-1 (binding)
My -1 is because of the things that I marked as FAILED, but I wasn't sure what
they were about. If these are expected and not a concern I can downgrade them to
MINOR.
I'm fine with things marked as MINOR being fixed in the next release.
I checked:
[OK] hashes and signatures of source and helper binaries are correct
[OK] source compiles using yarn package
[OK] tests pass using yarn test
[FAILED] All nightly tests pass
- Nightly tests currently fail, looks to be macOS issues, is this expected?
[MINOR] source and helper binaries are 100% reproducible
- The Content_Type.xml file inside the .vsix file is non-deterministic, causing
the .vsix file to not be reproducible. This is a known issue with vsce. I
confirmed all other files in the .vsix are exactly the same when built
locally. Hopefully a version of vcse that fixes this can be used for the next
release.
[OK] signature of git tag verifies
[OK] source release matches git tag
[MINOR] source and helper binary include correct LICENSE/NOTICE
- The NOTICE file copyright still says 2023, but more importantly there are
about 30 transitive or direct dependencies (listed via yarn licenses --prod)
that I do not see listed in any of the LICENSE/NOTICE/NONOTICE files. They
all look to be ASF compatible so I won't block the release over this, but it
is an ASF requirement that these files be accurate--I will give a -1 to
future release candidates that don't have correct license files. I understand
the npm package ecosystem is pretty insane when it comes to dependencies, but
we can't use that as an excuse to not thoroughly vet dependencies and
document them according to ASF requirements--if anything, the dependency
insanity is even more of a reason carefully inspect all transitive
dependencies to avoid potential supply chain attacks.
[OK] RAT check passes
[OK] no unexpected binaries in source
[MINOR] vsix installs and runs with run with basic usage
- I did notice each time I ran the debugger it wrote a
daffodil-debugger-1234.log file to my home directory. Is this expected
behavior? Seems like something we shouldn't do.
- Note, I did very basic usage. I'm not familiar enough with VS Code to
thoroughly test things
[FAILED] no open CVEs found using sbt dependencyCheck and yarn audit
- yarn audit shows 5 moderate CVE's, with svelte, nanoid, serialize-javascript,
and babel
[FAILED] Page for release candidate published on website
- Missing download page on daffodil.apache.org, required by ASF
[MINOR] no closed issues without a milestone
- There are a number of issues that have been closed but have not been
assigned a milestone:
https://github.com/apache/daffodil-vscode/issues?q=is%3Aissue%20state%3Aclosed%20no%3Amilestone
Were they closed as part of 1.4.1? Can they be added to this milestone or a
previous milestone so there's a record of what release fixed these issue?
On 2025-05-22 02:25 PM, Shane Dell wrote:
Hello all,
I'd like to call a vote to release Apache Daffodil™ Extension for Visual
Studio Code 1.4.1-rc1.
All distribution packages, including signatures, digests, etc. can be
found at:
https://dist.apache.org/repos/dist/dev/daffodil/daffodil-vscode/1.4.1-rc1
This release has been signed with PGP key
86DDE7B41291E380237934F007570D3ADC76D51B, corresponding
to shaned...@apache.org, which is included in the KEYS file here:
https://downloads.apache.org/daffodil/KEYS
The release candidate has been tagged in git with 1.4.1-rc1.
For reference, here is a list of all closed GitHub issues tagged with 1.4.1:
https://github.com/apache/daffodil-vscode/milestone/11?closed=1
Please review and vote. The vote will be open for at least 72 hours
(Wednesday, 28 May 2025, 2:30pm EST) (Not including Monday since its
Memorial Day).
[ ] +1 approve
[ ] +0 no opinion
[ ] -1 disapprove (and reason why)
Documentation for 1.4.1 can be found here
https://github.com/apache/daffodil-vscode/wiki/Apache-Daffodil%E2%84%A2-Extension-for-Visual-Studio-Code:-v1.4.1.
Thank you,
- Shane Dell
