[
https://issues.apache.org/jira/browse/WOOKIE-274?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13135730#comment-13135730
]
Ate Douma commented on WOOKIE-274:
----------------------------------
I finally had a bit of time to review this release candidate to verify it from
legal requirements perspective (I didn't have yet time to actually
build/test/run it).

I'm sorry to be a pain in the **s again but I'm afraid I already found quite a
number of issues though, and a few serious enough that I regrettably have to
vote -1 on this release candidate ...

Please note that I know and recognize a *lot* of effort already has been made
to get these legal requirements properly covered and I hope the feedback below
won't make you all feel discouraged and too frustrated.

All this might seem or feel 'just too much' hassle, and it *is* a lot of hassle
to get right initially. But once that is settled, maintaining it becomes mostly
a trivial task, although it always will remain requiring proper verification.
And I think it's getting close now and the issues below probably/hopefully
shouldn't take too much work anymore to fix.

To start with the release blockers:
- both the binary distributions don't have the required NOTICE file (the
wookie.war within them *does* have one, but the requirement concerns the
distribution archive itself, e.g. the .zip or tar.gz)
- the wookie-0.9.1-incubating -sources.jar and -javadoc.jar don't have *any* of
the required legal files embedded (NOTICE, LICENSE, DISCLAIMER missing)
- those NOTICE files which are provided only contain a single notice about
Wookie itself, while several of the artifacts contain 3rd party licensed
sources and/or binaries requiring to be mentioned in the NOTICE file, like
jdom, json, slf4j, ... etc. Note that this is a regression from the
0.9.0-incubating release which did provide the needed notices (although in some
cases more notices than needed)

To reiterate the requirements for both the NOTICE and LICENSE files:

a) The NOTICE file should mention requirement notices for all 3rd party
licensed sources and/or binaries which are contained within the release
artifact/archive (and preferably only those)
For the -src, -sources and -javadoc artifacts this typically only needs to
mention the project itself (Wookie), but might also require additional notices
for (only) those 3rd party licensed "sources" which.
The latter is the case for the Wookie -src distribution like for the checked in
jquery, yui, flexiframe, sources, etc. Those 3rd party licenses *are* properly
listed in the LICENSE file but they also need to be mentioned (noticed) in the
NOTICE file.

b) The LICENSE file should list all used/needed licenses for the objects
*within* the release artifact/archive (and preferably only those)

In addition to the above I have a few more findings and recommendations which
are not blockers but suggested to look into and preferably resolve before a
next release:

- The wookie-parser and wookie-java-connector jars (all 3 types) come with a
LICENSE file listing way too many 3rd party licenses. Most likely these LICENSE
files only need to contain the Apache license itself as/if no other 3rd party
licensed source or binary is contained in them.

- The provided pom files all have a <scm> definition pointing to the wookie svn
*trunk* location, these should preferably point to the actual (and final) tag
location where this release sources can be found.
Note: the way the Wookie release currently is done/prepared using a (temporary)
branch makes this a bit difficult as *during* the release period the final tag
location (e.g. /wookie/tags/0.9.1-incubating) doesn't exist yet!
The typical/common release procedure is to first create the final tag, and
then/thereafter produce the (final) release candidate artifacts from that tag.
It is also not recommended to modify a tag once created, so 'fixing' a release
candidate which already is up for vote (or worse: afterwards) is seen as bad
practice/pattern as it makes the tag 'unreliable' and more difficult to verify
if it still is the same as downloadable source distribution to be verified.

- The -src, -standalone and -war distributions have an embedded root folder
called "Apache-Wookie". A more commonly used pattern/format is
"apache-[project]-[version]" (all in lowercase) similar to or same as the
distribution name itself.
That is less dangerous and easier for the end user so that extracting
distributions keeps different versions nicely separated without potentially
overriding each other.

> Test 0.9.1 RC1 Builds
> ---------------------
>
> Key: WOOKIE-274
> URL: https://issues.apache.org/jira/browse/WOOKIE-274
> Project: Wookie
> Issue Type: Task
> Components: Build and Distributions
> Affects Versions: 0.9.1
> Reporter: Paul Sharples
> Fix For: 0.9.1
>
>
> Release Artifacts
> http://people.apache.org/~psharples/wookie/staging-area/0p9p1/rc1/
> Maven Artifacts
> https://repository.apache.org/content/repositories/orgapachewookie-088/org/apache/wookie
>