Thanks Chris. I will first try and address the obvious ones and then start a discussion with legal-discuss.
Suresh

On Feb 6, 2012, at 11:20 PM, Mattmann, Chris A (388J) wrote:

> Hi Suresh,
>
> I'd start by taking Ate's compiled list of questions, prioritizing them, and then taking those "high level" issues to the list. Then you can drill down where necessary.
>
> Cheers,
> Chris
>
> On Feb 6, 2012, at 8:11 PM, Suresh Marru wrote:
>
>> Hi Chris,
>>
>> That will be extremely helpful. How do you suggest to involve them? Should we build the artifacts and ask their opinions on blockers vs non-blockers? By any chance will they have exercise to review the maven build system and also make suggestions on making improvements so LICENSES get copied correctly?
>>
>> Thanks,
>> Suresh
>>
>> On Feb 6, 2012, at 11:11 PM, Mattmann, Chris A (388J) wrote:
>>
>>> Guys, how about getting legal-discuss involved, with some specific, pointed questions?
>>>
>>> I'm sure Ate's review was thorough but it might be good for the legal-discuss committee to weigh in on "blockers" versus "would be nice, but can move on".
>>>
>>> We've found legal-discuss super effective and helpful in OODT-ville...
>>>
>>> Cheers,
>>> Chris
>>>
>>> On Feb 6, 2012, at 8:03 PM, Suresh Marru wrote:
>>>
>>>> Hi Ate,
>>>>
>>>> Thank you for taking time to do the review. I will retract the vote and work on these blockers.
>>>>
>>>> Can you help us how to verify these ourselves? How do you check them, manually or are there any tricks we can learn to validate before putting out the vote?
>>>>
>>>> Thanks,
>>>> Suresh
>>>>
>>>> On Feb 6, 2012, at 9:28 PM, Ate Douma wrote:
>>>>
>>>>> Hi guys,
>>>>>
>>>>> While this candidate definitely is improved a lot on the NOTICE and LICENSE requirements, I've again found quite a lot of missing NOTICEs and LICENSEs which are required to be provided, leading me to again vote -1 on this release.
>>>>>
>>>>> Looking at the binary distribution, I started with checking the bundled artifacts under /lib and /standalone-server/lib and validating the provided root /NOTICE and /LICENSE files against them.
>>>>>
>>>>> As a first example, the bundled axis2 jars each have their own (embedded) NOTICE file with 3rd party notices which should have been merged in the binary distribution's own (root) NOTICE file, e.g. like the following fragments (from axis2-adb-1.5.1.jar):
>>>>>
>>>>> This product also includes WS-* schemas developed by International Business Machines Corporation, Microsoft Corporation, BEA Systems, TIBCO Software, SAP AG, Sonic Software, and VeriSign
>>>>>
>>>>> This product also includes a WSDL developed by salesforce.com
>>>>> - Copyright 1999-2006 salesforce.com, inc.
>>>>>
>>>>> The bundled derby jars also come with an extensive embedded NOTICE file. Some parts of that have been merged into the root NOTICE, but some not. Maybe not everything in it is applicable, but I think there are at least some required parts missing. As a reference I compared that with the bundled jackrabbit-standalone-2.2.7.jar which itself also embeds Derby, and there you'll see they at least have the following added section:
>>>>>
>>>>> The JDBC apis for small devices and JDBC3 (under java/stubs/jsr169 and java/stubs/jdbc3) were produced by trimming sources supplied by the Apache Harmony project. The following notice covers the Harmony sources:
>>>>>
>>>>> Portions of Harmony were originally developed by Intel Corporation and are licensed to the Apache Software Foundation under the "Software Grant and Corporate Contribution License Agreement", informally known as the "Intel Harmony CLA".
>>>>>
>>>>> And that jackrabbit-standalone-2.2.7.jar brings in quite some other (missing) NOTICEs as well, like:
>>>>>
>>>>> Based on source code originally developed by Day Software (http://www.day.com/).
>>>>>
>>>>> This product includes software from the following contributions:
>>>>>
>>>>> Original BZip2 classes contributed by Keiron Liddle <[email protected]>, Aftex Software to the Apache Ant project
>>>>>
>>>>> Original Tar classes from contributors of the Apache Ant project
>>>>>
>>>>> Original Zip classes from contributors of the Apache Ant project
>>>>>
>>>>> Original CPIO classes contributed by Markus Kuss and the jRPM project (jrpm.sourceforge.net)
>>>>>
>>>>> Please remember: the ASL 2.0 license, section 4d) *legally* requires us to retain (thus merge) *every* NOTICE of embedded 3rd party artifacts. This is why keeping the NOTICE file as small as possible (but not smaller) really is important for our downstream users. Which won't be easy with Airavata because of its many, many 3rd party dependencies.
>>>>>
>>>>> And there also are issues with the LICENSE file: like for example the jackrabbit-standalone-2.2.7.jar its /META-INF/LICENSE file has many licenses which should be merged into the root LICENSE file of the Airavata distribution but currently are missing.
>>>>>
>>>>> Without going through each and every bundled artifact, which might lead to a very long list of issues, I can already conclude the requirements for the NOTICE and LICENSE files still aren't met.
>>>>>
>>>>> Regrettably, I don't have the time right now to do a full and thorough scan of all the possible missing pieces. Airavata is quite a big project on its 3rd party usages (which is cool), but that also comes at the price of quite extensive due diligence work concerning the LICENSE and NOTICE requirements. I've been through a similar exercise for Apache Rave and Apache Shindig last week (which together are many times smaller on their 3rd party dependencies) and that alone already took me many hours if not days to complete.
>>>>>
>>>>> I do think you're on the right track, but it just isn't completely done yet.
>>>>>
>>>>> Besides the above serious issues, I have a few additional suggestions for improvements (not truly blockers) I'd like to point out:
>>>>>
>>>>> - Many/most NOTICE files show to be concatenated: they contain many duplications of sections like: "This product includes software developed at The Apache Software Foundation (http://www.apache.org/).", many times over. You might want to clean that up, it should only be needed as the initial notice at the top. And there are other types of fragments duplicated as well.
>>>>>
>>>>> - NOTICE and LICENSE files under [...]/src/main/appended-resources are intended to be *appended* to the default NOTICE and LICENSE files already provided by the maven-remote-resources-plugin. Meaning: you shouldn't provide the default (Airavata based) initial notice in the NOTICE file, nor should you need to include the ASL 2.0 license in the LICENSE file. As it is now, these are all duplicated within the final artifacts.
>>>>>
>>>>> I'd like to suggest to really check the final embedded NOTICE and LICENSE files in all build artifacts, the above two issues should be easy to spot.
>>>>>
>>>>> Kind regards,
>>>>>
>>>>> Ate
>>>>>
>>>>>
>>>>> On 02/06/2012 05:35 AM, Suresh Marru wrote:
>>>>>> Discussion thread for vote on airavata 0.2-incubating release candidate 3.
>>>>>>
>>>>>> If you have any questions or feedback or to post results of validating the release, please reply to this thread. Once you verify the release, please post your vote to the VOTE thread.
>>>>>>
>>>>>> For reference, the Apache release guide - http://www.apache.org/dev/release.html
>>>>>> Incubator specific release guidelines - http://incubator.apache.org/guides/releasemanagement.html
>>>>>>
>>>>>> Some tips to validate the release before you vote:
>>>>>>
>>>>>> * Download the binary version and run the 5 minute or 10 minute tutorial as described in README and website.
>>>>>> * Download the source files from compressed files and release tag and build (which includes tests).
>>>>>> * Verify the distribution for the required LICENSE, NOTICE and DISCLAIMER files
>>>>>> * Verify if all the staged files are signed and the signature is verifiable.
>>>>>> * Verify if the signing key in the project's KEYS file is hosted on a public server
>>>>>>
>>>>>> Thanks for your time in validating the release and voting,
>>>>>> Suresh
>>>>>
>>>>
>>>
>>>
>>> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>> Chris Mattmann, Ph.D.
>>> Senior Computer Scientist
>>> NASA Jet Propulsion Laboratory Pasadena, CA 91109 USA
>>> Office: 171-266B, Mailstop: 171-246
>>> Email: [email protected]
>>> WWW: http://sunset.usc.edu/~mattmann/
>>> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>> Adjunct Assistant Professor, Computer Science Department
>>> University of Southern California, Los Angeles, CA 90089 USA
>>> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>>
>>
>
signature.asc
Description: Message signed with OpenPGP using GPGMail
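The two checks Ate describes in the thread above (comparing the root NOTICE and LICENSE of a binary distribution against the META-INF/NOTICE and META-INF/LICENSE files embedded in each bundled jar, and spotting the duplicated "This product includes software developed at ..." boilerplate that concatenated appended-resources fragments produce) can be scripted so a release manager can run them before calling a vote. The script below is an added example written for this page; it is not code from the thread, from the Airavata project, or from any Apache tooling. The jar names, NOTICE/LICENSE texts and the default `lib` / `standalone-server/lib` directories of `audit_unpacked_distribution` are constructed for illustration (the directory names are taken from Ate's description), and treating the standard ASF attribution paragraph as "expected once, never missing" is this example's own design choice.

```python
"""Audit a binary distribution's root NOTICE and LICENSE against the NOTICE/LICENSE
files embedded in its bundled jars, and flag duplicated boilerplate paragraphs.
Added example; all sample jars and texts below are constructed, not real artifacts."""
import io
import re
import zipfile
from pathlib import Path

# Standard ASF attribution: it belongs once at the top of the root NOTICE, so it is
# never reported as "missing" from the root, while repeats of it are reported as duplicates.
ASF_BOILERPLATE = ("This product includes software developed at "
                   "The Apache Software Foundation (http://www.apache.org/).")


def _norm(text):
    """Collapse all whitespace so line wrapping does not affect comparisons."""
    return " ".join(text.split())


def _paragraphs(text):
    """Split a NOTICE/LICENSE body into whitespace-normalized, blank-line separated paragraphs."""
    return [_norm(p) for p in re.split(r"\n\s*\n", text.strip()) if _norm(p)]


def embedded_notices(jar_bytes):
    """Return {'NOTICE': text, 'LICENSE': text} for files directly under META-INF/ in a jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            parts = name.split("/")
            if len(parts) == 2 and parts[0].upper() == "META-INF":
                kind = parts[1].upper().split(".")[0]   # NOTICE, NOTICE.txt, LICENSE, ...
                if kind in ("NOTICE", "LICENSE"):
                    found[kind] = zf.read(name).decode("utf-8", "replace")
    return found


def missing_fragments(root_text, embedded_text, skip=(ASF_BOILERPLATE,)):
    """Paragraphs of an embedded NOTICE/LICENSE that were not merged into the root file.
    Substring match on normalized text: a heuristic, so results still need a human look."""
    root_norm = _norm(root_text)
    skip_norm = {_norm(s) for s in skip}
    return [p for p in _paragraphs(embedded_text) if p not in skip_norm and p not in root_norm]


def duplicated_paragraphs(text):
    """Paragraphs occurring more than once: the symptom of concatenated NOTICE fragments."""
    counts = {}
    for p in _paragraphs(text):
        counts[p] = counts.get(p, 0) + 1
    return sorted(p for p, n in counts.items() if n > 1)


def audit_distribution(root_notice, root_license, jars):
    """jars: {jar name: jar bytes}. Returns {jar name: {'NOTICE': [...], 'LICENSE': [...]}}
    listing only the jars that have unmerged fragments."""
    report = {}
    for name, data in jars.items():
        emb = embedded_notices(data)
        entry = {}
        if "NOTICE" in emb:
            entry["NOTICE"] = missing_fragments(root_notice, emb["NOTICE"])
        if "LICENSE" in emb:
            entry["LICENSE"] = missing_fragments(root_license, emb["LICENSE"])
        if any(entry.values()):
            report[name] = entry
    return report


def audit_unpacked_distribution(dist_root, lib_dirs=("lib", "standalone-server/lib")):
    """Run the audit on an unpacked binary distribution on disk (hypothetical helper)."""
    root = Path(dist_root)
    jars = {}
    for d in lib_dirs:
        for p in sorted((root / d).glob("*.jar")):
            jars[str(p.relative_to(root))] = p.read_bytes()
    return audit_distribution((root / "NOTICE").read_text(errors="replace"),
                              (root / "LICENSE").read_text(errors="replace"), jars)


# ---- constructed sample data (not real artifacts) ---------------------------------------
def _make_jar(notice=None, license_text=None):
    """Build a minimal in-memory jar carrying the given META-INF/NOTICE and META-INF/LICENSE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if notice:
            zf.writestr("META-INF/NOTICE", notice)
        if license_text:
            zf.writestr("META-INF/LICENSE", license_text)
    return buf.getvalue()


SALESFORCE = "This product also includes a WSDL developed by salesforce.com\n- Copyright 1999-2006 salesforce.com, inc.\n"
WS_SCHEMAS = ("This product also includes WS-* schemas developed by International\nBusiness Machines "
              "Corporation, Microsoft Corporation, BEA Systems,\nTIBCO Software, SAP AG, Sonic Software, and VeriSign\n")
ASF_WRAPPED = "This product includes software developed at\nThe Apache Software Foundation (http://www.apache.org/).\n"
APACHE_HEADER = "Apache License, Version 2.0, January 2004, http://www.apache.org/licenses/ (text abbreviated in this sample)\n"

# Root NOTICE with the ASF boilerplate duplicated, as Ate observed in the concatenated files.
SAMPLE_ROOT_NOTICE = "Sample Distribution (constructed)\nCopyright 2012 Sample Contributors\n\n" + ASF_WRAPPED + "\n" + SALESFORCE + "\n" + ASF_WRAPPED
SAMPLE_ROOT_LICENSE = APACHE_HEADER
SAMPLE_JARS = {
    "lib/sample-soap.jar": _make_jar(notice="Sample SOAP Library (constructed)\nCopyright 2012 Sample Contributors\n\n"
                                           + ASF_WRAPPED + "\n" + WS_SCHEMAS + "\n" + SALESFORCE),
    "lib/sample-db.jar": _make_jar(notice=ASF_WRAPPED, license_text=APACHE_HEADER + "\nSample permissive license (constructed): permission is hereby granted to use this sample.\n"),
    "standalone-server/lib/sample-clean.jar": _make_jar(notice=ASF_WRAPPED + "\n" + SALESFORCE),
}

if __name__ == "__main__":
    print("duplicated root NOTICE paragraphs:", duplicated_paragraphs(SAMPLE_ROOT_NOTICE))
    for jar, entry in audit_distribution(SAMPLE_ROOT_NOTICE, SAMPLE_ROOT_LICENSE, SAMPLE_JARS).items():
        for kind, missing in entry.items():
            for para in missing:
                print(f"{jar}: {kind} fragment not merged into root: {para[:70]}...")
```

The report lists only jars whose embedded fragments are absent from the root file, so a clean jar (all of its notices already merged) produces no output, and the duplicate check points at the exact boilerplate paragraph that should survive only once at the top. The matching is a whitespace-insensitive substring test: reflowed wording, changed punctuation, or a NOTICE stored outside META-INF/ will slip past it, so the script narrows the manual review Ate describes rather than replacing it.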
