Hi Christofer, On Wed, 2022-10-19 at 06:16 +0000, Christofer Dutz wrote: > Hi, > > And as I took the liberty of reviewing the 1.6.8 release according to the ASF > rules, this would have been my response (Please use it as you like) > It should point out things that should be addressed for a first Apache > release. > Things I usually don't check in my reviews as I never actually had to check > it: > - Apache releases should be available from Apache servers > https://www.apache.org/dyn/closer.lua or https://archive.apache.org > > Hope this helps with the first release.
The BuildStream project has never made an official Apache release and this will be the first one, so we're learning the ropes here. Please take note that BuildStream was previously under LGPL, as remains the case for the 1.x series, which is not under active feature development but widely used and needs to have periodic bugfix releases to address user issues (until it is eventually obsoleted by users transitioning to the new BuildStream 2). While we do not do "official apache releases" of BuildStream 1, periodically tagging and announcing BuildStream 1 bugfix releases is mandatory. While I hope this clarifies things for your review of 1.6.8, I still have a question regarding your response, my understanding of the release policy (which I've read multiple times in the previous months), is that release artifacts are only to be published on apache infrastructure *after* the release candidate is approved by the PMC: https://www.apache.org/legal/release-policy.html#release-distribution Is there something we did wrong in the process of proposing this release candidate to PMC members ? Best Regards, -Tristan > > Chris > > ------- > > -1 > > Chris > > [FAILED] Download all staged artifacts under the url specified in the > release vote email. > No signed artifacts, downloaded zip package from GitHub, no > signatures or hashes > [FAILED] Verify the signature is correct. > No signature > [FAILED] Check if the signature references an Apache email address. > No signature > [FAILED] Verify the SHA512 hashes. > No hashes > [OK] Unzip the archive. > [OK] Verify the existence of LICENSE, NOTICE files in the extracted > source bundle. > [MINOR] Verify the content of LICENSE, NOTICE files in the extracted > source bundle. > Notice references 2021 and not 2022 > [FAILED] [RM] Run RAT externally to ensure there are no surprises. > MANY files without Apache headers at all (Searching for > http://www.apache.org/licenses/LICENSE-2.0 in the doc folder only > brought one result at all, even in the tests directory there are > Apache headers only on a few files) > The list of non-approved license headers is 2078 lines/files long > There are binary files in there: While I would call the ODG files > sort of ok (OpenDocument Graphic File), the test contain archives > which we generally don't like to see > doc/bst2html.py is an MIT licensed file not mentioned in the LICENSE > file > The used Apache headers in generally all files are non-standard > headers, which contain Copyright information to “Copyright (C) 2018 > Codethink Limited”) See here to how they should look like: > https://www.apache.org/legal/src-headers.html > [FAILED] Search for Copyright references, and if they are in headers, > make sure these files containing them are mentioned in the LICENSE > file. > There’s code with Copyright headers for (All of these in various > flavors), none of which are mentioned anywhere (NOTICE, LICENSE): > - Copyright (C) 2019 Bloomberg Finance L.P. > - Copyright (C) 2017 Codethink Limited > - Copyright (c) 2014 by Armin Ronacher. > - Copyright 2020 The Bazel Authors. > - Copyright (c) 2015, Google Inc. > - Copyright 2018 Google LLC > > > > > > > > On 2022/10/17 23:46:23 Daniel Gruno wrote: > > Hi Tristan, > > > > As Apache BuildStream is now a TLP, please ensure that all future > > releases agree with the overall release policy, as set out on > > https://www.apache.org/legal/release-policy.html (especially the > > MUST/MUST-NOTs). The document is quite exhaustive, and should cover > > all the various gotchas. > > > > With regards, > > Daniel. > > > > On 2022/10/12 14:51:58 Tristan Van Berkom wrote: > > > Dear BuildStream PMC members, > > > > > > I have now released the 1.95.3 release candidate releases for > > > both the > > > core BuildStream and BuildStream plugins repositories. > > > > > > I don't know about future releases, but for 2.0 we will > > > definitely be > > > releasing the main and plugin repositories together, so it makes > > > sense > > > to also vote on both releases simultaneously. > > > > > > Please take some time (but not too much) to personally assess > > > your > > > confidence in the 1.95.3 releases. > > > > > > To cast your vote, please reply with either a "+1" or a "-1". > > > > > > This proposal counts as my +1, two additional +1s will count as > > > our > > > official consensus to make the 2.0 release, provided that the +1s > > > outnumber any -1s. > > > > > > For additional clarity, below are the specific assets on which we > > > are > > > voting. > > > > > > > > > BuildStream 1.95.3 > > > ------------------ > > > https://files.pythonhosted.org/packages/3a/cc/c5ae68441f8ce2e2cb056b291e7d20181a18d8545e2993161f68d0f2a07c/BuildStream-1.95.3.dev0.tar.gz > > > sha256sum: > > > 4ce6b473e6d6738de30409adb4cd717165ba3ef12a1838fd7a919f9762327859 > > > > > > > > > BuildStream plugins 1.95.3 > > > -------------------------- > > > https://files.pythonhosted.org/packages/93/66/5a583b4b6392e1dca6b448647e1bc99b77f4f1ba3bb5a6185810d2164475/buildstream-plugins-1.95.3.tar.gz > > > sha256sum: > > > e0367ed9ffdb8c3fd8b4811b6d782fa024ea72b41507c60a250c2093880eed90 > > > > > > > > > Cheers, > > > -Tristan > > > > > > > > >
