jhyde.apa...@gmail.com wrote:
> [2] In LICENSE, you should remove the "APPENDIX: How to apply the Apache 
> License to your work” section. 

What is the reasoning for this removal?

The appendix is part of the official license available here: 
https://www.apache.org/licenses/LICENSE-2.0.txt 
It is as well referenced in the "Definitions" section of the license:

      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).

Several Apache graduated projects do have the appendix in their LICENSE in 
source and binary releases (checked Apache Kafka, Apache Pulsar, Apache Hadoop).


------- Original Message -------
On Wednesday, August 30th, 2023 at 14:35, perdj...@protonmail.com 
<perdj...@protonmail.com> wrote:


> j...@joshfischer.io wrote:
> 
> > Rat check showed 1441 unapproved licenses.
> 
> 
> How did you execute the check?
> 
> Since we configured apache-rat to produce one report for all submodules, it 
> requires a "clean" project's folder to give relevant results with current 
> configuration.
> 
> ./mvnw clean && ./mvnw apache-rat:check
> 
> If you executed examples in the same repository a git cleaning might be 
> required as well: git clean -fdx
> 
> At the moment it gives:
> "
> Apache Licensed: 588
> 76 Unknown Licenses
> "
> 
> The remaining cases are being worked on to either exclude or add the license 
> header: https://github.com/apache/incubator-baremaps/pull/732
> 
> 
> ------- Original Message -------
> On Wednesday, August 30th, 2023 at 13:15, Bertil Chapuis bchap...@gmail.com 
> wrote:
> 
> 
> 
> > Hello Calvin,
> > Hello Julian,
> > 
> > Thank you for your reviews and for taking the time to list these points. 
> > You will find my comments below.
> > 
> > > 1. The binary version needs to include the license of all components
> > > required for compilation. If it is a standard AL2, it can be ignored.
> > > You can refer to [1]
> > > 2. The binary version of NOTICE needs to include the licenses of all
> > > dependent third-party components (AFAIK, this is only required when
> > > the license of the dependencies is AL2), you can refer to [2]
> > 
> > We do have a THIRD-PARTY file at the root of the binary distribution that 
> > lists the licenses of the components required for compilation and at 
> > runtime. We don’t ignore AL2 licences in order to be exhaustive and to keep 
> > the build process simple. We released version 0.7.1 believing this was 
> > sufficient to comply with this requirement. What do you think?
> > 
> > > 3. The LICENSE file of the binary version needs to declare which
> > > version of the source code your binary version is based on. You can
> > > refer to [3]
> > 
> > Ok, we shall address this.
> > 
> > > Source package:
> > > 1. For the LICENSE file in the source code package, I don't know which
> > > specific codes are dependent on the source code, so I can't check
> > > whether it is correct or not. I suggest that we list the specific
> > > modifications in the license.
> > 
> > I’m worried that this listing won’t survive a refactoring. The current 
> > approach is to include a clear reference to the original project in the 
> > javadoc. Here is an exemple:
> > 
> > https://github.com/apache/incubator-baremaps/blob/a62a1a38f809134e3bf4c69fd192523877babd7e/baremaps-core/src/main/java/org/apache/baremaps/stream/BufferedSpliterator.java#L28
> > 
> > As a result searching for the names listed in the LICENSE file in the 
> > codebase quickly returns the adapted files. For instance, searching for 
> > OSMPBF will return the osmformat.proto file.
> > 
> > > 2. The license of logo.svg is Font Awesome Free License. I see that
> > > Font Awesome Free is free, open source, and GPL friendly. You can use
> > > it for commercial projects, open source projects, or really almost
> > > whatever you want.
> > > This is not allowed to be added to ASF projects.
> > 
> > Good catch, we need to address this and find a replacement for this icon.
> > 
> > > [1] https://github.com/apache/hadoop/tree/trunk/licenses-binary
> > > [2] https://github.com/apache/hadoop/blob/trunk/NOTICE-binary
> > > [3] https://github.com/apache/hadoop/blob/trunk/LICENSE-binary
> > > 
> > > On Wed, Aug 30, 2023 at 4:10 AM Julian Hyde jhyde.apa...@gmail.com wrote:
> > > 
> > > > -1 (binding)
> > > > 
> > > > Downloaded, checked src-tar contents against git tag [1], checked 
> > > > LICENSE/NOTICE/README/DISCLAIMER [2], checked signatures/hashes[3], 
> > > > checked for binaries in src-tar, compiled using OpenJDK 17 and Maven 
> > > > 3.8.1, ran rat.
