On Wed, Aug 30, 2023 at 7:17 PM Bertil Chapuis <bchap...@gmail.com> wrote:
>
> Hello Calvin,
> Hello Julian,
>
> Thank you for your reviews and for taking the time to list these points. You 
> will find my comments below.
>
> > 1. The binary version needs to include the license of all components
> > required for compilation. If it is a standard AL2, it can be ignored.
> > You can refer to [1]
> > 2. The binary version of NOTICE needs to include the licenses of all
> > dependent third-party components (AFAIK, this is only required when
> > the license of the dependencies is AL2), you can refer to [2]
>
> We do have a THIRD-PARTY file at the root of the binary distribution that 
> lists the licenses of the components required for compilation and at runtime. 
> We don’t ignore AL2 licences in order to be exhaustive and to keep the build 
> process simple. We released version 0.7.1 believing this was sufficient to 
> comply with this requirement. What do you think?

What I mean is all the contents of its license file (if it is standard
AL2, you don't need to include it) and list them according to your
needs.

The same goes for NOTICE files. If these components use the AL2
protocol and include NOTICE, then you need to include these in the
NOTICE file in the root directory.
I think Josh is familiar with this.
>
> > 3. The LICENSE file of the binary version needs to declare which
> > version of the source code your binary version is based on. You can
> > refer to [3]
>
> Ok, we shall address this.
>
> > Source package:
> > 1. For the LICENSE file in the source code package, I don't know which
> > specific codes are dependent on the source code, so I can't check
> > whether it is correct or not. I suggest that we list the specific
> > modifications in the license.
>
> I’m worried that this listing won’t survive a refactoring. The current 
> approach is to include a clear reference to the original project in the 
> javadoc. Here is an exemple:
>
> https://github.com/apache/incubator-baremaps/blob/a62a1a38f809134e3bf4c69fd192523877babd7e/baremaps-core/src/main/java/org/apache/baremaps/stream/BufferedSpliterator.java#L28
>
> As a result searching for the names listed in the LICENSE file in the 
> codebase quickly returns the adapted files. For instance, searching for 
> OSMPBF will return the osmformat.proto file.
>
>
> > 2. The license of logo.svg is Font Awesome Free License. I see that
> > Font Awesome Free is free, open source, and GPL friendly. You can use
> > it for commercial projects, open source projects, or really almost
> > whatever you want.
> > This is not allowed to be added to ASF projects.
>
> Good catch, we need to address this and find a replacement for this icon.
>
> >
> > [1] https://github.com/apache/hadoop/tree/trunk/licenses-binary
> > [2] https://github.com/apache/hadoop/blob/trunk/NOTICE-binary
> > [3] https://github.com/apache/hadoop/blob/trunk/LICENSE-binary
> >
> > On Wed, Aug 30, 2023 at 4:10 AM Julian Hyde <jhyde.apa...@gmail.com> wrote:
> >>
> >> -1 (binding)
> >>
> >> Downloaded, checked src-tar contents against git tag [1], checked 
> >> LICENSE/NOTICE/README/DISCLAIMER [2], checked signatures/hashes[3], 
> >> checked for binaries in src-tar, compiled using OpenJDK 17 and Maven 
> >> 3.8.1, ran rat.
> >>
> >> Everything that I checked looks good. But I’m voting -1 because of the 
> >> binary licensing issues that Calvin reported. Let’s get those issues fixed 
> >> and do another RC.
> >>
> >> By the way. I think we should keep the voting period to 3 days (or 4 days 
> >> over a weekend). Even though votes may sometimes take a long time, the 
> >> voters SHOULD try to vote promptly. If there is a serious issue, we would 
> >> like to discover it quickly and move to the next RC in a tempo of days 
> >> rather than weeks.
>
> Thank you for clarifying this point.
