Hi Chris,

On Sun, Nov 6, 2022 at 11:15 AM Christofer Dutz <[email protected]> wrote:
> Sorry I must do this … but …
>
> -1 (Chris)

To avoid confusion, posting your feedback in the future without adding a "-1" is more helpful and appropriate such that it is not misconstrued as an actual vote.

> [MINOR] Download all staged artifacts under the url specified in the release vote email.
>
>   * Generally, we like our download artifacts to be prefixed with “apache-”

https://dist.apache.org/repos/dist/release/httpd/ as a counter example. That said, I actually see a benefit to the apache- prefix here, given the non ASF maintenance releases. It will make it easier to distinguish.

>   * Most projects generally use a {version}/{rc}/ directory structure with a KEYS file in the project's root
> [FAILED] Verify the signature is correct.

I'm expecting us to put a KEYS file here https://dist.apache.org/repos/dist/release/buildstream/.

>   * No KEYS file containing the public signatures of the release-manager used to sign the release
>   * Couldn’t find key on any public servers I searched
> [OK] Check if the signature references an Apache email address.
> [OK] Verify the SHA512 hashes.
>
>   * Both Hashes match
> [OK] Unpack the archive.
> [OK] Verify the existence of LICENSE, NOTICE files in the extracted source bundle.
> [MINOR] Verify the content of LICENSE, NOTICE files in the extracted source bundle.
>
>   * The NOTICE file of the plugins archive references 2021
> [FAILED] [RM] Run RAT externally to ensure there are no surprises.
>
>   * Main bundle:
>     * 1924 Unknown Licenses for the main bundle (Attached as rat.txt)

The bulk seems to be tests and docs? The docs should be more easily addressable.

>     * Some sources seem to be GPL licensed:
>       * BuildStream-1.95.4.dev0/src/buildstream/_scheduler/queues/cachequeryqueue.py

That's a good catch - this one seems to have slipped through the cracks back when the changes landed in January after iterating on them from September 2021.

>     * Some sources don’t seem to be having any header:
>       * BuildStream-1.95.4.dev0/src/buildstream/_scheduler/resources.py

I can see how this one happened, it didn't have a header since it was introduced in a refactoring in 2018. Good catch as well.

>     * Tests/integration/project/files/amhello.tar.gz (all other copies of this file too) is a binary file (which is generally not allowed) and contains GPL licensed content and is infringing that license by not distributing the license with it (which is even less allowed).

Note that these files all note "This program is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it.", in line with generated autotools files. That said, we could have it not be in a tarball, and also given it is a test, we may be able to download it at test time.

>     * Admittedly I stopped a detailed analysis of other problems as this is already enough for a -1

Your input is appreciated.

>   * Plugin bundle:
>     * Rat reports: 17 Unknown Licenses for the plugin bundle (Attached as rat-plugin.txt)
> [OK] Search for Copyright references, and if they are in headers, make sure these files containing them are mentioned in the LICENSE file.

I see an .asf.yaml file which we don't need to distribute. There's 2 empty __init__.py files, 3 *_requirements.txt files. The egg-info directories are generated. The setup.cfg file seems to have lost its header in the packaging process, as it is there in the source repo. The PKG-INFO file actually needs its Authors reference updated.

> I’ve uploaded the rat.log and rat-plugin.log here:
> https://drive.google.com/drive/folders/1FaQj8TZbH3XMXxEvpEPazOGFd9L0rL4z?usp=sharing

Thanks again.

Cheers,

Sander

> From: Benjamin Schubert <[email protected]>
> Date: Saturday, 5. November 2022 at 16:26
> To: [email protected] <[email protected]>
> Subject: Re: [VOTE] Release buildstream / plugins 1.95.4 as 2.0
>
> Hey everyone,
>
> > On Wed, 26 Oct 2022 at 15:55, Tristan Van Berkom [email protected] wrote:
> >
> > > buildstream-plugins-1.95.3.tar.gz
> > > ---------------------------------
> > > sha256: 2d33ed4cba762ccc09bbea060e089db08da5ce6150f903a03928da004dcaa387
> > > sha512: ee22235884e7dfa54f40bd2baa2df1c26284ce19b4393310cd54dbf60b9789dd075eadacb3189b2002b3254025ed02129fc2e451cadd48ce9ff4da4e8de8a92d
> > >
> > > BuildStream-1.95.4.dev0.tar.gz
> > > ------------------------------
> > > sha256: 77f3aafa1268e4128108ac54fd6231cd5b548b0f2b00d84c9c83fc19f7095f60
> > > sha512: 7cb335cc837cc70022ac398055e64c691863898daa2a9d0ae89270796b576e2ae692a2583c1a798cc34ba4769f73b92ff98ed26965f2ea2108df2c7ec490bc90
> > >
> -0
>
> I believe https://github.com/apache/buildstream/issues/1787 should be a blocker for this release, as it would otherwise negatively impact the first experience with it.
