I'll start putting the content into the NOTICE files in trunk. On 26 Oct 2011, at 06:47, Ate Douma (Commented) (JIRA) wrote:
> > [ > https://issues.apache.org/jira/browse/WOOKIE-274?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13135730#comment-13135730 > ] > > Ate Douma commented on WOOKIE-274: > ---------------------------------- > > I finally had a bit of time to review this release candidate to verify it > from legal requirements perspective (I didn't have yet time to actually > build/test/run it). > > I'm sorry to be a pain in the **s again but I'm afraid I already found quite > a number of issues though, and a few serious enough that I regrettably have > to vote -1 on this release candidate ... > > Please note that I know and recognize a *lot* of effort already has been made > to get these legal requirements properly covered and I hope the feedback > below won't make you all feel discouraged and too frustrated. > All this might seem or feel 'just too much' hassle, and it *is* a lot of > hassle to get right initially. But once that is settled, maintaining it > becomes mostly a trivial task, although it always will remain requiring > proper verification. > And I think its getting close now and the issues below probably/hopefully > shouldn't take too much work anymore to fix. > > To start with the release blockers: > - both the binary distributions don't have the required NOTICE file (the > wookie.war within them *does* have one, but the requirement concerns the > distribution archive itself, e.g. the .zip or tar.gz) > - the wookie-0.9.1-incubating -sources.jar and -javadoc.jar don't have *any* > of the required legal files embedded (NOTICE, LICENSE, DISCLAIMER missing) > - those NOTICE files which are provided only contain a single notice about > Wookie itself, while several of the artifacts contain 3rd party licensed > sources and/or binaries requiring to be mentioned in the NOTICE file, like > jdom, json, slf4j, ... etc. Note that this is a regression from the > 0.9.0-incubating release which did provide the needed notices (although in > some cases more notices than needed) > > To reiterate the requirements for both the NOTICE and LICENSE files: > a) The NOTICE file should mention requirement notices for all 3rd party > licensed sources and/or binaries which are contained within the release > artifact/archive (and preferably only those) > For the -src, -sources and -javadoc artifacts this typically only needs to > mention the project itself (Wookie), but might also require additional > notices for (only) those 3rd party licensed "sources" which. > The latter is the case for the Wookie -src distribution like for the checked > in jquery, yui, flexiframe, sources, etc. Those 3rd party licenses *are* > properly listed in the LICENSE file but they also need to be mentioned > (noticed) in the NOTICE file. > b) The LICENSE file should list all used/needed licensed for the objects > *within* the release artifact/archive (and preferably only those) > > In addition to the above I have a few more findings and recommendations which > are not blockers but suggested to look into and preferably resolve before a > next release: > - The wookie-parser wookie-java-connector jars (all 3 types) come with a > LICENSE file listing way too many 3rd party licenses. Most likely these > LICENSE files only need to contain the Apache license itself as/if no other > 3rd party licensed source or binary is contained in them. > - The provided pom files all have a <scm> definition pointing to the wookie > svn *trunk* location, these should preferably point to the actual (and final) > tag location where this release sources can be found. > Note: the way the Wookie release currently is done/prepared using a > (temporary) branch makes this a bit difficult as *during* the release period > the final tag location (e.g. /wookie/tags/0.9.1-incubating) doesn't exist yet! > The typical/common release procedure is to first create the final tag, and > then/thereafter produce the (final) release candidate artifacts from that tag. > It is also not recommended to modify a tag once created, so 'fixing' a > release candidate which already is up for vote (or worse: afterwards) is seen > as bad practice/pattern as it makes the tag 'unreliable' and more difficult > to verify if it still is the same as downloadable source distribution to be > verified. > - The -src, -standalone and -war distributions have an embedded root folder > called "Apache-Wookie". A more commonly used pattern/format is > "apache-[project]-[version]" (all in lowercase) similar to or same as the > distribution name itself. > That is less dangerous and easier for the end user so that extracting > distributions keeps different versions nicely separated without potentially > overriding each other. > > > > >> Test 0.9.1 RC1 Builds >> --------------------- >> >> Key: WOOKIE-274 >> URL: https://issues.apache.org/jira/browse/WOOKIE-274 >> Project: Wookie >> Issue Type: Task >> Components: Build and Distributions >> Affects Versions: 0.9.1 >> Reporter: Paul Sharples >> Fix For: 0.9.1 >> >> >> Release Artifacts >> http://people.apache.org/~psharples/wookie/staging-area/0p9p1/rc1/ >> Maven Artifacts >> https://repository.apache.org/content/repositories/orgapachewookie-088/org/apache/wookie >> > > -- > This message is automatically generated by JIRA. > If you think it was sent incorrectly, please contact your JIRA > administrators: > https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa > For more information on JIRA, see: http://www.atlassian.com/software/jira > >