>
> >> Julian
> >>
> >>
> >> [1] Git and src-tar mostly match:
> >>
> >> $ diff -r . /tmp/apache-baremaps-0.7.2-incubating-src/
> >> Only in /tmp/apache-baremaps-0.7.2-incubating-src/baremaps-cli/src: test
> >> Only in /tmp/apache-baremaps-0.7.2-incubating-src/baremaps-ogcapi: target
> >> Only in ./baremaps-renderer: assets
> >> Only in ./baremaps-renderer: declaration.d.ts
> >> Only in ./baremaps-renderer: .gitignore
> >> Only in /tmp/apache-baremaps-0.7.2-incubating-src/baremaps-renderer: 
> >> node_modules
> >> Only in ./baremaps-renderer: package.json
> >> Only in ./baremaps-renderer: package-lock.json
> >> Only in ./baremaps-renderer: .prettierignore
> >> Only in ./baremaps-renderer: .prettierrc.json
> >> Only in ./baremaps-renderer: README.md
> >> Only in ./baremaps-renderer: tsconfig.json
> >> Only in 
> >> /tmp/apache-baremaps-0.7.2-incubating-src/baremaps-server/src/main/resources:
> >>  maputnik
> >> Only in .: basemap
> >> Only in .: examples
> >> Only in .: .git
> >> Only in .: .github
> >> Only in .: .gitignore
> >> Only in .: .min
> >> Only in .: mvnw
> >> Only in .: mvnw.cmd
> >> diff -r ./README /tmp/apache-baremaps-0.7.2-incubating-src/README
> >> 1c1
> >> < # Apache Baremaps (incubating) ${project.version}
> >> ---
> >>> # Apache Baremaps (incubating) 0.7.2
> >> diff -r ./scripts/generate-artifacts.sh 
> >> /tmp/apache-baremaps-0.7.2-incubating-src/scripts/generate-artifacts.sh
> >> 22c22
> >> < version=$(./mvnw -q -Dexec.executable=echo 
> >> -Dexec.args='${project.version}' --non-recursive exec:exec)
> >> ---
> >>> version=$(./mvnw -q -Dexec.executable=echo -Dexec.args='0.7.2' 
> >>> --non-recursive exec:exec)
> >> 35c35
> >> < for artifact in ./baremaps-$version-incubating-*; do
> >> ---
> >>> for artifact in ./apache-baremaps-$version-incubating-*; do
> >>
> >> Any reason not to include .github/, .gitignore, examples, basemap, and the 
> >> various files in baremaps-renderer ?
>
> We use the baremaps-renderer solely to perform integration tests on the 
> basemap before making significant changes to the style. I’m not sure if it 
> makes sense to include it in the release.
>
> >> [2] In LICENSE, you should remove the "APPENDIX: How to apply the Apache 
> >> License to your work” section.
>
> Sorry for that, I believe you already mentioned this point in a previous 
> review.
>
> >> [3] I received the same error as Calvin did:
> >>
> >>  gpg: Good signature from "Bertil Chapuis <bchap...@gmail.com>" [unknown].
> >>  gpg: WARNING: This key is not certified with a trusted signature!
> >>  gpg:          There is no indication that the signature belongs to the 
> >> owner.
> >>
> >> This error can be fixed by Bertil getting his key signed by someone in our 
> >> web of trust. This can be done after release, but let’s get it done.
>
> It would be great if someone could guide me in this process. I believe 
> Bertrand could help as we meet in person from time to time.
>
> Best regards,
>
> Bertil
>
> >>> On Aug 29, 2023, at 12:02 PM, Bertil Chapuis <bchap...@gmail.com> wrote:
> >>>
> >>> Hello Calvin,
> >>>
> >>> It would be great if you can list a few actionable items regarding 
> >>> licensing.
> >>>
> >>> https://github.com/apache/incubator-baremaps/issues/492
> >>>
> >>> I did a pass on almost everything before joining the incubator, and had 
> >>> to rewrite or find alternatives to all the problematic GPL dependencies. 
