+1 (binding)
Everything built fine. The signatures and hashes were correct, and there were
no extra binaries. At the bottom of the e-mail are the remaining licenses that
don't
fall into the "good" list of ASF pre-approved licenses. These were obtained by
running
mvn license:aggregate-add-third-party
and then
egrep -iv "BSD|ASF|MIT|CDDL|EPL|Apache|Eclipse|Public Domain"
target/generated-sources/license/THIRD-PARTY.txt
I'm assuming that these have been signed off on by Josh, Puja, and Aaron.
(Unknown license) ASM Core (asm:asm:3.1 - http://asm.objectweb.org/asm/)
(GNU LESSER GENERAL PUBLIC LICENSE) JCalendar (com.toedter:jcalendar:1.1.4
- http://www.toedter.com/en/jcalendar/)
(Unknown license) commons-beanutils
(commons-beanutils:commons-beanutils:1.7.0 - no url defined)
(HSQLDB License) HSQLDB (hsqldb:hsqldb:1.8.0.10 - http://hsqldb.org/)
(Unknown license) servlet-api (javax.servlet:servlet-api:2.5 - no url
defined)
(Unknown license) jsp-api (javax.servlet.jsp:jsp-api:2.1 - no url defined)
(Common Public License Version 1.0) JUnit (junit:junit:4.8.2 -
http://junit.org)
(ASL, version 2) (LGPL, version 2.1) Java Native Access
(net.java.dev.jna:jna:4.0.0 - https://github.com/twall/jna)
(ASL, version 2) (LGPL, version 2.1) Java Native Access Platform
(net.java.dev.jna:jna-platform:4.0.0 - https://github.com/twall/jna)
(Unknown license) Antlr 3.4 Runtime (org.antlr:antlr-runtime:3.4 -
http://www.antlr.org)
(Unknown license) Jettison (org.codehaus.jettison:jettison:1.1 - no url
defined)
(GNU General Public License (GPL), version 2, with the Classpath
exception) JMH Core (org.openjdk.jmh:jmh-core:1.13 -
http://openjdk.java.net/projects/code-tools/jmh/jmh-core/)
(GNU General Public License (GPL), version 2, with the Classpath
exception) JMH Generators: Annotation Processors
(org.openjdk.jmh:jmh-generator-annprocess:1.13 -
http://openjdk.java.net/projects/code-tools/jmh/jmh-generator-annprocess/)
(Unknown license) org.osgi.compendium (org.osgi:org.osgi.compendium:4.2.0
- no url defined)
(Unknown license) org.osgi.core (org.osgi:org.osgi.core:4.2.0 - no url
defined)
(Unknown license) spring-aop (org.springframework:spring-aop:3.0.5.RELEASE
- no url defined)
(Unknown license) spring-asm (org.springframework:spring-asm:3.0.5.RELEASE
- no url defined)
(Unknown license) spring-context-support
(org.springframework:spring-context-support:3.0.7.RELEASE - no url defined)
(Unknown license) spring-tx (org.springframework:spring-tx:3.0.5.RELEASE -
no url defined)
(Unknown license) oro (oro:oro:2.0.8 - no url defined)
(Unknown license) regexp (regexp:regexp:1.3 - no url defined)
(Unknown license) jasper-compiler (tomcat:jasper-compiler:5.5.12 - no url
defined)
(Unknown license) jasper-runtime (tomcat:jasper-runtime:5.5.12 - no url
defined)
-----Original Message-----
From: Aaron D. Mihalik [mailto:[email protected]]
Sent: Monday, October 24, 2016 3:30 PM
To: [email protected]
Subject: Re: [VOTE] Release Rya (Incubating) version 3.2.10 RC3
This is a gentle reminder to everyone to provide some feedback on the release
candidate. We need at least another binding vote to continue this process.
