Hi Justin, On Tue, Nov 29, 2016 at 02:20:38PM +1100, Justin Mclean wrote: > Hi, > > Sorry but I just voted -1 on that release as it has a number of IMO > significant issues. Given teh great work done on LICENSE/NOTICE > initially I had assumed these were being kept upto date but that > doesn’t seem to be the case. > > Apologies for not catching these issues sooner but with ApacheCon and > holidays I’ve not had as much time to spend on my mentor/incubator > roles.
No need to apologize. I appreciate all the work you've done to keep us in line :). I'm sure the rest of the Mynewt community shares that sentiment. For the rest of the dev list: Justin's fundings are captured in his email here: https://lists.apache.org/thread.html/b042d83e1985281e8dd8a040ebf1817ce71019c16c5951ca9be11aef@%3Cgeneral.incubator.apache.org%3E Boiling it down, the referenced email identifies three problems: 1. Out of date LICENSE files 2. A bundled source file is not Apache compatible (LwIP; pppoe.c; four-clause BSD license) 3. A few security items missing from the Mynewt export list (tinycrypt and polarSSL). Item 1: this is the biggest issue. There is not much to say here, other than I somehow completely forgot to take care of this. All of the new third-party code was reviewed to ensure it can be included in an Apache project, and exceptions for these libraries were added to the .rat-excludes file, but the last critical step was not done. I want to apologize to everyone for missing this. Because of this mistake, we will need restart the release process, which means a new vote will be called on the dev list. Item 2: I wasn't actually aware that the four-clause BSD license is incompatible with Apache projects. In the general@ thread, Justin referred to another thread discussing this particular license: https://lists.apache.org/thread.html/557a49d678809e2c543ef465dc36b2bd02eb02fda3c484f204468e39@%3Clegal-discuss.apache.org%3E. The legal stuff is way over my head, so I will take others' word that this license is not acceptable. I am not sure what the solution is for Mynewt, but we may end up just removing this particular file from the release. Item 3: Cheking the security export list is missing from our release process (https://cwiki.apache.org/confluence/display/MYNEWT/Release+Process). We'll need to add it. For this release, I believe Aditi is looking into adding the necessary items to the export list. Once again, I am sorry to everyone for not being thorough enough with this release. When the next vote is called, it would be appreciated if you could cast another vote. The next release candidate will likely be functionally identical to the first one, with the possible exception of the removal of the pppoe.c file. I will include details in the upcoming vote email. Finally, please don't hesitate to voice any questions or concerns. Thanks, Chris