incubator-general mailing list archives

From Josh Elser
Subject Re: [VOTE] Releasing Apache Metron 0.2.0BETA-RC3
Date Wed, 17 Aug 2016 05:27:11 GMT
+1 with reservations (binding)

* DISCLAIMER present
* LICENSE/NOTICE seem reasonable
* xsums/sigs OK
* Can build from source
* Unit tests pass (after I stopped my local hbase instance, maybe you 
could use random ports from the ephemeral range for your test services 
instead of the default service ports)
* Integration tests didn't (I stopped after a failure in 
* Tag is deployed and matches VOTE
* Overly aggressive RAT exclusions, but it passes and seems ok. Would 
strongly recommend you prune this list in the future to make sure you 
don't start shipping files which do not have a license header. You 
presently have many exclusions for files which don't even exist in the 


It is important to make sure that not only is the source-release 
artifact properly licensed, but the resulting artifacts that 
source-release creates are also properly licensed (in other words: the 
jars your build creates).

Your shaded jars are not correctly licensed. For example, you include 
org.abego.treelayout:org.abego.treelayout.core:jar:1.0.1 in 
metron-common-0.2.0BETA.jar which is 3-clause BSD licensed, yet the 
contained META-INF/LICENSE file has no mention of this. I also see a 
number of CDDL licensed jars being included.

The most worrisome artifact I see included is in multiple artifacts 
(metron-pcap-backend-0.2.0BETA.jar for one). This artifact befuddles me 
because it is completely unclear whether it is GPL'ed or ASLv2 (last I 
checked, documentation was not clear at all). Ironically, you also have 
com.github.stephenc.findbugs:findbugs-annotations:jar:1.3.9-1 included 
which is a clearly ASLv2 licensed implementation of the same spec (we 
won't get into me asking "why" both are included *winks*).

I don't think you need to fix these for this release, but you should 
make an effort to do this before your next release. Yes, it sucks. Yes, 
you're not the only one who has done it/will do it again.


Took a look at your website too.

* Your required ASF navigation links are not present
* Incubator disclaimer and logo are present (yay)
* Noticed "Ambari" and not "Apache Ambari" on Would be good to make 
sure you're using proper names for ASF projects.

James Sirota wrote:
> This release is exactly the same as RC2, but the Mozilla licensed file was removed so it doesn’t cause problems for us on the incubator general boards. We no longer use it so we just removed it.
> This is a call to vote on releasing Apache Metron 0.2.0BETA-RC3 incubating
> Full list of changes in this release:
> The tag/commit to be voted upon is Metron_0.2.0BETA_rc3:
> <;a=commit;h=75642001803396e8884385b0fc297a2312ead3eb>
> The source archive being voted upon can be found here:
> Other release files, signatures and digests can be found here:
> The release artifacts are signed with the following key:
> <;a=blob;f=KEYS;h=c11bcb9b7385b4d155501aa097afd890f1070a18;hb=75642001803396e8884385b0fc297a2312ead3eb>
> Please vote on releasing this package as Apache Metron 0.2.0BETA-RC3 incubating
> When voting, please list the actions taken to verify the release.
> Recommended build validation and verification instructions are posted here:
> This vote will be open for at least 72 hours.
> [ ] +1 Release this package as Apache Metron 0.2.0BETA-RC3 incubating
> [ ] 0 No opinion
> [ ] -1 Do not release this package because...