Also, non-binding votes are encouraged :)
Josh/Adina: I have looked at your feedback and made minor updates, tickets, and
comments to address the issues you raised:
> [Josh] Apache Accumulo®, please
I have updated the website accordingly
> [Josh] lots of warnings in your Maven project
Created a Jira issue for this: RYA-216 - Clean up Maven Warnings
> [Josh] include when the 72hrs is "up" (with tz)
I updated the template
> [Adina] Maybe we should put the KEYS file both in
dist.a.o/repos/dist/dev/ and dist.a.o/repos/dist/release/
Initially, I had the KEYS file in both places but I noticed that most projects
only have it in "release" and I thought it might be confusing to maintain two
files with the same content. I'm fine reverting back to both places, however.
Let me know.
> [Josh] you have no other signatures on your key
David Lotts signed my key last week. I updated dist.a.o [1] but my key on
people.a.o [2] is doesn't reflect David's signature. Any idea how to push an
update? The key server that people.a.o pulls from has the update [3].
> [Josh] Put some thought in how your source-release creates binaries
Agreed... created RYA-217 Evaluate Shaded and Zip'd artifacts
--Aaron
[1]
https://urldefense.proofpoint.com/v2/url?u=https-3A__dist.apache.org_repos_dist_release_incubator_rya_KEYS&d=CwIFaQ&c=Nwf-pp4xtYRe0sCRVM8_LWH54joYF7EKmrYIdfxIq10&r=vuVdzYC2kksVZR5STiFwDpzJ7CrMHCgeo_4WXTD0qo8&m=ZfEFJtjCrTqWYlOG5OQ1anhuoUqfwnAT5VIhodw6Bys&s=oRAGQlItutHUnC5pj152XKymSWuxBwgqInEwC-XkZBc&e=
[2]
https://urldefense.proofpoint.com/v2/url?u=http-3A__people.apache.org_keys_committer_mihalik.asc&d=CwIFaQ&c=Nwf-pp4xtYRe0sCRVM8_LWH54joYF7EKmrYIdfxIq10&r=vuVdzYC2kksVZR5STiFwDpzJ7CrMHCgeo_4WXTD0qo8&m=ZfEFJtjCrTqWYlOG5OQ1anhuoUqfwnAT5VIhodw6Bys&s=wnTXMcREN54rvH0rdTYWgUnwpJ_4F0rLwQIdQOVofaI&e=
[3]
https://urldefense.proofpoint.com/v2/url?u=http-3A__keys2.kfwebs.net_pks_lookup-3Fop-3Dvindex-26search-3D0x8E6245BF6937DEAE1F7B72DDC3CC40CAF50EAE1A&d=CwIFaQ&c=Nwf-pp4xtYRe0sCRVM8_LWH54joYF7EKmrYIdfxIq10&r=vuVdzYC2kksVZR5STiFwDpzJ7CrMHCgeo_4WXTD0qo8&m=ZfEFJtjCrTqWYlOG5OQ1anhuoUqfwnAT5VIhodw6Bys&s=vN-ly-lFFX3zxR2i_unUjErbKeTlpQazoERvKvoGKoE&e=
On Sun, Oct 23, 2016 at 2:54 PM Adina Crainiceanu <[email protected]> wrote:
+1 binding
I checked:
* name includes incubating
* DISCLAIMER exists and has the correct content
* LICENSE and NOTICE exist and they have the correct content (if we don't
bundle any dependencies)
* release artifacts placed in
https://urldefense.proofpoint.com/v2/url?u=https-3A__dist.apache.org_repos_dist_dev_incubator_rya_&d=CwIFaQ&c=Nwf-pp4xtYRe0sCRVM8_LWH54joYF7EKmrYIdfxIq10&r=vuVdzYC2kksVZR5STiFwDpzJ7CrMHCgeo_4WXTD0qo8&m=ZfEFJtjCrTqWYlOG5OQ1anhuoUqfwnAT5VIhodw6Bys&s=RqgcGrrexpEUivnXcJkwH7QtW9iWlZJ8O6zJp_VtJmY&e=
