Re: [VOTE] Apache Fluo Recipes 1.0.0-incubating (rc1)

2016-10-27 Thread Josh Elser 
Don't forget to use "[RESULT]" in the subject for votes. I re-sent your 
message to general@incubator just to make sure it was clear.


- Josh

Keith Turner wrote:

The vote passed with 3 +1 votes and 0 -1 votes.  Thanks Josh, Justin
and Drew for inspecting the RC.

On Mon, Oct 24, 2016 at 12:33 PM, Keith Turner  wrote:

Dear IPMC,

Please vote for the following release candidate of Apache Fluo Recipes
1.0.0-incubating.

PPMC vote thread:
https://lists.apache.org/thread.html/d1e8ae5cef7c4ab1eac8192b742a3229b346335fec64afd080284dd4@%3Cdev.fluo.apache.org%3E

Staged dist artifacts:
https://dist.apache.org/repos/dist/dev/incubator/fluo/fluo-recipes/1.0.0-incubating-rc1/

Staged Maven repository:
https://repository.apache.org/content/repositories/orgapachefluo-1016/

Signing KEYS:
https://www.apache.org/dist/incubator/fluo/KEYS
(fingerprint for this release: CF72CA07C8BC86A1C862765F9AACFB56352ACF76)

Git repo:
https://git-wip-us.apache.org/repos/asf/incubator-fluo-recipes
(branch: 1.0.0-incubating-rc1,
commit: 682eff983f1fe6e60b75c36d3b2f782c6a93b155)

This vote will end on Thu Oct 27 17:00:00 UTC 2016
(Thu Oct 27 13:00:00 EDT 2016 / Thu Oct 27 10:00:00 PDT 2016)


-
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org

Re: [VOTE] Apache Fluo Recipes 1.0.0-incubating (rc1)

2016-10-27 Thread Keith Turner 
The vote passed with 3 +1 votes and 0 -1 votes.  Thanks Josh, Justin
and Drew for inspecting the RC.

On Mon, Oct 24, 2016 at 12:33 PM, Keith Turner  wrote:
> Dear IPMC,
>
> Please vote for the following release candidate of Apache Fluo Recipes
> 1.0.0-incubating.
>
> PPMC vote thread:
> https://lists.apache.org/thread.html/d1e8ae5cef7c4ab1eac8192b742a3229b346335fec64afd080284dd4@%3Cdev.fluo.apache.org%3E
>
> Staged dist artifacts:
> https://dist.apache.org/repos/dist/dev/incubator/fluo/fluo-recipes/1.0.0-incubating-rc1/
>
> Staged Maven repository:
> https://repository.apache.org/content/repositories/orgapachefluo-1016/
>
> Signing KEYS:
> https://www.apache.org/dist/incubator/fluo/KEYS
> (fingerprint for this release: CF72CA07C8BC86A1C862765F9AACFB56352ACF76)
>
> Git repo:
> https://git-wip-us.apache.org/repos/asf/incubator-fluo-recipes
> (branch: 1.0.0-incubating-rc1,
> commit: 682eff983f1fe6e60b75c36d3b2f782c6a93b155)
>
> This vote will end on Thu Oct 27 17:00:00 UTC 2016
> (Thu Oct 27 13:00:00 EDT 2016 / Thu Oct 27 10:00:00 PDT 2016)

Re: [VOTE] Apache Fluo Recipes 1.0.0-incubating (rc1)

2016-10-25 Thread Drew Farris 
+1 for this release (IPMC, Binding)

I checked the following:

- hashes good
- signatures good
- name contains incubating
- DISCLAIMER good
- LICENSE good
- NOTICE good
- No binaries in source release
- All source files have required Apache license headers
  - (77 java, 6 poms, 10 markdown, 4 properties)
- Builds successfully with 'mvn clean package'
  - artifacts built contain 'incubating'

Thanks for the release,

Drew

On Mon, Oct 24, 2016 at 12:34 PM Keith Turner  wrote:

> Dear IPMC,
>
> Please vote for the following release candidate of Apache Fluo Recipes
> 1.0.0-incubating.
>
> PPMC vote thread:
>
> https://lists.apache.org/thread.html/d1e8ae5cef7c4ab1eac8192b742a3229b346335fec64afd080284dd4@%3Cdev.fluo.apache.org%3E
>
> Staged dist artifacts:
>
> https://dist.apache.org/repos/dist/dev/incubator/fluo/fluo-recipes/1.0.0-incubating-rc1/
>
> Staged Maven repository:
> https://repository.apache.org/content/repositories/orgapachefluo-1016/
>
> Signing KEYS:
> https://www.apache.org/dist/incubator/fluo/KEYS
> (fingerprint for this release: CF72CA07C8BC86A1C862765F9AACFB56352ACF76)
>
> Git repo:
> https://git-wip-us.apache.org/repos/asf/incubator-fluo-recipes
> (branch: 1.0.0-incubating-rc1,
> commit: 682eff983f1fe6e60b75c36d3b2f782c6a93b155)
>
> This vote will end on Thu Oct 27 17:00:00 UTC 2016
> (Thu Oct 27 13:00:00 EDT 2016 / Thu Oct 27 10:00:00 PDT 2016)
>

Re: [VOTE] Apache Fluo Recipes 1.0.0-incubating-rc1

2016-10-23 Thread Christopher 
+1

Verified sigs and hashes
mvn verify passes
Source tarball matches git commit (except expected DEPENDENCIES file added
by maven-remote-resources-plugin)
Jar manifests contain specified git commit
Jar sources and javadocs exist
Confirmed LICENSE, NOTICE, DISCLAIMER in source tarball
Manually inspected all jar MANIFEST.MF, LICENSE, and NOTICE files and all
look good to me


On Sat, Oct 22, 2016 at 12:39 AM Christopher  wrote:

> What makes you think that jsr305 is not compatibly licensed? I spent some
> time investigating this and the following is what I found. Unless I've
> missed something, it looks like there's no issue with jsr305 as a
> dependency.
>
> * It looks to me like it's licensed under BSD. This is according to the
> findbugs project[1], which has been redistributing the artifact after it
> effectively went dormant[2]. The Google Groups set up for developing jsr305
> seems to confirm the developers had agreed to distribute it under this[3].
> * It looks like jsr305 is often incorrectly uploaded to Maven Central (by
> findbugs?) under AL2, which is the license in the POM for our dependency
> (version 3.0.0) [4]. It was once uploaded (again, seemingly incorrectly) as
> LGPL, but we're not using that version [5].
> * There is an outstanding GitHub issue for findbugs to clarify the
> license[6], because it looks like they've been mislabeling it when they
> redistribute. But, it's also possible that they've been able to relicense
> under AL2, and forgot to update their docs which still say it's BSD.
> * jsr305 is used by us during the build, as a test dependency. it looks
> like that's okay, since we're not bundling it[7].
> * It is also used as a compile and/or runtime transitive dependency via
> Apache Spark. Even if we did depend on it directly, it seems like it should
> be fine because it's an optional part of the project[8], as long as we're
> not bundling it, and we're not.
> * Is it a problem for Apache Spark to depend on this directly? If it's
> not, I can't imagine it would be for us to depend on it transitively,
> through them.
>
> [1]:
> https://github.com/findbugsproject/findbugs/blob/3.0.1/findbugs/licenses/LICENSE-jsr305.txt
> [2]: https://jcp.org/en/jsr/detail?id=305
> [3]: https://groups.google.com/forum/#!topic/jsr-305/gQWGmiWMjE8
> [4]:
> https://repo1.maven.org/maven2/com/google/code/findbugs/jsr305/3.0.0/jsr305-3.0.0.pom
> [5]:
> https://repo1.maven.org/maven2/com/google/code/findbugs/jsr305/1.3.8/jsr305-1.3.8.pom
> [6]: https://github.com/findbugsproject/findbugs/issues/128
> [7]: http://www.apache.org/legal/resolved.html#prohibited
> [8]: http://www.apache.org/legal/resolved.html#optional
>
>
> On Fri, Oct 21, 2016 at 6:37 PM Josh Elser  wrote:
>
> +1
>
> * Sigs/xsums OK
> * No binaries in release
> * KEYS is accurate
> * Can build from source
> * Direct dependencies OK (beware that you are transitively bringing in
> com.google.code.findbugs:jsr305:jar:3.0.0 which is not compatibly
> licensed -- this should be fixed in the future)
> * No Copyright notices
> * apache-rat:check passes
> * Can run all tests
> * Artifacts built from release appear to be appropriately licensed.
> * Commit is contained in repository
> * Would prefer to see apache-fluo-recipes as the name instead.
>
> - Josh
>
> Keith Turner wrote:
> > Fluo Developers,
> >
> > Please consider the following candidate for Fluo Recipes
> 1.0.0-incubating.
> >
> > Git Commit:
> >  682eff983f1fe6e60b75c36d3b2f782c6a93b155
> > Branch:
> >  1.0.0-incubating-rc1
> >
> > If this vote passes, a gpg-signed tag will be created using:
> >  git tag -f -m 'Apache Fluo Recipes 1.0.0-incubating' -s
> > rel/fluo-recipes-1.0.0-incubating \
> >  682eff983f1fe6e60b75c36d3b2f782c6a93b155
> > Staging repo:
> > https://repository.apache.org/content/repositories/orgapachefluo-1016
> > Source (official release artifact):
> >
> https://repository.apache.org/content/repositories/orgapachefluo-1016/org/apache/fluo/fluo-recipes/1.0.0-incubating/fluo-recipes-1.0.0-incubating-source-release.tar.gz
> > (Append ".sha1", ".md5", or ".asc" to download the signature/hash for a
> > given artifact.)
> >
> > All artifacts were built and staged with:
> >  mvn release:prepare&&  mvn release:perform
> >
> > Signing keys are available at
> > https://www.apache.org/dist/incubator/fluo/KEYS
> > (Expected fingerprint: CF72CA07C8BC86A1C862765F9AACFB56352ACF76)
> >
> > Release notes (in progress) can be found at:
> > https://fluo.apache.org/.../1.0.0-incubating
> >
> > Please vote one of:
> > [ ] +1 - I have verified and accept...
> > [ ] +0 - I have reservations, but not strong enough to vote against...
> > [ ] -1 - Because..., I do not accept...
> > ... these artifacts as the 1.0.0-incubating release of Apache Fluo
> Recipes.
> >
> > This vote will end on Sun Oct 23 22:30:00 UTC 2016
> > (Sun Oct 23 18:30:00 EDT 2016 / Sun Oct 23 15:30:00 PDT 2016)
> >
> > Thanks!
> >
> > P.S. Hint: download the whole

Re: On Findbugs jsr305 (was Re: [VOTE] Apache Fluo Recipes 1.0.0-incubating-rc1)

2016-10-23 Thread Christopher 
Aside from the reporter of that issue's understandable confusion about the
difference between FindBugs license itself and of something bundled with
FindBugs, the evidence seems overwhelming that the artifact is BSD:

- Original developers agreed to BSD on Google Groups forum
- Original repo (as archived on code.google.com) contains BSD LICENSE
- FindBugs repo where it's bundled declares it BSD
- RHEL/CentOS and Fedora RPMs all delcare it BSD
- LICENSE in the current maintainer's repo is BSD (relocated from
code.google.com)
- The current maintainer has acknowledged the incorrect AL2 license in the
Maven Central artifact and is willing to accept a PR to fix[1].

Even if it were LGPL, I still don't think there'd be an issue, because of
how we're using it as a build-dep and transitive-dep for an optional
feature.
If you still think there's an issue, let's please escalate to LEGAL for
resolution.

