-1 (binding) Main issues is inclusion of packages with open CVE's, I think that should be fixed for this release.
I'm also concerned about differences I found between the released daffodil-debugger jar and the same jar I built from source. Class files inside that jar differ, and it's not clear why. I checked: [OK] hashes and signatures of source and helper binares are correct [OK] signature of git tag is correct [OK] source release matches git tag [OK] source compiles using yarn build [NOT OK] compiled source matches convenience binary The org.apache.daffodil.daffodil-debugger-1.0.0.jar packaged in daffodil-debugger-3.2.1-1.0.0.zip is different when I build the .vsix file from source. Numerous .class files inside that jar have different hashes. This is unexpected. We don't have this issue with Daffodil, so I'm concerned something with the vscode build system is broke. [OK] src and binaries include correct LICENSE/NOTICE [OK] RAT check passes [OK] no unexpected binaries in source [OK] vsix installs without error [NOT OK] No open CVE's found using sbt-dependency-check plugin Scan found three packages with open CVES: - log4j-api-2.17.0.jar - logback-classic-1.2.3.jar - logback-core-1.2.3.jar We depend on Daffodil 3.2.1 which should pull in log4j 2.17.2 which addresses the CVE's. Seems like something is overriding that? Also not sure where the logback dependency is pulled in from, but maybe related. [MINOR] The "publisher" for the vsix file is "asf". That should probably be "Apache Software Foundation" or just "Apache", or maybe it should be "Apache Daffodil". We can have this discussion later, but this should be fixed for the next release. [MINOR] The README shows up in VS Code, but is focused on how to build the extension. This makes sense for the main github README, but I wonder if the README displayed in VS Code wants to be different, and focus more on features/usability. We already have a differnt LICENSE file, we should do the same for the README? [MINOR] The LICENSE file has incorrect indentation making it difficult to see where one sub component ends and another begins. Would be helfup to fix this for the next release. The file bundled in the .vsix binary looks good. On 3/17/22 3:06 PM, Shane Dell wrote:
Hello all, Ignore the last vote as I did not change my email to the proper one registered for apache. I'd like to call a vote to release Apache Daffodil VS Code 1.0.0-rc2. All distribution packages, including signatures, digests, etc. can be found at: https://dist.apache.org/repos/dist/dev/daffodil/daffodil-vscode/1.0.0-rc2/ This release has been signed with PGP key 86DDE7B41291E380237934F007570D3ADC76D51B, corresponding to [email protected], which is included in the KEYS file here: https://downloads.apache.org/daffodil/KEYS The release candidate has been tagged in git with 1.0.0-rc2. For reference, here is a list of all closed GitHub issues tagged with 1.0.0: https://github.com/apache/daffodil-vscode/issues?q=is%3Aissue+is%3Aclosed+is%3A1.0.0 Please review and vote. The vote will be open for at least 72 hours (Sunday, 17 March 2022, 12 Noon EST). [ ] +1 approve [ ] +0 no opinion [ ] -1 disapprove (and reason why) Thank you, - Shane Dell
