Got it. thx.

On Thu, Jun 30, 2016 at 3:38 PM, Andrew Purtell <[email protected]> wrote:

> What I see done customarily is tagging of release candidates as e.g.
> "0.8.1RC0" with a subsequent push of that tag.
>
> $ git tag -m"0.8.1RC0" 0.8.1RC0
> $ git push --tags
>
> Once a candidate is voted to become a release, then add another tag in the
> permanent rel/ namespace, e.g.
>
> $ git checkout 0.8.1RC0
> $ git tag -m"0.8.1" rel/0.8.1
> $ git push --tags
>
> On Thu, Jun 30, 2016 at 3:34 PM, Kam Kasravi <[email protected]> wrote:
>
> > Andy
> >
> > Quick question based on mnemonic's VOTE
> > (http://mail-archives.apache.org/mod_mbox/incubator-general/201605.mbox/%3C573CE75B.5030404%40apache.org%3E)
> > It looks like both the commit hash and tag need to be committed in
> > git-wip-us.apache.org. IMO this seems to be a bit of the chicken vs egg
> > conundrum.
> > Committing a tag and hash before VOTE means these may need to be reapplied
> > if the VOTE fails.
> > I assume this is ok (someone not knowing a VOTE was in progress could
> > check out by TAG which could change later if the VOTE fails).
> >
> > Kam
> >
> > On Thu, Jun 30, 2016 at 2:47 PM, Andrew Purtell <[email protected]> wrote:
> >
> > > Sounds like great progress. Let's start a candidate release vote!
> > >
> > > I'll give it a good looking over before casting my vote.
> > >
> > > We have a long holiday weekend coming up in the US. You might want to
> > > extend the vote beyond the customary 72 hours into next week.
> > >
> > > On Thu, Jun 30, 2016 at 2:44 PM, Kam Kasravi <[email protected]> wrote:
> > >
> > >> Hi Andy
> > >>
> > >> I've updated KEYS and files in RC0 with updates as suggested (see
> > >> https://dist.apache.org/repos/dist/dev/incubator/gearpump/)
> > >> Updates include:
> > >>
> > >> KEYS file now includes code signing key
> > >>
> > >> LICENSE file now includes SIL Font license
> > >>
> > >> NOTICE file looks to be complete for source only release
> > >>
> > >> Rat tool is run as part of a bash script in dev-tools (assumes RAT has
> > >> been built in a peer directory). It has been run and noted files have had
> > >> the apache 2.0 license added (mostly .js, .html files)
> > >>
> > >> Shaded libraries are now included as part of the build and not included
> > >> from elsewhere
> > >>
> > >> Repos providing commercial derivatives of apache projects (eg cloudera)
> > >> have been replaced with the apache repo:
> > >> https://repository.apache.org/content/repositories
> > >>
> > >> For later releases which include binary artifacts, it's clear that we'll
> > >> need separate LICENSE, NOTICE files for each artifact. For this source
> > >> release I think we're getting fairly close. If the updates check out by you
> > >> I can start a candidate release vote.
> > >>
> > >> Thanks
> > >> Kam
> > >>
> > >> On Tue, Jun 28, 2016 at 11:06 AM, Kam Kasravi <[email protected]> wrote:
> > >>
> > >>> We'll add the rat tool as part of prepping the release.
> > >>>
> > >>> On Mon, Jun 27, 2016 at 5:43 PM, Andrew Purtell <[email protected]> wrote:
> > >>>
> > >>>> > You can run 'sbt dumpLicenseReport', which runs the equivalent of
> > >>>> > the RAT tool.
> > >>>>
> > >>>> I don't think so. Apache RAT does more than just report on licenses, it
> > >>>> checks for Apache specific release policy compliance. Or did you mean that
> > >>>> sbt's dumpLicenseReport is actually set up in your project to run Apache
> > >>>> RAT?
> > >>>>
> > >>>> On Mon, Jun 27, 2016 at 5:23 PM, Kam Kasravi <[email protected]> wrote:
> > >>>>
> > >>>>> Thanks Andy for going through RC0! Comments inline. I'll update and
> > >>>>> upload back under RC0.
> > >>>>>
> > >>>>> > - I imported the KEYS file but then failed to find the signing key.
> > >>>>> >
> > >>>>> > gpg --verify gearpump-0.8.1-incubating-src.tgz.asc gearpump-0.8.1-incubating-src.tgz
> > >>>>> > gpg: Signature made Fri 24 Jun 2016 03:07:40 PM PDT using RSA key ID E7DE27E3
> > >>>>> > gpg: Can't check signature: public key not found
> > >>>>> >
> > >>>>> > - recv-key E7DE27E3 worked
> > >>>>> >
> > >>>>> > gpg: key E7DE27E3: public key "Kam Kasravi (CODE SIGNING KEY) <[email protected]>" imported
> > >>>>> > gpg: Total number processed: 1
> > >>>>> > gpg: imported: 1 (RSA: 1)
> > >>>>> >
> > >>>>> > - And now the signature check passes
> > >>>>> >
> > >>>>> > gpg: Signature made Fri 24 Jun 2016 03:07:40 PM PDT using RSA key ID E7DE27E3
> > >>>>> > gpg: Good signature from "Kam Kasravi (CODE SIGNING KEY) <[email protected]>"
> > >>>>> > gpg: WARNING: This key is not certified with a trusted signature!
> > >>>>> > gpg: There is no indication that the signature belongs to the owner.
> > >>>>> > Primary key fingerprint: 4FF1 FDB7 1079 F43F 132D FBBB 5806 2555 E7DE 27E3
> > >>>>> >
> > >>>>> > I encourage Kam and everyone to go to an ApacheCon or the meetups of
> > >>>>> > other projects and get your keys signed by other Apache folks. Yes, I
> > >>>>> > should take my own advice... my code signing key has the same issue.
> > >>>>> >
> > >>>>> > - MD5 and SHA1 checksum files match file sums
> > >>>>>
> > >>>>> [Kam] I've updated KEYS to include the CODE SIGNING KEY. I also
> > >>>>> updated our release shell script so it can also verify the signed artifacts
> > >>>>> (dev-tools/create_apache_source_release.sh).
> > >>>>>
> > >>>>> > - Archive unpacks and layout looks good
> > >>>>> >
> > >>>>> > - LICENSE file looks ok, except maybe the text of the SIL Open Font
> > >>>>> > License is missing?
> > >>>>>
> > >>>>> [Kam] I'll add this.
> > >>>>>
> > >>>>> > - Is the NOTICE file complete? "If the dependency supplies a NOTICE
> > >>>>> > file, its contents must be analyzed and the relevant portions bubbled up
> > >>>>> > into the top-level NOTICE file." (
> > >>>>> > http://www.apache.org/dev/licensing-howto.html) We don't want to add
> > >>>>> > anything here not legally required, though. I'm assuming you went through
> > >>>>> > all of your dependencies and checked if they have anything in a NOTICE
> > >>>>> > file? If not let's do that.
> > >>>>>
> > >>>>> [Kam] For the source release I didn't - but best to do it now so
> > >>>>> subsequent binary artifacts are correctly handled.
> > >>>>>
> > >>>>> > - I can't find build instructions on the website (eg.
> > >>>>> > http://gearpump.incubator.apache.org/how-to-contribute.html). They
> > >>>>> > are in the README.md, however. How does one invoke 'sbt' such that it will
> > >>>>> > also run the Apache RAT tool?
> > >>>>>
> > >>>>> [Kam] You can run 'sbt dumpLicenseReport', which runs the equivalent
> > >>>>> of the RAT tool. The sbt plugin is here
> > >>>>> https://github.com/sbt/sbt-license-report. I've updated the README.md.
> > >>>>>
> > >>>>> > - What is
> > >>>>> > http://dl.bintray.com/fvunicorn/maven/org/apache/gearpump/gearpump-shaded-gs-collections/6.2.0/gearpump-shaded-gs-collections-6.2.0.jar
> > >>>>> > ? I'm not sure this will be fatal to the release candidate but this is
> > >>>>> > something that needs to be fixed. At the least it should be hosted on
> > >>>>> > Apache infrastructure somewhere. Ideally, the shading and staging of
> > >>>>> > gs-collections can be made part of the build so no need for a custom
> > >>>>> > artifact of gs-collections just for gearpump. Same for
> > >>>>> > gearpump-shaded-akka-kyro and anything like this I may have missed.
> > >>>>>
> > >>>>> [Kam] Flink also includes shaded jars. I'll follow their example.
> > >>>>>
> > >>>>> > - Some code builds against a downstream commercial derivative of
> > >>>>> > an Apache project, hosted on a third party repository. You should not be
> > >>>>> > doing this. If you depend on Hadoop, build against an Apache released
> > >>>>> > version of Hadoop.
> > >>>>>
> > >>>>> [Kam] Got it. I'll update our Build.scala, rerun
> > >>>>> 'sbt dumpLicenseReport' and reverify.
> > >>>>>
> > >>>>> > When ready to start a release candidate vote, Mnemonic recently
> > >>>>> > ran a vote, you can use that as an example.
> > >>>>> >
> > >>>>> > Vote thread: https://s.apache.org/NqCu
> > >>>>> >
> > >>>>> > Result: https://s.apache.org/wERS
> > >>>>>
> > >>>>> On Mon, Jun 27, 2016 at 3:52 PM, Andrew Purtell <[email protected]> wrote:
> > >>>>>
> > >>>>>> Kam posted artifacts for 0.8.1 RC0 and asked me to take a look at
> > >>>>>> them. Here are my notes:
> > >>>>>>
> > >>>>>> - I imported the KEYS file but then failed to find the signing key.
> > >>>>>>
> > >>>>>> gpg --verify gearpump-0.8.1-incubating-src.tgz.asc gearpump-0.8.1-incubating-src.tgz
> > >>>>>> gpg: Signature made Fri 24 Jun 2016 03:07:40 PM PDT using RSA key ID E7DE27E3
> > >>>>>> gpg: Can't check signature: public key not found
> > >>>>>>
> > >>>>>> - recv-key E7DE27E3 worked
> > >>>>>>
> > >>>>>> gpg: key E7DE27E3: public key "Kam Kasravi (CODE SIGNING KEY) <[email protected]>" imported
> > >>>>>> gpg: Total number processed: 1
> > >>>>>> gpg: imported: 1 (RSA: 1)
> > >>>>>>
> > >>>>>> - And now the signature check passes
> > >>>>>>
> > >>>>>> gpg: Signature made Fri 24 Jun 2016 03:07:40 PM PDT using RSA key ID E7DE27E3
> > >>>>>> gpg: Good signature from "Kam Kasravi (CODE SIGNING KEY) <[email protected]>"
> > >>>>>> gpg: WARNING: This key is not certified with a trusted signature!
> > >>>>>> gpg: There is no indication that the signature belongs to the owner.
> > >>>>>> Primary key fingerprint: 4FF1 FDB7 1079 F43F 132D FBBB 5806 2555 E7DE 27E3
> > >>>>>>
> > >>>>>> I encourage Kam and everyone to go to an ApacheCon or the meetups of
> > >>>>>> other projects and get your keys signed by other Apache folks. Yes, I
> > >>>>>> should take my own advice... my code signing key has the same issue.
> > >>>>>>
> > >>>>>> - MD5 and SHA1 checksum files match file sums
> > >>>>>>
> > >>>>>> - Archive unpacks and layout looks good
> > >>>>>>
> > >>>>>> - LICENSE file looks ok, except maybe the text of the SIL Open Font
> > >>>>>> License is missing?
> > >>>>>>
> > >>>>>> - Is the NOTICE file complete? "If the dependency supplies a NOTICE
> > >>>>>> file, its contents must be analyzed and the relevant portions bubbled up
> > >>>>>> into the top-level NOTICE file." (
> > >>>>>> http://www.apache.org/dev/licensing-howto.html) We don't want to add
> > >>>>>> anything here not legally required, though. I'm assuming you went through
> > >>>>>> all of your dependencies and checked if they have anything in a NOTICE
> > >>>>>> file? If not let's do that.
> > >>>>>>
> > >>>>>> - I can't find build instructions on the website (eg.
> > >>>>>> http://gearpump.incubator.apache.org/how-to-contribute.html). They
> > >>>>>> are in the README.md, however. How does one invoke 'sbt' such that it will
> > >>>>>> also run the Apache RAT tool?
> > >>>>>>
> > >>>>>> - What is
> > >>>>>> http://dl.bintray.com/fvunicorn/maven/org/apache/gearpump/gearpump-shaded-gs-collections/6.2.0/gearpump-shaded-gs-collections-6.2.0.jar
> > >>>>>> ? I'm not sure this will be fatal to the release candidate but this is
> > >>>>>> something that needs to be fixed. At the least it should be hosted on
> > >>>>>> Apache infrastructure somewhere. Ideally, the shading and staging of
> > >>>>>> gs-collections can be made part of the build so no need for a custom
> > >>>>>> artifact of gs-collections just for gearpump. Same for
> > >>>>>> gearpump-shaded-akka-kyro and anything like this I may have missed.
> > >>>>>>
> > >>>>>> - Some code builds against a downstream commercial derivative of an
> > >>>>>> Apache project, hosted on a third party repository. You should not be doing
> > >>>>>> this. If you depend on Hadoop, build against an Apache released version of
> > >>>>>> Hadoop.
> > >>>>>>
> > >>>>>> When ready to start a release candidate vote, Mnemonic recently ran a
> > >>>>>> vote, you can use that as an example.
> > >>>>>>
> > >>>>>> Vote thread: https://s.apache.org/NqCu
> > >>>>>>
> > >>>>>> Result: https://s.apache.org/wERS
> > >>>>
> > >>>> --
> > >>>> Best regards,
> > >>>>
> > >>>> - Andy
> > >>>>
> > >>>> Problems worthy of attack prove their worth by hitting back. - Piet
> > >>>> Hein (via Tom White)
> > >
> > > --
> > > Best regards,
> > >
> > > - Andy
> > >
> > > Problems worthy of attack prove their worth by hitting back. - Piet Hein
> > > (via Tom White)
>
> --
> Best regards,
>
> - Andy
>
> Problems worthy of attack prove their worth by hitting back. - Piet Hein
> (via Tom White)
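
Added example, not part of the thread or of the project's release script: the RC0 signature check from the review above, run against a keyring built only from the KEYS file and pinned to the full fingerprint printed by gpg instead of the 8-digit key ID. The function names, the temporary keyring and the constructed status lines are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Usage:
#   ./verify_rc.sh KEYS gearpump-0.8.1-incubating-src.tgz.asc \
#       gearpump-0.8.1-incubating-src.tgz "<full fingerprint>"

# Reads `gpg --status-fd` lines on stdin. Returns 0 if a valid signature was
# made by the key whose primary fingerprint is $1, 2 if the signing key is
# missing from the keyring, 1 otherwise (bad signature, other signer, none).
check_status() {
  local want got="" missing=0 pfx tag rest
  want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  while read -r pfx tag rest; do
    [ "$pfx" = "[GNUPG:]" ] || continue
    case "$tag" in
      VALIDSIG)  got=${rest##* } ;;  # last field is the primary key fingerprint
      NO_PUBKEY) missing=1 ;;
      BADSIG)    return 1 ;;
    esac
  done
  if [ -z "$got" ] && [ "$missing" -eq 1 ]; then return 2; fi
  [ -n "$got" ] && [ "$got" = "$want" ]
}

# Builds a throwaway keyring from the KEYS file only, so a key fetched from a
# keyserver by short ID can never satisfy the check, then verifies and pins.
verify_rc() {
  local home rc=0
  home=$(mktemp -d) || return 1
  GNUPGHOME=$home gpg --batch --quiet --import "$1" 2>/dev/null
  GNUPGHOME=$home gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null |
    check_status "$4" || rc=$?
  rm -rf "$home"
  return "$rc"
}

# Constructed status lines for a dry run without gpg. The fingerprint is the
# one printed in the thread; the timestamps and the second key are made up.
FPR="4FF1 FDB7 1079 F43F 132D FBBB 5806 2555 E7DE 27E3"
F=4FF1FDB71079F43F132DFBBB58062555E7DE27E3
STATUS_OK="[GNUPG:] VALIDSIG $F 2016-06-24 1466806060 0 4 0 1 8 00 $F"
STATUS_NOKEY="[GNUPG:] NO_PUBKEY 58062555E7DE27E3"
# A different key that happens to share the short ID E7DE27E3:
STATUS_OTHER="[GNUPG:] VALIDSIG 00000000000000000000000000000000E7DE27E3 2016-06-24 1466806060 0 4 0 1 8 00 00000000000000000000000000000000E7DE27E3"

if [ "$#" -eq 4 ]; then verify_rc "$@"; fi
```

Exit status 2 corresponds to the "public key not found" result in the review: the signing key is absent from KEYS, which is the condition a release verifier should fail on.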
