I downloaded the helper binaries for each new dependency (except xmlresolver on which I'd already done due diligence as a direct dependency of Saxon-HE - the rest of those dependencies are dependencies of xmlresolver itself so I'd missed them) and checked LICENSE/NOTICE files. What is the rule we follow for incorporating such doubly indirect transitive dependencies' NOTICE files into our NOTICE file? Is the rule "If you find a NOTICE file, you must include it in its entirety into your NOTICE file"? If that is the rule, do people think we need to cancel the vote and generate a second release candidate with these NOTICE files added to our NOTICE file, or do it as a bug fix after releasing 3.3.0?

I also noticed that xmlresolver is not using the latest versions of each and every dependency (oh well).

Here's commons-codec-1.11/NOTICE.txt (the most recent version is 1.15):

---
Apache Commons Codec
Copyright 2002-2017 The Apache Software Foundation

This product includes software developed at
The Apache Software Foundation (http://www.apache.org/).

src/test/org/apache/commons/codec/language/DoubleMetaphoneTest.java
contains test data from http://aspell.net/test/orig/batch0.tab.
Copyright (C) 2002 Kevin Atkinson (kev...@gnu.org)

===============================================================================

The content of package org.apache.commons.codec.language.bm has been translated
from the original php source code available at http://stevemorse.org/phoneticinfo.htm
with permission from the original authors.
Original source copyright:
Copyright (c) 2008 Alexander Beider & Stephen P. Morse.
---

Here's commons-logging-1.2/NOTICE.txt:

---
Apache Commons Logging
Copyright 2003-2014 The Apache Software Foundation

This product includes software developed at
The Apache Software Foundation (http://www.apache.org/).
---

Here is httpcomponents-client-4.5.13/NOTICE.txt (the most recent version is 5.1.3):

---
Apache HttpComponents Client
Copyright 1999-2020 The Apache Software Foundation

This product includes software developed at
The Apache Software Foundation (http://www.apache.org/).
---

Here is httpcomponents-core-4.4.15/NOTICE.txt (the most recent version is 5.1.3):

---
Apache HttpComponents Core
Copyright 2005-2020 The Apache Software Foundation

This product includes software developed at
The Apache Software Foundation (http://www.apache.org/).
---

All LICENSES are Apache 2.0.

John

-----Original Message-----
From: Steve Lawrence <slawre...@apache.org>
Sent: Monday, March 21, 2022 9:06 AM
To: dev@daffodil.apache.org
Subject: EXT: Re: [VOTE] Release Apache Daffodil 3.3.0-rc1

Hmm, I missed those new dependencies. Do we need to update our LICENSE/NOTICE files in daffodil-cli? Looks like we already have xmlresolver mentioned, but we have nothing for the other dependencies?

On 3/21/22 12:00 PM, Interrante, John A (GE Research, US) wrote:
> +1
>
> FYI, apache-daffodil-3.3.0-bin/lib has 6 new jars in it. Those new
> jars are new transitive dependencies added by the bump of Saxon-HE
> from 10.6 to 11.2. Their names are:
>
> commons-codec.commons-codec-1.11.jar
> commons-logging.commons-logging-1.2.jar
> org.apache.httpcomponents.httpclient-4.5.13.jar
> org.apache.httpcomponents.httpcore-4.4.13.jar
> org.xmlresolver.xmlresolver-4.2.0-data.jar
> org.xmlresolver.xmlresolver-4.2.0.jar
>
> Otherwise, the helper binaries look normal.
>
> I checked the following:
>
> [OK] verified signature of git tag
> [OK] verified signatures of source and helper binaries
> [OK] verified signatures use key in KEYS with apache email address
> [OK] verified source has no unexpected binary files
> [OK] verified source and git tag are same minus KEYS file
> [OK] verified source and helper binaries include LICENSE/NOTICE/README
> [OK] verified LICENSE/NOTICE/README look correct
> [OK] verified online JavaDoc and ScalaDoc docs look correct
> [OK] compiled source and ran all tests & ratCheck
> [OK] verified jars built from source have same content as helper binary jars
>
> John
>
> -----Original Message-----
> From: Interrante, John A (GE Research, US) <john.interra...@ge.com>
> Sent: Friday, March 18, 2022 9:07 AM
> To: dev@daffodil.apache.org
> Subject: EXT: [VOTE] Release Apache Daffodil 3.3.0-rc1
>
> Hi PMC members,
>
> I'd like to call a vote to release Apache Daffodil 3.3.0-rc1.
>
> All distribution packages, including signatures, digests, etc. can be found
> at:
>
> https://dist.apache.org/repos/dist/dev/daffodil/3.3.0-rc1/
>
> Staging artifacts can be found at:
>
> https://repository.apache.org/content/repositories/orgapachedaffodil-1029/
>
> This release has been signed with PGP key 04A735FC1A36AE84, corresponding to
> jinterra...@apache.org, which is included in the KEYS file here:
>
> https://downloads.apache.org/daffodil/KEYS
>
> The release candidate has been tagged in git with v3.3.0-rc1.
>
> For reference, here is a list of all closed JIRAs tagged with 3.3.0:
>
> https://s.apache.org/daffodil-issues-3.3.0
>
> For a summary of the changes in this release, see:
>
> https://daffodil.apache.org/releases/3.3.0/
>
> Please review and vote. The vote will be open for at least 72 hours (Monday,
> March 21 2022, 12 Noon EST).
>
> [ ] +1 approve
> [ ] +0 no opinion
> [ ] -1 disapprove (and reason why)
>
> Thanks,
> John