> > > > 
> > > > Everything that I checked looks good. But I’m voting -1 because of the 
> > > > binary licensing issues that Calvin reported. Let’s get those issues 
> > > > fixed and do another RC.
> > > > 
> > > > By the way. I think we should keep the voting period to 3 days (or 4 
> > > > days over a weekend). Even though votes may sometimes take a long time, 
> > > > the voters SHOULD try to vote promptly. If there is a serious issue, we 
> > > > would like to discover it quickly and move to the next RC in a tempo of 
> > > > days rather than weeks.
> > 
> > Thank you for clarifying this point.
> > 
> > > > Julian
> > > > 
> > > > [1] Git and src-tar mostly match:
> > > > 
> > > > $ diff -r . /tmp/apache-baremaps-0.7.2-incubating-src/
> > > > Only in /tmp/apache-baremaps-0.7.2-incubating-src/baremaps-cli/src: test
> > > > Only in /tmp/apache-baremaps-0.7.2-incubating-src/baremaps-ogcapi: 
> > > > target
> > > > Only in ./baremaps-renderer: assets
> > > > Only in ./baremaps-renderer: declaration.d.ts
> > > > Only in ./baremaps-renderer: .gitignore
> > > > Only in /tmp/apache-baremaps-0.7.2-incubating-src/baremaps-renderer: 
> > > > node_modules
> > > > Only in ./baremaps-renderer: package.json
> > > > Only in ./baremaps-renderer: package-lock.json
> > > > Only in ./baremaps-renderer: .prettierignore
> > > > Only in ./baremaps-renderer: .prettierrc.json
> > > > Only in ./baremaps-renderer: README.md
> > > > Only in ./baremaps-renderer: tsconfig.json
> > > > Only in 
> > > > /tmp/apache-baremaps-0.7.2-incubating-src/baremaps-server/src/main/resources:
> > > >  maputnik
> > > > Only in .: basemap
> > > > Only in .: examples
> > > > Only in .: .git
> > > > Only in .: .github
> > > > Only in .: .gitignore
> > > > Only in .: .min
> > > > Only in .: mvnw
> > > > Only in .: mvnw.cmd
> > > > diff -r ./README /tmp/apache-baremaps-0.7.2-incubating-src/README
> > > > 1c1
> > > > < # Apache Baremaps (incubating) ${project.version}
> > > > ---
> > > > 
> > > > > # Apache Baremaps (incubating) 0.7.2
> > > > > diff -r ./scripts/generate-artifacts.sh 
> > > > > /tmp/apache-baremaps-0.7.2-incubating-src/scripts/generate-artifacts.sh
> > > > > 22c22
> > > > > < version=$(./mvnw -q -Dexec.executable=echo 
> > > > > -Dexec.args='${project.version}' --non-recursive exec:exec)
> > > > > ---
> > > > > version=$(./mvnw -q -Dexec.executable=echo -Dexec.args='0.7.2' 
> > > > > --non-recursive exec:exec)
> > > > > 35c35
> > > > > < for artifact in ./baremaps-$version-incubating-; do
> > > > > ---
> > > > > for artifact in ./apache-baremaps-$version-incubating-; do
> > > > 
> > > > Any reason not to include .github/, .gitignore, examples, basemap, and 
> > > > the various files in baremaps-renderer ?
> > 
> > We use the baremaps-renderer solely to perform integration tests on the 
> > basemap before making significant changes to the style. I’m not sure if it 
> > makes sense to include it in the release.
> > 
> > > > [2] In LICENSE, you should remove the "APPENDIX: How to apply the 
> > > > Apache License to your work” section.
> > 
> > Sorry for that, I believe you already mentioned this point in a previous 
> > review.
> > 
> > > > [3] I received the same error as Calvin did:
> > > > 
> > > > gpg: Good signature from "Bertil Chapuis bchap...@gmail.com" [unknown].
> > > > gpg: WARNING: This key is not certified with a trusted signature!
> > > > gpg: There is no indication that the signature belongs to the owner.
> > > > 
> > > > This error can be fixed by Bertil getting his key signed by someone in 
> > > > our web of trust. This can be done after release, but let’s get it done.
> > 
> > It would be great if someone could guide me in this process. I believe 
> > Bertrand could help as we meet in person from time to time.
> > 
> > Best regards,
> > 
> > Bertil
> > 
> > > > > On Aug 29, 2023, at 12:02 PM, Bertil Chapuis bchap...@gmail.com wrote:
> > > > > 
> > > > > Hello Calvin,
> > > > > 
> > > > > It would be great if you can list a few actionable items regarding 
> > > > > licensing.
