For what it’s worth (no vote here), I did the following:

> * I verified build works and tests all pass.

Yes.

> * I verified license headers with Apache RAT (via 'jake rat').

Yes.

> * I manually verified all third party licenses in node_modules.


node_modules are not included in the bundle.

If this is intentional, then LICENSE does not need to include things like 
accounting and moment which are not actually bundled, but just listed as 
dependencies in package.json. From 
http://www.apache.org/dev/licensing-howto.html#bundled-vs-non-bundled :

Bundled vs. Non-bundled Dependencies

LICENSE and NOTICE must always be tailored to the content of the specific 
distribution they reside within. Dependencies which are not included in the 
distribution MUST NOT be added to LICENSE and NOTICE. As far as LICENSE and 
NOTICE are concerned, only bundled bits matter.

If the bundle should include node_modules, then there are slightly more 
dependencies which should be given credit to.

I used this to find them (only production are installed using “npm install 
--production”):

--> find . -type d -name node_modules -exec ls -1 {} \; | sort | uniq -c
   1 accounting
   1 async
   1 buffer-crc32
   1 bytes
   1 colors
   1 combined-stream
   1 commander
   1 connect
   1 connect-xcors
   1 cookie
   1 cookie-signature
   1 debug
   1 delayed-stream
   1 express
   1 form-data
   1 formidable
   1 fresh
   1 methods
   2 mime
   1 mkdirp
   1 moment
   1 ms
   1 open
   1 pause
   1 qs
   1 range-parser
   1 request
   1 send

There are 28 of them. Deep dependencies should be listed as well if they are 
included in the distribution. From 
http://www.apache.org/dev/licensing-howto.html#deps-of-deps :

Dependencies of Dependencies

Dependencies of dependencies (including so-called "transitive dependencies") 
are no different from first-order dependencies for the purposes of assembling 
LICENSE and NOTICE: LICENSE and NOTICE need only be modified to accommodate 
them if and only if their bits are bundled.


Please let me know if I can help in any way to resolve this (if this needs a 
resolution).

-- 
// kai

> On May 13, 2015, at 18:52, Tim Barham <[email protected]> wrote:
> 
> [Once more, with feeling :) ]
>
> Please review and vote on the release of Ripple 0.9.29.
> 
> The package you are voting on is available for review at 
> http://1drv.ms/1J7SY3v. It was published from its corresponding git tag:
>      incubator-ripple: 0.9.29 (9737ec47f5)
> 
> Since this will be an official Apache release of Ripple (another attempt at 
> our first official release!), we must be particularly careful that it 
> complies with all Apache guidelines for an incubator release. As such, before 
> voting +1, please refer to and verify compliance with the checklist at  
> http://incubator.apache.org/guides/releasemanagement.html#check-list.
> 
> If anyone has concerns that we don't meet any of these requirements, please 
> don't hesitate to raise them here so we can discuss and make changes if 
> necessary.
> 
> If you do give a +1 vote, please include what steps you took in order to be 
> confident in the release.
> 
> Please also note from Ross's recent email:
> 
>> What we need is three +1 "binding" votes, in reality that means three IPMC
>> members. Once a project graduates it means three project management committee
>> members. However, as a mentor (therefore having a binding vote) I look to the
>> project participants to indicate their preference and (assuming no blocking
>> issues on an IP check) I'll always vote in support of the communities non-
>> binding votes.
> 
> So please, even though your vote may not be binding, take some time to review 
> the release and vote!
> 
> Upon a successful vote, we will arrange for the archive to be uploaded to 
> dist/incubator/ and publish it to NPM.
> 
> I vote +1:
> * I verified build works and tests all pass.
> * I verified license headers with Apache RAT (via 'jake rat').
> * I manually verified all third party licenses in node_modules.
> 
> Thanks,
> 
> Tim
