> click                   BSD-3
> jsonschema              MIT
> python-dateutil         Dual License (Apache 2)
> python-dotenv           Bsd 3
> python-geohash          Apache 2 
> python3-openid          Apache 2


Sent from my iPad

> On 23 May 2019 at 00:03, Alan Gates <alanfga...@gmail.com> wrote:
> 
> +1 with caveats, see below.  I looked at the LICENSE, NOTICE, and
> DISCLAIMER files, checked for any binary files (executables, there's plenty
> of image files in the distribution), and looked over the licenses of the
> dependencies.
> 
> More information on the dependencies:
> I found https://pypi.org/project/pip-licenses/ which explains how to check
> licenses, very useful.
> 
> The licenses of modules that will be pulled in when a system is compiled or
> run matter, as the system won't run without them.  So it isn't ok to have a
> GPL licensed library that's necessarily pulled in at compile/runtime, as to
> run the product you'll still be pulling in the GPL which will basically
> turn the whole thing GPL.  (Optional or contrib components are different,
> as users can choose not to run with them if they aren't ok with the license
> of the optional component.)
> 
> Running the above on the modules in setup.py, I see that the vast majority
> are BSD, MIT, Apache, or PSFL, all of which are fine.  The ones that aren't
> in that category are:
> certifi                 MPL-2.0: This is ok, as it's binary
> chardet                 LGPL     Not Ok
> click                   UNKNOWN
> jsonschema              UNKNOWN
> python-dateutil         Dual License
> python-dotenv           UNKNOWN
> python-geohash          UNKNOWN
> python3-openid          UNKNOWN
> 
> The MPL one is fine since it's included in binary form.  The unknown and
> dual license need some digging to determine what they are.  chardet, the
> LGPL one, is not ok.
> 
> Since this is an incubating release I am still voting +1, with the caveat
> that the unknown licenses need to be figured out before the next release,
> and the LGPL dependency will have to be removed.  Right now I think getting
> a release out is more important than fixing these issues.
> 
> Alan.
> 
> On Wed, May 22, 2019 at 2:01 PM Maxime Beauchemin <
> maximebeauche...@gmail.com> wrote:
> 
>> Oh actually the commands above just show the dep tree.
>> 
>> For deps in python there's
>> https://github.com/dhatim/python-license-check
>> 
>> On the JS side I did some work here to attempt building the LICENSE file
>> dynamically as the dep tree evolves
>> https://github.com/apache/incubator-superset/pull/5801
>> 
>> I thought validating the licenses of deps wasn't necessary for source
>> releases though. We may want to start the conversation on convenience
>> releases. To me having solid docker images (or just dockerfiles if images
>> are troublesome) (that are lean and optimized to build fast) would be
>> ideal, especially if they are used in CI.
>> 
>> Max
>> 
>> On Wed, May 22, 2019 at 1:52 PM Maxime Beauchemin <
>> maximebeauche...@gmail.com> wrote:
>> 
>>> Python:
>>> pip install pipdeptree && pipdeptree
>>> 
>>> NPM:
>>> cd superset/assets && npm ls
>>> 
>>> On Wed, May 22, 2019 at 11:09 AM Alan Gates <alanfga...@gmail.com> wrote:
>>> 
>>>> Yes, I checked, it works now.  I just haven't yet because I'm still looking
>>>> at all the dependencies it pulls in.  Maven makes this super easy to do,
>>>> but I need to learn enough about python setuptools to figure out how to
>>>> check the licenses on those modules.
>>>> 
>>>> Alan.
>>>> 
>>>> On Wed, May 22, 2019 at 10:56 AM Bolke de Bruin <bdbr...@gmail.com>
>>>> wrote:
>>>> 
>>>>> Is the signature now verifiable? Otherwise it won’t pass the IPMC ...
>>>>> 
>>>>> Sent from my iPad
>>>>> 
>>>>>> On 22 May 2019 at 19:26, Maxime Beauchemin <maximebeauche...@gmail.com> wrote:
>>>>>> 
>>>>>> Oops, changing thread title this time around
>>>>>> 
>>>>>> Vote passes!
>>>>>> 
>>>>>> +3 binding votes (Max, Jeff & Abhishek)
>>>>>> +1 non-binding vote (Ville)
>>>>>> 
>>>>>> No neutral or negative votes.
>>>>>> 
>>>>>> On Tue, May 21, 2019 at 12:31 AM Jeff Feng <jeff.f...@airbnb.com.invalid> wrote:
>>>>>> 
>>>>>>> +1 binding
>>>>>>> 
>>>>>>> On Mon, May 20, 2019 at 3:54 PM Maxime Beauchemin <
>>>>>>> maximebeauche...@gmail.com> wrote:
>>>>>>> 
>>>>>>>> @Alan, looks like I messed up the signature somehow. I got tangled into
>>>>>>>> adding a new entry (moving from my gmail to my apache.org address),
>>>>>>>> deleting the old one and my svn kungfu is beyond rusty...
>>>>>>>> 
>>>>>>>> Oh I think I just forgot to run "svn commit" (maybe I ran "svn update"
>>>>>>>> instead?), so you should just have to import that new KEYS file and it
>>>>>>>> should work.
>>>>>>>> 
>>>>>>>> Sorry about the confusion. All of this is pretty error-prone, especially
>>>>>>>> the [few] first time[s] around.
>>>>>>>> 
>>>>>>>> Max
>>>>>>>> 
>>>>>>>> On Mon, May 20, 2019 at 11:29 AM Abhishek Sharma <
>>>>>>>> abhioncbr.apa...@gmail.com>
>>>>>>>> wrote:
>>>>>>>> 
>>>>>>>>> +1 binding.
>>>>>>>>> 
>>>>>>>>> Newly built docker image
>>>>>>>>> <https://cloud.docker.com/u/abhioncbr/repository/docker/abhioncbr/docker-superset>
>>>>>>>>> working fine.
>>>>>>>>> 
>>>>>>>>> Thanks
>>>>>>>>> Abhishek
>>>>>>>>> 
>>>>>>>>> On Mon, May 20, 2019 at 2:03 PM Alan Gates <alanfga...@gmail.com> wrote:
>>>>>>>>> 
>>>>>>>>>> Max, when I check the signature (gpg --verify ) it tells me:
>>>>>>>>>> gpg: Signature made Sat May 18 15:36:55 2019 PDT
>>>>>>>>>> gpg:                using RSA key 8CA186C4568E92301E5F2491A3B3BE2CCC1BB7E4
>>>>>>>>>> gpg: Can't check signature: No public key
>>>>>>>>>> 
>>>>>>>>>> I imported the KEYS file referenced in your message, but it doesn't appear
>>>>>>>>>> to contain that key.  I think you need to either generate a new signature
>>>>>>>>>> with the key in the file and upload that .asc file to the dist site (no
>>>>>>>>>> need to reroll the release itself) or place the key you used into the KEYS
>>>>>>>>>> file.
>>>>>>>>>> 
>>>>>>>>>> Alan.
>>>>>>>>>> 
>>>>>>>>>> On Sat, May 18, 2019 at 4:01 PM Maxime Beauchemin <
>>>>>>>>>> maximebeauche...@gmail.com> wrote:
>>>>>>>>>> 
>>>>>>>>>>> Dear all,
>>>>>>>>>>> 
>>>>>>>>>>> The source release 0.33.0 RC1 for Apache Superset is baked and available
>>>>>>>>>>> at:
>>>>>>>>>>> https://dist.apache.org/repos/dist/dev/incubator/superset/, public
>>>>>>>>>>> keys are available at
>>>>>>>>>>> https://dist.apache.org/repos/dist/release/incubator/superset/KEYS
>>>>>>>>>>> 
>>>>>>>>>>> We're now attempting to use 0.33 as the base for the first release as
>>>>>>>>>>> opposed to 0.32 in previous attempts. Many license-related issues had been
>>>>>>>>>>> solved by the process shipping visualizations as plugins, and that
>>>>>>>>>>> migration wasn't completed on 0.32. This is the third ASF release candidate
>>>>>>>>>>> of Superset. *We're still ironing out our release process, so please bear
>>>>>>>>>>> with us and help if you can*.
>>>>>>>>>>> 
>>>>>>>>>>> As I went along, I documented the process in [yet-to-be-merged]
>>>>>>>>>>> RELEASING/README.md in the repo, latest edits here
>>>>>>>>>>> https://github.com/apache/incubator-superset/pull/7539 . As part of
>>>>>>>>>>> `RELEASING/`, we ship docker files to help package and test releases.
>>>>>>>>>>> 
>>>>>>>>>>> For context the `0.33` release branch was cut at SHA 51068f007, that was
>>>>>>>>>>> merged on master on Apr 17th. From that common ancestor, the following list
>>>>>>>>>>> of commits was added as cherry-picks. The SHAs in the list below reference
>>>>>>>>>>> the cherries on the release branch, PR numbers are available to get more
>>>>>>>>>>> details.
>>>>>>>>>>> 
>>>>>>>>>>> 7591a709 (tag: 0.33.0rc1, apache/release--0.33) 0.33.0rc1
>>>>>>>>>>> b7ffdb8b Improve instructions
>>>>>>>>>>> 4bbd68c6 Change babytux to open image in birth dashboard
>>>>>>>>>>> eaa679e8 remove unused LICENSE entries
>>>>>>>>>>> 42d50f9d Add Roboto font to LICENSE, remove glyphicons files
>>>>>>>>>>> 5ae2836b Address COPYRIGHT + LICENSE issues
>>>>>>>>>>> ea807f20 [WiP] Improvements related to ASF release process
>>>>>>>>>>> c57ef5dc 0.31.0rc1.dev1
>>>>>>>>>>> 51068f00 Adding permission for can_only_access_owned_queries (#7234)
>>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>> 
>>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> --
>>>>>>> 
>>>>>>> *Jeff Feng*
>>>>>>> Product Lead
>>>>>>> m: (949)-610-5108
>>>>>>> twitter: @jtfeng
>>>>>>> 
>>>>> 
>>>> 
>>> 
>> 
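
The dependency license review described in this thread, written as a repeatable check. This is an added example, not part of the original messages or of Superset's tooling: the names `RULES`, `classify`, `parse_report`, `audit` and `needs_action` are hypothetical, the prefix matching is a simplification, and the sample rows are constructed from the two package lists in the thread.

```python
import re

# Policy groups follow the review quoted above; verdict names are this example's own.
# Checked in order, so a copyleft mention always wins over a permissive one.
RULES = [("forbidden", ("gpl", "lgpl", "agpl")),   # not ok as a required dependency
         ("ok-binary", ("mpl",)),                  # ok when included in binary form
         ("ok", ("bsd", "mit", "apache", "psf"))]

# Constructed sample input: the tool's first-pass list and the manual follow-up.
TOOL_REPORT = """certifi                 MPL-2.0
chardet                 LGPL
click                   UNKNOWN
jsonschema              UNKNOWN
python-dateutil         Dual License
python-dotenv           UNKNOWN
python-geohash          UNKNOWN
python3-openid          UNKNOWN"""
MANUAL_FINDINGS = """click                   BSD-3
jsonschema              MIT
python-dateutil         Dual License (Apache 2)
python-dotenv           Bsd 3
python-geohash          Apache 2
python3-openid          Apache 2"""

def classify(license_text):
    """Map a license string to 'ok', 'ok-binary', 'forbidden' or 'review'."""
    words = re.findall(r"[a-z]+", license_text.lower())
    for verdict, prefixes in RULES:
        if any(w.startswith(prefixes) for w in words):
            return verdict
    return "review"  # UNKNOWN, bare "Dual License", empty or unrecognised

def parse_report(text):
    """Parse 'name<2+ spaces>license' rows into {name: license}."""
    rows = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        name, _, lic = re.sub(r"\s{2,}", "\t", line, count=1).partition("\t")
        rows[name.lower()] = lic
    return rows

def audit(report, manual=""):
    """Classify each package; manually researched licenses override the tool's."""
    licenses = {**parse_report(report), **parse_report(manual)}
    return {name: classify(lic) for name, lic in sorted(licenses.items())}

def needs_action(verdicts):
    """Packages to resolve before the next release: forbidden or unidentified."""
    return [n for n, v in verdicts.items() if v in ("forbidden", "review")]
```

Run in CI against fresh tool output, a non-empty `needs_action` result fails the build until each entry is either replaced or recorded in the manual findings.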