> > > > > 
> > > > > https://github.com/apache/incubator-baremaps/issues/492
> > > > > 
> > > > > I did a pass on almost everything before joining the incubator, and 
> > > > > had to rewrite or find alternatives to all the problematic GPL 
> > > > > dependencies. A second pass made after joining the incubator revealed 
> > > > > a few additional issues, but I think we are close from being 
> > > > > compliant. In my opinion, the main issue is related to datasets (e.g. 
> > > > > openstreetmap files) used in the tests. We added the DISCLAIMER-WIP 
> > > > > to acknowledge these issues in the src and binary distributions 
> > > > > without blocking the release process.
> > > > > 
> > > > > Best regards,
> > > > > 
> > > > > Bertil
> > > > > 
> > > > > > On 29 Aug 2023, at 18:12, Josh Fischer j...@joshfischer.io wrote:
> > > > > > 
> > > > > > Calvin,
> > > > > > 
> > > > > > You made me think of a license question. With Heron, we kept a 
> > > > > > separate copy of all the licenses that were not ALV2 [1]. Is this 
> > > > > > something that needs to be done for Baremaps?
> > > > > > 
> > > > > > 1. https://github.com/apache/incubator-heron/tree/master/licenses
> > > > > > 
> > > > > > - Josh
> > > > > > 
> > > > > > > On Aug 29, 2023, at 11:04 AM, Calvin Kirs k...@apache.org wrote:
> > > > > > > 
> > > > > > > I'll find time tomorrow to list specific checks.
> > > > > > > BTW, we cannot fully rely on rat to indicate whether the license 
> > > > > > > is compliant.
> > > > > > > In addition, regarding the modification of source code 
> > > > > > > dependencies,
> > > > > > > we'd better list the specific files in the LICENSE file, 
> > > > > > > otherwise it
> > > > > > > is difficult for us to judge whether this part is compliant.
> > > > > > > 
> > > > > > > On Tue, Aug 29, 2023 at 11:31 PM Calvin Kirs <k...@apache.org 
> > > > > > > mailto:k...@apache.org> wrote:
> > > > > > > 
> > > > > > > > On Tue, Aug 29, 2023 at 10:39 PM Josh Fischer 
> > > > > > > > j...@joshfischer.io wrote:
> > > > > > > > 
> > > > > > > > > Right now I’m 0.
> > > > > > > > > 
> > > > > > > > > I’ve not run across this before, I’m not sure if it’s an 
> > > > > > > > > issue for the release. See gpg output below about the key not 
> > > > > > > > > being certified. This is the reason my vote is 0 at the 
> > > > > > > > > moment.
> > > > > > > > > gpg --verify $FILE.asc $FILE
> > > > > > > > > gpg: Signature made Thu Aug 24 07:11:17 2023 CDT
> > > > > > > > > gpg: using RSA key 16D7A0B27D5ADD52BD57932971751399FB39CB84
> > > > > > > > > gpg: Good signature from "Bertil Chapuis bchap...@gmail.com" 
> > > > > > > > > [unknown]
> > > > > > > > > gpg: WARNING: This key is not certified with a trusted 
> > > > > > > > > signature!
> > > > > > > > 
> > > > > > > > don't worry, it's ok.
> > > > > > > > 
> > > > > > > > > I checked:
> > > > > > > > > - Downloaded; checked hashes/signatures; checked LICENSE, 
> > > > > > > > > NOTICE, DISCLAIMER-WIP; compiled and ran tests on OSX, 
> > > > > > > > > OpenJDK 17, Maven 3.8.4.
> > > > > > > > > - Rat check showed 1441 unapproved licenses. However, since 
> > > > > > > > > we are a WIP and I think this issue is known, so we are good.
> > > > > > > > > - I tried to run the example from the tar.gz binary, but the 
> > > > > > > > > website seems to refer to the repo - not a release. As an 
> > > > > > > > > example, the openStreet Map example wouldn’t work with one of 
> > > > > > > > > our binary releases. This isn’t a blocker by any means, just 
> > > > > > > > > a developer experience idea that I thought about while 
> > > > > > > > > checking the release.
> > > > > > > > > 
> > > > > > > > > $ cd examples/openstreetmap
> > > > > > > > > $ baremaps workflow execute --file workflow.json
> > > > > > > > > 
> > > > > > > > > Because the “examples” folder wasn’t in the binary release I 
> > > > > > > > > wasn’t sure how to run the example.
