2-rc1. > > > > > > > > > > > > > > > > > > > > > > > > > > The artifacts to be voted on are located here: > > > > > > > > > > > > > https://dist.apache.org/repos/dist/dev/incubator/baremaps/0.7.2-rc1/ > > > > > > > > > > > > > > > > > > > > > > > > > > The hashes of the artifacts are as follows: > > > > > > > > > > > > > d910b50ebed4200d0ef6f0c1ee3e4db0cd95ea005fe54fca66dfc4ec4dca73e96edc8913654c85c73539d6a9d27481157fea9f456a9f3aa451c178a811a89ea0 > > > > > > > > > > > > > ./apache-baremaps-0.7.2-incubating-src.tar.gz > > > > > > > > > > > > > fda00056b9785bbbb7f966e92cf7e118071f5b6d44f9652176a4626cec38c5b0738933b24e23efef423eafba2111bc6a22e6f00a67fda2f10b0011f9c22f3208 > > > > > > > > > > > > > ./apache-baremaps-0.7.2-incubating-bin.tar.gz > > > > > > > > > > > > > > > > > > > > > > > > > > Release artifacts are signed with the following key: > > > > > > > > > > > > > http://people.apache.org/keys/committer/bchapuis.asc > > > > > > > > > > > > > https://downloads.apache.org/incubator/baremaps/KEYS > > > > > > > > > > > > > > > > > > > > > > > > > > The README file for the src distribution contains > > > > > > > > > > > > > instructions for building and testing the release. > > > > > > > > > > > > > > > > > > > > > > > > > > Please vote on releasing this package as Apache > > > > > > > > > > > > > Baremaps 0.7.2. > > > > > > > > > > > > > > > > > > > > > > > > > > The vote is open for the next 72 hours and passes if > > > > > > > > > > > > > a majority of at least three +1 PMC votes are cast. > > > > > > > > > > > > > > > > > > > > > > > > > > [ ] +1 Release this package as Apache Baremaps > > > > > > > > > > > > > <version> > > > > > > > > > > > > > [ ] 0 I don't feel strongly about it, but I'm okay > > > > > > > > > > > > > with the release > > > > > > > > > > > > > [ ] -1 Do not release this package because... > > > > > > > > > > > > > > > > > > > > > > > > > > Here is my vote: > > > > > > > > > > > > > > > > > > > > > > > > > > +1 (binding): I checked the signatures and the > > > > > > > > > > > > > checksums; I built the project from its sources; and > > > > > > > > > > > > > checked the binary distribution. > > > > > > > > > > > > > > > > > > > > > > > > > > Best regards, > > > > > > > > > > > > > > > > > > > > > > > > > > Bertil Chapuis > > > > > > > > > > > > > > > > > > > > --------------------------------------------------------------------- > > > > > > > > > > To unsubscribe, e-mail: dev-unsubscr...@baremaps.apache.org > > > > > > > > > > For additional commands, e-mail: > > > > > > > > > > dev-h...@baremaps.apache.org > > > > > > > > > > > > > > -- > > > > > > > Best wishes! > > > > > > > CalvinKirs > > > > > > > > > > > > -- > > > > > > Best wishes! > > > > > > CalvinKirs > > > > > > > > > > > > --------------------------------------------------------------------- > > > > > > To unsubscribe, e-mail: dev-unsubscr...@baremaps.apache.org > > > > > > mailto:dev-unsubscr...@baremaps.apache.org > > > > > > For additional commands, e-mail: dev-h...@baremaps.apache.org > > > > > > mailto:dev-h...@baremaps.apache.org > > > > > > --------------------------------------------------------------------- > > > To unsubscribe, e-mail: dev-unsubscr...@baremaps.apache.org > > > For additional commands, e-mail: dev-h...@baremaps.apache.org > > > > -- > > Best wishes! > > CalvinKirs > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: dev-unsubscr...@baremaps.apache.org > > For additional commands, e-mail: dev-h...@baremaps.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@baremaps.apache.org For additional commands, e-mail: dev-h...@baremaps.apache.org
