Hi - Thanks for providing this. Some key items are missing. I have to VOTE -1 (While I am not on this PPMC I am giving you a head start with an IPMC binding vote.)
(1) A detached signature is required in the directory that has the release package. (2) A KEYS file needs to be present which contains the public key of the release manager who signed this release. (3) A brand new policy is that SHA-1 is compromised and new releases need an SHA-256 or SHA-512. See https://www.apache.org/dev/release-distribution#sigs-and-sums <https://www.apache.org/dev/release-distribution#sigs-and-sums> and http://www.apache.org/legal/release-policy.html#what-must-every-release-contain <http://www.apache.org/legal/release-policy.html#what-must-every-release-contain> I looked at the following: DISCLAIMER LICENSE NOTICE These look OK. Many files are missing license headers in the source. Please provide a way to run a release audit tool to check on licenses in the source files. See https://creadur.apache.org/rat/ <https://creadur.apache.org/rat/> Binaries cannot be included in source packages: A discussion is needed about the third_party directory. Binary files cannot be included. E.G. cereal-1.2.1.tar.gz. In the website directory there are binaries for the logo source. I wonder why you need ai, eps, psd and pdf versions of the logo in your source release. This is branding information and the project should control when these are given out. For branding policy see http://www.apache.org/foundation/marks/#guidelines <http://www.apache.org/foundation/marks/#guidelines> , http://www.apache.org/foundation/marks/faq/#poweredby <http://www.apache.org/foundation/marks/faq/#poweredby> , and https://www.apache.org/foundation/press/kit/ <https://www.apache.org/foundation/press/kit/> The icomoon font in the tools/ui has licenses that are incompatible with Apache releases. I would not block this release for this, but these will need to be replaced. I did not do any builds …. Regards, Dave > On Aug 15, 2018, at 3:14 PM, Neng Lu <[email protected]> wrote: > > Hi All, > > This is the first release candidate for Apache Heron, version > 0.20.0-incubating. > > It is the starting poiont of Heron and contains heron's main features, such > as streaming > processing, stateful processing, streamlet api, api server, eco support, > etc. > > Full list of changes and fixes are available: > https://github.com/apache/incubator-heron/compare/0.17.5.1-rc...release/v-0.20.0-incubating > > *** Please download, test and vote on this release. This vote will stay open > for at least 72 hours *** > > Source files: > https://dist.apache.org/repos/dist/dev/incubator/heron/heron-0.20.0-incubating-candidate-1/ > > SHA-1 checksums: > 9a42c828f2264eb6c0e49ae52c8ba525f0e1c4ee > ./incubator-heron-v-0.20.0-incubating-candidate-1.tar.gz > > The tag to be voted upon: > v0.20.0-incubating-candidate-1 (d2946ce0cfb3a6fe230a93d9f16550d7f46d2cf3) > https://github.com/apache/incubator-heron/releases/tag/v-0.20.0-incubating-candidate-1 > > Please download the the source package, and follow the compiling guide( > https://apache.github.io/incubator-heron/docs/developers/compiling/compiling/) > to build > and run the Heron locally. > > Best Regards, > Neng Lu
signature.asc
Description: Message signed with OpenPGP
