incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Bodewig <>
Subject Re: [VOTE] Apache Lucy (incubating) 0.2.0 RC 3
Date Tue, 09 Aug 2011 02:48:19 GMT
On 2011-08-09, Marvin Humphrey wrote:

> On Mon, Aug 08, 2011 at 02:45:30PM +0200, Stefan Bodewig wrote:
>> No kind of functional testing performed, just the normal sanity checks.

> Great, thank you for the review!

>> What kind of SHA algo has been used for the .sha file?

> SHA512.

> GPG was used to produce all sigs and sums.

>   $ gpg --print-md SHA512 apache-lucy-incubating-0.2.0.tar.gz
>   apache-lucy-incubating-0.2.0.tar.gz: 435CE486 CC933673 6A8D6526 C0B31526
>                                        8091B64F 637472E5 70D16513 3EB54054
>                                        E4617DEB E6DA4F3B 3C4842D3 CA4D3B8A
>                                        5B904960 ECF9EF88 3CDD9416 A8E8CF19

>> I've tried all sha*sum tools on my Ubuntu box but neither returns a result
>> that looks close to your .sha file.

> The sum in the .sha artifact file is the same as the one produced by sha512sum,
> though -- just the formatting is different:

>   $ sha512sum apache-lucy-incubating-0.2.0.tar.gz
>   435ce486cc9336736a8d6526c0b315268091b64f637472e570d165133eb54054e4617debe6da4f3b3c4842d3ca4d3b8a5b904960ecf9ef883cdd9416a8e8cf19

I can confirm that.  For some reason I thought the first few numbers
didn't match yesterday.  So the sha512sum is good as well.  You might
want to use a different extension in the future (.sha512) to reduce the
confusion in particular since most Java projects only provide sha1

> Unfortunately, one of the downsides of using GPG to produce the sums is that
> the resulting file cannot be used with e.g. "sha512sum --check":

The same is true for the mvn generated checksum files most Java projects
use.  Those files only contain the hash with no file name of the file
they apply to.  At least this is true for the Java artifacts I have
reviewed in the past.

> However, if I use openssl on my Mac to produce the .md5 and the .sha, I also
> get files that "XXXsum --check" can't parse.  So unless we want to require the
> Lucy RM to produce the sums on a system with the XXXsum executables installed
> (e.g.  Linux), we aren't guaranteed to generate sum files that XXXsum can chew.

I don't think we have ever required anything like that, don't worry.

>> There are 100 files where RAT doesn't recognize the license (because
>> it doesn't recognize the ICU license for example).  A report created
>> with RAT's current trunk and Ant can be found here


>> Yes, I've seen the excludes file but didn't want to allow you any
>> cheating ;-)

> Heh.  I don't really like using the excludes, as I'm wary of inadvertently
> globbing files that shouldn't be excluded.

When I looked through the files I thought that had just happened - I no
longer do so, see below.

> It would be nice if we could comment the rat-excludes file and have
> the relevant comment show up next to each excluded file in the report,
> as that would make auditing easier.

Sounds like an enhancement request for RAT.

>> Inside the snowstem module there are a few files that don't carry a
>> "this file is generated" notice but not any sort of license either, I
>> guess these should be fixed (maybe for the next release as you'll likely
>> get enough +1s anyway).

> With the exception of one JSON file, those files with no licenses are verbatim
> imports from the Snowball project:


>   We have not bothered to insert the licensing arrangement into the text of
>   the Snowball software.


> I would be hesitant to insert copyright and licensing notices into those files
> when the Snowball people have chosen to omit them.  We do include the relevant
> information in NOTICE, though.

Yes, that's OK.  Just from looking at the source files it wasn't clear
to me that this was the case.  It wouldn't have helped in my case if you
had a README inside the snowstem directory as I was only looking at the
RAT report, but a small pointer there might help others.

> That one JSON file is used for testing and is derived from Snowball source
> materials; I would have inserted a "this file is generated" comment, but JSON
> is officially a commentless format.  Instead, there is a README file which sits
> right next to it in the directory which contains the following:

>   The file 'tests.json' and this file were autogenerated by
>  'tests.json' contains materials from the Snowball
>   project.  See the LICENSE and NOTICE files for more information.

This is great.

> As for votes, RC 3 has already garnered three +1 votes from Incubator PMC
> members: Chris Mattmann, Joe Schaefer, and myself -- so in all likelihood it
> will be going forward.

I know.  After your explanations (and pointing out that I'm unable to
compare two numbers 8-) you now have my +1 as well.

> [rat:report]   C:/Users/stefan.bodewig/Desktop/apache-lucy-incubating-0.2.0/log

> This file is not a part of the Lucy distribution, and I assume it was created
> as a side-effect of your review process.  :)



To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message