@Josh,

> Bad:
> * SHA1 xsum is wrong. It looks like complete nonsense to me, but I
> can't find the appropriate xsum in that file (which was
> 64208164580f3467cd2c8b51c0d9f8ac37f0c671)

In Phoenix, we don't use SHA1; the SHA files have only SHA-512 and
SHA-256 hashes, so you can use shasum to validate them.

Now we have three options to go forward with the 4.8 release (or whether to
include licenses and notices for the dependency used now or later):-

*Option 1:- Go with this RC0 for 4.8 release.*
       -- As the build is functionally good and stable.
       -- It has been delayed already and there are some projects which are
relying on this (as 4.8 works with HBase 1.2)
       -- We have been releasing like this for the past few releases.
       -- RC has the binding votes required for go-ahead.
       -- Fix license and notice issue in future releases.

*Option 2:- If necessary, quick fix only the major issues with licenses
for now and do RC1.*
       --  like removing tracing app from distribution
       --  Do the rat-check thoroughly, remove exclusions if there are any and
fix the reported issues.
       --  Use license headers for all files (including JS and properties)
       --  Suffix with artifact name with "*apache*"-(<project_name>-$version.tar.gz)
       --  etc.

*Option 3:- Wait to fix all the LICENSE and NOTICE issues*
         -- I ported the great work done by Sean (for HBase on HBASE-14085
<https://issues.apache.org/jira/browse/HBASE-14085>) into Phoenix. Need to
add more licenses (for direct and transitive dependencies) as supplement in
supplement-model.xml, but resolving all may take time, as experienced by
people who worked on it already
         -- Top to bottom analysis of licenses and notice for dependencies
with some review cycles.
         -- Delay release till ported automation discussed above is in
place.

Regards,
Ankit Singhal



I tried porting the great work done by Sean on HBASE-14085
<https://issues.apache.org/jira/browse/HBASE-14085> to fix LICENSE and
NOTICE issue in Phoenix but there are many dependencies (direct or
transitive) which require proper licensing details to be added


On Mon, Jul 18, 2016 at 8:31 PM, Josh Elser <josh.el...@gmail.com> wrote:

