(thanks for the extension, I started looking at this and then forgot
about it)
-1 (binding)
First off, please include some sort of "RC-X" identifier in the vote
subject so that we can differentiate them in the archives.
- The good
* xsums+sigs match
* Can build from source
* Ran all unit tests (as invoked during `mvn package`)
* Found no binary files
- Things that must be fixed
* https://dist.apache.org/repos/dist/release/incubator/rya and
https://dist.apache.org/repos/dist/dev/incubator/rya don't exist. You
must have the former created with a KEYS file that contains the GPG
public keys for those creating Rya release notes. Typically, you should
use dist.a.o/repos/dist/dev/incubator/rya to stage your release
artifacts, although policy on whether using the staging repo alone is
sufficient is not clear to me. (were it not for the licensing issues
below, we could just fix this)
* jgridshift:jgridshift appears to be LGPL licensed
(https://github.com/floscher/jGridShift/blob/master/LICENSE). You may
not use this software. It looks like it was not appropriately marked in
its pom which is why the configuration from Rya's parent apache.pom did
not catch it. This is brought in via org.geotools.xsd:gt-xsd-gml3.
* colt (http://dst.lbl.gov/ACSSoftware/colt/) appears to be another
brought in by com.tinkerpop.blueprints:blueprints-core
* com.google.code.findbugs:jsr305 is another example of GPL licensing.
While the artifact appears to have the ASL tagged on the pom, all
Findbugs documentation states that the project is GPL.
I would recommend to make a pass over your dependencies to verify that
you aren't depending on any projects which are licensed with a license
on this list: http://www.apache.org/legal/resolved.html#category-x. See
http://www.apache.org/licenses/GPL-compatibility.html for more details.
The above three examples were found via a brief glance.
- Things to fix later (later rc's or the next release)
* Copyright year in NOTICE is wrong (2015 instead of 2016)
* mvn apache-rat:check passes (after `rm DEPENDENCIES`)
* A number of files which have 'Copyright (C) 2014 Rya' in the license
header in extras/rya.merger that should not exist. Copyright statement
should only appear in the NOTICE file (`fgrep -Ri 'copyright'
rya-project-3.2.10 | fgrep -v 'The ASF licenses this file'`)
* <tag>v3.2.10-RC1</tag> is incorrect in parent pom
* I see a bunch of maven-shade-plugin uses and at least one warfile
project: keep in mind that you should be ensuring that the generated
artifacts by your official source-release should also be licensed per
ASF policy. This isn't something you have to fix for this first release,
but it would bar Rya from a +1 to graduate from me.
* Saw some XML files in the build which were excluded from the
apache-rat-plugin. I'd recommend minimizing the exclusions as much as
possible.
- Josh
Aaron D. Mihalik wrote:
I am pleased to be calling this vote for the source release of Apache Rya
(Incubating), version 3.2.10.
The source zip, including signatures, digests, etc. can be found at:
https://repository.apache.org/content/repositories/orgapacherya-1001/org/apache/rya/rya-project/3.2.10/
The Git tag is v3.2.10
The Git commit ID is 16196b4c658062545964602835cb5fbd2870e578
https://git-wip-us.apache.org/repos/asf?p=incubator-rya.git;a=commit;h=16196b4c658062545964602835cb5fbd2870e578
Checksums of rya-project-3.2.10-source-release.zip:
SHA1: dee4a5e4f8e74c4de614d02c7b17a5e0db132649
MD5: df4a47ae1232725bc95450f5e49de95c
Release artifacts are signed with the following key:
https://people.apache.org/keys/committer/mihalik.asc
Issues that were closed/resolved for this release are here:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12334209&styleName=Html&projectId=12319020
The vote will be open for 72 hours.
Please download the release candidate and evaluate the necessary items
including checking hashes, signatures, build from source, and test. Then
please vote:
[ ] +1 Release this package as rya-project-3.2.10
[ ] +0 no opinion
[ ] -1 Do not release this package because because...
