Hi,

And as I took the liberty of reviewing the 1.6.8 release according to the ASF rules, this would have been my response (please use it as you like). It should point out things that should be addressed for a first Apache release.

Things I usually don't check in my reviews as I never actually had to check it:

- Apache releases should be available from Apache servers https://www.apache.org/dyn/closer.lua or https://archive.apache.org

Hope this helps with the first release.

Chris

-------

-1

Chris

[FAILED] Download all staged artifacts under the url specified in the release vote email.
    No signed artifacts, downloaded zip package from GitHub, no signatures or hashes

[FAILED] Verify the signature is correct.
    No signature

[FAILED] Check if the signature references an Apache email address.
    No signature

[FAILED] Verify the SHA512 hashes.
    No hashes

[OK] Unzip the archive.

[OK] Verify the existence of LICENSE, NOTICE files in the extracted source bundle.

[MINOR] Verify the content of LICENSE, NOTICE files in the extracted source bundle.
    Notice references 2021 and not 2022

[FAILED] [RM] Run RAT externally to ensure there are no surprises.
    - MANY files without Apache headers at all (searching for http://www.apache.org/licenses/LICENSE-2.0 in the doc folder only brought one result at all, even in the tests directory there are Apache headers only on a few files)
    - The list of non-approved license headers is 2078 lines/files long
    - There are binary files in there: While I would call the ODG files sort of ok (OpenDocument Graphic File), the tests contain archives which we generally don't like to see
    - doc/bst2html.py is an MIT licensed file not mentioned in the LICENSE file
    - The used Apache headers in generally all files are non-standard headers, which contain Copyright information to “Copyright (C) 2018 Codethink Limited”. See here for how they should look: https://www.apache.org/legal/src-headers.html

[FAILED] Search for Copyright references, and if they are in headers, make sure these files containing them are mentioned in the LICENSE file.
    There’s code with Copyright headers for (all of these in various flavors), none of which are mentioned anywhere (NOTICE, LICENSE):
    - Copyright (C) 2019 Bloomberg Finance L.P.
    - Copyright (C) 2017 Codethink Limited
    - Copyright (c) 2014 by Armin Ronacher.
    - Copyright 2020 The Bazel Authors.
    - Copyright (c) 2015, Google Inc.
    - Copyright 2018 Google LLC

On 2022/10/17 23:46:23 Daniel Gruno wrote:
> Hi Tristan,
>
> As Apache BuildStream is now a TLP, please ensure that all future releases
> agree with the overall release policy, as set out on
> https://www.apache.org/legal/release-policy.html (especially the
> MUST/MUST-NOTs). The document is quite exhaustive, and should cover all the
> various gotchas.
>
> With regards,
> Daniel.
>
> On 2022/10/12 14:51:58 Tristan Van Berkom wrote:
> > Dear BuildStream PMC members,
> >
> > I have now released the 1.95.3 release candidate releases for both the
> > core BuildStream and BuildStream plugins repositories.
> >
> > I don't know about future releases, but for 2.0 we will definitely be
> > releasing the main and plugin repositories together, so it makes sense
> > to also vote on both releases simultaneously.
> >
> > Please take some time (but not too much) to personally assess your
> > confidence in the 1.95.3 releases.
> >
> > To cast your vote, please reply with either a "+1" or a "-1".
> >
> > This proposal counts as my +1, two additional +1s will count as our
> > official consensus to make the 2.0 release, provided that the +1s
> > outnumber any -1s.
> >
> > For additional clarity, below are the specific assets on which we are
> > voting.
> >
> >
> > BuildStream 1.95.3
> > ------------------
> > https://files.pythonhosted.org/packages/3a/cc/c5ae68441f8ce2e2cb056b291e7d20181a18d8545e2993161f68d0f2a07c/BuildStream-1.95.3.dev0.tar.gz
> > sha256sum: 4ce6b473e6d6738de30409adb4cd717165ba3ef12a1838fd7a919f9762327859
> >
> >
> > BuildStream plugins 1.95.3
> > --------------------------
> > https://files.pythonhosted.org/packages/93/66/5a583b4b6392e1dca6b448647e1bc99b77f4f1ba3bb5a6185810d2164475/buildstream-plugins-1.95.3.tar.gz
> > sha256sum: e0367ed9ffdb8c3fd8b4811b6d782fa024ea72b41507c60a250c2093880eed90
> >
> >
> > Cheers,
> > -Tristan
