incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From James Sirota <jsir...@hortonworks.com>
Subject [Result] [VOTE] Releasing Apache Metron 0.2.0BETA-RC3
Date Fri, 19 Aug 2016 23:03:30 GMT
Vote passes with 3 +1 binding votes:
- Taylor Goetz 
- Billie Rinaldi
- Josh Elser

And One non-binding vote

- Debo Dutta

Thanks to everyone who voted

James






On 8/17/16, 9:39 AM, "Josh Elser" <elserj@apache.org> wrote:

>Casey,
>
>Thanks so much for the quick turn-around on JIRA issues. Great to see :)
>
>Re: findbug's jsr305 jar, yup, that is precisely the confusion I have 
>with it. I would encourage use of 
>https://github.com/stephenc/findbugs-annotations/ just to avoid any 
>potential issues. This person has done a few clean-room impls which are 
>ASLv2 licensed which are super helpful. I know of two projects now which 
>have successfully swapped these jars and have not faced any issues.
>
>- Josh
>
>Casey Stella wrote:
>> Josh,
>>
>> You are of course correct on all points.
>>
>>     - We neglected to be careful about the implications of binary bundling
>>     and transitive dependencies (JIRA
>>     <https://issues.apache.org/jira/browse/METRON-374>).
>>     - It's a good idea to use ephemeral ports on our integration test
>>     components (JIRA<https://issues.apache.org/jira/browse/METRON-375>).
>>     - We should correct the issues with the webpage (JIRA
>>     <https://issues.apache.org/jira/browse/METRON-376>)
>>
>> Regarding Findbugs, if you open up the pom
>> <http://central.maven.org/maven2/com/google/code/findbugs/jsr305/1.3.9/jsr305-1.3.9.pom>
>> from com.google.code.findbugs:jsr305-1.3.9 the ASLv2 is referenced.  That
>> being said, it's pretty clear that findbugs itself is lgpl, so I am also
>> confused.  Regardless, a more careful inspection and handling of our
>> transitive dependencies is obviously called for.  Thanks for the careful
>> attention. :)
>>
>> Casey
>>
>> On Wed, Aug 17, 2016 at 1:27 AM, Josh Elser<elserj@apache.org>  wrote:
>>
>>> +1 with reservations (binding)
>>>
>>> * DISCLAIMER present
>>> * LICENSE/NOTICE seem reasonable
>>> * xsums/sigs OK
>>> * Can build from source
>>> * Unit tests pass (after I stopped my local hbase instance, maybe you
>>> could use random ports from the ephemeral range for your test services
>>> instead of the default service ports)
>>> * Integration tests didn't (I stopped after a failure in
>>> BulkLoadMapperIntegrationTest)
>>> * Tag is deployed and matches VOTE
>>> * Overly aggressive RAT exclusions, but it passes and seems ok. Would
>>> strongly recommend you prune this list in the future to make sure you don't
>>> start shipping files which do not have a license header. You presently have
>>> many exclusions for files which don't even exist in the codebase.
>>>
>>> Reservations:
>>>
>>> It is important to make sure that not only is the source-release artifact
>>> properly licensed, but the resulting artifacts that source-release creates
>>> are also properly licensed (in other words: the jars your build creates).
>>>
>>> Your shaded jars are not correctly licensed. For example, you include
>>> org.abego.treelayout:org.abego.treelayout.core:jar:1.0.1 in
>>> metron-common-0.2.0BETA.jar which is 3-clause BSD licensed, yet the
>>> contained META-INF/LICENSE file has no mention of this. I also see a number
>>> of CDDL licensed jars being included.
>>>
>>> The most worrisome artifact I see included is
>>> com.google.code.findbugs:jsr305-1.3.9 in multiple artifacts
>>> (metron-pcap-backend-0.2.0BETA.jar for one). This artifact befuddles me
