-1 (non-binding) because RYA-169 Mongo direct example is broken. This is fixed in pull request #87. The example is important and should be working in the release IMHO.

david.

On Mon, Sep 12, 2016 at 12:04 PM, Aaron D. Mihalik <[email protected]> wrote:

> Thanks Josh! This list is great.
>
> I'll add the RC-X to the "Vote" email for the next RC. I also updated the
> release docs to include that note.
>
> I added these tasks to track:
>
> (Blocker) RYA-177 - Review License on Rya Dependencies
> RYA-178 Review RAT Exclusions
> RYA-179 - Review License / Copyright notices on Rya Artifacts
> RYA-180 - Review Licensing of Shaded/War'd Rya Artifacts
> RYA-182 - Review SCM Tag in Parent POM
>
> Is RYA-180 subsumed by RYA-177? If we verify that all of the Rya
> Dependencies are not "Category X", are there additional concerns about what
> we war/shade up?
>
> --Aaron
>
> On Mon, Sep 12, 2016 at 11:35 AM Josh Elser <[email protected]> wrote:
>
> > (thanks for the extension, I started looking at this and then forgot
> > about it)
> >
> > -1 (binding)
> >
> > First off, please include some sort of "RC-X" identifier in the vote
> > subject so that we can differentiate them in the archives.
> >
> > - The good
> >
> > * xsums+sigs match
> > * Can build from source
> > * Ran all unit tests (as invoked during `mvn package`)
> > * Found no binary files
> >
> > - Things that must be fixed
> >
> > * https://dist.apache.org/repos/dist/release/incubator/rya and
> > https://dist.apache.org/repos/dist/dev/incubator/rya don't exist. You
> > must have the former created with a KEYS file that contains the GPG
> > public keys for those creating Rya release notes. Typically, you should
> > use dist.a.o/repos/dist/dev/incubator/rya to stage your release
> > artifacts, although policy on whether using the staging repo alone is
> > sufficient is not clear to me. (were it not for the licensing issues
> > below, we could just fix this)
> > * jgridshift:jgridshift appears to be LGPL licensed
> > (https://github.com/floscher/jGridShift/blob/master/LICENSE). You may
> > not use this software. It looks like it was not appropriately marked in
> > its pom which is why the configuration from Rya's parent apache.pom did
> > not catch it. This is brought in via org.geotools.xsd:gt-xsd-gml3.
> > * colt (http://dst.lbl.gov/ACSSoftware/colt/) appears to be another
> > brought in by com.tinkerpop.blueprints:blueprints-core
> > * com.google.code.findbugs:jsr305 is another example of GPL licensing.
> > While the artifact appears to have the ASL tagged on the pom, all
> > Findbugs documentation states that the project is GPL.
> >
> > I would recommend to make a pass over your dependencies to verify that
> > you aren't depending on any projects which are licensed with a license
> > on this list: http://www.apache.org/legal/resolved.html#category-x. See
> > http://www.apache.org/licenses/GPL-compatibility.html for more details.
> > The above three examples were found via a brief glance.
> >
> > - Things to fix later (later rc's or the next release)
> >
> > * Copyright year in NOTICE is wrong (2015 instead of 2016)
> > * mvn apache-rat:check passes (after `rm DEPENDENCIES`)
> > * A number of files which have 'Copyright (C) 2014 Rya' in the license
> > header in extras/rya.merger that should not exist. Copyright statement
> > should only appear in the NOTICE file (`fgrep -Ri 'copyright'
> > rya-project-3.2.10 | fgrep -v 'The ASF licenses this file'`)
> > * <tag>v3.2.10-RC1</tag> is incorrect in parent pom
> > * I see a bunch of maven-shade-plugin uses and at least one warfile
> > project: keep in mind that you should be ensuring that the generated
> > artifacts by your official source-release should also be licensed per
> > ASF policy. This isn't something you have to fix for this first release,
> > but it would bar Rya from a +1 to graduate from me.
> > * Saw some XML files in the build which were excluded from the
> > apache-rat-plugin. I'd recommend minimizing the exclusions as much as
> > possible.
> >
> > - Josh
> >
> > Aaron D. Mihalik wrote:
> > > I am pleased to be calling this vote for the source release of Apache Rya
> > > (Incubating), version 3.2.10.
> > >
> > > The source zip, including signatures, digests, etc. can be found at:
> > > https://repository.apache.org/content/repositories/orgapacherya-1001/org/apache/rya/rya-project/3.2.10/
> > >
> > > The Git tag is v3.2.10
> > > The Git commit ID is 16196b4c658062545964602835cb5fbd2870e578
> > > https://git-wip-us.apache.org/repos/asf?p=incubator-rya.git;a=commit;h=16196b4c658062545964602835cb5fbd2870e578
> > >
> > > Checksums of rya-project-3.2.10-source-release.zip:
> > > SHA1: dee4a5e4f8e74c4de614d02c7b17a5e0db132649
> > > MD5: df4a47ae1232725bc95450f5e49de95c
> > >
> > > Release artifacts are signed with the following key:
> > > https://people.apache.org/keys/committer/mihalik.asc
> > >
> > > Issues that were closed/resolved for this release are here:
> > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12334209&styleName=Html&projectId=12319020
> > >
> > > The vote will be open for 72 hours.
> > > Please download the release candidate and evaluate the necessary items
> > > including checking hashes, signatures, build from source, and test. Then
> > > please vote:
> > >
> > > [ ] +1 Release this package as rya-project-3.2.10
> > > [ ] +0 no opinion
> > > [ ] -1 Do not release this package because...