> >>> A second pass made after joining the incubator revealed a few additional 
> >>> issues, but I think we are close from being compliant. In my opinion, the 
> >>> main issue is related to datasets (e.g. openstreetmap files) used in the 
> >>> tests. We added the DISCLAIMER-WIP to acknowledge these issues in the src 
> >>> and binary distributions without blocking the release process.
> >>>
> >>> Best regards,
> >>>
> >>> Bertil
> >>>
> >>>> On 29 Aug 2023, at 18:12, Josh Fischer <j...@joshfischer.io> wrote:
> >>>>
> >>>> Calvin,
> >>>>
> >>>> You made me think of a license question.  With Heron, we kept a separate 
> >>>> copy of all the licenses that were not ALV2 [1].  Is this something that 
> >>>> needs to be done for Baremaps?
> >>>>
> >>>> 1. https://github.com/apache/incubator-heron/tree/master/licenses
> >>>>
> >>>> - Josh
> >>>>
> >>>>> On Aug 29, 2023, at 11:04 AM, Calvin Kirs <k...@apache.org> wrote:
> >>>>>
> >>>>> I'll find time tomorrow to list specific checks.
> >>>>> BTW, we cannot fully rely on rat to indicate whether the license is 
> >>>>> compliant.
> >>>>> In addition, regarding the modification of source code dependencies,
> >>>>> we'd better list the specific files in the LICENSE file, otherwise it
> >>>>> is difficult for us to judge whether this part is compliant.
> >>>>>
> >>>>> On Tue, Aug 29, 2023 at 11:31 PM Calvin Kirs <k...@apache.org 
> >>>>> <mailto:k...@apache.org>> wrote:
> >>>>>>
> >>>>>> On Tue, Aug 29, 2023 at 10:39 PM Josh Fischer <j...@joshfischer.io> 
> >>>>>> wrote:
> >>>>>>>
> >>>>>>> Right now I’m 0.
> >>>>>>>
> >>>>>>> I’ve not run across this before, I’m not sure if it’s an issue for 
> >>>>>>> the release.  See gpg output below about the key not being certified. 
> >>>>>>>  This is the reason my vote is 0 at the moment.
> >>>>>>> gpg --verify $FILE.asc $FILE
> >>>>>>> gpg: Signature made Thu Aug 24 07:11:17 2023 CDT
> >>>>>>> gpg:                using RSA key 
> >>>>>>> 16D7A0B27D5ADD52BD57932971751399FB39CB84
> >>>>>>> gpg: Good signature from "Bertil Chapuis <bchap...@gmail.com>" 
> >>>>>>> [unknown]
> >>>>>>> gpg: WARNING: This key is not certified with a trusted signature!
> >>>>>>
> >>>>>> don't worry, it's ok.
> >>>>>>>
> >>>>>>> I checked:
> >>>>>>> - Downloaded; checked hashes/signatures; checked LICENSE, NOTICE, 
> >>>>>>> DISCLAIMER-WIP; compiled and ran tests on OSX, OpenJDK 17, Maven 
> >>>>>>> 3.8.4.
> >>>>>>> - Rat check showed 1441 unapproved licenses.  However, since we are a 
> >>>>>>> WIP and I think this issue is known, so we are good.
> >>>>>>> - I tried to run the example from the tar.gz binary, but the website 
> >>>>>>> seems to refer to the repo - not a release. As an example, the 
> >>>>>>> openStreet Map example wouldn’t work with one of our binary releases. 
> >>>>>>> This isn’t a blocker by any means, just a developer experience idea 
> >>>>>>> that I thought about while checking the release.
> >>>>>>>
> >>>>>>> $ cd examples/openstreetmap
> >>>>>>> $ baremaps workflow execute --file workflow.json
> >>>>>>>
> >>>>>>> Because the “examples” folder wasn’t in the binary release I wasn’t 
> >>>>>>> sure how to run the example.
