Thanks for going through the release, Josh. One partial quick fix might be to exclude the trace app from both the source and binary distributions and move it to github as more of a community add-on (we have a few of these already). To be honest, I don't think it's had much community uptake - a UI it a bit outside of the scope with a different skill set than a distributed database.
We need to fix the other stuff, though. Would you mind filing some JIRAs for these, Josh. Thanks, James On Sun, Jul 17, 2016 at 9:42 PM, Andrew Purtell <andrew.purt...@gmail.com> wrote: > A partial prescription: > > - Looks like no updates to LICENSE or NOTICE were done when the trace app > GSoC project was merged, hence the issues with bootstrap and other bundled > JavaScript. Time to do a top to bottom review? > > - Prune RAT exclusions to the minimum and fix reported issues. > > - Over on HBase we also faced a big divergence in what is included in > source and binary convenience artifacts, due to the ton of extra deps that > come with upstream binaries and runtime concerns like embedded UIs. We > fixed this through maven based automated assembly of binary LICENSE and > NOTICE files using templates and velocity macros. Sean Busbey did the > lion's share of the work. Refer to > https://issues.apache.org/jira/browse/HBASE-14085 . It was a significant > effort. > > > > > On Jul 17, 2016, at 10:53 AM, Josh Elser <els...@apache.org> wrote: > > > > -1 (non-binding) from me with my Phoenix hat on (avoiding putting on the > ASF member hat for now). Lots of wrong licensing stuff in here -- as-in, > this should very definitely not go out as a release. I hope the Phoenix PMC > steps up to -1 this release on their own. > > > > *** Source release: > > > > Good: > > * MD5 and GPG sig is fine > > * KEYS is good > > * Did not find any binary files > > * Was able to build the source code > > > > Bad: > > * SHA1 xsum is wrong. It looks like complete nonsense to me, but I can't > find the appropriate xsum in that file (which was > 64208164580f3467cd2c8b51c0d9f8ac37f0c671) > > * Lots of "Copyright ASF" in Java source files which should not be there. > > * No license headers on any Apache Phoenix JS files. Looks like these > are completely ignored by the apache-rat check which is very bad. > > - All properties files are ignored. They can and should have license > headers (./phoenix-pherf/src/test/resources/pherf.test.properties is > missing headers now, and is just garbled) > > * Would be good to have the artifact name be > "apache-phoenix-$version.tar.gz" as that's the project's proper name. > > > > * NOTICE problems > > - No Apache Phoenix copyright (should be 20XX-2016) > > - Source release does not include HBase, Hadoop, or Commons, does it? > Do we have copied code from these projects in Phoenix source? > > - JUnit, SLF4j, JLine, and Antlr are not included in the source > release, they do not belong here. > > - Sqlline entry has the wrong website and doesn't belong in NOTICE > (should go in LICENSE) > > > > * LICENSE problems > > - ENTIRELY NO MENTION of tons of libraries: > > + Bootstrap (Twitter with MIT license) > > + JQuery (JQuery Foundation with MIT license) > > + AngularJS and Angular-Mocks 1.3.15 (Google, inc. with MIT license) > > + Angular-Routes 1.3.8 (Google, inc with MIT license) > > + Google Chart Api Directive Module for AngularJS (Nicolas Bouillon > with MIT) > > + angular-ui-bootstrap (http://angular-ui.github.io/bootstrap/ with > MIT) > > + Sqlline (Marc Prud'hommeaux with BSD) > > + Glyphicons (http://glyphicons.com with CC-By 3.0) > > + Fontawesome fonts (http://fontawesome.io with SIL Open Font > license -- which falls into category-b for the ASF for those playing along) > > > > > > *** Binary release: > > > > Good: > > * MD5 and GPG sig are fine > > > > Other: > > * I'm not sure how to handle the L&N for the tarball itself (since they > just contain JARs which are in themselves a "binary release"). e.g. should > the top-level L&N files contain the aggregate L&N for all JARs in the > binary tarball? > > > > Bad: > > * SHA1 is again garbled (I computed > 817b68246f8d9c9fc5317660ad1021752996d1f1) > > > > NOTICE