+1 on releasing this ________________________________ From: Nabarun Nag <n...@vmware.com> Sent: Tuesday, January 11, 2022 4:45 PM To: dev@geode.apache.org <dev@geode.apache.org> Subject: Re: [VOTE] - Apache Geode Kafka Connector 1.1.0 - Take 2
+1 to move along with this release. Here is the URI of the component archive specification set by Confluent[1]. Our first delivery had to be changed to meet these requirements. Regards Naba [1]https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.confluent.io%2Fhome%2Fconnect%2Fconfluent-hub%2Fcomponent-archive.html&data=04%7C01%7Cdoevans%40vmware.com%7C976d5d23599d45e7ae7b08d9d564d0a5%7Cb39138ca3cee4b4aa4d6cd83d9dd62f0%7C0%7C0%7C637775451252718005%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=YbLpP1ev8qOgsQ5v9GS%2F%2FQjHBTHxVw8Tw5hRm%2B1jNAQ%3D&reserved=0 ________________________________ From: Jason Huynh <jhu...@vmware.com> Sent: Tuesday, January 11, 2022 9:35 AM To: dev@geode.apache.org <dev@geode.apache.org> Subject: Re: [VOTE] - Apache Geode Kafka Connector 1.1.0 - Take 2 +1 for this release On 1/6/22, 9:22 AM, "Dan Smith" <dasm...@vmware.com> wrote: Quibbles: - artifact naming does not follow standard naming convention of THING-VERSION.tgz and THING-VERSION-src.tgz (also Geode decided to stop distributing .zip files years ago) - not based on the latest Geode 1.12 patch. I would like to see Geode 1.12.8 picked up once it's available later this month. - the log4j version 2.16.0 advertised in this release fixes only 2 of the 4 recent log4j vulnerabilities. I would prefer to see log4j 2.17.1. - vote email is missing a link to release notes and a link to the KEYS file used to sign the release. - artifact paths and email subject are missing "RC1" qualifier Agreed, I think we'll want to do another release later to pickup the latest geode and log4j. The lack of RC1 is intentional - this is creating an official release based on what was already linked from the confluent hub. Concerns: - NOTICE and LICENSE are found inside a "doc" folder instead of at the top level of the artifact - Some dependencies are missing from LICENSE. While most deps are Apache2 and don't require a mention, LatencyUtils is BSD-2 and should be mentioned, and likely a few others from Geode's LICENSE need to be there as well because they are incorporated in source form into geode-core. Good catch! I created GEODE-9925 for the missing dependencies. Looking at the list of things to do and conflicts with Geode / Confluent requirements. We can remove it from the Apache domain and move it to internal open source repo like gpdb or rabbitMQ while keeping the Apache License. Alternatives can be the VMware or VMware-labs opensource orgs in Github. Can you clarify which things are in conflict? I think the file name for geode is not a hard requirement, just a convention we picked. Also the location of LICENSE and NOTICE files - is there some confluent requirement? Apache says those files should be at the top level for a source distribution, but I'm not clear about a binary distribution. For example, our jar files put them under META-INF, which I think is the java convention. My inclination is to continue with this release as is and create a follow up release that updates log4j and the LICENSE, NOTICE files, so I'm leaving this VOTE open in hopes of getting some more votes. -Dan ________________________________ From: Nabarun Nag <n...@vmware.com> Sent: Tuesday, January 4, 2022 5:13 PM To: dev@geode.apache.org <dev@geode.apache.org> Subject: Re: [VOTE] - Apache Geode Kafka Connector 1.1.0 - Take 2 As it is primarily created for Confluent Marketplace we need to follow the steps required for hosting in the marketplace, which included how things are to be named, folder structure etc. Looking at the list of things to do and conflicts with Geode / Confluent requirements. We can remove it from the Apache domain and move it to internal open source repo like gpdb or rabbitMQ while keeping the Apache License. Alternatives can be the VMware or VMware-labs opensource orgs in Github. We can definitely add the missing licenses and wait for 1.12.8 release of Apache Geode to update those dependencies. Regards Naba ________________________________ From: Owen Nichols <onich...@vmware.com> Sent: Tuesday, January 4, 2022 4:45 PM To: dev@geode.apache.org <dev@geode.apache.org> Subject: Re: [VOTE] - Apache Geode Kafka Connector 1.1.0 - Take 2 Quibbles: - artifact naming does not follow standard naming convention of THING-VERSION.tgz and THING-VERSION-src.tgz (also Geode decided to stop distributing .zip files years ago) - not based on the latest Geode 1.12 patch. I would like to see Geode 1.12.8 picked up once it's available later this month. - the log4j version 2.16.0 advertised in this release fixes only 2 of the 4 recent log4j vulnerabilities. I would prefer to see log4j 2.17.1. - vote email is missing a link to release notes and a link to the KEYS file used to sign the release. - artifact paths and email subject are missing "RC1" qualifier Concerns: - NOTICE and LICENSE are found inside a "doc" folder instead of at the top level of the artifact - Some dependencies are missing from LICENSE. While most deps are Apache2 and don't require a mention, LatencyUtils is BSD-2 and should be mentioned, and likely a few others from Geode's LICENSE need to be there as well because they are incorporated in source form into geode-core. Please consider above suggestions for next time. +0 On 1/4/22, 2:19 PM, "Dan Smith" <dasm...@vmware.com> wrote: Hello Geode Dev Community, This is a release candidate for Apache Geode Kafka Connector version 1.1.0. This contains a bump to log4j 2.16. Please do a review and give your feedback. Voting deadline: 3PM PST Tuesday, Jan 11, 2022. Please note that we are voting upon the source tag: rel/v1.1.0 Source and Binary Distributions: https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdist.apache.org%2Frepos%2Fdist%2Fdev%2Fgeode%2Fkafka-connector-1.1.0%2F&data=04%7C01%7Cdoevans%40vmware.com%7C976d5d23599d45e7ae7b08d9d564d0a5%7Cb39138ca3cee4b4aa4d6cd83d9dd62f0%7C0%7C0%7C637775451252718005%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=7esXkfI%2FCep0FT9rzxhIwqMhYHnJFJcgcVcuR%2BYJ50w%3D&reserved=0 Github: https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fapache%2Fgeode-kafka-connector%2Ftree%2Frel%2Fv1.1.0&data=04%7C01%7Cdoevans%40vmware.com%7C976d5d23599d45e7ae7b08d9d564d0a5%7Cb39138ca3cee4b4aa4d6cd83d9dd62f0%7C0%7C0%7C637775451252718005%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=Nq%2FcOCpauEGZgvDFMX93UCT%2B8hlo4OX9ZnB2rE5aIh8%3D&reserved=0 Command to build the connector: mvn package Thanks! -Dan
