+1 (binding)
Four checks I marked as MINOR and I'm fine with them being fixed prior
to the release (website link update & issues without milestone) or in
the next release (license issue, yarn audit CVE).
I checked:
[OK] hashes and signatures of source and helper binaries are correct
[OK] signature of git tag is correct
[OK] source release matches git tag
[OK] source compiles using yarn package
[OK] compiled source matches convenience binary exactly (except for
timestamps in zip file)
[OK] RAT check passes
[OK] no unexpected binaries in source
[OK] vsix installs without error
[MINOR] Page for release published on website
Page still links to rc2 release, but I was able to download files
from the VOTE mail. Make sure to update this page as part of the
final release process. And the VOTE email should link to the site
page instead of directly to the artifacts--this way we can review
the planned release notes.
[MINOR] No open CVEs found using sbt-dependency-check plugin and yarn
audit (except for false positives)
- yarn audit found three CVEs in the loader-utils package, but it is
a ts-loader dependency which is only a dev dependency, so less of an
issue. We should try to upgrade this in a future release
[MINOR] no closed issues without a milestone
- There's a handful of issues that have been closed but have not been
assigned a milestone. Were they closed as part of 1.2.0? Can they be
added to this milestone?
https://github.com/apache/daffodil-vscode/issues?q=is%3Aissue+is%3Aclosed+no%3Amilestone
[MINOR] src and binaries include correct LICENSE/NOTICE
- The build/extension.webpack.config.js file is marked as MIT from
Microsoft, but is not listed in the LICENSE file. I mentioned this
in the 1.1.0 release VOTE and this has not been fixed. If this is
not fixed in the next 1.3.0 release then I will vote -1.
- There are a large number of dev yarn dependencies that are listed in
the .vsix LICENSE file. Because they are dev only, they do not need
to be listed in LICENSE or NOTICE files. My guess is we didn't use
the --production flag with yarn list when figuring out what to add
to the LICENSE/NOTICE files. Removing the dev deps should make it
easier to manage these files and check for correctness.
- It looks like a number of Omega Edit jars are ALv2 and do not have a
NOTICE file, but are not listed in the NONOTICE file. For
consistency, we should probably add them to NONOTICE so they can be
checked just like any other dependencies.
- Two packages are listed in NOLICENSE. If a dependency is unlicensed
we cannot use it in ASF--it is considered category X. If it just
doesn't have a LICENSE file but specifies a license somehow else, we
still need to list it in our LICENSE file with whatever relevant
information is available. These two dependencies are MIT and are
fine, but we need to remove the NOLICENSE file and list them in
LICENSE.
On 12/1/22 8:40 AM, Shane Dell wrote:
Hello all,
I'd like to call a vote to release Apache Daffodil VS Code 1.2.0-rc3.
All distribution packages, including signatures, digests, etc. can be
found at:
https://dist.apache.org/repos/dist/dev/daffodil/daffodil-vscode/1.2.0-rc3/
This release has been signed with PGP key
86DDE7B41291E380237934F007570D3ADC76D51B, corresponding
to shaned...@apache.org, which is included in the KEYS file here:
https://downloads.apache.org/daffodil/KEYS
The release candidate has been tagged in git with 1.2.0-rc3.
For reference, here is a list of all closed GitHub issues tagged with 1.2.0:
https://github.com/apache/daffodil-vscode/milestone/3?closed=1
Please review and vote. The vote will be open for at least 72 hours
(Tuesday, 6 December 2022, 9:00am EST).
[ ] +1 approve
[ ] +0 no opinion
[ ] -1 disapprove (and reason why)
Thank you,
- Shane Dell
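An added example, not the Daffodil project's own release tooling, of scripting the first check in the reply above (hashes and signatures of the downloaded artifacts). It assumes every artifact in the download directory has `<name>.sha512` and `<name>.asc` sidecars, that the KEYS file was saved locally beforehand, and that the fingerprint announced in the VOTE mail is passed in so a signature from any other key in KEYS is rejected.

```python
import hashlib
import re
import subprocess
import tempfile
from pathlib import Path

HEX = re.compile(r"[0-9A-Fa-f]+")

def parse_sidecar(text: str) -> str:
    """Lowercase hex digest from a .sha512 sidecar, in either the `shasum`
    layout (`<hash>  <file>`) or the `gpg --print-md` layout
    (`<file>: DDAF 35A1 ...`, possibly wrapped across lines)."""
    tokens = text.split()
    if tokens and len(tokens[0]) == 128 and HEX.fullmatch(tokens[0]):
        return tokens[0].lower()
    body = text.split(":", 1)[1] if ":" in text else text  # drop the filename part
    return "".join(HEX.findall(body)).lower()

def checksum_matches(data: bytes, sidecar_text: str) -> bool:
    """True when the SHA-512 of the artifact bytes equals the sidecar digest."""
    return hashlib.sha512(data).hexdigest() == parse_sidecar(sidecar_text)

def verify_signature(artifact: Path, keys_file: Path, expected_fpr: str) -> bool:
    """Verify <artifact>.asc with a throwaway keyring seeded only from the
    project's KEYS file (so stray keys in the reviewer's own keyring cannot
    satisfy the check) and require the fingerprint announced in the VOTE."""
    with tempfile.TemporaryDirectory() as home:
        gpg = ["gpg", "--batch", "--homedir", home]
        subprocess.run(gpg + ["--import", str(keys_file)], check=True, capture_output=True)
        proc = subprocess.run(gpg + ["--status-fd", "1", "--verify", f"{artifact}.asc", str(artifact)],
                              capture_output=True, text=True)
        fprs = set()
        for line in proc.stdout.splitlines():  # VALIDSIG: signing key (field 2), primary key (last)
            if line.startswith("[GNUPG:] VALIDSIG"):
                parts = line.split()
                fprs.update({parts[2].upper(), parts[-1].upper()})
        return proc.returncode == 0 and expected_fpr.upper() in fprs

def verify_release_dir(directory: Path, keys_file: Path, expected_fpr: str) -> dict:
    """Map each artifact that has a .sha512 sidecar to (checksum_ok, signature_ok)."""
    results = {}
    for sidecar in sorted(directory.glob("*.sha512")):
        artifact = sidecar.with_suffix("")  # foo.vsix.sha512 -> foo.vsix
        ok_sum = checksum_matches(artifact.read_bytes(), sidecar.read_text())
        results[artifact.name] = (ok_sum, verify_signature(artifact, keys_file, expected_fpr))
    return results
```

For this candidate the call would be `verify_release_dir(Path("downloads"), Path("KEYS"), "86DDE7B41291E380237934F007570D3ADC76D51B")`, and every artifact should come back as `(True, True)` before the hash/signature line in the checklist is marked OK.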