One point I forgot - There is certainly mixed practice with regard to whether the KEYS file should be checked into the source repo. Some projects place it just on dist.apache.org/repos/dist/release. That way there is a single point of truth. Right now the one in the source repo is out of sync with the dist.apache.org one.
Cheers, Paul. On Sat, Oct 24, 2020 at 12:11 PM Paul King <[email protected]> wrote: > +1 > > Checked hashes and signatures. > "mvn clean verify" passes > "mvn apache-rat:rat" passes > incubating in name > DISCLAIMER exists > NOTICE seems okay > LICENSE seems okay > no unexpected binary files > > Mentoring notes: > * You should minimise changes to KEYS since ideally each release manager > would attend a key-signing party and have their key spread amongst other > trusted parties. Then verifiers could verify that the release has been > signed not only with a valid key but also from a trusted source. Key > signing would need to be repeated each time a release manager's key > changes. Key signing isn't mandatory, just highly recommended, but isn't > easy to do right now due to COVID. > * For files like NCBlowfishHasher.java, (correctly mentioned in LICENSE > and NOTICE, thanks) if the statement "Code almost entirely based on work of > ..." is indeed true, then I believe it is usually clearer to leave the > original license header in the source file and perhaps amend with > "Subsequent changes Copyright by the NLPCraft team and made under the > ASLv2..." but what you have is possibly okay - just not as clear. IANAL, > but my understanding is that you have the obligation to make it clear that > the requirements the original author requested for use of that file in > source form etc. are still in play and aren't overwritten by slapping the > ASLv2 header at the front of the file. > > Cheers, Paul. > > > On Thu, Oct 22, 2020 at 2:35 AM Aaron Radzinski <[email protected]> > wrote: > >> NLPCraft-ers, >> This is a call for a vote to release Apache NLPCraft (incubating) version >> 0.7.1. This release includes bug fixes and incremental improvements for >> NLPCraft 0.7.0 release. >> >> Release information: >> 1. Release location: >> https://dist.apache.org/repos/dist/dev/incubator/nlpcraft/nlpcraft/0.7.1/ >> 3. Git tag: https://github.com/apache/incubator-nlpcraft/tree/v0.7.1 >> 4. JIRA issues fixed in release: >> https://issues.apache.org/jira/projects/NLPCRAFT/versions/12347777 >> 5. KEYS file: >> https://dist.apache.org/repos/dist/release/incubator/nlpcraft/KEYS >> >> The vote will be open for at least 72 hours or until a necessary number of >> votes are reached. >> >> Please vote accordingly: >> [ ] +1 approve >> [ ] +0 no opinion >> [ ] -1 disapprove with the reason >> >> Thank you, >> Aaron (NLPCraft community). >> >