> > > > > > > > > 
> > > > > > > > > - Josh
> > > > > > > > > 
> > > > > > > > > > On Aug 28, 2023, at 3:20 PM, Bertil Chapuis 
> > > > > > > > > > bchap...@gmail.com wrote:
> > > > > > > > > > 
> > > > > > > > > > Thank you Josh and Julian. There is no hurry, especially if 
> > > > > > > > > > we can increase the duration of the vote.
> > > > > > > > > > 
> > > > > > > > > > As we all have busy schedule, I will probably extend future 
> > > > > > > > > > release votes to one week in the future.
> > > > > > > > > > 
> > > > > > > > > > Best,
> > > > > > > > > > 
> > > > > > > > > > Bertil
> > > > > > > > > > 
> > > > > > > > > > > On 28 Aug 2023, at 19:07, Julian Hyde 
> > > > > > > > > > > jhyde.apa...@gmail.com wrote:
> > > > > > > > > > > 
> > > > > > > > > > > What Josh said. I’ll review & vote today. Apologies.
> > > > > > > > > > > 
> > > > > > > > > > > > On Aug 28, 2023, at 7:42 AM, Josh Fischer 
> > > > > > > > > > > > j...@joshfischer.io wrote:
> > > > > > > > > > > > 
> > > > > > > > > > > > I apologize for my absence. I will spend some time 
> > > > > > > > > > > > looking at it in the next 24 hours.
> > > > > > > > > > > > 
> > > > > > > > > > > > This is one of the fun and challenging parts of working 
> > > > > > > > > > > > through the incubator. I’ve had votes go over two weeks 
> > > > > > > > > > > > before. Our best bet is to get as many binding 
> > > > > > > > > > > > (preferably 3) votes on the dev@baremaps list. It’s 
> > > > > > > > > > > > often harder to get votes on general@a.o 
> > > > > > > > > > > > mailto:general@a.o.
> > > > > > > > > > > > 
> > > > > > > > > > > > Let’s wait a few more days to get binding votes. 
> > > > > > > > > > > > Open-source moves at the speed of open-source, fun!
> > > > > > > > > > > > 
> > > > > > > > > > > > > On Aug 28, 2023, at 9:10 AM, Bertil Chapuis 
> > > > > > > > > > > > > bchap...@gmail.com wrote:
> > > > > > > > > > > > > 
> > > > > > > > > > > > > Hello Everyone,
> > > > > > > > > > > > > 
> > > > > > > > > > > > > We don’t have enough vote for publishing our release. 
> > > > > > > > > > > > > Can we extend the deadline or should we start a new 
> > > > > > > > > > > > > vote?
> > > > > > > > > > > > > 
> > > > > > > > > > > > > I see that some projects, such as Apache Pekko, ask 
> > > > > > > > > > > > > the incubator mailing-list to vote for their 
> > > > > > > > > > > > > releases. Should we try to do the same?
> > > > > > > > > > > > > 
> > > > > > > > > > > > > Best regards,
> > > > > > > > > > > > > 
> > > > > > > > > > > > > Bertil
> > > > > > > > > > > > > 
> > > > > > > > > > > > > > On 24 Aug 2023, at 14:52, Bertil Chapuis 
> > > > > > > > > > > > > > bchap...@gmail.com wrote:
> > > > > > > > > > > > > > 
> > > > > > > > > > > > > > Hello Everyone,
> > > > > > > > > > > > > > 
> > > > > > > > > > > > > > Following our online release party (thank you 
> > > > > > > > > > > > > > Leonard and Perdjesk), we have created a build for 
> > > > > > > > > > > > > > Apache Baremaps (incubating) 0.7.2, release 
> > > > > > > > > > > > > > candidate 1.
> > > > > > > > > > > > > > 
> > > > > > > > > > > > > > Thanks to everyone who has contributed to this 
> > > > > > > > > > > > > > release.
> > > > > > > > > > > > > > 
> > > > > > > > > > > > > > You can read the release notes here:
> > > > > > > > > > > > > > https://github.com/apache/incubator-baremaps/releases/tag/v0.7.2-rc1
> > > > > > > > > > > > > > 
> > > > > > > > > > > > > > The commit to be voted upon:
> > > > > > > > > > > > > > https://github.com/apache/incubator-baremaps/tree/v0.7.2-rc1
> > > > > > > > > > > > > > 
> > > > > > > > > > > > > > Its hash is 
> > > > > > > > > > > > > > e917d5b02fdb64c3f715afd449bb1fe9ca5c2f58.
