Sorry I must do this … but …
-1 (Chirs)
[MINOR] Download all staged artifacts under the url specified in the release
vote email.
* Generally, we like our download artifacts to be prefixed with “apache-“
* Most projects generally use a {version}/{rc}/ directory structure with a
KEYS file in the projects root
[FAILED] Verify the signature is correct.
* No KEYS file containing the public signatures of the release-manager used
to sign the release
* Couldn’t find key on any public servers I searched
[OK] Check if the signature references an Apache email address.
[OK] Verify the SHA512 hashes.
* Both Hashes match
[OK] Unpack the archive.
[OK] Verify the existence of LICENSE, NOTICE files in the extracted source
bundle.
[MINOR] Verify the content of LICENSE, NOTICE files in the extracted source
bundle.
* The NOTICE file of the plugins archive references 2021
[FAILED] [RM] Run RAT externally to ensure there are no surprises.
* Main bundle:
* 1924 Unknown Licenses for the main bundle (Attached as rat.txt)
* Some sources seem to be GPL licensed:
*
BuildStream-1.95.4.dev0/src/buildstream/_scheduler/queues/cachequeryqueue.py
* Some sources don’t seem to be having any header:
* BuildStream-1.95.4.dev0/src/buildstream/_scheduler/resources.py
* Tests/integration/project/files/amhello.tar.gz (all other copies of
this file too) is a binary file (which is generally not allowed) and contains
GPL licensed content and is infringing that license by not distributing the
license with it (which is even less allowed).
* Admittedly I stopped a detailed analysis of other problems as this is
already enough for a -1
* Plugin bundle:
* Rat reports: 17 Unknown Licenses for the plugin bundle (Attached as
rat-plugin.txt)
[OK] Search for Copyright references, and if they are in headers, make sure
these files containing them are mentioned in the LICENSE file.
I’ve uploaded the rat.log and rat-plugin.log here:
https://drive.google.com/drive/folders/1FaQj8TZbH3XMXxEvpEPazOGFd9L0rL4z?usp=sharing
From: Benjamin Schubert <[email protected]>
Date: Saturday, 5. November 2022 at 16:26
To: [email protected] <[email protected]>
Subject: Re: [VOTE] Release buildstream / plugins 1.95.4 as 2.0
Hey everyone,
> Le mer. 26 oct. 2022 à 15:55, Tristan Van Berkom
> [email protected] a écrit :
>
> > buildstream-plugins-1.95.3.tar.gz
> > ---------------------------------
> > sha256: 2d33ed4cba762ccc09bbea060e089db08da5ce6150f903a03928da004dcaa387
> > sha512:
> > ee22235884e7dfa54f40bd2baa2df1c26284ce19b4393310cd54dbf60b9789dd075eadacb3189b2002b3254025ed02129fc2e451cadd48ce9ff4da4e8de8a92d
> >
> > BuildStream-1.95.4.dev0.tar.gz
> > ------------------------------
> > sha256: 77f3aafa1268e4128108ac54fd6231cd5b548b0f2b00d84c9c83fc19f7095f60
> > sha512:
> > 7cb335cc837cc70022ac398055e64c691863898daa2a9d0ae89270796b576e2ae692a2583c1a798cc34ba4769f73b92ff98ed26965f2ea2108df2c7ec490bc90
>
-0
I believe https://github.com/apache/buildstream/issues/1787 should be a blocker
for this release, as it would otherwise negatively impact the first experience
with it.
