Hi Bertrand,

As you noted, the release process uses the Apache RAT to scan all the 
built TAR files and our own Scancode utility scans files at "build time" 
for both PR and release (master or named release) builds.

We have endeavored to document our use of these scanning utilities within 
the context of our release process here:
- "License Compliance": https://github.com/apache/incubator-openwhisk-release/blob/master/docs/license_compliance.md

On this page, we describe our usage of both RAT and Scancode as well as 
detailing, in great depth, all file inclusions down to every file type we 
have across all repos.

In addition (for convenience and to prove thoroughness), we have 
identified all known exclusions (all in accordance with Apache policy) by 
repo. here:
- https://github.com/apache/incubator-openwhisk-release/blob/master/docs/license_exclusions.md

and you surmised correctly that the Scancode utility usage is documented 
where it lives in the incubator-openwhisk-utility repo. here:
- description/install/build/run basics: https://github.com/apache/incubator-openwhisk-utilities
- full usage: https://github.com/apache/incubator-openwhisk-utilities/blob/master/scancode/README.md

Feel free to ask any question about licenses and scanning as this has been 
my life for the last many months...

Kind regards,
Matt 



From:   Bertrand Delacretaz <bdelacre...@apache.org>
To:     dev@openwhisk.apache.org
Date:   06/21/2018 08:08 AM
Subject:        Re: [VOTE] Release Apache OpenWhisk 0.9.0-incubating



Hi Vincent,

On Thu, Jun 21, 2018 at 2:53 PM Vincent S Hou <s...@us.ibm.com> wrote:
> ...Does it mean we can try to release one of the 13 modules, like openwhisk, or openwhisk-cli, or consolidate
> all the 13 projects into one for release?...

The former, I would say?

It's probably more convenient for your users and w.r.t release cycles?

For Apache Sling, as an example which is extremely modular, we do lots
of individual module releases all the time, and about once a year do a
"big bang" release that includes all core modules.

A model like that might be good for OpenWhisk, but at this stage, as
mentioned for a first "training release" it's probably best to stick
to one typical module to refine the process.

...
> * The key can be accessed at https://dist.apache.org/repos/dist/dev/incubator/openwhisk/KEYS. You missed "dev/" in your link...

Ah ok, sorry!  Got it now.

> ...* So far the header is not verified with RAT. We have a utility repo called
> openwhisk-utility (https://github.com/apache/incubator-openwhisk-utilities) to scan all the code. RAT has issues,
> since I have never got it running correctly in openwhisk. The Travis build uses this openwhisk-utility to verify the
> headers for every incoming commit....

Ok. The "how do I run the utility to verify the license headers"
question should be answerable with a URL, maybe the docs of that
utility?
People will need to be able to run it standalone to do their own verifications.

> * RSA private key should have some instructions. We will work on it...

Great

> * We do not release binary this time...

Yes - I was checking for binaries that might have been leftover, saw
none and that's good!

> * We will look at the .scala code files...

Ok. If the package name change is too disruptive it can be postponed
for later during incubation, but that needs to be tracked.

> * For README, let me make the build instruction more clear...

Thanks!

I suppose this means this vote is canceled until you have a new
release candidate?

-Bertrand




