Manu

Rebase from https://github.com/apache/incubator-gearpump/pull/47 so you pick up the latest.

Thanks
Kam

On Mon, Jun 27, 2016 at 7:27 PM, Jiang Weihua <[email protected]> wrote:

> +1 on this shading-on-fly solution.
>
> On 16/6/28 at 9:25 AM, "Manu Zhang" <[email protected]> wrote:
>
> > > > What is
> > > > http://dl.bintray.com/fvunicorn/maven/org/apache/gearpump/gearpump-shaded-gs-collections/6.2.0/gearpump-shaded-gs-collections-6.2.0.jar
> > > > ? I'm not sure this will be fatal to the release candidate but this is
> > > > something that needs to be fixed. At the least it should be hosted on
> > > > Apache infrastructure somewhere. Ideally, the shading and staging of
> > > > gs-collections can be made part of the build so no need for a custom
> > > > artifact of gs-collections just for gearpump. Same for
> > > > gearpump-shaded-akka-kyro and anything like this I may have missed.
>
> Previously sbt didn't have shade so we make another repo with those
> libraries shaded by maven.
> Since sbt has shade now, we can try to make gs-collections and other shaded
> libraries part of the build.
>
> On Tue, Jun 28, 2016 at 8:43 AM, Andrew Purtell <[email protected]> wrote:
>
> > > You can run 'sbt dumpLicenseReport', which runs the equivalent of the RAT
> > > tool.
> >
> > I don't think so. Apache RAT does more than just report on licenses, it
> > checks for Apache specific release policy compliance. Or did you mean that
> > sbt's dumpLicenseReport is actually set up in your project to run Apache
> > RAT?
> >
> > On Mon, Jun 27, 2016 at 5:23 PM, Kam Kasravi <[email protected]> wrote:
> >
> > > Thanks Andy for going through RC0! Comments inline. I'll update and upload
> > > back under RC0.
> > >
> > > > - I imported the KEYS file but then failed to find the signing key.
> > > >
> > > > gpg --verify gearpump-0.8.1-incubating-src.tgz.asc gearpump-0.8.1-incubating-src.tgz
> > > > gpg: Signature made Fri 24 Jun 2016 03:07:40 PM PDT using RSA key ID E7DE27E3
> > > > gpg: Can't check signature: public key not found
> > > >
> > > > - recv-key E7DE27E3 worked
> > > >
> > > > gpg: key E7DE27E3: public key "Kam Kasravi (CODE SIGNING KEY) <[email protected]>" imported
> > > > gpg: Total number processed: 1
> > > > gpg: imported: 1 (RSA: 1)
> > > >
> > > > - And now the signature check passes
> > > >
> > > > gpg: Signature made Fri 24 Jun 2016 03:07:40 PM PDT using RSA key ID E7DE27E3
> > > > gpg: Good signature from "Kam Kasravi (CODE SIGNING KEY) <[email protected]>"
> > > > gpg: WARNING: This key is not certified with a trusted signature!
> > > > gpg:          There is no indication that the signature belongs to the owner.
> > > > Primary key fingerprint: 4FF1 FDB7 1079 F43F 132D FBBB 5806 2555 E7DE 27E3
> > > >
> > > > I encourage Kam and everyone to go to an ApacheCon or the meetups of
> > > > other projects and get your keys signed by other Apache folks. Yes, I
> > > > should take my own advice... my code signing key has the same issue.
> > > >
> > > > - MD5 and SHA1 checksum files match file sums
> > >
> > > [Kam] I've updated KEYS to include the CODE SIGNING KEY. I also updated
> > > our release shell script so it can also verify the signed artifacts
> > > (dev-tools/create_apache_source_release.sh).
> > >
> > > > - Archive unpacks and layout looks good
> > > >
> > > > - LICENSE file looks ok, except maybe the text of the SIL Open Font
> > > > License is missing?
> > >
> > > [Kam] I'll add this.
> > >
> > > > - Is the NOTICE file complete? "If the dependency supplies a NOTICE
> > > > file, its contents must be analyzed and the relevant portions bubbled up
> > > > into the top-level NOTICE file."
> > > > (http://www.apache.org/dev/licensing-howto.html) We don't want to add
> > > > anything here not legally required, though. I'm assuming you went through
> > > > all of your dependencies and checked if they have anything in a NOTICE
> > > > file? If not let's do that.
> > >
> > > [Kam] For the source release I didn't - but best to do it now so
> > > subsequent binary artifacts are correctly handled.
> > >
> > > > - I can't find build instructions on the website (eg.
> > > > http://gearpump.incubator.apache.org/how-to-contribute.html). They are in
> > > > the README.md, however. How does one invoke 'sbt' such that it will also
> > > > run the Apache RAT tool?
> > >
> > > [Kam] You can run 'sbt dumpLicenseReport', which runs the equivalent of
> > > the RAT tool. The sbt plugin is here
> > > https://github.com/sbt/sbt-license-report. I've updated the README.md.
> > >
> > > > - What is
> > > > http://dl.bintray.com/fvunicorn/maven/org/apache/gearpump/gearpump-shaded-gs-collections/6.2.0/gearpump-shaded-gs-collections-6.2.0.jar
> > > > ? I'm not sure this will be fatal to the release candidate but this is
> > > > something that needs to be fixed. At the least it should be hosted on
> > > > Apache infrastructure somewhere. Ideally, the shading and staging of
> > > > gs-collections can be made part of the build so no need for a custom
> > > > artifact of gs-collections just for gearpump. Same for
> > > > gearpump-shaded-akka-kyro and anything like this I may have missed.
> > >
> > > [Kam] Flink also includes shaded jars. I'll follow their example.
> > >
> > > > - Some code builds against a downstream commercial derivative of an
> > > > Apache project, hosted on a third party repository. You should not be doing
> > > > this. If you depend on Hadoop, build against an Apache released version of
> > > > Hadoop.
> > >
> > > [Kam] Got it. I'll update our Build.scala, rerun 'sbt dumpLicenseReport'
> > > and reverify.
> > > >
> > > > When ready to start a release candidate vote, Mnemonic recently ran a
> > > > vote, you can use that as an example.
> > > >
> > > > Vote thread: https://s.apache.org/NqCu
> > > >
> > > > Result: https://s.apache.org/wERS
> > >
> > > On Mon, Jun 27, 2016 at 3:52 PM, Andrew Purtell <[email protected]> wrote:
> > >
> > >> Kam posted artifacts for 0.8.1 RC0 and asked me to take a look at them.
> > >> Here are my notes:
> > >>
> > >> - I imported the KEYS file but then failed to find the signing key.
> > >>
> > >> gpg --verify gearpump-0.8.1-incubating-src.tgz.asc gearpump-0.8.1-incubating-src.tgz
> > >> gpg: Signature made Fri 24 Jun 2016 03:07:40 PM PDT using RSA key ID E7DE27E3
> > >> gpg: Can't check signature: public key not found
> > >>
> > >> - recv-key E7DE27E3 worked
> > >>
> > >> gpg: key E7DE27E3: public key "Kam Kasravi (CODE SIGNING KEY) <[email protected]>" imported
> > >> gpg: Total number processed: 1
> > >> gpg: imported: 1 (RSA: 1)
> > >>
> > >> - And now the signature check passes
> > >>
> > >> gpg: Signature made Fri 24 Jun 2016 03:07:40 PM PDT using RSA key ID E7DE27E3
> > >> gpg: Good signature from "Kam Kasravi (CODE SIGNING KEY) <[email protected]>"
> > >> gpg: WARNING: This key is not certified with a trusted signature!
> > >> gpg:          There is no indication that the signature belongs to the owner.
> > >> Primary key fingerprint: 4FF1 FDB7 1079 F43F 132D FBBB 5806 2555 E7DE 27E3
> > >>
> > >> I encourage Kam and everyone to go to an ApacheCon or the meetups of
> > >> other projects and get your keys signed by other Apache folks. Yes, I
> > >> should take my own advice... my code signing key has the same issue.
> > >>
> > >> - MD5 and SHA1 checksum files match file sums
> > >>
> > >> - Archive unpacks and layout looks good
> > >>
> > >> - LICENSE file looks ok, except maybe the text of the SIL Open Font
> > >> License is missing?
> > >>
> > >> - Is the NOTICE file complete? "If the dependency supplies a NOTICE file,
> > >> its contents must be analyzed and the relevant portions bubbled up into the
> > >> top-level NOTICE file." (http://www.apache.org/dev/licensing-howto.html)
> > >> We don't want to add anything here not legally required, though. I'm
> > >> assuming you went through all of your dependencies and checked if they have
> > >> anything in a NOTICE file? If not let's do that.
> > >>
> > >> - I can't find build instructions on the website (eg.
> > >> http://gearpump.incubator.apache.org/how-to-contribute.html). They are
> > >> in the README.md, however. How does one invoke 'sbt' such that it will
> > >> also run the Apache RAT tool?
> > >>
> > >> - What is
> > >> http://dl.bintray.com/fvunicorn/maven/org/apache/gearpump/gearpump-shaded-gs-collections/6.2.0/gearpump-shaded-gs-collections-6.2.0.jar
> > >> ? I'm not sure this will be fatal to the release candidate but this is
> > >> something that needs to be fixed. At the least it should be hosted on
> > >> Apache infrastructure somewhere. Ideally, the shading and staging of
> > >> gs-collections can be made part of the build so no need for a custom
> > >> artifact of gs-collections just for gearpump. Same for
> > >> gearpump-shaded-akka-kyro and anything like this I may have missed.
> > >>
> > >> - Some code builds against a downstream commercial derivative of an
> > >> Apache project, hosted on a third party repository. You should not be doing
> > >> this. If you depend on Hadoop, build against an Apache released version of
> > >> Hadoop.
> > >>
> > >> When ready to start a release candidate vote, Mnemonic recently ran a
> > >> vote, you can use that as an example.
> > >>
> > >> Vote thread: https://s.apache.org/NqCu
> > >>
> > >> Result: https://s.apache.org/wERS
> >
> > --
> > Best regards,
> >
> >    - Andy
> >
> > Problems worthy of attack prove their worth by hitting back. - Piet Hein
> > (via Tom White)
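
The sequence in the review notes above (public key not found, key fetched with recv-key, then a good signature from an uncertified key) can be checked mechanically against the project's KEYS file. The following is an added example, not part of the thread or of the project's release script: it reads gpg's machine-readable `--status-fd` lines and a `--with-colons` listing of KEYS. The status lines, the RC0 KEYS content and the function names are constructed for illustration; only the fingerprint comes from the quoted gpg output.

```python
# Added example: sample inputs below are constructed; only the fingerprint
# comes from the gpg output quoted in the thread.
PREFIX = "[GNUPG:] "
REJECT = {"BADSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
FPR = "4FF1FDB71079F43F132DFBBB58062555E7DE27E3"
OTHER = "0" * 39 + "1"  # placeholder fingerprint of some other KEYS entry

def fpr_record(fpr):
    # `gpg --show-keys --with-colons` puts the fingerprint in field 10 of "fpr" records.
    return "fpr" + ":" * 9 + fpr + ":\n"

KEYS_AT_RC0 = fpr_record(OTHER)               # signing key absent (assumed)
KEYS_UPDATED = KEYS_AT_RC0 + fpr_record(FPR)  # after KEYS was updated
STATUS_NO_KEY = PREFIX + "NO_PUBKEY 58062555E7DE27E3\n"
STATUS_AFTER_RECV = (
    PREFIX + "GOODSIG 58062555E7DE27E3 Kam Kasravi (CODE SIGNING KEY)\n"
    + PREFIX + "VALIDSIG " + FPR + " 2016-06-24 1466806060 0 4 0 1 2 00 " + FPR + "\n"
    + PREFIX + "TRUST_UNDEFINED 0 pgp\n")

def keys_fingerprints(colon_listing):
    """Set of fingerprints listed in the colon-format dump of a KEYS file."""
    fields = (line.split(":") for line in colon_listing.splitlines())
    return {f[9].upper() for f in fields if f[0] == "fpr" and len(f) > 9}

def assess(status_output, keys_fprs):
    """Classify one `gpg --status-fd 1 --verify SIG FILE` run against KEYS."""
    good = missing = certified = False
    primary = None
    for line in status_output.splitlines():
        parts = line[len(PREFIX):].split() if line.startswith(PREFIX) else []
        if not parts:
            continue
        keyword, args = parts[0], parts[1:]
        if keyword in REJECT:
            return "rejected: " + keyword
        if keyword == "NO_PUBKEY":
            missing = True
        elif keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            # The primary key fingerprint is the tenth field when present.
            primary = (args[9] if len(args) > 9 else args[0]).upper()
        elif keyword in ("TRUST_FULLY", "TRUST_ULTIMATE"):
            certified = True
    if not good or primary is None:
        return "unverified: public key not available" if missing else "unverified"
    if primary not in keys_fprs:
        return "good signature, but signing key is not in KEYS"
    return "ok" if certified else "ok: key in KEYS, not certified by a trusted signature"
```

A good signature made by a key that was fetched from a keyserver but is absent from KEYS is reported separately from one whose key is published in KEYS, which is the distinction the first review note draws.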
