Quibbles:
- artifact naming does not follow standard naming convention of 
THING-VERSION.tgz and THING-VERSION-src.tgz (also Geode decided to stop 
distributing .zip files years ago)
- not based on the latest Geode 1.12 patch.  I would like to see Geode 1.12.8 
picked up once it's available later this month.
- the log4j version 2.16.0 advertised in this release fixes only 2 of the 4 
recent log4j vulnerabilities.  I would prefer to see log4j 2.17.1.
- vote email is missing a link to release notes and a link to the KEYS file 
used to sign the release.
- artifact paths and email subject are missing "RC1" qualifier

Agreed, I think we'll want to do another release later to pick up the latest 
geode and log4j. The lack of RC1 is intentional - this is creating an official 
release based on what was already linked from the confluent hub.

Concerns:
- NOTICE and LICENSE are found inside a "doc" folder instead of at the top 
level of the artifact
- Some dependencies are missing from LICENSE.  While most deps are Apache2 and 
don't require a mention, LatencyUtils is BSD-2 and should be mentioned, and 
likely a few others from Geode's LICENSE need to be there as well because they 
are incorporated in source form into geode-core.

Good catch! I created GEODE-9925 for the missing dependencies.

Looking at the list of things to do and conflicts with Geode / Confluent 
requirements. We can remove it from the Apache domain and move it to internal 
open source repo like gpdb or rabbitMQ while keeping the Apache License. 
Alternatives can be the VMware or VMware-labs open source orgs in GitHub.

Can you clarify which things are in conflict? I think the file name for geode 
is not a hard requirement, just a convention we picked. Also the location of 
LICENSE and NOTICE files - is there some confluent requirement? Apache says 
those files should be at the top level for a source distribution, but I'm not 
clear about a binary distribution. For example, our jar files put them under 
META-INF, which I think is the java convention.

My inclination is to continue with this release as is and create a follow up 
release that updates log4j and the LICENSE, NOTICE files, so I'm leaving this 
VOTE open in hopes of getting some more votes.

-Dan
________________________________
From: Nabarun Nag <n...@vmware.com>
Sent: Tuesday, January 4, 2022 5:13 PM
To: dev@geode.apache.org <dev@geode.apache.org>
Subject: Re: [VOTE] - Apache Geode Kafka Connector 1.1.0 - Take 2

As it is primarily created for Confluent Marketplace we need to follow the 
steps required for hosting in the marketplace, which included how things are to 
be named, folder structure etc.

Looking at the list of things to do and conflicts with Geode / Confluent 
requirements. We can remove it from the Apache domain and move it to internal 
open source repo like gpdb or rabbitMQ while keeping the Apache License. 
Alternatives can be the VMware or VMware-labs open source orgs in GitHub.

We can definitely add the missing licenses and wait for 1.12.8 release of 
Apache Geode to update those dependencies.


Regards
Naba

________________________________
From: Owen Nichols <onich...@vmware.com>
Sent: Tuesday, January 4, 2022 4:45 PM
To: dev@geode.apache.org <dev@geode.apache.org>
Subject: Re: [VOTE] - Apache Geode Kafka Connector 1.1.0 - Take 2

Quibbles:
- artifact naming does not follow standard naming convention of 
THING-VERSION.tgz and THING-VERSION-src.tgz (also Geode decided to stop 
distributing .zip files years ago)
- not based on the latest Geode 1.12 patch.  I would like to see Geode 1.12.8 
picked up once it's available later this month.
- the log4j version 2.16.0 advertised in this release fixes only 2 of the 4 
recent log4j vulnerabilities.  I would prefer to see log4j 2.17.1.
- vote email is missing a link to release notes and a link to the KEYS file 
used to sign the release.
- artifact paths and email subject are missing "RC1" qualifier

Concerns:
- NOTICE and LICENSE are found inside a "doc" folder instead of at the top 
level of the artifact
- Some dependencies are missing from LICENSE.  While most deps are Apache2 and 
don't require a mention, LatencyUtils is BSD-2 and should be mentioned, and 
likely a few others from Geode's LICENSE need to be there as well because they 
are incorporated in source form into geode-core.

Please consider the above suggestions for next time.

+0

On 1/4/22, 2:19 PM, "Dan Smith" <dasm...@vmware.com> wrote:

    Hello Geode Dev Community,

    This is a release candidate for Apache Geode Kafka Connector version 1.1.0.
    This contains a bump to log4j 2.16.

    Please do a review and give your feedback.

    Voting deadline:
    3PM PST Tuesday, Jan 11, 2022.

    Please note that we are voting upon the source tag: rel/v1.1.0

    Source and Binary Distributions:
    https://dist.apache.org/repos/dist/dev/geode/kafka-connector-1.1.0/
    GitHub:
    https://github.com/apache/geode-kafka-connector/tree/rel/v1.1.0

    Command to build the connector:
    mvn package

    Thanks!
    -Dan
