Ooof. It's always rough when this stuff gets out of sync. FWIW, as a
non-binding community participant, I'd label this stuff a blocker on
further releases. It's too easy to let it slip and is one of the few
mandatory responsibilities we get from the board as a project.

In my prior experience, the key to avoiding this being a months-long
release dry spell (as happened to HBase, Hadoop, and Avro) is managing
to parallelize the work of getting things resolved. It also helps to
get an idea of what the PMC considers must-do for compliance and what
they consider nice-to-have. For some that has been automation and
correct marking on an artifact-by-artifact basis (the strictest
interpretation of the ASF policy), for others it has been something
manual that's sufficient to meet the requirements of all upstream
licenses (the loosest interpretation of the ASF policy).

Perhaps a [DISCUSS] thread in parallel to Josh filing JIRAs would be
helpful? Right now it looks like all but the Apache Phoenix
4.8.0-HBase-1.1 RC have sufficient votes to pass, so the separate
thread might help get better PMC attention to the issue.

On Sun, Jul 17, 2016 at 2:42 PM, Andrew Purtell
<andrew.purt...@gmail.com> wrote:
> A partial prescription:
>
> - Looks like no updates to LICENSE or NOTICE were done when the trace app 
> GSoC project was merged, hence the issues with bootstrap and other bundled 
> JavaScript. Time to do a top to bottom review?
>
> - Prune RAT exclusions to the minimum and fix reported issues.
>
> - Over on HBase we also faced a big divergence in what is included in source 
> and binary convenience artifacts, due to the ton of extra deps that come with 
> upstream binaries and runtime concerns like embedded UIs. We fixed this 
> through maven based automated assembly of binary LICENSE and NOTICE files 
> using templates and velocity macros. Sean Busbey did the lion's share of the 
> work. Refer to https://issues.apache.org/jira/browse/HBASE-14085 . It was a 
> significant effort.
>
>
>
>> On Jul 17, 2016, at 10:53 AM, Josh Elser <els...@apache.org> wrote:
>>
>> -1 (non-binding) from me with my Phoenix hat on (avoiding putting on the ASF 
>> member hat for now). Lots of wrong licensing stuff in here -- as-in, this 
>> should very definitely not go out as a release. I hope the Phoenix PMC steps 
>> up to -1 this release on their own.
>>
>> *** Source release:
>>
>> Good:
>> * MD5 and GPG sig is fine
>> * KEYS is good
>> * Did not find any binary files
>> * Was able to build the source code
>>
>> Bad:
>> * SHA1 xsum is wrong. It looks like complete nonsense to me, but I can't 
>> find the appropriate xsum in that file (which was 
>> 64208164580f3467cd2c8b51c0d9f8ac37f0c671)
>> * Lots of "Copyright ASF" in Java source files which should not be there.
>> * No license headers on any Apache Phoenix JS files. Looks like these are 
>> completely ignored by the apache-rat check which is very bad.
>>  - All properties files are ignored. They can and should have license 
>> headers (./phoenix-pherf/src/test/resources/pherf.test.properties is missing 
>> headers now, and is just garbled)
>> * Would be good to have the artifact name be 
>> "apache-phoenix-$version.tar.gz" as that's the project's proper name.
>>
>> * NOTICE problems
>>  - No Apache Phoenix copyright (should be 20XX-2016)
>>  - Source release does not include HBase, Hadoop, or Commons, does it? Do we 
>> have copied code from these projects in Phoenix source?
>>  - JUnit, SLF4j, JLine, and Antlr are not included in the source release, 
>> they do not belong here.
>>  - Sqlline entry has the wrong website and doesn't belong in NOTICE (should 
>> go in LICENSE)
>>
>> * LICENSE problems
>>  - ENTIRELY NO MENTION of tons of libraries:
>>     + Bootstrap (Twitter with MIT license)
>>     + JQuery (JQuery Foundation with MIT license)
>>     + AngularJS and Angular-Mocks 1.3.15 (Google, inc. with MIT license)
>>     + Angular-Routes 1.3.8 (Google, inc with MIT license)
>>     + Google Chart Api Directive Module for AngularJS (Nicolas Bouillon with 
>> MIT)
>>     + angular-ui-bootstrap (http://angular-ui.github.io/bootstrap/ with MIT)
>>     + Sqlline (Marc Prud'hommeaux with BSD)
>>     + Glyphicons (http://glyphicons.com with CC-By 3.0)
