Hi Julian
On Sat, 17 Nov 2018 12:10:43 -0800
Julian Hyde <[email protected]> wrote:
-1 due to a LICENSE file that claims that there are category X
artifacts in binary distribution
Downloaded artifacts, checked checksums. Checked that contents of
src-tar match contents of git at
2d8c4c1d48cfa75b1ec8ba403d188ac3037034ba.
Source distribution: Compiled on Linux, JDK 8. Checked DISCLAIMER,
LICENSE and NOTICE. Ran RAT.
Binary artifacts: Checked DISCLAIMER, LICENSE, NOTICE. The LICENSE
file mentions several category X licenses (jboss-marshalling is LGPL,
JAXB is GPLv2, STAX is GPLv3, jsr305 is LGPL). I understand that
these are optional. But you are distributing some of those category X
artifacts (e.g. jars/jsr305-3.0.0.jar), and that is not allowed in an
AL distribution. If they are truly optional, you should leave them
out of the distro; people can use Crail without them, and can get
them if they need them.
Let me check whether we need them or not. These are not used by Crail
directly but pulled in as dependencies of dependencies.
I think your LICENSE file makes things look worse than they really
are. For example, it states that jsr305-3.0.0.jar is LGPL v2.1,
whereas com.google.code.findbugs:jsr305:3.0.0 is
actually AL 2.0[1]. In other cases, the artifacts are dual CDDL/GPL.
In any case, if there are any category X items in LICENSE, we cannot
distribute.
Take a look at: https://github.com/findbugsproject/findbugs/issues/128
It is not AL2.0; the actual license is unclear but believed to be BSD. I do not
trust the license entries at maven central. I either pull the license file
from META-INF or from the source (looking for the appropriate tag/branch).
LICENSE file of the source distribution could and should be much
shorter than the LICENSE file in the binary distribution, because you
are not distributing these things in the source distribution.
I will create 2 license file versions, one for the source release, one for the
binary.
Julian
[1]
https://search.maven.org/artifact/com.google.code.findbugs/jsr305/3.0.0/jar
On Nov 17, 2018, at 3:13 AM, Patrick Stuedi <[email protected]>
wrote:
+1
+ Compiles from source
+ Runs from binaries
Thanks!
-Patrick
On Thu, Nov 15, 2018 at 5:16 PM Jonas Pfefferle <[email protected]>
wrote:
Hi all
For another round, we prepared a new release to address the issues found in
rc5. This is a call to vote on releasing Apache Crail 1.1-incubating,
release candidate 6. The following issues have been addressed:
* Add licenses and CREDITS files to binary tarball and jars META-INF
* Add README to binary tarball
The source and binary tarball, including signatures, digests, etc. can be
found at:
https://dist.apache.org/repos/dist/dev/incubator/crail/1.1-rc6/
The commit to be voted upon:
https://git-wip-us.apache.org/repos/asf?p=incubator-crail.git;a=commit;h=2d8c4c1d48cfa75b1ec8ba403d188ac3037034ba
The Nexus Staging URL:
https://repository.apache.org/content/repositories/orgapachecrail-1005/
Release artifacts are signed with the key AA557B11:
https://www.apache.org/dist/incubator/crail/KEYS
For information about the contents of this release, see:
https://git-wip-us.apache.org/repos/asf?p=incubator-crail.git;a=blob_plain;f=HISTORY.md;hb=2d8c4c1d48cfa75b1ec8ba403d188ac3037034ba
or for better readability
https://github.com/apache/incubator-crail/blob/v1.1-rc6/HISTORY.md
Please vote on releasing this package as Apache Crail 1.1-incubating
The vote will be open for 72 hours (will be extended as needed because of
weekend).
[ ] +1 Release this package as Apache Crail 1.1-incubating
[ ] +0 no opinion
[ ] -1 Do not release this package because ...
Thanks,
Jonas