Hi Sander,

well … everyone is encouraged to vote … you don’t even have to be a Committer.
That’s why we have the “+1/0/-1” and “+1/0/-1 (binding)” as only binding votes count. At least that’s what we teach projects in the incubator.

From: https://www.apache.org/foundation/voting.html
“PMC members have formally binding votes, but in general communities encourage all their members to vote, even if their votes are only advisory.“

And we generally count everyone interested in a project as that project’s community.

Also, one of the checks we usually do for incubator releases, is that there’s an “apache-“ prefix on the release artifacts. But I did mark it as “MINOR”. But I did click through the repo for other projects and just clicking through the directories starting with “a” more than 90% seem to be prefixing their source bundles with “apache-“. It does however seem, that especially the ancient ASF projects don’t quite seem to follow this strategy, but the newer ones seem to all do it the same way.

If there’s no KEY anywhere, I cannot validate the signature. If I can’t validate the signature technically nobody can vote +1.

Yes … most of the invalid license headers (Or missing ones) refer to test and documentation, however in my understanding these files too should have the headers in place.

Having a look at the amhello.tar.gz again. The “compile” script has this header text:

    # Copyright (C) 1999-2014 Free Software Foundation, Inc.
    # Written by Tom Tromey <[email protected]>.
    #
    # This program is free software; you can redistribute it and/or modify
    # it under the terms of the GNU General Public License as published by
    # the Free Software Foundation; either version 2, or (at your option)
    # any later version.
    #
    # This program is distributed in the hope that it will be useful,
    # but WITHOUT ANY WARRANTY; without even the implied warranty of
    # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    # GNU General Public License for more details.
    #
    # You should have received a copy of the GNU General Public License
    # along with this program. If not, see <http://www.gnu.org/licenses/>.

So, what I wanted to point out, is that we generally expect people, especially those with binding votes (members of the PMC), to do these checks, that I did.

Chris

From: Sander Striker <[email protected]>
Date: Sunday, 6. November 2022 at 14:50
To: [email protected] <[email protected]>
Subject: Re: [VOTE] Release buildstream / plugins 1.95.4 as 2.0

Hi Chris,

On Sun, Nov 6, 2022 at 11:15 AM Christofer Dutz <[email protected]> wrote:

> Sorry I must do this … but …
>
> -1 (Chris)
>

To avoid confusion, posting your feedback in the future without adding a "-1" is more helpful and appropriate such that it is not misconstrued as an actual vote.

> [MINOR] Download all staged artifacts under the url specified in the release vote email.
>
> * Generally, we like our download artifacts to be prefixed with “apache-“
>

https://dist.apache.org/repos/dist/release/httpd/ as a counter example. That said, I actually see a benefit to the apache- prefix here, given the non ASF maintenance releases. It will make it easier to distinguish.

> * Most projects generally use a {version}/{rc}/ directory structure with a KEYS file in the projects root
> [FAILED] Verify the signature is correct.
>

I'm expecting us to put a KEYS file here https://dist.apache.org/repos/dist/release/buildstream/.

> * No KEYS file containing the public signatures of the release-manager used to sign the release
> * Couldn’t find key on any public servers I searched
> [OK] Check if the signature references an Apache email address.
> [OK] Verify the SHA512 hashes.
>
> * Both Hashes match
> [OK] Unpack the archive.
> [OK] Verify the existence of LICENSE, NOTICE files in the extracted source bundle.
> [MINOR] Verify the content of LICENSE, NOTICE files in the extracted source bundle.
>
> * The NOTICE file of the plugins archive references 2021
> [FAILED] [RM] Run RAT externally to ensure there are no surprises.
>
> * Main bundle:
>   * 1924 Unknown Licenses for the main bundle (Attached as rat.txt)
>

The bulk seems to be tests and docs? The docs should be more easily addressable.

>   * Some sources seem to be GPL licensed:
>     * BuildStream-1.95.4.dev0/src/buildstream/_scheduler/queues/cachequeryqueue.py
>

That's a good catch - this one seems to have slipped through the cracks back when the changes landed in January after iterating on them from September 2021.

>   * Some sources don’t seem to be having any header:
>     * BuildStream-1.95.4.dev0/src/buildstream/_scheduler/resources.py
>

I can see how this one happened, it didn't have a header since it was introduced in a refactoring in 2018. Good catch as well.

>   * Tests/integration/project/files/amhello.tar.gz (all other copies of this file too) is a binary file (which is generally not allowed) and contains GPL licensed content and is infringing that license by not distributing the license with it (which is even less allowed).
>

Note that these files all note "This program is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it.", in line with generated autotools files. That said, we could have it not be in a tarball, and also given it is a test, we may be able to download it at test time.

>   * Admittedly I stopped a detailed analysis of other problems as this is already enough for a -1
>

Your input is appreciated.

> * Plugin bundle:
>   * Rat reports: 17 Unknown Licenses for the plugin bundle (Attached as rat-plugin.txt)
> [OK] Search for Copyright references, and if they are in headers, make sure these files containing them are mentioned in the LICENSE file.
>

I see an .asf.yaml file which we don't need to distribute. There's 2 empty __init__.py files, 3 *_requirements.txt files. The egg-info directories are generated. The setup.cfg file seems to have lost its header in the packaging process, as it is there in the source repo. The PKG-INFO file actually needs its Authors reference updated.

> I’ve uploaded the rat.log and rat-plugin.log here:
> https://drive.google.com/drive/folders/1FaQj8TZbH3XMXxEvpEPazOGFd9L0rL4z?usp=sharing

Thanks again.

Cheers,

Sander

> From: Benjamin Schubert <[email protected]>
> Date: Saturday, 5. November 2022 at 16:26
> To: [email protected] <[email protected]>
> Subject: Re: [VOTE] Release buildstream / plugins 1.95.4 as 2.0
>
> Hey everyone,
>
> > On Wed, 26 Oct 2022 at 15:55, Tristan Van Berkom [email protected] wrote:
> >
> > > buildstream-plugins-1.95.3.tar.gz
> > > ---------------------------------
> > > sha256: 2d33ed4cba762ccc09bbea060e089db08da5ce6150f903a03928da004dcaa387
> > > sha512: ee22235884e7dfa54f40bd2baa2df1c26284ce19b4393310cd54dbf60b9789dd075eadacb3189b2002b3254025ed02129fc2e451cadd48ce9ff4da4e8de8a92d
> > >
> > > BuildStream-1.95.4.dev0.tar.gz
> > > ------------------------------
> > > sha256: 77f3aafa1268e4128108ac54fd6231cd5b548b0f2b00d84c9c83fc19f7095f60
> > > sha512: 7cb335cc837cc70022ac398055e64c691863898daa2a9d0ae89270796b576e2ae692a2583c1a798cc34ba4769f73b92ff98ed26965f2ea2108df2c7ec490bc90
> > >
>
> -0
>
> I believe https://github.com/apache/buildstream/issues/1787 should be a blocker for this release, as it would otherwise negatively impact the first experience with it.
>
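
The header problems raised in this thread (a source file with a GPL header, a source file with no header, and GPL content inside a bundled tarball) can be checked mechanically. The sketch below is an added example, not part of the thread and not Apache RAT: `scan_tar`, `classify`, the marker strings, the `!/` path notation for nested archives and the sample archive are all assumptions constructed for illustration.

```python
import io
import tarfile

# Assumed marker strings for this sketch; Apache RAT has many more matchers.
MARKERS = [("apache-2.0", "under the Apache License, Version 2.0"),
           ("gpl", "GNU General Public License")]

def classify(data):
    """Name the first license family found in the first 4 KiB of a file."""
    head = data[:4096].decode("utf-8", errors="replace")
    return next((fam for fam, text in MARKERS if text in head), "unknown")

def scan_tar(blob, prefix="", depth=0, max_depth=3):
    """Map each regular file to a license family, descending into nested
    tarballs in memory (nothing is written to disk)."""
    report = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue  # directories, links and devices carry no header
            data = tar.extractfile(member).read()
            path = prefix + member.name
            nested = {}
            if depth < max_depth:  # bound recursion into archives
                try:
                    nested = scan_tar(data, path + "!/", depth + 1, max_depth)
                except (tarfile.TarError, EOFError):
                    pass  # not a readable tar: classify it as a plain file
            report.update(nested or {path: classify(data)})
    return report

# Everything below is constructed sample data, one file per case in the review.
def make_tar(files, mode="w"):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode=mode) as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

GPL = b"# it under the terms of the GNU General Public License as published by\n"
ASF = b'# Licensed under the Apache License, Version 2.0 (the "License");\n'
SAMPLE = make_tar({
    "src/ok.py": ASF + b"x = 1\n",
    "src/gpl.py": GPL + b"y = 2\n",
    "src/bare.py": b"z = 3\n",
    "tests/fixture.tar.gz": make_tar({"fixture/compile": GPL}, "w:gz"),
})
print(sorted(scan_tar(SAMPLE).items()))
```

Anything reported as `gpl` or `unknown` is a candidate for the kind of manual review done in the thread; a file-level scan that does not open archives would see only the `.tar.gz` itself.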
