+1

* Verified sigs and hashes
* mvn verify passes
* Source tarball matches git commit (except expected DEPENDENCIES file added by maven-remote-resources-plugin)
* Jar manifests contain specified git commit
* Jar sources and javadocs exist
* Confirmed LICENSE, NOTICE, DISCLAIMER in source tarball
* Manually inspected all jar MANIFEST.MF, LICENSE, and NOTICE files and all look good to me

On Sat, Oct 22, 2016 at 12:39 AM Christopher <[email protected]> wrote:

> What makes you think that jsr305 is not compatibly licensed? I spent some time investigating this and the following is what I found. Unless I've missed something, it looks like there's no issue with jsr305 as a dependency.
>
> * It looks to me like it's licensed under BSD. This is according to the findbugs project[1], which has been redistributing the artifact after it effectively went dormant[2]. The Google Groups set up for developing jsr305 seems to confirm the developers had agreed to distribute it under this[3].
> * It looks like jsr305 is often incorrectly uploaded to Maven Central (by findbugs?) under AL2, which is the license in the POM for our dependency (version 3.0.0) [4]. It was once uploaded (again, seemingly incorrectly) as LGPL, but we're not using that version [5].
> * There is an outstanding GitHub issue for findbugs to clarify the license[6], because it looks like they've been mislabeling it when they redistribute. But, it's also possible that they've been able to relicense under AL2, and forgot to update their docs which still say it's BSD.
> * jsr305 is used by us during the build, as a test dependency. it looks like that's okay, since we're not bundling it[7].
> * It is also used as a compile and/or runtime transitive dependency via Apache Spark. Even if we did depend on it directly, it seems like it should be fine because it's an optional part of the project[8], as long as we're not bundling it, and we're not.
> * Is it a problem for Apache Spark to depend on this directly? If it's not, I can't imagine it would be for us to depend on it transitively, through them.
>
> [1]: https://github.com/findbugsproject/findbugs/blob/3.0.1/findbugs/licenses/LICENSE-jsr305.txt
> [2]: https://jcp.org/en/jsr/detail?id=305
> [3]: https://groups.google.com/forum/#!topic/jsr-305/gQWGmiWMjE8
> [4]: https://repo1.maven.org/maven2/com/google/code/findbugs/jsr305/3.0.0/jsr305-3.0.0.pom
> [5]: https://repo1.maven.org/maven2/com/google/code/findbugs/jsr305/1.3.8/jsr305-1.3.8.pom
> [6]: https://github.com/findbugsproject/findbugs/issues/128
> [7]: http://www.apache.org/legal/resolved.html#prohibited
> [8]: http://www.apache.org/legal/resolved.html#optional
>
>
> On Fri, Oct 21, 2016 at 6:37 PM Josh Elser <[email protected]> wrote:
>
> +1
>
> * Sigs/xsums OK
> * No binaries in release
> * KEYS is accurate
> * Can build from source
> * Direct dependencies OK (beware that you are transitively bringing in com.google.code.findbugs:jsr305:jar:3.0.0 which is not compatibly licensed -- this should be fixed in the future)
> * No Copyright notices
> * apache-rat:check passes
> * Can run all tests
> * Artifacts built from release appear to be appropriately licensed.
> * Commit is contained in repository
> * Would prefer to see apache-fluo-recipes as the name instead.
>
> - Josh
>
> Keith Turner wrote:
> > Fluo Developers,
> >
> > Please consider the following candidate for Fluo Recipes 1.0.0-incubating.
> >
> > Git Commit:
> >   682eff983f1fe6e60b75c36d3b2f782c6a93b155
> > Branch:
> >   1.0.0-incubating-rc1
> >
> > If this vote passes, a gpg-signed tag will be created using:
> >   git tag -f -m 'Apache Fluo Recipes 1.0.0-incubating' -s rel/fluo-recipes-1.0.0-incubating \
> >     682eff983f1fe6e60b75c36d3b2f782c6a93b155
> > Staging repo:
> >   https://repository.apache.org/content/repositories/orgapachefluo-1016
> > Source (official release artifact):
> >   https://repository.apache.org/content/repositories/orgapachefluo-1016/org/apache/fluo/fluo-recipes/1.0.0-incubating/fluo-recipes-1.0.0-incubating-source-release.tar.gz
> > (Append ".sha1", ".md5", or ".asc" to download the signature/hash for a given artifact.)
> >
> > All artifacts were built and staged with:
> >   mvn release:prepare&& mvn release:perform
> >
> > Signing keys are available at
> >   https://www.apache.org/dist/incubator/fluo/KEYS
> > (Expected fingerprint: CF72CA07C8BC86A1C862765F9AACFB56352ACF76)
> >
> > Release notes (in progress) can be found at:
> >   https://fluo.apache.org/.../1.0.0-incubating
> >
> > Please vote one of:
> > [ ] +1 - I have verified and accept...
> > [ ] +0 - I have reservations, but not strong enough to vote against...
> > [ ] -1 - Because..., I do not accept...
> > ... these artifacts as the 1.0.0-incubating release of Apache Fluo Recipes.
> >
> > This vote will end on Sun Oct 23 22:30:00 UTC 2016
> > (Sun Oct 23 18:30:00 EDT 2016 / Sun Oct 23 15:30:00 PDT 2016)
> >
> > Thanks!
> >
> > P.S. Hint: download the whole staging repo with
> >   wget -erobots=off -r -l inf -np -nH \
> >     https://repository.apache.org/content/repositories/orgapachefluo-1016/
> >   # note the trailing slash is needed
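
A scripted form of the "sigs and hashes" check from this thread, which accepts a signature only when it was made by the expected fingerprint quoted in the vote mail rather than by any key in the keyring. This is an added example, not part of the original thread; the function names are hypothetical, and it assumes `sha1sum`/`md5sum` and a gpg keyring into which the KEYS file has been imported.

```shell
# Added example; helper names are hypothetical. The fingerprint is the one
# given as "Expected fingerprint" in the vote mail.
EXPECTED_FPR="CF72CA07C8BC86A1C862765F9AACFB56352ACF76"

# Compare an artifact against its ".sha1" or ".md5" sidecar file.
# The sidecar may hold a bare hex digest or "digest  filename"; only the
# first field is used. Returns 2 if either file is missing.
check_sidecar() {  # usage: check_sidecar <artifact> <sha1|md5>
  local file="$1" algo="$2" want got
  [ -f "$file" ] && [ -f "$file.$algo" ] || return 2
  want=$(awk 'NR==1 {print tolower($1)}' "$file.$algo")
  got=$("${algo}sum" "$file" | awk '{print tolower($1)}')
  [ -n "$want" ] && [ "$want" = "$got" ]
}

# Read gpg --status-fd output on stdin and succeed only if a VALIDSIG line
# names the pinned fingerprint, either as the signing key (field 3) or as
# the primary key (last field). GOODSIG/BADSIG lines never satisfy this.
sig_matches_fpr() {  # usage: gpg ... | sig_matches_fpr <expected-fpr>
  awk -v want="$1" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
    END { exit !ok }'
}

# Full check for one downloaded artifact with its .sha1, .md5 and .asc
# sidecars in the same directory.
verify_release() {  # usage: verify_release <artifact>
  local file="$1"
  check_sidecar "$file" sha1 && check_sidecar "$file" md5 &&
    gpg --status-fd 1 --verify "$file.asc" "$file" 2>/dev/null |
      sig_matches_fpr "$EXPECTED_FPR"
}
```

The `.sha1` and `.md5` files come from the same staging repository as the artifact, so they only detect corruption in transfer; the pinned-fingerprint signature check is what ties the tarball to the release manager's key.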