> Filed https://issues.apache.org/jira/browse/PHOENIX-3084 for the source
> release and https://issues.apache.org/jira/browse/PHOENIX-3091 for the
> binary release.
>
> I tried to give a general overview on what needs to happen in the parent
> issue. I am also happy to help fix this, explain in greater detail why
> it's presently wrong, and/or help others understand how to fix it
> themselves.
>
>
> Sean Busbey wrote:
>
>> Ooof. It's always rough when this stuff gets out of sync. FWIW, as a
>> non-binding community participant, I'd label this stuff a blocker on
>> further releases. It's too easy to let it slip and is one of the few
>> mandatory responsibilities we get from the board as a project.
>>
>> In my prior experience, the key to avoiding this being a months-long
>> release dry spell (as happened to HBase, Hadoop, and Avro) is managing
>> to parallelize the work of getting things resolved. It also helps to
>> get an idea of what the PMC considers must-do for compliance and what
>> they consider nice-to-have. For some that has been automation and
>> correct marking on an artifact-by-artifact basis (the strictest
>> interpretation of the ASF policy), for others it has been something
>> manual that's sufficient to meet the requirements of all upstream
>> licenses (the loosest interpretation of the ASF policy).
>>
>> Perhaps a [DISCUSS] thread in parallel to Josh filing JIRAs would be
>> helpful? Right now it looks like all but the Apache Phoenix
>> 4.8.0-HBase-1.1 RC have sufficient votes to pass, so the separate
>> thread might help get better PMC attention to the issue.
>>
>> On Sun, Jul 17, 2016 at 2:42 PM, Andrew Purtell
>> <andrew.purt...@gmail.com>  wrote:
>>
>>> A partial prescription:
>>>
>>> - Looks like no updates to LICENSE or NOTICE were done when the trace
>>> app GSoC project was merged, hence the issues with bootstrap and other
>>> bundled JavaScript. Time to do a top to bottom review?
>>>
>>> - Prune RAT exclusions to the minimum and fix reported issues.
>>>
>>> - Over on HBase we also faced a big divergence in what is included in
>>> source and binary convenience artifacts, due to the ton of extra deps that
>>> come with upstream binaries and runtime concerns like embedded UIs. We
>>> fixed this through maven based automated assembly of binary LICENSE and
>>> NOTICE files using templates and velocity macros. Sean Busbey did the
>>> lion's share of the work. Refer to
>>> https://issues.apache.org/jira/browse/HBASE-14085 . It was a
>>> significant effort.
>>>
>>>
>>>
>>> On Jul 17, 2016, at 10:53 AM, Josh Elser<els...@apache.org>  wrote:
>>>>
>>>> -1 (non-binding) from me with my Phoenix hat on (avoiding putting on
>>>> the ASF member hat for now). Lots of wrong licensing stuff in here --
>>>> as-in, this should very definitely not go out as a release. I hope the
>>>> Phoenix PMC steps up to -1 this release on their own.
>>>>
>>>> *** Source release:
>>>>
>>>> Good:
>>>> * MD5 and GPG sig are fine
>>>> * KEYS is good
>>>> * Did not find any binary files
>>>> * Was able to build the source code
>>>>
>>>> Bad:
>>>> * SHA1 xsum is wrong. It looks like complete nonsense to me, but I
>>>> can't find the appropriate xsum in that file (which was
>>>> 64208164580f3467cd2c8b51c0d9f8ac37f0c671)
>>>> * Lots of "Copyright ASF" in Java source files which should not be
>>>> there.
>>>> * No license headers on any Apache Phoenix JS files. Looks like these
>>>> are completely ignored by the apache-rat check which is very bad.
>>>>   - All properties files are ignored. They can and should have license
>>>> headers (./phoenix-pherf/src/test/resources/pherf.test.properties is
>>>> missing headers now, and is just garbled)
>>>> * Would be good to have the artifact name be
>>>> "apache-phoenix-$version.tar.gz" as that's the project's proper name.
>>>>
>>>> * NOTICE problems
>>>>   - No Apache Phoenix copyright (should be 20XX-2016)
>>>>   - Source release does not include HBase, Hadoop, or Commons, does it?
>>>> Do we have copied code from these projects in Phoenix source?
>>>>   - JUnit, SLF4j, JLine, and Antlr are not included in the source
>>>> release, they do not belong here.
>>>>   - Sqlline entry has the wrong website and doesn't belong in NOTICE
>>>> (should go in LICENSE)
>>>>
>>>> * LICENSE problems
>>>>   - ENTIRELY NO MENTION of tons of libraries:
>>>>      + Bootstrap (Twitter with MIT license)
>>>>      + JQuery (JQuery Foundation with MIT license)
>>>>      + AngularJS and Angular-Mocks 1.3.15 (Google, inc. with  MIT
>>>> license)
>>>>      + Angular-Routes 1.3.8 (Google, inc with MIT license)
>>>>      + Google Chart Api Directive Module for AngularJS (Nicolas
>>>> Bouillon with MIT)
