On Sun, Sep 08, 2013 at 01:17:45PM -0700, Ted Dunning wrote:
> I have asked Grant and Isabel to take a peek and help us get a more
> complete view of what is needed as well. I may ask somebody else from the
> incubator crew to give us a hand, especially if Grant and Isabel are tied
> up.
From a first glance at the release (some points already mentioned by Ted and Grant):

As mentioned earlier there are many source files with missing license headers - RAT is a good way for finding those. You might want to check out the Maven Enforcer Plugin or checkstyle for missing license headers, during each build. In addition there's a maven plugin called maven-license-plugin that can automatically add a pre-defined header to all source files at build time (not too sure how well maintained that is right now though). There's some detailed explanation online which files require license headers: <http://www.apache.org/legal/src-headers.html> or the incubator version over at <http://incubator.apache.org/guides/releasemanagement.html#best-practice>

As for the licenses of software the project depends on: Over at Mahout we list which packages we depend on in the NOTICE file. This can be automated via the maven-remote-resources plugin. Note: This information is in the NOTICE file even for the source only release. Maven itself seems to be doing this a little differently, listing only brief summaries of the dependencies in the NOTICE file and a detailed list in a file named DEPENDENCIES.

It looks like the release naming is not quite right - it should contain "incubating" somewhere in the version. See "Naming" section of the incubator release management best practices. Also the release should contain the incubator disclaimer e.g. in the README, Release notes or similar - see "The incubator disclaimer" in the above release management best practices.

According to <https://www.apache.org/dev/release-signing> there's also a requirement for an MD5 checksum and a should for a SHA checksum. I'm not quite sure though how this plays together with releasing to the Apache nexus with Maven. You might want to dig deeper there: <http://www.apache.org/dev/publishing-maven-artifacts.html>

When verifying the signature for the source artifact I noticed that the names of the signature and the actual artifact do not quite match. Having them exactly the same except for the ".asc" suffix makes verification easier/automatic. The maven gpg plugin that is configured in the Apache parent pom should do this automatically though. How were the signatures generated?

One minor nitpick - you might want to make sure that over time the drill release managers get their gpg keys signed by other Apache people.

So overall -1 from my side.

Isabel
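A release-verification script covering the points raised in the mail (signature file named exactly "<artifact>.asc", MD5 and SHA checksums, the signature verifying), added here as an example and not taken from the thread or from the Drill project; the <artifact>.md5 / <artifact>.sha1 file layout and the "digest first, then file name" checksum format are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or the Drill project: the checks a release
# reviewer would script. Signature file must be exactly "<artifact>.asc"; published
# MD5 (required) and SHA-1 (should) checksums must match; the signature must verify.
# Assumed layout: <artifact>.md5 / <artifact>.sha1 hold the hex digest as first field.

# Hex digest of file $2 with algorithm $1 (md5 or sha1); uses coreutils "<algo>sum"
# when present, otherwise openssl.
digest() {
    if command -v "$1sum" >/dev/null 2>&1; then
        "$1sum" "$2" | cut -d' ' -f1
    else
        openssl dgst -"$1" "$2" | awk '{print $NF}'
    fi
}

# The naming point from the mail: "<artifact>.asc" lets tooling pair the files
# without guessing. Returns 0 on a match.
sig_name_matches() {
    [ "$2" = "$1.asc" ]
}

# Compare published checksum file $3 (algorithm $2) against artifact $1.
checksum_matches() {
    expected=$(cut -d' ' -f1 "$3" | tr 'A-F' 'a-f')
    actual=$(digest "$2" "$1")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Naming and checksum checks for artifact $1 with signature file $2.
# Non-zero on the first failure; a missing SHA file is only a warning.
verify_release_files() {
    artifact=$1 sig=$2
    sig_name_matches "$artifact" "$sig" || { echo "signature name mismatch: $sig" >&2; return 1; }
    [ -f "$sig" ] || { echo "missing signature $sig" >&2; return 1; }
    checksum_matches "$artifact" md5 "$artifact.md5" || { echo "MD5 mismatch" >&2; return 1; }
    if [ -f "$artifact.sha1" ]; then
        checksum_matches "$artifact" sha1 "$artifact.sha1" || { echo "SHA-1 mismatch" >&2; return 1; }
    else
        echo "warning: no SHA checksum published for $artifact" >&2
    fi
}
# Signature check proper: gpg needs the release manager's public key in the local
# keyring, ideally signed by other Apache people as the mail recommends.
verify_signature() {
    gpg --verify "$2" "$1"
}

# Usage: sh verify-release.sh <artifact> <signature-file>
[ $# -lt 2 ] || { verify_release_files "$1" "$2" && verify_signature "$1" "$2"; }
```

Run it from the directory holding the release candidate files; the checksum checks fail closed, so a missing or malformed .md5 file is reported as a mismatch rather than skipped.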