[1]: https://github.com/amaembo/jsr-305/issues/27


On Sun, Oct 23, 2016 at 2:47 PM Josh Elser  wrote:

> The ambiguity of the conversation you provided in [6] is exactly why I
> have this opinion. Unless one of the devs can definitively say "it is
> BSD", there's way too much mis-information for me to feel comfortable
> with it.
>
> Given the availability of
> https://stephenc.github.com/findbugs-annotations, it's a no-brainer to
> use that instead, IMO.
>
> Specifically to Fluo, I did not inspect its usage that closely. If it's
> only used at build time, then, as you point out, it's a non-issue.
>
> Christopher wrote:
> > What makes you think that jsr305 is not compatibly licensed? I spent some
> > time investigating this and the following is what I found. Unless I've
> > missed something, it looks like there's no issue with jsr305 as a
> > dependency.
> >
> > * It looks to me like it's licensed under BSD. This is according to the
> > findbugs project[1], which has been redistributing the artifact after it
> > effectively went dormant[2]. The Google Groups set up for developing
> jsr305
> > seems to confirm the developers had agreed to distribute it under
> this[3].
> > * It looks like jsr305 is often incorrectly uploaded to Maven Central (by
> > findbugs?) under AL2, which is the license in the POM for our dependency
> > (version 3.0.0) [4]. It was once uploaded (again, seemingly incorrectly)
> as
> > LGPL, but we're not using that version [5].
> > * There is an outstanding GitHub issue for findbugs to clarify the
> > license[6], because it looks like they've been mislabeling it when they
> > redistribute. But, it's also possible that they've been able to relicense
> > under AL2, and forgot to update their docs which still say it's BSD.
> > * jsr305 is used by us during the build, as a test dependency. it looks
> > like that's okay, since we're not bundling it[7].
> > * It is also used as a compile and/or runtime transitive dependency via
> > Apache Spark. Even if we did depend on it directly, it seems like it
> should
> > be fine because it's an optional part of the project[8], as long as we're
> > not bundling it, and we're not.
> > * Is it a problem for Apache Spark to depend on this directly? If it's
> not,
> > I can't imagine it would be for us to depend on it transitively, through
> > them.
> >
> > [1]:
> >
> https://github.com/findbugsproject/findbugs/blob/3.0.1/findbugs/licenses/LICENSE-jsr305.txt
> > [2]: https://jcp.org/en/jsr/detail?id=305
> > [3]: https://groups.google.com/forum/#!topic/jsr-305/gQWGmiWMjE8
> > [4]:
> >
> https://repo1.maven.org/maven2/com/google/code/findbugs/jsr305/3.0.0/jsr305-3.0.0.pom
> > [5]:
> >
> https://repo1.maven.org/maven2/com/google/code/findbugs/jsr305/1.3.8/jsr305-1.3.8.pom
> > [6]: https://github.com/findbugsproject/findbugs/issues/128
> > [7]: http://www.apache.org/legal/resolved.html#prohibited
> > [8]: http://www.apache.org/legal/resolved.html#optional
> >
> > On Fri, Oct 21, 2016 at 6:37 PM Josh Elser  wrote:
> >
> >> +1
> >>
> >> * Sigs/xsums OK
> >> * No binaries in release
> >> * KEYS is accurate
> >> * Can build from source
> >> * Direct dependencies OK (beware that you are transitively bringing in
> >> com.google.code.findbugs:jsr305:jar:3.0.0 which is not compatibly
> >> licensed -- this should be fixed in the future)
> >> * No Copyright notices
> >> * apache-rat:check passes
> >> * Can run all tests
> >> * Artifacts built from release appear to be appropriately licensed.
> >> * Commit is contained in repository
> >> * Would prefer to see apache-fluo-recipes as the name instead.
> >>
> >> - Josh
> >>
> >> Keith Turner wrote:
> >>> Fluo Developers,
> >>>
> >>> Please consider the following candidate for Fluo Recipes
> >> 1.0.0-incubating.
> >>> Git Commit:
> >>>   682eff983f1fe6e60b75c36d3b2f782c6a93b155
> >>> Branch:
> >>>   1.0.0-incubating-rc1
> >>>
> >>> If this vote passes, a gpg-signed tag will be created using:
> >>>   git tag -f -m 'Apache Fluo Recipes 1.0.0-incubating' -s
> >>>