>>>>      + angular-ui-bootstrap (http://angular-ui.github.io/bootstrap/
>>>> with MIT)
>>>>      + Sqlline (Marc Prud'hommeaux with BSD)
>>>>      + Glyphicons (http://glyphicons.com with CC-By 3.0)
>>>>      + Fontawesome fonts (http://fontawesome.io with SIL Open Font
>>>> license -- which falls into category-b for the ASF for those playing along)
>>>>
>>>>
>>>> *** Binary release:
>>>>
>>>> Good:
>>>> * MD5 and GPG sig are fine
>>>>
>>>> Other:
>>>> * I'm not sure how to handle the L&N for the tarball itself (since they
>>>> just contain JARs which are in themselves a "binary release"). e.g. should
>>>> the top-level L&N files contain the aggregate L&N for all JARs in the
>>>> binary tarball?
>>>>
>>>> Bad:
>>>> * SHA1 is again garbled (I computed
>>>> 817b68246f8d9c9fc5317660ad1021752996d1f1)
>>>>
>>>> NOTICE problems (tarball):
>>>>   - Wrong Apache Phoenix copyright (2014, not 20XX-2016)
>>>>   - Completely different sqlline copyright/license notice than in
>>>> source release! Which one is correct?? Also, license information belongs in
>>>> LICENSE, not in NOTICE.
>>>>   - I would strongly bet that Apache Hadoop and HBase both have
>>>> information in their NOTICE files which requires propagation (e.g. things
>>>> other than "Copyright ASF" which is not required).
>>>>
>>>> LICENSE problems (tarball):
>>>>   - See all of the same issues from the LICENSE problems in the
>>>> source-release.
>>>>
>>>> For phoenix-client.jar:
>>>>   - Multiple LICENSE files lying around but nothing which seems
>>>> accurate for the binary artifact being released -- this information should
>>>> be self-contained in one file (commonly META-INF/{LICENSE,NOTICE}).
>>>>   - Not going to enumerate all of the issues, but I see there is at
>>>> least one issue in HSQLDB as it's BSD license and not included in LICENSE.
>>>> I'm guessing this is missing tons of necessary entries.
>>>>
>>>> For phoenix-tracing-webapp-4.8.0-HBase-1.2-runnable.jar:
>>>>   - Absolutely no mention of the bundled javascript libraries as
>>>> outlined in the source-release.
>>>>   - (A hunch) missing a necessary entry for UnixCrypt per
>>>> https://github.com/eclipse/jetty.project/blob/jetty-8.1.16.v20140903/NOTICE.txt.
>>>> There's no git tag for the 8.1.7 version we use.
>>>>
>>>> For now, I'm going to omit going through the rest, but I have lots of
>>>> fear over the other shaded jars being similarly inadequate.
>>>>
>>>> - Josh
>>>>
>>>> Ankit Singhal wrote:
>>>>
>>>>> Hello Everyone,
>>>>>
>>>>> This is a call for a vote on Apache Phoenix 4.8.0-HBase-1.2 RC0. This is
>>>>> the next minor release of Phoenix 4, compatible with Apache HBase 1.2.
>>>>> The release includes both a source-only release and a convenience binary
>>>>> release.
>>>>>
>>>>> This release has feature parity with our other pending 4.8.0 releases and
>>>>> includes the following improvements:
>>>>> - Local Index improvements[1]
>>>>> - Phoenix hive integration[2]
>>>>> - Namespace mapping support[3]
>>>>> - Many VIEW enhancements[4]
>>>>> - Offset support for paging queries[5]
>>>>> - 100+ Bugs resolved[6]
>>>>> - Many performance enhancements(related to StatsCache, distinct, Serial
>>>>> query with Stats etc)
>>>>>
>>>>> The source tarball, including signatures, digests, etc can be found at:
>>>>>
>>>>> https://dist.apache.org/repos/dist/dev/phoenix/phoenix-4.8.0-HBase-1.2-rc0/src/
>>>>>
>>>>> The binary artifacts can be found at:
>>>>>
>>>>> https://dist.apache.org/repos/dist/dev/phoenix/phoenix-4.8.0-HBase-1.2-rc0/bin/
>>>>>
>>>>> For a complete list of changes, see:
>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12334393&projectId=12315120
>>>>>
>>>>> Release artifacts are signed with the following key:
>>>>> https://people.apache.org/keys/committer/ankit.asc
>>>>>
>>>>> KEYS file available here:
>>>>> https://dist.apache.org/repos/dist/dev/phoenix/KEYS
>>>>>
>>>>> The hash and tag to be voted upon:
>>>>> https://git-wip-us.apache.org/repos/asf?p=phoenix.git;a=commit;h=c90232fbfaaf8e847703a2be3f5d147b976e2138
>>>>>
>>>>> https://git-wip-us.apache.org/repos/asf?p=phoenix.git;a=tag;h=refs/tags/v4.8.0-HBase-1.2-rc0
>>>>>
>>>>> Vote will be open until at least, Mon, Jul 18th @ 5pm PST. Please vote:
>>>>>
>>>>> [ ] +1 approve
>>>>> [ ] +0 no opinion
>>>>> [ ] -1 disapprove (and reason why)
>>>>>
>>>>> Thanks,
>>>>> The Apache Phoenix Team
>>>>>
>>>>> [1] https://issues.apache.org/jira/browse/PHOENIX-1734
>>>>> [2] https://issues.apache.org/jira/browse/PHOENIX-2743
>>>>> [3] https://issues.apache.org/jira/browse/PHOENIX-1311
>>>>> [4] https://issues.apache.org/jira/browse/PHOENIX-1508
>>>>> [5] https://issues.apache.org/jira/browse/PHOENIX-2722
>>>>> [6] https://issues.apache.org/jira/browse/filter=12337975#
>>>>>
>>>>>
>>
>>
>>
