Oh actually the commands above just shows the dep tree. For deps in python there's https://github.com/dhatim/python-license-check
On the JS side I did some work here to attempt building the LICENSE file dynamically as the dep tree evolves https://github.com/apache/incubator-superset/pull/5801 I thought validating the licenses of deps wasn't necessary for source releases though. We may want to start the conversation on convenience releases. To me having solid docker images (or just dockerfiles if images are troublesome) (that are lean and optimized to build fast) would be ideal, especially if they are used in CI. Max On Wed, May 22, 2019 at 1:52 PM Maxime Beauchemin < maximebeauche...@gmail.com> wrote: > Python: > pip install pipdeptree && pipdeptree > > NPM: > cd superset/assets && npm ls > > On Wed, May 22, 2019 at 11:09 AM Alan Gates <alanfga...@gmail.com> wrote: > >> Yes, I checked, it works now. I just haven't yet because I'm still >> looking >> at all the dependencies it pulls in. Maven makes this super easy to do, >> but I need to learn enough about python setuptools to figure out how to >> check the licenses on those modules. >> >> Alan. >> >> On Wed, May 22, 2019 at 10:56 AM Bolke de Bruin <bdbr...@gmail.com> >> wrote: >> >> > Is the signature now verifiable? Otherwise it won’t pass the IPMC ... >> > >> > Verstuurd vanaf mijn iPad >> > >> > > Op 22 mei 2019 om 19:26 heeft Maxime Beauchemin < >> > maximebeauche...@gmail.com> het volgende geschreven: >> > > >> > > Oops, changing thread title this time around >> > > >> > > Vote passes! >> > > >> > > +3 binding votes (Max, Jeff & Abhishek) >> > > +1 non-binding vote (Ville) >> > > >> > > No neutral or negative votes. >> > > >> > > On Tue, May 21, 2019 at 12:31 AM Jeff Feng >> <jeff.f...@airbnb.com.invalid >> > > >> > > wrote: >> > > >> > >> +1 binding >> > >> >> > >> On Mon, May 20, 2019 at 3:54 PM Maxime Beauchemin < >> > >> maximebeauche...@gmail.com> wrote: >> > >> >> > >>> @Alan, looks like I messed up the signature somehow. I got tangled >> into >> > >>> adding a new entry (moving from my gmail to my apache.org address), >> > >>> deleting the old one and my svn kungfu is beyond rusty... >> > >>> >> > >>> Oh I think I just forgot to run "svn commit" (maybe i ran "svn >> update" >> > >>> instead?), so you should just have to import that new KEYS file and >> it >> > >>> should work. >> > >>> >> > >>> Sorry about the confusion. All of this is pretty error-prone, >> > especially >> > >>> the [few] first time[s] around. >> > >>> >> > >>> Max >> > >>> >> > >>> On Mon, May 20, 2019 at 11:29 AM Abhishek Sharma < >> > >>> abhioncbr.apa...@gmail.com> >> > >>> wrote: >> > >>> >> > >>>> +1 binding. >> > >>>> >> > >>>> Newly built docker image >> > >>>> < >> > >>>> >> > >>> >> > >> >> > >> https://cloud.docker.com/u/abhioncbr/repository/docker/abhioncbr/docker-superset >> > >>>>> >> > >>>> working fine. >> > >>>> >> > >>>> Thanks >> > >>>> Abhishek >> > >>>> >> > >>>> On Mon, May 20, 2019 at 2:03 PM Alan Gates <alanfga...@gmail.com> >> > >> wrote: >> > >>>> >> > >>>>> Max, when I check the signature (gpg --verify ) it tells me: >> > >>>>> gpg: Signature made Sat May 18 15:36:55 2019 PDT >> > >>>>> gpg: using RSA key >> > >>>> 8CA186C4568E92301E5F2491A3B3BE2CCC1BB7E4 >> > >>>>> gpg: Can't check signature: No public key >> > >>>>> >> > >>>>> I imported the KEYS file referenced in your message, but it >> doesn't >> > >>>> appear >> > >>>>> to contain that key. I think you need to either generate a new >> > >>> signature >> > >>>>> with the key in the file and upload that .asc file to the dist >> site >> > >> (no >> > >>>>> need to rerole the release itself) or place the key you used into >> the >> > >>>> KEYS >> > >>>>> file. >> > >>>>> >> > >>>>> Alan. >> > >>>>> >> > >>>>> On Sat, May 18, 2019 at 4:01 PM Maxime Beauchemin < >> > >>>>> maximebeauche...@gmail.com> wrote: >> > >>>>> >> > >>>>>> Dear all, >> > >>>>>> >> > >>>>>> The source release 0.33.0 RC1 for Apache Superset is baked and >> > >>>> available >> > >>>>>> at: >> > >>>>>> https://dist.apache.org/repos/dist/dev/incubator/superset/, >> public >> > >>>>>> keys are available >> > >>>>>> at >> > >>> https://dist.apache.org/repos/dist/release/incubator/superset/KEYS >> > >>>>>> >> > >>>>>> We're now attempting to use 0.33 as the base for the first >> release >> > >> as >> > >>>>>> opposed to 0.32 in previous attempts. Many license-related issues >> > >> had >> > >>>>> been >> > >>>>>> solved by the process shipping visualizations as plugins, and >> that >> > >>>>>> migration wasn't completed on 0.32. This is the third ASF release >> > >>>>> candidate >> > >>>>>> of Superset *We're still ironing out our release process, so >> please >> > >>>> bear >> > >>>>>> with us and help if you can*. >> > >>>>>> >> > >>>>>> As I went along, I documented the process in [yet-to-be-merged] >> > >>>>>> RELEASING/README.md in the repo, latest edits here >> > >>>>>> https://github.com/apache/incubator-superset/pull/7539 . As part >> > >> of >> > >>>>>> `RELEASING/`, we ship docker files to help package and test >> > >> releases. >> > >>>>>> >> > >>>>>> For context the `0.33` release branch was cut at SHA 51068f007, >> > >> that >> > >>>> was >> > >>>>>> merged on master on Apr 17th. From that common ancestor, the >> > >>> following >> > >>>>> list >> > >>>>>> of commit was added as cherry-picks. The SHAs in the list bellow >> > >>>>> reference >> > >>>>>> the cherries on the release branch, PR number are available to >> get >> > >>> more >> > >>>>>> details. >> > >>>>>> >> > >>>>>> 7591a709 (tag: 0.33.0rc1, apache/release--0.33) 0.33.0rc1 >> > >>>>>> b7ffdb8b Improve instructions >> > >>>>>> 4bbd68c6 Change babytux to open image in birth dashboard >> > >>>>>> eaa679e8 remove unused LICENSE entries >> > >>>>>> 42d50f9d Add Roboto font to LICENSE, remove glyphicons files >> > >>>>>> 5ae2836b Address COPYRIGHT + LICENSE issues >> > >>>>>> ea807f20 [WiP] Improvements related to ASF release process >> > >>>>>> c57ef5dc 0.31.0rc1.dev1 >> > >>>>>> 51068f00 Adding permission for can_only_access_owned_queries >> > >> (#7234) >> > >>>>>> >> > >>>>> >> > >>>> >> > >>> >> > >> >> > >> >> > >> -- >> > >> >> > >> *Jeff Feng* >> > >> Product Lead >> > >> m: (949)-610-5108 >> > >> twitter: @jtfeng >> > >> >> > >> >