>>> because it is completely unclear whether it is GPL'ed or ASLv2 (last I
>>> checked, documentation was not clear at all). Ironically, you also have
>>> com.github.stephenc.findbugs:findbugs-annotations:jar:1.3.9-1 included
>>> which is a clearly ASLv2 licensed implementation of the same spec (we won't
>>> get into me asking "why" both are included *winks*).
>>>
>>> I don't think you need to fix these for this release, but you should make
>>> an effort to do this before your next release. Yes, it sucks. Yes, you're
>>> not the only one who has done it/will do it again.
>>>
>>> Branding:
>>>
>>> Took a look at your website too.
>>>
>>> * Your required ASF navigation links are not present
>>> http://www.apache.org/foundation/marks/pmcs.html#navigation
>>> * Incubator disclaimer and logo are present (yay)
>>> * Noticed "Ambari" and not "Apache Ambari" on
>>> http://metron.incubator.apache.org/documentation/. Would be good to make
>>> sure you're using proper names for ASF projects.
>>>
>>>
>>>
>>> James Sirota wrote:
>>>
>>>> This release is exactly the same as RC2, but the Mozilla licensed file
>>>> was removed so it doesn’t cause problems for us on the incubator general
>>>> boards. We no longer use it so we just removed it.
>>>>
>>>> This is a call to vote on releasing Apache Metron 0.2.0BETA-RC3 incubating
>>>>
>>>> Full list of changes in this release:
>>>>
>>>> https://dist.apache.org/repos/dist/dev/incubator/metron/0.2.
>>>> 0BETA-RC3-incubating/CHANGES
>>>>
>>>> The tag/commit to be voted upon is Metron_0.2.0BETA_rc3:
>>>>
>>>> <https://git-wip-us.apache.org/repos/asf?p=incubator-metron.
>>>> git;a=commit;h=75642001803396e8884385b0fc297a2312ead3eb>http
>>>> s://git-wip-us.apache.org/repos/asf?p=incubator-metron.
>>>> git;a=commit;h=75642001803396e8884385b0fc297a2312ead3eb
>>>>
>>>> The source archive being voted upon can be found here:
>>>>
>>>> https://dist.apache.org/repos/dist/dev/incubator/metron/0.2.
>>>> 0BETA-RC3-incubating/apache-metron-0.2.0BETA-RC3-incubating.tar.gz
>>>>
>>>> Other release files, signatures and digests can be found here:
>>>> https://dist.apache.org/repos/dist/dev/incubator/metron/0.2.
>>>> 0BETA-RC3-incubating/
>>>> <https://dist.apache.org/repos/dist/dev/incubator/metron/0.
>>>> 2.0BETA-RC3-incubating/>
>>>> The release artifacts are signed with the following key:
>>>>
>>>> <https://git-wip-us.apache.org/repos/asf?p=incubator-metron.
>>>> git;a=blob;f=KEYS;h=c11bcb9b7385b4d155501aa097afd890f1070a18
>>>> ;hb=75642001803396e8884385b0fc297a2312ead3eb>https://git-
>>>> wip-us.apache.org/repos/asf?p=incubator-metron.git;a=blob;f=
>>>> KEYS;h=c11bcb9b7385b4d155501aa097afd890f1070a18;hb=756420018
>>>> 03396e8884385b0fc297a2312ead3eb
>>>>
>>>>
>>>> Please vote on releasing this package as Apache Metron 0.2.0BETA-RC3
>>>> incubating
>>>>
>>>> When voting, please list the actions taken to verify the release.
>>>> Recommended build validation and verification instructions are posted
>>>> here:
>>>> https://cwiki.apache.org/confluence/display/METRON/Verifying+Builds
>>>>
>>>> This vote will be open for at least 72 hours.
>>>>
>>>> [ ] +1 Release this package as Apache Metron 0.2.0BETA-RC3 incubating
>>>> [ ] 0 No opinion
>>>> [ ] -1 Do not release this package because...
>>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
>>> For additional commands, e-mail: general-help@incubator.apache.org
>>>
>>>
>>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
>For additional commands, e-mail: general-help@incubator.apache.org
>
>
Mime
View raw message