problems (tarball): > > - Wrong Apache Phoenix copyright (2014, not 20XX-2016) > > - Completely different sqlline copyright/license notice than in source > release! Which one is correct?? Also, license information belongs in > LICENSE, not in NOTICE. > > - I would strongly bet that Apache Hadoop and HBase both have > information in their NOTICE files which requires propagation (e.g. things > other than "Copyright ASF" which is not required). > > > > LICENSE problems (tarball): > > - See all of the same issues from the LICENSE problems in the > source-release. > > > > For phoenix-client.jar: > > - Multiple LICENSE files lying around but nothing which seems accurate > for the binary artifact being released -- this information should be > self-contained in one file (commonly META-INF/{LICENSE,NOTICE}). > > - Not going to enumerate all of the issues, but I see there is at least > one issue in HSQLDB as it's BSD license and not included in LICENSE. I'm > guessing this is missing tons of necessary entries. > > > > For phoenix-tracing-webapp-4.8.0-HBase-1.2-runnable.jar: > > - Absolutely no mention of the bundled javascript libraries as outlined > in the source-release. > > - (A hunch) missing a necessary entry for UnixCrypt per > https://github.com/eclipse/jetty.project/blob/jetty-8.1.16.v20140903/NOTICE.txt. > There's no git tag for the 8.1.7 version we use. > > > > For now, I'm going to omit going through the rest, but I have lots of > fear over the other shaded jars being similarly inadequate. > > > > - Josh > > > > Ankit Singhal wrote: > >> Hello Everyone, > >> > >> This is a call for a vote on Apache Phoenix 4.8.0-HBase-1.2 RC0. This is > >> the next minor release of Phoenix 4, compatible with Apache HBase 1.2. > >> The release includes both a source-only release and a convenience binary > >> release. > >> > >> This release has feature parity with our other pending 4.8.0 releases > and > >> includes the following improvements: > >> - Local Index improvements[1] > >> - Phoenix hive integration[2] > >> - Namespace mapping support[3] > >> - Many VIEW enhancements[4] > >> - Offset support for paging queries[5] > >> - 100+ Bugs resolved[6] > >> - Many performance enhancements(related to StatsCache, distinct, Serial > >> query with Stats etc) > >> > >> The source tarball, including signatures, digests, etc can be found at: > >> > https://dist.apache.org/repos/dist/dev/phoenix/phoenix-4.8.0-HBase-1.2-rc0/src/ > >> > >> The binary artifacts can be found at: > >> > https://dist.apache.org/repos/dist/dev/phoenix/phoenix-4.8.0-HBase-1.2-rc0/bin/ > >> > >> For a complete list of changes, see: > >> * > https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12334393&projectId=12315120 > >> < > https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12334393&projectId=12315120 > >* > >> > >> Release artifacts are signed with the following key: > >> *https://people.apache.org/keys/committer/ankit.asc > >> <https://people.apache.org/keys/committer/ankit.asc>* > >> > >> KEYS file available here: > >> https://dist.apache.org/repos/dist/dev/phoenix/KEYS > >> > >> The hash and tag to be voted upon: > >> * > https://git-wip-us.apache.org/repos/asf?p=phoenix.git;a=commit;h=c90232fbfaaf8e847703a2be3f5d147b976e2138 > >> < > https://git-wip-us.apache.org/repos/asf?p=phoenix.git;a=commit;h=c90232fbfaaf8e847703a2be3f5d147b976e2138 > >* > >> > https://git-wip-us.apache.org/repos/asf?p=phoenix.git;a=tag;h=refs/tags/v4.8.0-HBase-1.2-rc0 > >> > >> Vote will be open until at least, Mon, Jul 18th @ 5pm PST. Please vote: > >> > >> [ ] +1 approve > >> [ ] +0 no opinion > >> [ ] -1 disapprove (and reason why) > >> > >> Thanks, > >> The Apache Phoenix Team > >> > >> [1] https://issues.apache.org/jira/browse/PHOENIX-1734 > >> [2] https://issues.apache.org/jira/browse/PHOENIX-2743 > >> [3] https://issues.apache.org/jira/browse/PHOENIX-1311 > >> [4] https://issues.apache.org/jira/browse/PHOENIX-1508 > >> [5] https://issues.apache.org/jira/browse/PHOENIX-2722 > >> [6] *https://issues.apache.org/jira/browse/filter=12337975# > >> <https://issues.apache.org/jira/browse/filter=12337975#>* > >> >