* checksums correct (md5 and sha1)
* signature correct. Maybe we should put the KEYS file both in
https://urldefense.proofpoint.com/v2/url?u=https-3A__dist.apache.org_repos_dist_dev_incubator_rya_&d=CwIFaQ&c=Nwf-pp4xtYRe0sCRVM8_LWH54joYF7EKmrYIdfxIq10&r=vuVdzYC2kksVZR5STiFwDpzJ7CrMHCgeo_4WXTD0qo8&m=ZfEFJtjCrTqWYlOG5OQ1anhuoUqfwnAT5VIhodw6Bys&s=RqgcGrrexpEUivnXcJkwH7QtW9iWlZJ8O6zJp_VtJmY&e=
(where I expected it to check the release) and
https://urldefense.proofpoint.com/v2/url?u=https-3A__dist.apache.org_repos_dist_release_incubator_rya_&d=CwIFaQ&c=Nwf-pp4xtYRe0sCRVM8_LWH54joYF7EKmrYIdfxIq10&r=vuVdzYC2kksVZR5STiFwDpzJ7CrMHCgeo_4WXTD0qo8&m=ZfEFJtjCrTqWYlOG5OQ1anhuoUqfwnAT5VIhodw6Bys&s=N_01x-2tZjuhIZ7TQSs94guF0-qR2KoZ3LV7YSk8AKw&e=
(where others can download when we have the official release)
* no unexpected binaries in the .zip file
* can build from source, with included tests (I did mvm clean install)
Thank you,
Adina
On Fri, Oct 21, 2016 at 1:31 PM, Josh Elser <[email protected]> wrote:
> +1
>
> * Sig/Xsums OK, but you have no other signatures on your key to verify
> that the key used to sign these artifacts is actually your key, Aaron.
> Maybe you can find someone (in person or via phone) or who can your
> key
for
> you? [1]
> * Verified that geoindexing is "off"
> * Cursory glance over dependencies getting bundled in shaded JARs and
> they look OK
> * Listed commit exists in the repo
> * L&N look correct for source release
> * DISCLAIMER present
> * Could build from source (`mvn package`)
>
> Overview on your website:
>
> * "Apache Rya (incubating) is a scalable RDF triple store built on top
> of a columnar index store (Accumulo)." Apache Accumulo®, please.
> * Required links are present to ASF
> * Incubator branding looks good (to my memory)
> * "Apache Rya (incubating)" is prominent too.
>
> Other things:
>
> * Noticed lots of warnings in your Maven project. Would be good to
> address this to reduce the likelihood of build issues by users. [2]
> * Nit: would be good to include when the 72hrs is "up" (with tz)
> instead of relying on the timestamp that the message landed in
> someone's inbox.
> * Got an error running a `mvn install` (since your dependency graph
> seems to be busted -- couldn't run a `mvn dependency:tree` without as
> I should
be
> able to). [3] Rerunning it was fine the second time..
> * Maintaining your shaded jars over time is probably a losing battle
> (if the licensing issues this time around weren't sign enough). I'd
> suggest
you
> start putting some thought in how your source-release creates binaries
that
> can be useful for people who want to run Rya but are not using the
> exact versions of all of the dependencies you're bundling for them.
