Hashes and Sigs looked good. There were no binaries. However, my build failed on Mongo Tests. Aaron, I know you were having some issues with this. How did you resolve it?
-----Original Message----- From: David Lotts [mailto:dlo...@gmail.com] Sent: Monday, September 12, 2016 1:12 PM To: dev@rya.incubator.apache.org Subject: Re: [VOTE] Release Rya (Incubating) version 3.2.10 -1 (non-binding) because RYA-169 Mongo direct example is broken. This is fixed in pull request #87 The example is important and should be working in the release IMHO. david. On Mon, Sep 12, 2016 at 12:04 PM, Aaron D. Mihalik <aaron.miha...@gmail.com> wrote: > Thanks Josh! This list is great. > > I'll add the RC-X to the "Vote" email for the next RC. I also updated > the release docs to include that note. > > I added these tasks to track: > > (Blocker) RYA-177 - Review License on Rya Dependencies > RYA-178 Review RAT Exclusions > RYA-179 - Review License / Copyright notices on Rya Artifacts > RYA-180 - Review Licensing of Shaded/War'd Rya Artifacts > RYA-182 - Review SCM Tag in Parent POM > > Is RYA-180 subsumed by RYA-177? If we verify that all of the Rya > Dependencies are not "Category X", are there additional concerns about > what we war/shade up? > > --Aaron > > On Mon, Sep 12, 2016 at 11:35 AM Josh Elser <els...@apache.org> wrote: > > > (thanks for the extension, I started looking at this and then forgot > > about it) > > > > -1 (binding) > > > > First off, please include some sort of "RC-X" identifier in the vote > > subject so that we can differentiate them in the archives. > > > > - The good > > > > * xsums+sigs match > > * Can build from source > > * Ran all unit tests (as invoked during `mvn package`) > > * Found no binary files > > > > - Things that must be fixed > > > > * > > https://urldefense.proofpoint.com/v2/url?u=https-3A__dist.apache.org > > _repos_dist_release_incubator_rya&d=CwIBaQ&c=Nwf-pp4xtYRe0sCRVM8_LWH > > 54joYF7EKmrYIdfxIq10&r=vuVdzYC2kksVZR5STiFwDpzJ7CrMHCgeo_4WXTD0qo8&m > > =WvEm7PukqYvhHT2u1O_8y5VbUPPX7Ue86qJEHI1_8tQ&s=F3WPgOX6zPtR2bvpRLans > > MRSIsYEct6fZGxgd_skh2Q&e= and > > https://urldefense.proofpoint.com/v2/url?u=https-3A__dist.apache.org > > _repos_dist_dev_incubator_rya&d=CwIBaQ&c=Nwf-pp4xtYRe0sCRVM8_LWH54jo > > YF7EKmrYIdfxIq10&r=vuVdzYC2kksVZR5STiFwDpzJ7CrMHCgeo_4WXTD0qo8&m=WvE > > m7PukqYvhHT2u1O_8y5VbUPPX7Ue86qJEHI1_8tQ&s=as_NA5OQgeiTjH3JrcmQNFOa- > > KmvrhG9jIefFwIktG4&e= don't exist. You must have the former created > > with a KEYS file that contains the GPG public keys for those > > creating Rya release notes. Typically, you should use > > dist.a.o/repos/dist/dev/incubator/rya to stage your release > > artifacts, although policy on whether using the staging repo alone > > is sufficient is not clear to me. (were it not for the licensing > > issues below, we could just fix this) > > * jgridshift:jgridshift appears to be LGPL licensed > > (https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_flo > > scher_jGridShift_blob_master_LICENSE&d=CwIBaQ&c=Nwf-pp4xtYRe0sCRVM8_ > > LWH54joYF7EKmrYIdfxIq10&r=vuVdzYC2kksVZR5STiFwDpzJ7CrMHCgeo_4WXTD0qo > > 8&m=WvEm7PukqYvhHT2u1O_8y5VbUPPX7Ue86qJEHI1_8tQ&s=C8fr3StPTh4auFWZk1DW-ME5lQwth3thFnyZJiogWj0&e= > > ). You may not use this software. It looks like it was not appropriately > > marked in its pom which is why the configuration from Rya's parent > > apache.pom did not catch it. This is brought in via > > org.geotools.xsd:gt-xsd-gml3. > > * colt > > (https://urldefense.proofpoint.com/v2/url?u=http-3A__dst.lbl.gov_ACS > > Software_colt_&d=CwIBaQ&c=Nwf-pp4xtYRe0sCRVM8_LWH54joYF7EKmrYIdfxIq1 > > 0&r=vuVdzYC2kksVZR5STiFwDpzJ7CrMHCgeo_4WXTD0qo8&m=WvEm7PukqYvhHT2u1O > > _8y5VbUPPX7Ue86qJEHI1_8tQ&s=pWVOQlS2iaxs9lhkvDYXRq9qKdjO7f-hfWpYwdJc > > imM&e= ) appears to be another brought in by > > com.tinkerpop.blueprints:blueprints-core > > * com.google.code.findbugs:jsr305 is another example of GPL licensing. > > While the artifact appears to have the ASL tagged on the pom, all > > Findbugs documentation states that the project is GPL. > > > > I would recommend to make a pass over your dependencies to verify > > that you aren't depending on any projects which are licensed with a > > license on this list: > > https://urldefense.proofpoint.com/v2/url?u=http-3A__www.apache.org_legal_resolved.html-23category-2Dx&d=CwIBaQ&c=Nwf-pp4xtYRe0sCRVM8_LWH54joYF7EKmrYIdfxIq10&r=vuVdzYC2kksVZR5STiFwDpzJ7CrMHCgeo_4WXTD0qo8&m=WvEm7PukqYvhHT2u1O_8y5VbUPPX7Ue86qJEHI1_8tQ&s=USJYWYBycEbL7kQNHm05tOaWE5yZAhqOp9vb3SiQiKY&e= > > . See > > https://urldefense.proofpoint.com/v2/url?u=http-3A__www.apache.org_licenses_GPL-2Dcompatibility.html&d=CwIBaQ&c=Nwf-pp4xtYRe0sCRVM8_LWH54joYF7EKmrYIdfxIq10&r=vuVdzYC2kksVZR5STiFwDpzJ7CrMHCgeo_4WXTD0qo8&m=WvEm7PukqYvhHT2u1O_8y5VbUPPX7Ue86qJEHI1_8tQ&s=rILTE-9eQtTB_V1pagZGMaOJTMovaWcqRFyfD6KVImg&e= > > for more details. > > The above three examples were found via a brief glance. > > > > - Things to fix later (later rc's or the next release) > > > > * Copyright year in NOTICE is wrong (2015 instead of 2016) > > * mvn apache-rat:check passes (after `rm DEPENDENCIES`) > > * A number of files which have 'Copyright (C) 2014 Rya' in the > > license header in extras/rya.merger that should not exist. Copyright > > statement should only appear in the NOTICE file (`fgrep -Ri 'copyright' > > rya-project-3.2.10 | fgrep -v 'The ASF licenses this file'`) > > * <tag>v3.2.10-RC1</tag> is incorrect in parent pom > > * I see a bunch of maven-shade-plugin uses and at least one warfile > > project: keep in mind that you should be ensuring that the generated > > artifacts by your official source-release should also be licensed > > per ASF policy. This isn't something you have to fix for this first > > release, but it would bar Rya from a +1 to graduate from me. > > * Saw some XML files in the build which were excluded from the > > apache-rat-plugin. I'd recommend minimizing the exclusions as much > > as possible. > > > > - Josh > > > > Aaron D. Mihalik wrote: > > > I am pleased to be calling this vote for the source release of > > > Apache > Rya > > > (Incubating), version 3.2.10. > > > > > > The source zip, including signatures, digests, etc. can be found at: > > > > > https://urldefense.proofpoint.com/v2/url?u=https-3A__repository.apac > > he.org_content_repositories_&d=CwIBaQ&c=Nwf-pp4xtYRe0sCRVM8_LWH54joY > > F7EKmrYIdfxIq10&r=vuVdzYC2kksVZR5STiFwDpzJ7CrMHCgeo_4WXTD0qo8&m=WvEm > > 7PukqYvhHT2u1O_8y5VbUPPX7Ue86qJEHI1_8tQ&s=7Q7vYS9YrHewxqvzuESL5YPeTM > > Kwa8tP8AQXfGnm_Iw&e= > orgapacherya-1001/org/apache/rya/rya-project/3.2.10/ > > > > > > The Git tag is v3.2.10 > > > The Git commit ID is 16196b4c658062545964602835cb5fbd2870e578 > > > > > https://urldefense.proofpoint.com/v2/url?u=https-3A__git-2Dwip-2Dus. > > apache.org_repos_asf-3Fp-3Dincubator-2Drya.git-3Ba-3Dcommit-3Bh-3D&d > > =CwIBaQ&c=Nwf-pp4xtYRe0sCRVM8_LWH54joYF7EKmrYIdfxIq10&r=vuVdzYC2kksV > > ZR5STiFwDpzJ7CrMHCgeo_4WXTD0qo8&m=WvEm7PukqYvhHT2u1O_8y5VbUPPX7Ue86q > > JEHI1_8tQ&s=dl6fdLrz98XTxF1tO8EZY2TCqhNewyzowzhQnKuOYLw&e= > 16196b4c658062545964602835cb5fbd2870e578 > > > > > > Checksums of rya-project-3.2.10-source-release.zip: > > > SHA1: dee4a5e4f8e74c4de614d02c7b17a5e0db132649 > > > MD5: df4a47ae1232725bc95450f5e49de95c > > > > > > Release artifacts are signed with the following key: > > > https://urldefense.proofpoint.com/v2/url?u=https-3A__people.apache > > > .org_keys_committer_mihalik.asc&d=CwIBaQ&c=Nwf-pp4xtYRe0sCRVM8_LWH > > > 54joYF7EKmrYIdfxIq10&r=vuVdzYC2kksVZR5STiFwDpzJ7CrMHCgeo_4WXTD0qo8 > > > &m=WvEm7PukqYvhHT2u1O_8y5VbUPPX7Ue86qJEHI1_8tQ&s=jt9eVUPTJdL9Eu-ma > > > zTjJHyIMwLC9ATSeotIIKJzUMY&e= > > > > > > Issues that were closed/resolved for this release are here: > > > > > https://urldefense.proofpoint.com/v2/url?u=https-3A__issues.apache.o > > rg_jira_secure_ReleaseNote.jspa-3F&d=CwIBaQ&c=Nwf-pp4xtYRe0sCRVM8_LW > > H54joYF7EKmrYIdfxIq10&r=vuVdzYC2kksVZR5STiFwDpzJ7CrMHCgeo_4WXTD0qo8& > > m=WvEm7PukqYvhHT2u1O_8y5VbUPPX7Ue86qJEHI1_8tQ&s=ZRA_JT8N_p7KD5KAXSsY > > xtx0OJOJI5fdIdM-UWFyeuw&e= > version=12334209&styleName=Html&projectId=12319020 > > > > > > The vote will be open for 72 hours. > > > Please download the release candidate and evaluate the necessary > > > items including checking hashes, signatures, build from source, and test. > Then > > > please vote: > > > > > > [ ] +1 Release this package as rya-project-3.2.10 [ ] +0 no > > > opinion [ ] -1 Do not release this package because because... > > > > > >