Sure thing, James. Will resume in the morning when fresh. Exhausted most of my weekend motivations :)

Honestly, fixing the tracing UI for the source release should be very simple. Pretty much need to copy the info from my first note into LICENSE.

I'm still mulling over whether or not I want to suggest scrapping the "binary" release until licensing issues are addressed (oops, I guess I spoiled the secret). I'm having a really hard time trying to suggest a path forward that doesn't involve "hold all releases until licensing is addressed". Need to mull it over more and talk to some others on the subject.

James Taylor wrote:
Thanks for going through the release, Josh. One partial quick fix might be
to exclude the trace app from both the source and binary distributions and
move it to github as more of a community add-on (we have a few of these
already). To be honest, I don't think it's had much community uptake - a UI
is a bit outside of the scope with a different skill set than a distributed
database.

We need to fix the other stuff, though.

Would you mind filing some JIRAs for these, Josh?

Thanks,
James


On Sun, Jul 17, 2016 at 9:42 PM, Andrew Purtell<andrew.purt...@gmail.com>
wrote:

A partial prescription:

- Looks like no updates to LICENSE or NOTICE were done when the trace app
GSoC project was merged, hence the issues with bootstrap and other bundled
JavaScript. Time to do a top to bottom review?

- Prune RAT exclusions to the minimum and fix reported issues.

- Over on HBase we also faced a big divergence in what is included in
source and binary convenience artifacts, due to the ton of extra deps that
come with upstream binaries and runtime concerns like embedded UIs. We
fixed this through maven based automated assembly of binary LICENSE and
NOTICE files using templates and velocity macros. Sean Busbey did the
lion's share of the work. Refer to
https://issues.apache.org/jira/browse/HBASE-14085 . It was a significant
effort.



On Jul 17, 2016, at 10:53 AM, Josh Elser<els...@apache.org>  wrote:

-1 (non-binding) from me with my Phoenix hat on (avoiding putting on the
ASF member hat for now). Lots of wrong licensing stuff in here -- as in,
this should very definitely not go out as a release. I hope the Phoenix PMC
steps up to -1 this release on their own.

*** Source release:

Good:
* MD5 and GPG sig are fine
* KEYS is good
* Did not find any binary files
* Was able to build the source code

Bad:
* SHA1 xsum is wrong. It looks like complete nonsense to me, but I can't
find the appropriate xsum in that file (which was
64208164580f3467cd2c8b51c0d9f8ac37f0c671)
* Lots of "Copyright ASF" in Java source files which should not be there.
* No license headers on any Apache Phoenix JS files. Looks like these
are completely ignored by the apache-rat check which is very bad.
  - All properties files are ignored. They can and should have license
headers (./phoenix-pherf/src/test/resources/pherf.test.properties is
missing headers now, and is just garbled)
* Would be good to have the artifact name be
"apache-phoenix-$version.tar.gz" as that's the project's proper name.
* NOTICE problems
  - No Apache Phoenix copyright (should be 20XX-2016)
  - Source release does not include HBase, Hadoop, or Commons, does it?
Do we have copied code from these projects in Phoenix source?
  - JUnit, SLF4j, JLine, and Antlr are not included in the source
release, they do not belong here.
  - Sqlline entry has the wrong website and doesn't belong in NOTICE
(should go in LICENSE)
* LICENSE problems
  - ENTIRELY NO MENTION of tons of libraries:
     + Bootstrap (Twitter with MIT license)
     + JQuery (JQuery Foundation with MIT license)
     + AngularJS and Angular-Mocks 1.3.15 (Google, inc. with  MIT license)
     + Angular-Routes 1.3.8 (Google, inc with MIT license)
     + Google Chart Api Directive Module for AngularJS (Nicolas Bouillon
with MIT)
     + angular-ui-bootstrap (http://angular-ui.github.io/bootstrap/ with
MIT)
     + Sqlline (Marc Prud'hommeaux with BSD)
     + Glyphicons (http://glyphicons.com with CC-By 3.0)
     + Fontawesome fonts (http://fontawesome.io with SIL Open Font
license -- which falls into category-b for the ASF for those playing along)

*** Binary release:

Good:
* MD5 and GPG sig are fine

Other:
* I'm not sure how to handle the L&N for the tarball itself (since they
just contain JARs which are in themselves a "binary release"). e.g. should
the top-level L&N files contain the aggregate L&N for all JARs in the
binary tarball?

Bad:
* SHA1 is again garbled (I computed
817b68246f8d9c9fc5317660ad1021752996d1f1)
NOTICE problems (tarball):
  - Wrong Apache Phoenix copyright (2014, not 20XX-2016)
  - Completely different sqlline copyright/license notice than in source
release! Which one is correct?? Also, license information belongs in
LICENSE, not in NOTICE.
  - I would strongly bet that Apache Hadoop and HBase both have
information in their NOTICE files which requires propagation (e.g. things
other than "Copyright ASF" which is not required).
LICENSE problems (tarball):
  - See all of the same issues from the LICENSE problems in the
source-release.
For phoenix-client.jar:
  - Multiple LICENSE files lying around but nothing which seems accurate
for the binary artifact being released -- this information should be
self-contained in one file (commonly META-INF/{LICENSE,NOTICE}).
  - Not going to enumerate all of the issues, but I see there is at least
one issue in HSQLDB as it's BSD license and not included in LICENSE. I'm
guessing this is missing tons of necessary entries.
For phoenix-tracing-webapp-4.8.0-HBase-1.2-runnable.jar:
  - Absolutely no mention of the bundled javascript libraries as outlined
in the source-release.
  - (A hunch) missing a necessary entry for UnixCrypt per
https://github.com/eclipse/jetty.project/blob/jetty-8.1.16.v20140903/NOTICE.txt.
There's no git tag for the 8.1.7 version we use.
For now, I'm going to omit going through the rest, but I have lots of
fear over the other shaded jars being similarly inadequate.
- Josh
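
A release verifier checking the digests discussed in the vote above has to tell apart a digest file it cannot read from one that reads fine but does not match the artifact. The sketch below is an added example, not part of the thread or of Phoenix's release tooling; it goes beyond the SHA1 case by accepting several common digest-file layouts, and the file name and sample bytes are constructed.

```python
import hashlib
import re

HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

def parse_digest(text, algo):
    """Extract the hex digest from a published digest file, or return None."""
    n = HEX_LEN[algo]
    # sha1sum ("<hex>  name"), BSD ("SHA1 (name) = <hex>") and bare-hex layouts
    # all contain one unbroken run of exactly n hex characters.
    runs = re.findall(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{%d}(?![0-9A-Fa-f])" % n, text)
    if len(runs) == 1:
        return runs[0].lower()
    # gpg --print-md layout: "name: 6420 8164 ..." in upper-case groups,
    # possibly wrapped over several lines. Take what follows the last colon.
    tail = "".join(text.rsplit(":", 1)[-1].split())
    if re.fullmatch(r"[0-9A-Fa-f]{%d}" % n, tail):
        return tail.lower()
    return None

def check_artifact(data, digest_text, algo):
    """Return (status, published, computed); status is ok/mismatch/unparseable."""
    computed = hashlib.new(algo, data).hexdigest()
    published = parse_digest(digest_text, algo)
    if published is None:
        return ("unparseable", None, computed)
    return ("ok" if published == computed else "mismatch", published, computed)

def grouped(hexdigest, name):
    """Render a digest as 'name: XXXX XXXX ...' (constructed helper for samples)."""
    groups = [hexdigest[i:i + 4].upper() for i in range(0, len(hexdigest), 4)]
    return "%s: %s\n" % (name, " ".join(groups))

if __name__ == "__main__":
    # Constructed sample: stand-in bytes and a made-up file name.
    data = b"constructed stand-in for a release tarball\n"
    name = "example-1.0-src.tar.gz"
    sha1 = hashlib.sha1(data).hexdigest()
    samples = {
        "sha1sum": "%s  %s\n" % (sha1, name),
        "gpg": grouped(sha1, name),
        "truncated": sha1[:-2] + "\n",
        "other file": "%s  %s\n" % (hashlib.sha1(b"x").hexdigest(), name),
    }
    for label, text in samples.items():
        print(label, check_artifact(data, text, "sha1")[0])
```

An "unparseable" result points at how the digest file was generated or uploaded, while "mismatch" means the artifact bytes differ from what the digest was computed over; the two call for different follow-up before a vote.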

Ankit Singhal wrote:
Hello Everyone,

This is a call for a vote on Apache Phoenix 4.8.0-HBase-1.2 RC0. This is
the next minor release of Phoenix 4, compatible with Apache HBase 1.2.
The release includes both a source-only release and a convenience binary
release.

This release has feature parity with our other pending 4.8.0 releases
and
includes the following improvements:
- Local Index improvements[1]
- Phoenix hive integration[2]
- Namespace mapping support[3]
- Many VIEW enhancements[4]
- Offset support for paging queries[5]
- 100+ Bugs resolved[6]
- Many performance enhancements(related to StatsCache, distinct, Serial
query with Stats etc)

The source tarball, including signatures, digests, etc can be found at:

https://dist.apache.org/repos/dist/dev/phoenix/phoenix-4.8.0-HBase-1.2-rc0/src/
The binary artifacts can be found at:

https://dist.apache.org/repos/dist/dev/phoenix/phoenix-4.8.0-HBase-1.2-rc0/bin/
For a complete list of changes, see:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12334393&projectId=12315120
Release artifacts are signed with the following key:
https://people.apache.org/keys/committer/ankit.asc

KEYS file available here:
https://dist.apache.org/repos/dist/dev/phoenix/KEYS

The hash and tag to be voted upon:
https://git-wip-us.apache.org/repos/asf?p=phoenix.git;a=commit;h=c90232fbfaaf8e847703a2be3f5d147b976e2138
https://git-wip-us.apache.org/repos/asf?p=phoenix.git;a=tag;h=refs/tags/v4.8.0-HBase-1.2-rc0
Vote will be open until at least, Mon, Jul 18th @ 5pm PST. Please vote:

[ ] +1 approve
[ ] +0 no opinion
[ ] -1 disapprove (and reason why)

Thanks,
The Apache Phoenix Team

[1] https://issues.apache.org/jira/browse/PHOENIX-1734
[2] https://issues.apache.org/jira/browse/PHOENIX-2743
[3] https://issues.apache.org/jira/browse/PHOENIX-1311
[4] https://issues.apache.org/jira/browse/PHOENIX-1508
[5] https://issues.apache.org/jira/browse/PHOENIX-2722
[6] https://issues.apache.org/jira/browse/filter=12337975#

