Steve,

Thank you so much for taking the time to review v1.4.1-rc1 and share your 
feedback. The VS Code extension dev team will look into your findings and follow 
up with clarifications and a 1.4.1-rc2 candidate.

Thanks,

-----Original Message-----
From: Steve Lawrence <slawre...@apache.org>
Sent: Monday, June 2, 2025 1:10 PM
To: dev@daffodil.apache.org
Subject: Re: [VOTE] Apache Daffodil™ Extension for Visual Studio Code 1.4.1-rc1

-1 (binding)

My -1 is because of the things that I marked as FAILED, but I wasn't sure what 
they were about. If these are expected and not a concern I can downgrade them 
to MINOR.

I'm fine with things marked as MINOR being fixed in the next release.

I checked:

[OK] hashes and signatures of source and helper binaries are correct
[OK] source compiles using yarn package
[OK] tests pass using yarn test
[FAILED] All nightly tests pass
- Nightly tests currently fail, looks to be macOS issues, is this expected?

[MINOR] source and helper binaries are 100% reproducible
- The Content_Type.xml file inside the .vsix file is non-deterministic, causing
   the .vsix file to not be reproducible. This is a known issue with vsce. I
   confirmed all other files in the .vsix are exactly the same when built
   locally. Hopefully a version of vsce that fixes this can be used for the next
   release.

[OK] signature of git tag verifies
[OK] source release matches git tag
[MINOR] source and helper binary include correct LICENSE/NOTICE
- The NOTICE file copyright still says 2023, but more importantly there are
   about 30 transitive or direct dependencies (listed via yarn licenses --prod)
   that I do not see listed in any of the LICENSE/NOTICE/NONOTICE files. They
   all look to be ASF compatible so I won't block the release over this, but it
   is an ASF requirement that these files be accurate--I will give a -1 to
   future release candidates that don't have correct license files. I understand
   the npm package ecosystem is pretty insane when it comes to dependencies, but
   we can't use that as an excuse to not thoroughly vet dependencies and
   document them according to ASF requirements--if anything, the dependency
   insanity is even more of a reason to carefully inspect all transitive
   dependencies to avoid potential supply chain attacks.

[OK] RAT check passes
[OK] no unexpected binaries in source
[MINOR] vsix installs and runs with basic usage
- I did notice each time I ran the debugger it wrote a
   daffodil-debugger-1234.log file to my home directory. Is this expected
   behavior? Seems like something we shouldn't do.
- Note, I did very basic usage. I'm not familiar enough with VS Code to
   thoroughly test things

[FAILED] no open CVEs found using sbt dependencyCheck and yarn audit
- yarn audit shows 5 moderate CVEs, with svelte, nanoid, serialize-javascript,
   and babel

[FAILED] Page for release candidate published on website
- Missing download page on daffodil.apache.org, required by ASF

[MINOR] no closed issues without a milestone
- There are a number of issues that have been closed but have not been
   assigned a milestone:


https://github.com/apache/daffodil-vscode/issues?q=is%3Aissue%20state%3Aclosed%20no%3Amilestone

   Were they closed as part of 1.4.1? Can they be added to this milestone or a
   previous milestone so there's a record of what release fixed these issues?


On 2025-05-22 02:25 PM, Shane Dell wrote:
> Hello all,
>
> I'd like to call a vote to release Apache Daffodil™ Extension for
> Visual Studio Code 1.4.1-rc1.
>
> All distribution packages, including signatures, digests, etc. can be
> found at:
> https://dist.apache.org/repos/dist/dev/daffodil/daffodil-vscode/1.4.1-rc1
>
> This release has been signed with PGP key
> 86DDE7B41291E380237934F007570D3ADC76D51B, corresponding to
> shaned...@apache.org, which is included in the KEYS file here:
> https://downloads.apache.org/daffodil/KEYS
>
> The release candidate has been tagged in git with 1.4.1-rc1.
>
> For reference, here is a list of all closed GitHub issues tagged with 1.4.1:
> https://github.com/apache/daffodil-vscode/milestone/11?closed=1
>
> Please review and vote. The vote will be open for at least 72 hours
> (Wednesday, 28 May 2025, 2:30pm EST) (Not including Monday since it's
> Memorial Day).
>
> [ ] +1 approve
> [ ] +0 no opinion
> [ ] -1 disapprove (and reason why)
>
> Documentation for 1.4.1 can be found here
> https://github.com/apache/daffodil-vscode/wiki/Apache-Daffodil%E2%84%A2-Extension-for-Visual-Studio-Code:-v1.4.1.
>
> Thank you,
>
> - Shane Dell
>
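
The reproducibility check in the review above (a rebuilt .vsix that differs from the released one in a single entry) can be narrowed down per entry, since a .vsix is a zip archive. This is an added example, not code from the thread or the Daffodil project; the entry names and contents are constructed, and the function names are hypothetical.

```python
import hashlib
import io
import zipfile


def entry_digests(vsix_bytes):
    """Map each archive entry name to the SHA-256 of its uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(vsix_bytes)) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if not info.is_dir()
        }


def compare_vsix(released, rebuilt):
    """Report entries that differ, or exist on only one side, between two builds."""
    a, b = entry_digests(released), entry_digests(rebuilt)
    return {
        "only_in_released": sorted(a.keys() - b.keys()),
        "only_in_rebuilt": sorted(b.keys() - a.keys()),
        "content_differs": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }


def make_vsix(entries):
    """Build a constructed in-memory archive standing in for a .vsix file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: same payload files, but the content-types entry is
# written with its elements in a different order by the second build.
COMMON = {
    "extension/package.json": b'{"name": "sample"}',
    "extension/LICENSE": b"license text",
}
RELEASED = make_vsix({**COMMON, "[Content_Types].xml": b"<Types><a/><b/></Types>"})
REBUILT = make_vsix({**COMMON, "[Content_Types].xml": b"<Types><b/><a/></Types>"})

if __name__ == "__main__":
    for kind, names in compare_vsix(RELEASED, REBUILT).items():
        print(kind, names)
```

For real artifacts, pass the bytes of the downloaded and the locally built .vsix files. Comparing uncompressed entry content sidesteps differences in zip timestamps and compression that change the archive hash without changing any file.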