> >>>>>>>
> >>>>>>> - Josh
> >>>>>>>
> >>>>>>>> On Aug 28, 2023, at 3:20 PM, Bertil Chapuis <bchap...@gmail.com> 
> >>>>>>>> wrote:
> >>>>>>>>
> >>>>>>>> Thank you Josh and Julian. There is no hurry, especially if we can 
> >>>>>>>> increase the duration of the vote.
> >>>>>>>>
> >>>>>>>> As we all have busy schedule, I will probably extend future release 
> >>>>>>>> votes to one week in the future.
> >>>>>>>>
> >>>>>>>> Best,
> >>>>>>>>
> >>>>>>>> Bertil
> >>>>>>>>
> >>>>>>>>> On 28 Aug 2023, at 19:07, Julian Hyde <jhyde.apa...@gmail.com> 
> >>>>>>>>> wrote:
> >>>>>>>>>
> >>>>>>>>> What Josh said. I’ll review & vote today. Apologies.
> >>>>>>>>>
> >>>>>>>>>> On Aug 28, 2023, at 7:42 AM, Josh Fischer <j...@joshfischer.io> 
> >>>>>>>>>> wrote:
> >>>>>>>>>>
> >>>>>>>>>> I apologize for my absence.  I will spend some time looking at it 
> >>>>>>>>>> in the next 24 hours.
> >>>>>>>>>>
> >>>>>>>>>> This is one of the fun and challenging parts of working through 
> >>>>>>>>>> the incubator. I’ve had votes go over two weeks before.  Our best 
> >>>>>>>>>> bet is to get as many binding (preferably 3) votes on the 
> >>>>>>>>>> dev@baremaps list.  It’s often harder to get votes on general@a.o 
> >>>>>>>>>> <mailto:general@a.o>.
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> Let’s wait a few more days to get binding votes. Open-source moves 
> >>>>>>>>>> at the speed of open-source, fun!
> >>>>>>>>>>
> >>>>>>>>>>> On Aug 28, 2023, at 9:10 AM, Bertil Chapuis <bchap...@gmail.com> 
> >>>>>>>>>>> wrote:
> >>>>>>>>>>>
> >>>>>>>>>>> Hello Everyone,
> >>>>>>>>>>>
> >>>>>>>>>>> We don’t have enough vote for publishing our release. Can we 
> >>>>>>>>>>> extend the deadline or should we start a new vote?
> >>>>>>>>>>>
> >>>>>>>>>>> I see that some projects, such as Apache Pekko, ask the incubator 
> >>>>>>>>>>> mailing-list to vote for their releases. Should we try to do the 
> >>>>>>>>>>> same?
> >>>>>>>>>>>
> >>>>>>>>>>> Best regards,
> >>>>>>>>>>>
> >>>>>>>>>>> Bertil
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>> On 24 Aug 2023, at 14:52, Bertil Chapuis <bchap...@gmail.com> 
> >>>>>>>>>>>> wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>> Hello Everyone,
> >>>>>>>>>>>>
> >>>>>>>>>>>> Following our online release party (thank you Leonard and 
> >>>>>>>>>>>> Perdjesk), we have created a build for Apache Baremaps 
> >>>>>>>>>>>> (incubating) 0.7.2, release candidate 1.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Thanks to everyone who has contributed to this release.
> >>>>>>>>>>>>
> >>>>>>>>>>>> You can read the release notes here:
> >>>>>>>>>>>> https://github.com/apache/incubator-baremaps/releases/tag/v0.7.2-rc1
> >>>>>>>>>>>>
> >>>>>>>>>>>> The commit to be voted upon:
> >>>>>>>>>>>> https://github.com/apache/incubator-baremaps/tree/v0.7.2-rc1
> >>>>>>>>>>>>
> >>>>>>>>>>>> Its hash is e917d5b02fdb64c3f715afd449bb1fe9ca5c2f58.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Its tag is v0.7.2-rc1.
