Thanks for the updates, Arzhan. Sorry for the delay taking a look at this - have been focusing on some other stuff.
-----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Arzhan Kinzhalin Sent: Wednesday, May 20, 2015 9:21 AM To: [email protected] Subject: Re: [Vote] Ripple release 0.9.29 Just a brief update on the licensing issues detected. I've created two pull requests: 1. Clean up credits to packages that are not distributed: https://github.com/apache/incubator-ripple/pull/57 -- already merged by Tim. 2. There was an issue with OpenLayers license -- it did not correspond to the version we're currently using. I've changed it, added corresponding credits and updated the pointers to the repository/tag corresponding to OpenLayers v2.12 (the one we're currently using). https://github.com/apache/incubator-ripple/pull/58 -- this is pending review. Hope this helps. Thanks, Arzhan On Fri, May 15, 2015 at 2:22 AM, Tim Barham <[email protected]> wrote: > > Tim, would that be alright by you? > > Yep, go for it. I was planning on doing it this morning, but I'm > prepping for my trip to Redmond, so happy to let you take care of it. > ________________________________________ > From: [email protected] <[email protected]> on behalf of Arzhan > Kinzhalin <[email protected]> > Sent: Friday, May 15, 2015 11:47 AM > To: [email protected] > Subject: Re: [Vote] Ripple release 0.9.29 > > Well, I didn't mean to pull back the release, but it's better it > happens here than in a review. I can clean up the license file from > the credits to the bits that are not actually redistributed and roll it over > for review. > Tim, would that be alright by you? > > On Thu, May 14, 2015 at 1:46 PM, Ross Gardler (MS OPEN TECH) < > [email protected]> wrote: > > > Yes, incubator is very picky. Too damn picky in most cases (Arzhan, > > this comment is in no way targeted at you, your thorough review here > > is > entirely > > appropriate and very helpful). > > > > We need fully correct IP management in order to graduate and remove > > the incubator label. We do not need it to make an incubator release. > > An IPMC release just needs to be good enough. Having a couple of > > license notices that are not needed is hardly going to result in a > > significant legal > issue > > for anyone. > > > > At this point there is an unapproved release out there. We need to > > fix that. > > > > Tim has worked hard on this. He's been slapped back a number of > > times and each time he has taken the feedback and quietly done the work > > necessary. > As > > a mentor I want to get behind and support that excellent community > spirit. > > > > As long as the issues raised get fixed in version control then I'm > > happy to drive for this release as is (assuming nobody turns up a > > significant issue). > > > > Sent from Surface > > > > From: [email protected]<mailto:[email protected]> > > Sent: Thursday, May 14, 2015 3:28 AM > > To: [email protected]<mailto: > [email protected] > > > > > > > On Thu, May 14, 2015, at 03:12, Tim Barham wrote: > > > Thanks for taking a look Arzhan (or do I call you Kai? :) )... > > > > > > > > * I manually verified all third party licenses in node_modules. > > > > > > > > node_modules are not included in the bundle. > > > > > > Yeah, it is intentional they are not included (and my manual > verification > > > was just to confirm all dependencies were released under licenses > > > that are allowed as part of an Apache release). > > > > > > > LICENSE does not need to be include things like accounting and > > > > moment which are not actually bundled ... > > > > Dependencies which are not included in the distribution MUST NOT > > > > be > > added > > > > to LICENSE and NOTICE > > > > > > Hmmm, yeah, I knew we didn't *need* those entries, but didn't know > > > it > was > > > a MUST NOT scenario. This was a question I had asked previously > > > and didn't get a definitive answer to (and I hadn't picked up on > > > that particular bit of info on that page) :). > > > > > > Ross - do we have any flexibility on this as an incubator release, > > > or > do > > > we need to remove them? > > > > Usually Incubator folks are *very* picky. Background is, the project > > needs to learn to do releases the Apache way and so people will look > > very closely at these kind of formalities. My answer would be "no, > > you have even less flexibility because this is an incubator release". > > > > If possible, I would re-roll it. > > > > Usually people add something like -RC1 so we don't need to increase > > the version number for each of these fixes - but thats up to the team. > > > > Thanks! > > Christian > > > > > > > > > Thanks, > > > > > > Tim > > > > > > ________________________________________ > > > From: Arzhan Kinzhalin <[email protected]> on behalf of Arzhan > > > Kinzhalin <[email protected]> > > > Sent: Thursday, May 14, 2015 10:59 AM > > > To: [email protected] > > > Subject: Re: [Vote] Ripple