> * I didn't inspect the JARs you're also distributing for licensing
> correctness. Will let this slide since for now :)
>
> - Josh
>
> [1]
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.apache.org_de
> v_release-2Dsigning.html-23web-2Dof-2Dtrust&d=CwIFaQ&c=Nwf-pp4xtYRe0sC
> RVM8_LWH54joYF7EKmrYIdfxIq10&r=vuVdzYC2kksVZR5STiFwDpzJ7CrMHCgeo_4WXTD
> 0qo8&m=ZfEFJtjCrTqWYlOG5OQ1anhuoUqfwnAT5VIhodw6Bys&s=JIUjOmAJK7rviGMEz
> 2CWNsPlVmfcCG9cut5EWcqv6DU&e= [2]
> https://urldefense.proofpoint.com/v2/url?u=https-3A__paste.apache.org_
> CQf3&d=CwIFaQ&c=Nwf-pp4xtYRe0sCRVM8_LWH54joYF7EKmrYIdfxIq10&r=vuVdzYC2
> kksVZR5STiFwDpzJ7CrMHCgeo_4WXTD0qo8&m=ZfEFJtjCrTqWYlOG5OQ1anhuoUqfwnAT
> 5VIhodw6Bys&s=jW8-JckYUpKzpZreQGZyXybPtt-vcNC19HCyYm6DV6w&e=
> [3]
> https://urldefense.proofpoint.com/v2/url?u=https-3A__paste.apache.org_
> ssGd&d=CwIFaQ&c=Nwf-pp4xtYRe0sCRVM8_LWH54joYF7EKmrYIdfxIq10&r=vuVdzYC2
> kksVZR5STiFwDpzJ7CrMHCgeo_4WXTD0qo8&m=ZfEFJtjCrTqWYlOG5OQ1anhuoUqfwnAT
> 5VIhodw6Bys&s=SiS7n7mDlGH48lmnr6PxgubewLkTMcfYbwGQF8MyJos&e=
>
>
> Aaron D. Mihalik wrote:
>
>> I am pleased to be calling this vote for the source release of Apache
>> Rya (Incubating), version 3.2.10.
>>
>> The source zip, including signatures, digests, etc. can be found at:
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__dist.apache.org_
>> repos_dist_dev_incubator_rya_rya-2Dinc&d=CwIFaQ&c=Nwf-pp4xtYRe0sCRVM8
>> _LWH54joYF7EKmrYIdfxIq10&r=vuVdzYC2kksVZR5STiFwDpzJ7CrMHCgeo_4WXTD0qo
>> 8&m=ZfEFJtjCrTqWYlOG5OQ1anhuoUqfwnAT5VIhodw6Bys&s=w0kg8QTGTOMKE4-uSuG
>> -ibGklc44f5lzV2z26blO2Ws&e=
>> ubating-3.2.10-rc3/
>>
>> Ancillary artifacts such as poms, jars, wars, ect. can be found here:
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__repository.apach
>> e.org_content_repositories_orgapache&d=CwIFaQ&c=Nwf-pp4xtYRe0sCRVM8_L
>> WH54joYF7EKmrYIdfxIq10&r=vuVdzYC2kksVZR5STiFwDpzJ7CrMHCgeo_4WXTD0qo8&
>> m=ZfEFJtjCrTqWYlOG5OQ1anhuoUqfwnAT5VIhodw6Bys&s=bpuzbTB6lojJ_cE8-NgDi
>> O_J4sCpibZ11axua527md8&e=
>> rya-1004/org/apache/rya/rya-project/3.2.10-incubating/
>>
>> The Git tag is rya-incubating-3.2.10-rc3 The Git commit ID is
>> 66d8b7f060bddeeb7c50cb0918f98ce3b265c564
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__git-2Dwip-2Dus.a
>> pache.org_repos_asf-3Fp-3Dincubator-2Drya.git&d=CwIFaQ&c=Nwf-pp4xtYRe
>> 0sCRVM8_LWH54joYF7EKmrYIdfxIq10&r=vuVdzYC2kksVZR5STiFwDpzJ7CrMHCgeo_4
>> WXTD0qo8&m=ZfEFJtjCrTqWYlOG5OQ1anhuoUqfwnAT5VIhodw6Bys&s=ktCV0PbRwcqf
>> 2MNSik7aRx7i_PeCRQl2f1NRUoSp7ic&e= ;
>> a=commit;h=66d8b7f060bddeeb7c50cb0918f98ce3b265c564
>>
>> Checksums of rya-project-3.2.10-source-release.zip:
>> SHA1: 4468f55b9f381e9103ca1e2e9c25b30e1cad4ed0
