Thanks Josh! This list is great. I'll add the RC-X to the "Vote" email for the next RC. I also updated the release docs to include that note.
I added these tasks to track:

(Blocker) RYA-177 - Review License on Rya Dependencies
RYA-178 Review RAT Exclusions
RYA-179 - Review License / Copyright notices on Rya Artifacts
RYA-180 - Review Licensing of Shaded/War'd Rya Artifacts
RYA-182 - Review SCM Tag in Parent POM

Is RYA-180 subsumed by RYA-177? If we verify that all of the Rya Dependencies are not "Category X", are there additional concerns about what we war/shade up?

--Aaron

On Mon, Sep 12, 2016 at 11:35 AM Josh Elser <[email protected]> wrote:

> (thanks for the extension, I started looking at this and then forgot
> about it)
>
> -1 (binding)
>
> First off, please include some sort of "RC-X" identifier in the vote
> subject so that we can differentiate them in the archives.
>
> - The good
>
> * xsums+sigs match
> * Can build from source
> * Ran all unit tests (as invoked during `mvn package`)
> * Found no binary files
>
> - Things that must be fixed
>
> * https://dist.apache.org/repos/dist/release/incubator/rya and
> https://dist.apache.org/repos/dist/dev/incubator/rya don't exist. You
> must have the former created with a KEYS file that contains the GPG
> public keys for those creating Rya release notes. Typically, you should
> use dist.a.o/repos/dist/dev/incubator/rya to stage your release
> artifacts, although policy on whether using the staging repo alone is
> sufficient is not clear to me. (were it not for the licensing issues
> below, we could just fix this)
> * jgridshift:jgridshift appears to be LGPL licensed
> (https://github.com/floscher/jGridShift/blob/master/LICENSE). You may
> not use this software. It looks like it was not appropriately marked in
> its pom which is why the configuration from Rya's parent apache.pom did
> not catch it. This is brought in via org.geotools.xsd:gt-xsd-gml3.
> * colt (http://dst.lbl.gov/ACSSoftware/colt/) appears to be another
> brought in by com.tinkerpop.blueprints:blueprints-core
> * com.google.code.findbugs:jsr305 is another example of GPL licensing.
> While the artifact appears to have the ASL tagged on the pom, all
> Findbugs documentation states that the project is GPL.
>
> I would recommend to make a pass over your dependencies to verify that
> you aren't depending on any projects which are licensed with a license
> on this list: http://www.apache.org/legal/resolved.html#category-x. See
> http://www.apache.org/licenses/GPL-compatibility.html for more details.
> The above three examples were found via a brief glance.
>
> - Things to fix later (later rc's or the next release)
>
> * Copyright year in NOTICE is wrong (2015 instead of 2016)
> * mvn apache-rat:check passes (after `rm DEPENDENCIES`)
> * A number of files which have 'Copyright (C) 2014 Rya' in the license
> header in extras/rya.merger that should not exist. Copyright statement
> should only appear in the NOTICE file
> (`fgrep -Ri 'copyright' rya-project-3.2.10 | fgrep -v 'The ASF licenses this file'`)
> * <tag>v3.2.10-RC1</tag> is incorrect in parent pom
> * I see a bunch of maven-shade-plugin uses and at least one warfile
> project: keep in mind that you should be ensuring that the generated
> artifacts by your official source-release should also be licensed per
> ASF policy. This isn't something you have to fix for this first release,
> but it would bar Rya from a +1 to graduate from me.
> * Saw some XML files in the build which were excluded from the
> apache-rat-plugin. I'd recommend minimizing the exclusions as much as
> possible.
>
> - Josh
>
> Aaron D. Mihalik wrote:
> > I am pleased to be calling this vote for the source release of Apache Rya
> > (Incubating), version 3.2.10.
> >
> > The source zip, including signatures, digests, etc. can be found at:
> >
> > https://repository.apache.org/content/repositories/orgapacherya-1001/org/apache/rya/rya-project/3.2.10/
> >
> > The Git tag is v3.2.10
> > The Git commit ID is 16196b4c658062545964602835cb5fbd2870e578
> >
> > https://git-wip-us.apache.org/repos/asf?p=incubator-rya.git;a=commit;h=16196b4c658062545964602835cb5fbd2870e578
> >
> > Checksums of rya-project-3.2.10-source-release.zip:
> > SHA1: dee4a5e4f8e74c4de614d02c7b17a5e0db132649
> > MD5: df4a47ae1232725bc95450f5e49de95c
> >
> > Release artifacts are signed with the following key:
> > https://people.apache.org/keys/committer/mihalik.asc
> >
> > Issues that were closed/resolved for this release are here:
> >
> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12334209&styleName=Html&projectId=12319020
> >
> > The vote will be open for 72 hours.
> > Please download the release candidate and evaluate the necessary items
> > including checking hashes, signatures, build from source, and test. Then
> > please vote:
> >
> > [ ] +1 Release this package as rya-project-3.2.10
> > [ ] +0 no opinion
> > [ ] -1 Do not release this package because...
> >
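
Added example, not part of the original thread and not Rya project code: a small parser for `mvn dependency:tree` text output that reports which direct dependency pulls in each artifact flagged in the review, the way jgridshift is said to arrive via gt-xsd-gml3. The sample tree, its `example:*` coordinates and every `0.0.0` version are constructed placeholders, and the function names are hypothetical.

```python
import re

# Coordinates (groupId:artifactId) named in the review above.
FLAGGED = {"jgridshift:jgridshift", "colt:colt",
           "com.google.code.findbugs:jsr305"}

# Constructed sample of `mvn dependency:tree` output; the example:* names
# and every 0.0.0 version are placeholders, not Rya's real tree.
SAMPLE_TREE = r"""
[INFO] example:app:jar:0.0.0
[INFO] +- org.geotools.xsd:gt-xsd-gml3:jar:0.0.0:compile
[INFO] |  +- example.transitive:lib-a:jar:0.0.0:compile
[INFO] |  |  \- jgridshift:jgridshift:jar:0.0.0:compile
[INFO] |  \- example.transitive:lib-b:jar:0.0.0:compile
[INFO] +- com.tinkerpop.blueprints:blueprints-core:jar:0.0.0:compile
[INFO] |  \- colt:colt:jar:0.0.0:compile
[INFO] \- com.google.code.findbugs:jsr305:jar:0.0.0:compile
"""

# Optional "[INFO] ", 3-char indent cells, optional branch marker, one token.
NODE = re.compile(r"^(?:\[INFO\] )?((?:[| ] {2})*)([+\\]- )?(\S+)$")


def flagged_paths(tree_text, flagged=FLAGGED):
    """Map each flagged coordinate to the root-to-node paths that reach it."""
    stack, hits = [], {}
    for raw in tree_text.splitlines():
        m = NODE.match(raw.rstrip())
        if not m or m.group(3).count(":") < 3:
            continue  # banner, separator or other non-node line
        indent, marker, gav = m.groups()
        depth = len(indent) // 3 + (1 if marker else 0)
        coord = ":".join(gav.split(":")[:2])
        del stack[depth:]  # drop the previous branch below this depth
        stack.append(coord)
        if coord in flagged:
            hits.setdefault(coord, []).append(list(stack))
    return hits


def introduced_by(hits):
    """For each flagged coordinate, the direct dependencies that pull it in."""
    return {c: {p[1] if len(p) > 1 else p[0] for p in paths}
            for c, paths in hits.items()}


if __name__ == "__main__":
    found = introduced_by(flagged_paths(SAMPLE_TREE))
    for coord, direct in sorted(found.items()):
        print(f"{coord}: via {', '.join(sorted(direct))}")
```

Matching on coordinates rather than on the license declared in each POM reflects the review's observation that POM license metadata can be missing or wrong.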
