+1 [biding] Checked all usual things, nothing overly suspicious. And I agree with Paul on both counts - keeping KEYS in the version control is a bit unusual and doesn't solve anything.
-- Cos On Sat, Oct 24, 2020 at 12:19PM, Paul King wrote: > One point I forgot - There is certainly mixed practice with regard to > whether the KEYS file should be checked into the source repo. Some projects > place it just on dist.apache.org/repos/dist/release. That way there is a > single point of truth. Right now the one in the source repo is out of sync > with the dist.apache.org one. > > Cheers, Paul. > > On Sat, Oct 24, 2020 at 12:11 PM Paul King <[email protected]> wrote: > > > +1 > > > > Checked hashes and signatures. > > "mvn clean verify" passes > > "mvn apache-rat:rat" passes > > incubating in name > > DISCLAIMER exists > > NOTICE seems okay > > LICENSE seems okay > > no unexpected binary files > > > > Mentoring notes: > > * You should minimise changes to KEYS since ideally each release manager > > would attend a key-signing party and have their key spread amongst other > > trusted parties. Then verifiers could verify that the release has been > > signed not only with a valid key but also from a trusted source. Key > > signing would need to be repeated each time a release manager's key > > changes. Key signing isn't mandatory, just highly recommended, but isn't > > easy to do right now due to COVID. > > * For files like NCBlowfishHasher.java, (correctly mentioned in LICENSE > > and NOTICE, thanks) if the statement "Code almost entirely based on work of > > ..." is indeed true, then I believe it is usually clearer to leave the > > original license header in the source file and perhaps amend with > > "Subsequent changes Copyright by the NLPCraft team and made under the > > ASLv2..." but what you have is possibly okay - just not as clear. IANAL, > > but my understanding is that you have the obligation to make it clear that > > the requirements the original author requested for use of that file in > > source form etc. are still in play and aren't overwritten by slapping the > > ASLv2 header at the front of the file. > > > > Cheers, Paul. > > > > > > On Thu, Oct 22, 2020 at 2:35 AM Aaron Radzinski <[email protected]> > > wrote: > > > >> NLPCraft-ers, > >> This is a call for a vote to release Apache NLPCraft (incubating) version > >> 0.7.1. This release includes bug fixes and incremental improvements for > >> NLPCraft 0.7.0 release. > >> > >> Release information: > >> 1. Release location: > >> https://dist.apache.org/repos/dist/dev/incubator/nlpcraft/nlpcraft/0.7.1/ > >> 3. Git tag: https://github.com/apache/incubator-nlpcraft/tree/v0.7.1 > >> 4. JIRA issues fixed in release: > >> https://issues.apache.org/jira/projects/NLPCRAFT/versions/12347777 > >> 5. KEYS file: > >> https://dist.apache.org/repos/dist/release/incubator/nlpcraft/KEYS > >> > >> The vote will be open for at least 72 hours or until a necessary number of > >> votes are reached. > >> > >> Please vote accordingly: > >> [ ] +1 approve > >> [ ] +0 no opinion > >> [ ] -1 disapprove with the reason > >> > >> Thank you, > >> Aaron (NLPCraft community). > >> > >
signature.asc
Description: PGP signature