>> MD5: a28d9a146857576903ff4fc3f7dae908
>>
>> Release artifacts are signed with the following key:
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__people.apache.or
>> g_keys_committer_mihalik.asc&d=CwIFaQ&c=Nwf-pp4xtYRe0sCRVM8_LWH54joYF
>> 7EKmrYIdfxIq10&r=vuVdzYC2kksVZR5STiFwDpzJ7CrMHCgeo_4WXTD0qo8&m=ZfEFJt
>> jCrTqWYlOG5OQ1anhuoUqfwnAT5VIhodw6Bys&s=qdngMmn6ujEDbPPZPSrvB04jx25ps
>> 5UmWv1cMWfW8CQ&e=
>>
>> KEYS file available here:
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__dist.apache.org_
>> repos_dist_release_incubator_rya_KEYS&d=CwIFaQ&c=Nwf-pp4xtYRe0sCRVM8_
>> LWH54joYF7EKmrYIdfxIq10&r=vuVdzYC2kksVZR5STiFwDpzJ7CrMHCgeo_4WXTD0qo8
>> &m=ZfEFJtjCrTqWYlOG5OQ1anhuoUqfwnAT5VIhodw6Bys&s=oRAGQlItutHUnC5pj152
>> XKymSWuxBwgqInEwC-XkZBc&e=
>>
>> Issues that were closed/resolved for this release are here:
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__issues.apache.or
>> g_jira_secure_ReleaseNote.jspa-3Fversi&d=CwIFaQ&c=Nwf-pp4xtYRe0sCRVM8
>> _LWH54joYF7EKmrYIdfxIq10&r=vuVdzYC2kksVZR5STiFwDpzJ7CrMHCgeo_4WXTD0qo
>> 8&m=ZfEFJtjCrTqWYlOG5OQ1anhuoUqfwnAT5VIhodw6Bys&s=mn5qEPBUNKYU7SabEEC
>> oF4hfI7O-vZ_hZ5SHZzWJpgY&e=
>> on=12334209&styleName=Html&projectId=12319020
>>
>> Issues resolved between RC1 and RC2 are here:
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__issues.apache.or
>> g_jira_browse_RYA-2D184&d=CwIFaQ&c=Nwf-pp4xtYRe0sCRVM8_LWH54joYF7EKmr
>> YIdfxIq10&r=vuVdzYC2kksVZR5STiFwDpzJ7CrMHCgeo_4WXTD0qo8&m=ZfEFJtjCrTq
>> WYlOG5OQ1anhuoUqfwnAT5VIhodw6Bys&s=8SiHJo-jCqvx8XchCZNLNI2ax61fD_Bojx
>> fofsSHw84&e=
>>
>> Issues resolved between RC2 and RC3 are here:
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__issues.apache.or
>> g_jira_browse_RYA-2D209&d=CwIFaQ&c=Nwf-pp4xtYRe0sCRVM8_LWH54joYF7EKmr
>> YIdfxIq10&r=vuVdzYC2kksVZR5STiFwDpzJ7CrMHCgeo_4WXTD0qo8&m=ZfEFJtjCrTq
>> WYlOG5OQ1anhuoUqfwnAT5VIhodw6Bys&s=FhXvmswKKU781YHDxS_f4MpVXWYEkH8YVq
>> Idpl62rrA&e=
>>
>> The vote will be open for 72 hours.
>> Please download the release candidate and evaluate the necessary
>> items including checking hashes, signatures, build from source, and
>> test. The please vote:
>>
>> [ ] +1 Release this package as rya-project-3.2.10 [ ] +0 no opinion [
>> ] -1 Do not release this package because because...
>>
>>
--
Dr. Adina Crainiceanu
Associate Professor, Computer Science Department United States Naval Academy
410-293-6822 <(410)%20293-6822>
[email protected]
https://urldefense.proofpoint.com/v2/url?u=http-3A__www.usna.edu_Users_cs_adina_&d=CwIFaQ&c=Nwf-pp4xtYRe0sCRVM8_LWH54joYF7EKmrYIdfxIq10&r=vuVdzYC2kksVZR5STiFwDpzJ7CrMHCgeo_4WXTD0qo8&m=ZfEFJtjCrTqWYlOG5OQ1anhuoUqfwnAT5VIhodw6Bys&s=auxia68b3jUMOO3sTEBKTD-NEIiXXm9-mXkBv6-7Zug&e=
