Great, glad it's helpful. Also, thanks for taking this on. The first
release is always the hardest, and I didn't do a good job commending you
on stepping up :)
Aaron D. Mihalik wrote:
Thanks Josh! This list is great.
I'll add the RC-X to the "Vote" email for the next RC. I also updated the
release docs to include that note.
I added these tasks to track:
(Blocker) RYA-177 - Review License on Rya Dependencies
RYA-178 Review RAT Exclusions
RYA-179 - Review License / Copyright notices on Rya Artifacts
RYA-180 - Review Licensing of Shaded/War'd Rya Artifacts
RYA-182 - Review SCM Tag in Parent POM
Is RYA-180 subsumed by RYA-177? If we verify that all of the Rya
Dependencies are not "Category X", are there additional concerns about what
we war/shade up?
No, sadly :). The LICENSE and NOTICE files you have at the top-level of
the source-release are "easy" right now because you do not bundle any
other code than just "Apache Rya (incubating)". Therefore, you only have
to deal with Rya's licensing (which is simple).
When you start creating artifacts that contain other artifacts, you must
update LICENSE and NOTICE appropriately (in META-INF/ in JARs/WARs). A
tl;dr is that, for every dependency you bundle, you must include its
license in the LICENSE file and propagate any relevant information from
their NOTICE file (e.g. copyright/attribution statements) into your
NOTICE file. There are lots of good write-ups coming out of other ASF
projects of late which can help distill this.
I would recommend we just make a note to deal with this post-3.2.10. As
an incubator project, you get a pass on doing this all 100% correct;
however, the incompatible licensing is pretty heinous (so I'm treating
these separately). :)
--Aaron
On Mon, Sep 12, 2016 at 11:35 AM Josh Elser <[email protected]> wrote:
(thanks for the extension, I started looking at this and then forgot
about it)
-1 (binding)
First off, please include some sort of "RC-X" identifier in the vote
subject so that we can differentiate them in the archives.
- The good
* xsums+sigs match
* Can build from source
* Ran all unit tests (as invoked during `mvn package`)
* Found no binary files
- Things that must be fixed
* https://dist.apache.org/repos/dist/release/incubator/rya and
https://dist.apache.org/repos/dist/dev/incubator/rya don't exist. You
must have the former created with a KEYS file that contains the GPG
public keys for those creating Rya release notes. Typically, you should
use dist.a.o/repos/dist/dev/incubator/rya to stage your release
artifacts, although policy on whether using the staging repo alone is
sufficient is not clear to me. (were it not for the licensing issues
below, we could just fix this)
* jgridshift:jgridshift appears to be LGPL licensed
(https://github.com/floscher/jGridShift/blob/master/LICENSE). You may
not use this software. It looks like it was not appropriately marked in
its pom which is why the configuration from Rya's parent apache.pom did
not catch it. This is brought in via org.geotools.xsd:gt-xsd-gml3.
* colt (http://dst.lbl.gov/ACSSoftware/colt/) appears to be another
brought in by com.tinkerpop.blueprints:blueprints-core
* com.google.code.findbugs:jsr305 is another example of GPL licensing.
While the artifact appears to have the ASL tagged on the pom, all
Findbugs documentation states that the project is GPL.
I would recommend to make a pass over your dependencies to verify that
you aren't depending on any projects which are licensed with a license
on this list: http://www.apache.org/legal/resolved.html#category-x. See
http://www.apache.org/licenses/GPL-compatibility.html for more details.
The above three examples were found via a brief glance.
- Things to fix later (later rc's or the next release)
* Copyright year in NOTICE is wrong (2015 instead of 2016)
* mvn apache-rat:check passes (after `rm DEPENDENCIES`)
* A number of files which have 'Copyright (C) 2014 Rya' in the license
header in extras/rya.merger that should not exist. Copyright statement
should only appear in the NOTICE file (`fgrep -Ri 'copyright'
rya-project-3.2.10 | fgrep -v 'The ASF licenses this file'`)
* <tag>v3.2.10-RC1</tag> is incorrect in parent pom
* I see a bunch of maven-shade-plugin uses and at least one warfile
project: keep in mind that you should be ensuring that the generated
artifacts by your official source-release should also be licensed per
ASF policy. This isn't something you have to fix for this first release,
but it would bar Rya from a +1 to graduate from me.
* Saw some XML files in the build which were excluded from the
apache-rat-plugin. I'd recommend minimizing the exclusions as much as
possible.
- Josh
Aaron D. Mihalik wrote:
I am pleased to be calling this vote for the source release of Apache Rya
(Incubating), version 3.2.10.
The source zip, including signatures, digests, etc. can be found at:
https://repository.apache.org/content/repositories/orgapacherya-1001/org/apache/rya/rya-project/3.2.10/
The Git tag is v3.2.10
The Git commit ID is 16196b4c658062545964602835cb5fbd2870e578
https://git-wip-us.apache.org/repos/asf?p=incubator-rya.git;a=commit;h=16196b4c658062545964602835cb5fbd2870e578
Checksums of rya-project-3.2.10-source-release.zip:
SHA1: dee4a5e4f8e74c4de614d02c7b17a5e0db132649
MD5: df4a47ae1232725bc95450f5e49de95c
Release artifacts are signed with the following key:
https://people.apache.org/keys/committer/mihalik.asc
Issues that were closed/resolved for this release are here:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12334209&styleName=Html&projectId=12319020
The vote will be open for 72 hours.
Please download the release candidate and evaluate the necessary items
including checking hashes, signatures, build from source, and test. Then
please vote:
[ ] +1 Release this package as rya-project-3.2.10
[ ] +0 no opinion
[ ] -1 Do not release this package because...