>>     + Fontawesome fonts (http://fontawesome.io with SIL Open Font license -- 
>> which falls into category-b for the ASF for those playing along)
>>
>>
>> *** Binary release:
>>
>> Good:
>> * MD5 and GPG sig are fine
>>
>> Other:
>> * I'm not sure how to handle the L&N for the tarball itself (since they just 
>> contain JARs which are in themselves a "binary release"). e.g. should the 
>> top-level L&N files contain the aggregate L&N for all JARs in the binary 
>> tarball?
>>
>> Bad:
>> * SHA1 is again garbled (I computed 817b68246f8d9c9fc5317660ad1021752996d1f1)
>>
>> NOTICE problems (tarball):
>>  - Wrong Apache Phoenix copyright (2014, not 20XX-2016)
>>  - Completely different sqlline copyright/license notice than in source 
>> release! Which one is correct?? Also, license information belongs in 
>> LICENSE, not in NOTICE.
>>  - I would strongly bet that Apache Hadoop and HBase both have information 
>> in their NOTICE files which requires propagation (e.g. things other than 
>> "Copyright ASF" which is not required).
>>
>> LICENSE problems (tarball):
>>  - See all of the same issues from the LICENSE problems in the 
>> source-release.
>>
>> For phoenix-client.jar:
>>  - Multiple LICENSE files lying around but nothing which seems accurate for 
>> the binary artifact being released -- this information should be 
>> self-contained in one file (commonly META-INF/{LICENSE,NOTICE}).
>>  - Not going to enumerate all of the issues, but I see there is at least one 
>> issue in HSQLDB as it's BSD license and not included in LICENSE. I'm 
>> guessing this is missing tons of necessary entries.
>>
>> For phoenix-tracing-webapp-4.8.0-HBase-1.2-runnable.jar:
>>  - Absolutely no mention of the bundled javascript libraries as outlined in 
>> the source-release.
>>  - (A hunch) missing a necessary entry for UnixCrypt per 
>> https://github.com/eclipse/jetty.project/blob/jetty-8.1.16.v20140903/NOTICE.txt.
>>  There's no git tag for the 8.1.7 version we use.
>>
>> For now, I'm going to omit going through the rest, but I have lots of fear 
>> over the other shaded jars being similarly inadequate.
>>
>> - Josh
>>
>> Ankit Singhal wrote:
>>> Hello Everyone,
>>>
>>> This is a call for a vote on Apache Phoenix 4.8.0-HBase-1.2 RC0. This is
>>> the next minor release of Phoenix 4, compatible with Apache HBase 1.2.
>>> The release includes both a source-only release and a convenience binary
>>> release.
>>>
>>> This release has feature parity with our other pending 4.8.0 releases and
>>> includes the following improvements:
>>> - Local Index improvements[1]
>>> - Phoenix hive integration[2]
>>> - Namespace mapping support[3]
>>> - Many VIEW enhancements[4]
>>> - Offset support for paging queries[5]
>>> - 100+ Bugs resolved[6]
>>> - Many performance enhancements(related to StatsCache, distinct, Serial
>>> query with Stats etc)
>>>
>>> The source tarball, including signatures, digests, etc can be found at:
>>> https://dist.apache.org/repos/dist/dev/phoenix/phoenix-4.8.0-HBase-1.2-rc0/src/
>>>
>>> The binary artifacts can be found at:
>>> https://dist.apache.org/repos/dist/dev/phoenix/phoenix-4.8.0-HBase-1.2-rc0/bin/
>>>
>>> For a complete list of changes, see:
>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12334393&projectId=12315120
>>>
>>> Release artifacts are signed with the following key:
>>> https://people.apache.org/keys/committer/ankit.asc
>>>
>>> KEYS file available here:
>>> https://dist.apache.org/repos/dist/dev/phoenix/KEYS
>>>
>>> The hash and tag to be voted upon:
>>> https://git-wip-us.apache.org/repos/asf?p=phoenix.git;a=commit;h=c90232fbfaaf8e847703a2be3f5d147b976e2138
>>> https://git-wip-us.apache.org/repos/asf?p=phoenix.git;a=tag;h=refs/tags/v4.8.0-HBase-1.2-rc0
>>>
>>> Vote will be open until at least, Mon, Jul 18th @ 5pm PST. Please vote:
>>>
>>> [ ] +1 approve
>>> [ ] +0 no opinion
>>> [ ] -1 disapprove (and reason why)
>>>
>>> Thanks,
>>> The Apache Phoenix Team
>>>
>>> [1] https://issues.apache.org/jira/browse/PHOENIX-1734
>>> [2] https://issues.apache.org/jira/browse/PHOENIX-2743
>>> [3] https://issues.apache.org/jira/browse/PHOENIX-1311
>>> [4] https://issues.apache.org/jira/browse/PHOENIX-1508
>>> [5] https://issues.apache.org/jira/browse/PHOENIX-2722
>>> [6] https://issues.apache.org/jira/browse/filter=12337975#
>>>



-- 
busbey