release 0.9.29 > > > > > > For what it’s worth (no vote here), I did the following: > > > > > > > * I verified build works and tests all pass. > > > > > > Yes. > > > > > > > * I verified license headers with Apache RAT (via 'jake rat’). > > > > > > Yes. > > > > > > > * I manually verified all third party licenses in node_modules. > > > > > > > > > node_modules are not included in the bundle. > > > > > > If this is intentional, then LICENSE does not need to be include > > > things like accounting and moment which are not actually bundled, > > > but just listed as dependencies in package.son. From > > > http://www.apache.org/dev/licensing-howto.html#bundled-vs-non-bund > > > led > > > <http://www.apache.org/dev/licensing-howto.html#bundled-vs-non-bun > > > dled > > > > : > > > > > > Bundled vs. Non-bundled Dependencies > > > > > > LICENSE and NOTICE must always be tailored to the content of the > specific > > > distribution they reside within. Dependencies which are not > > > included in the distribution MUST NOT be added to LICENSE and > > > NOTICE. As far as LICENSE and NOTICE are concerned, only bundled bits > > > matter. > > > > > > If the bundle should include node_modules, then there are slightly > > > more dependencies which should be given credit to. > > > > > > I used this to find them (only production are installed using “npm > > > install --production”): > > > > > > --> find . -type d -name node_modules -exec ls -1 {} \; | sort | > > > --> uniq > -c > > > 1 accounting > > > 1 async > > > 1 buffer-crc32 > > > 1 bytes > > > 1 colors > > > 1 combined-stream > > > 1 commander > > > 1 connect > > > 1 connect-xcors > > > 1 cookie > > > 1 cookie-signature > > > 1 debug > > > 1 delayed-stream > > > 1 express > > > 1 form-data > > > 1 formidable > > > 1 fresh > > > 1 methods > > > 2 mime > > > 1 mkdirp > > > 1 moment > > > 1 ms > > > 1 open > > > 1 pause > > > 1 qs > > > 1 range-parser > > > 1 request > > > 1 send > > > > > > There 28 of them. Deep dependencies should be listed as well if > > > they > are > > > included in the distribution. From > > > http://www.apache.org/dev/licensing-howto.html#deps-of-deps > > > <http://www.apache.org/dev/licensing-howto.html#deps-of-deps> : > > > > > > Dependencies of Dependencies > > > > > > Dependencies of dependencies (including so-called "transitive > > > dependencies") are no different from first-order dependencies for > > > the purposes of assembling LICENSE and NOTICE: LICENSE and NOTICE > > > need only be modified to accommodate them if and only if their bits are > > > bundled. > > > > > > > > > Please let me know if I can help in any way to resolve this (if > > > this needs a resolution). > > > > > > -- > > > // kai > > > > > > > On May 13, 2015, at 18:52, Tim Barham <[email protected]> > > wrote: > > > > > > > > [Once more, with feeling :) ] > > > > ? > > > > Please review and vote on the release of Ripple 0.9.29. > > > > > > > > The package you are voting on is available for review at > > http://1drv.ms/1J7SY3v. It was published from its corresponding git tag: > > > > incubator-ripple: 0.9.29 (9737ec47f5) > > > > > > > > Since this will be an official Apache release of Ripple (another > > attempt at our first official release!), we must be particularly > > careful that it complies with all Apache guidelines for an incubator > > release. As such, before voting +1, please refer to and verify > > compliance with the checklist at > > http://incubator.apache.org/guides/releasemanagement.html#check-list. > > > > > > > > If anyone has concerns that we don't meet any of these > > > > requirements, > > please don't hesitate to raise them here so we can discuss and make > changes > > if necessary. > > > > > > > > If you do give a +1 vote, please include what steps you took in > > > > order > > to be confident in the release. > > > > > > > > Please also note from Ross's recent email: > > > > > > > >> What we need is three +1 "binding" votes, in reality that means > three > > IPMC > > > >> members. Once a project graduates it means three project > > > >> management > > committee > > > >> members. However, as a mentor (therefore having a binding vote) > > > >> I > > look to the > > > >> project participants to indicate their preference and (assuming > > > >> no > > blocking > > > >> issues on an IP check) I'll always vote in support of the > communities > > non- > > > >> binding votes. > > > > > > > > So please, even though your vote may not be binding, take some > > > > time > to > > review the release and vote! > > > > > > > > Upon a successful vote, we will arrange for the archive to be > uploaded > > to dist/incubator/ and publish it to NPM. > > > > > > > > I vote +1: > > > > * I verified build works and tests all pass. > > > > * I verified license headers with Apache RAT (via 'jake rat'). > > > > * I manually verified all third party licenses in node_modules. > > > > > > > > Thanks, > > > > > > > > Tim > > > > > >