> > > > > > > > > > > > > > 
> > > > > > > > > > > > > > Its tag is v0.7.2-rc1.
> > > > > > > > > > > > > > 
> > > > > > > > > > > > > > The artifacts to be voted on are located here:
> > > > > > > > > > > > > > https://dist.apache.org/repos/dist/dev/incubator/baremaps/0.7.2-rc1/
> > > > > > > > > > > > > > 
> > > > > > > > > > > > > > The hashes of the artifacts are as follows:
> > > > > > > > > > > > > > d910b50ebed4200d0ef6f0c1ee3e4db0cd95ea005fe54fca66dfc4ec4dca73e96edc8913654c85c73539d6a9d27481157fea9f456a9f3aa451c178a811a89ea0
> > > > > > > > > > > > > >  ./apache-baremaps-0.7.2-incubating-src.tar.gz
> > > > > > > > > > > > > > fda00056b9785bbbb7f966e92cf7e118071f5b6d44f9652176a4626cec38c5b0738933b24e23efef423eafba2111bc6a22e6f00a67fda2f10b0011f9c22f3208
> > > > > > > > > > > > > >  ./apache-baremaps-0.7.2-incubating-bin.tar.gz
> > > > > > > > > > > > > > 
> > > > > > > > > > > > > > Release artifacts are signed with the following key:
> > > > > > > > > > > > > > http://people.apache.org/keys/committer/bchapuis.asc
> > > > > > > > > > > > > > https://downloads.apache.org/incubator/baremaps/KEYS
> > > > > > > > > > > > > > 
> > > > > > > > > > > > > > The README file for the src distribution contains 
> > > > > > > > > > > > > > instructions for building and testing the release.
> > > > > > > > > > > > > > 
> > > > > > > > > > > > > > Please vote on releasing this package as Apache 
> > > > > > > > > > > > > > Baremaps 0.7.2.
> > > > > > > > > > > > > > 
> > > > > > > > > > > > > > The vote is open for the next 72 hours and passes 
> > > > > > > > > > > > > > if a majority of at least three +1 PMC votes are 
> > > > > > > > > > > > > > cast.
> > > > > > > > > > > > > > 
> > > > > > > > > > > > > > [ ] +1 Release this package as Apache Baremaps 
> > > > > > > > > > > > > > <version>
> > > > > > > > > > > > > > [ ] 0 I don't feel strongly about it, but I'm okay 
> > > > > > > > > > > > > > with the release
> > > > > > > > > > > > > > [ ] -1 Do not release this package because...
> > > > > > > > > > > > > > 
> > > > > > > > > > > > > > Here is my vote:
> > > > > > > > > > > > > > 
> > > > > > > > > > > > > > +1 (binding): I checked the signatures and the 
> > > > > > > > > > > > > > checksums; I built the project from its sources; 
> > > > > > > > > > > > > > and checked the binary distribution.
> > > > > > > > > > > > > > 
> > > > > > > > > > > > > > Best regards,
> > > > > > > > > > > > > > 
> > > > > > > > > > > > > > Bertil Chapuis
> > > > > > > > > > > 
> > > > > > > > > > > ---------------------------------------------------------------------
> > > > > > > > > > > To unsubscribe, e-mail: 
> > > > > > > > > > > dev-unsubscr...@baremaps.apache.org
> > > > > > > > > > > For additional commands, e-mail: 
> > > > > > > > > > > dev-h...@baremaps.apache.org
> > > > > > > > 
> > > > > > > > --
> > > > > > > > Best wishes!
> > > > > > > > CalvinKirs
> > > > > > > 
> > > > > > > --
> > > > > > > Best wishes!
> > > > > > > CalvinKirs
> > > > > > > 
> > > > > > > ---------------------------------------------------------------------
> > > > > > > To unsubscribe, e-mail: dev-unsubscr...@baremaps.apache.org 
> > > > > > > mailto:dev-unsubscr...@baremaps.apache.org
> > > > > > > For additional commands, e-mail: dev-h...@baremaps.apache.org 
> > > > > > > mailto:dev-h...@baremaps.apache.org
> > > > 
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: dev-unsubscr...@baremaps.apache.org
> > > > For additional commands, e-mail: dev-h...@baremaps.apache.org
> > > 
> > > --
> > > Best wishes!
> > > CalvinKirs
> > > 
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: dev-unsubscr...@baremaps.apache.org
> > > For additional commands, e-mail: dev-h...@baremaps.apache.org

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@baremaps.apache.org
For additional commands, e-mail: dev-h...@baremaps.apache.org

Reply via email to