> >>>>>>>>>>>>
> >>>>>>>>>>>> The artifacts to be voted on are located here:
> >>>>>>>>>>>> https://dist.apache.org/repos/dist/dev/incubator/baremaps/0.7.2-rc1/
> >>>>>>>>>>>>
> >>>>>>>>>>>> The hashes of the artifacts are as follows:
> >>>>>>>>>>>> d910b50ebed4200d0ef6f0c1ee3e4db0cd95ea005fe54fca66dfc4ec4dca73e96edc8913654c85c73539d6a9d27481157fea9f456a9f3aa451c178a811a89ea0
> >>>>>>>>>>>>  ./apache-baremaps-0.7.2-incubating-src.tar.gz
> >>>>>>>>>>>> fda00056b9785bbbb7f966e92cf7e118071f5b6d44f9652176a4626cec38c5b0738933b24e23efef423eafba2111bc6a22e6f00a67fda2f10b0011f9c22f3208
> >>>>>>>>>>>>  ./apache-baremaps-0.7.2-incubating-bin.tar.gz
> >>>>>>>>>>>>
> >>>>>>>>>>>> Release artifacts are signed with the following key:
> >>>>>>>>>>>> http://people.apache.org/keys/committer/bchapuis.asc
> >>>>>>>>>>>> https://downloads.apache.org/incubator/baremaps/KEYS
> >>>>>>>>>>>>
> >>>>>>>>>>>> The README file for the src distribution contains instructions 
> >>>>>>>>>>>> for building and testing the release.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Please vote on releasing this package as Apache Baremaps 0.7.2.
> >>>>>>>>>>>>
> >>>>>>>>>>>> The vote is open for the next 72 hours and passes if a majority 
> >>>>>>>>>>>> of at least three +1 PMC votes are cast.
> >>>>>>>>>>>>
> >>>>>>>>>>>> [ ] +1 Release this package as Apache Baremaps <version>
> >>>>>>>>>>>> [ ] 0 I don't feel strongly about it, but I'm okay with the 
> >>>>>>>>>>>> release
> >>>>>>>>>>>> [ ] -1 Do not release this package because...
> >>>>>>>>>>>>
> >>>>>>>>>>>> Here is my vote:
> >>>>>>>>>>>>
> >>>>>>>>>>>> +1 (binding): I checked the signatures and the checksums; I 
> >>>>>>>>>>>> built the project from its sources; and checked the binary 
> >>>>>>>>>>>> distribution.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Best regards,
> >>>>>>>>>>>>
> >>>>>>>>>>>> Bertil Chapuis
> >>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> ---------------------------------------------------------------------
> >>>>>>>>> To unsubscribe, e-mail: dev-unsubscr...@baremaps.apache.org
> >>>>>>>>> For additional commands, e-mail: dev-h...@baremaps.apache.org
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>>
> >>>>>> --
> >>>>>> Best wishes!
> >>>>>> CalvinKirs
> >>>>>
> >>>>>
> >>>>>
> >>>>> --
> >>>>> Best wishes!
> >>>>> CalvinKirs
> >>>>>
> >>>>> ---------------------------------------------------------------------
> >>>>> To unsubscribe, e-mail: dev-unsubscr...@baremaps.apache.org 
> >>>>> <mailto:dev-unsubscr...@baremaps.apache.org>
> >>>>> For additional commands, e-mail: dev-h...@baremaps.apache.org 
> >>>>> <mailto:dev-h...@baremaps.apache.org>
> >>>
> >>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: dev-unsubscr...@baremaps.apache.org
> >> For additional commands, e-mail: dev-h...@baremaps.apache.org
> >>
> >
> >
> > --
> > Best wishes!
> > CalvinKirs
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscr...@baremaps.apache.org
> > For additional commands, e-mail: dev-h...@baremaps.apache.org
> >
>


-- 
Best wishes!
CalvinKirs

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@baremaps.apache.org
For additional commands, e-mail: dev-h...@baremaps.apache.org

Reply via email to