Hi Justin!

sorry for a belated reply -- I was on a glorious 2.5 vacation with a total
disconnect from my email/etc (I have to admit I did Tweet a bit, but only
when it came to non-software related things like politics or beer). And
speaking of beer -- we really owe you a big one. I hope you're coming to
ApacheCON EU!

Now, I see that HAWQ community captured the majority of your feedback with
some pretty good JIRAs (which are currently blockers for the 2.0.0.0
release). What I wanted to do, though, is to provide some additional context
so that two of us (and the rest of the IPMC) can be on the same page wrt.
where HAWQ is coming from.

What makes HAWQ code base unique among Incubating projects is that it
contains a lot of source code (lifted verbatim) from PostgreSQL and
Greenplum Database (the former licensed under the BSD-derived license and
the latter under the ALv2). Not a problem in principle, but a source of
great many questions for which there's not a huge amount of prior art in the
incubator. By the way, as an aside, I must say that given your analysis even
the inclusion of an ASF project source code (thrift) proved to be
problematic, let alone inclusion of non-ASF code.

This is why we're relying a great deal on RAT's exclusion file to mark the
files that came from PG even though their license headers could look weird
enough. E.g. your [22] example
    https://github.com/apache/incubator-hawq/blob/2.0.0.0-incubating/src/backend/port/qnx4/shm.c
It is true that the license header doesn't really tell you what the license
is, but since it came from the PG 8.1.0 release:
    https://github.com/postgres/postgres/blob/REL8_1_0/src/backend/port/qnx4/shm.c
we are trusting the upstream that it is available under the BSD-derived PG
license.

We're currently maintaining the exclusion list via the pom.xml:
    https://github.com/apache/incubator-hawq/blob/2.0.0.0-incubating/pom.xml#L82
and thus we ask folks to run rat as:
    $ mvn verify

Now, if you think we should have a more precise exclusion list (e.g. get rid
of globbing and list individual files) I'd be comfortable with that
(although it will make the pom.xml quite large) but if you're saying that we
need to slap an ALv2 license header on something like shm.c -- I don't feel
comfortable doing that. I remember a few discussions in the past where this
was a recommended position on foreign code coming into ASF. A recent example
of Kudu also confirms that. E.g. content of:
    https://github.com/apache/kudu/tree/master/src/kudu/gutil

So I think that the path forward here is to clarify licensing (especially
things like 4 clause BSD license) but still not touch the original files.
Would you agree?

Thanks,
Roman.


On Tue, Jul 26, 2016 at 8:03 PM, Justin Mclean <jus...@classsoftware.com> wrote:
> Hi,
>
> -1 (binding) binary in source release, LICENSE and NOTICE issues, ASF header
> added to files not under Apache 2.0 license, possible inclusion of GPL
> licensed software and possible Category X software included in release (BSD
> with ad clause).
>
> This is not a simple release to check and I may have missed a few things due
> to the large amount of noise.
>
> I checked:
> - release contains incubating
> - signatures and hashes good
> - I’m not sure what the intent of COPYRIGHT is. I also don't think as it has
> been suggested that this should be merged with NOTICE, NOTICE does not
> list all copyrights just those that have been relocated from source files. [1]
> - NOTICE incorrectly contains a long list of copyright statements. I would
> expect to see one or perhaps two here i.e. the original authors who donated
> the software and whose copyright statements were removed from the original
> files.
> - LICENSE is missing a large number of things (see below)
> - Please use the short form of the license linking to a license files in 
> LICENSE
> - Looks like there is an unexpected binary in the release [2] May be others
> given rat reports 770+ binary files
> - Impossible to say if files have correct ASF headers or not, given the large
> number of files with ASF headers (5000 odd files)
> - Failed to compile from source but likely my setup
>
> License is missing (in some cases note the different copyright owners)
> - BSD licensed code [3]
> - BSD license code [7]
> - license for this file [9]
> - license for this file [10] Are we OK this was taken from GNU C?
> - MIT license PSI [11]
> - BSD licensed code [12]
> - BSD licensed code [13] Is this regarded as cryptography code? [14]
> - BSD licensed code [15][16]
> - license for this file [17]
> - license of these files [18][19]
> - license of this file [20]
> - regex license [21]
> - How are these files licensed? [22] + others copyright AEG Automation GmbH
> - How is this file licensed? [23]
> - BSD licensed libpq [24]. Is this considered crypto code and may need an
> export license?
> - pgdump [25]
> - license for this file [26]
> - license for this file [27] Looks like an ASF header may have been
> incorrectly added to this.
> - This BSD licensed file [36]
> - license for these files [37][38] and others in [39]
> - This BSD licensed file [40]
> - This BSD licensed file [41]
> - BSD licensed pychecker [42]
> - licenses for all of these files [43]
> - BSD license pg800 [44]
> - how is this file licensed? [45]
> - license for this file [47]
> - Python license for this file [48]. Is this an Apache comparable license?
> - How are these files licensed? [49] Note multiple copyright owners and 
> missing headers.
> - BSD licensed fig leaf. [50] Note that files incorrectly have had ASF headers
> applied.
> - This BSD licensed file [51]
> - This public domain style sheet [52]
> - This file [53]
> - License for unit test2 [54]
> - MIT licensed lock file [55]
> - JSON code here [56]
> - License for this file [57]
>
> And I may have missed some, as I wasn't doing a full review - that would
> likely take many many hours.
>
> Looks like GPL/LGPL licensed code may be included [4][5][6] in the release.
>
> This file [8] and others(?) may incorrectly have an ASF header on it. Also
> why does this file have an ASF header with copyright line? [46]
>
> Code includes code licensed under the 4 clause BSD license which is not
> compatible with the Apache 2.0 license. [28][29][30][31][32][33] It may be
> that this clause has been rescinded [35] and it is OK to include but that
> needs to be checked.
>
> I’d suggest that build instructions are included in the release rather than
> a link to them. If the instructions at the URL change in the future how do I
> know how to build this release?
>
> Also someone owes me a beer!
>
> Thanks,
> Justin
>
> 1. http://www.apache.org/legal/src-headers.html#headers
> 2. depends/thirdparty/thrift/lib/erl/rebar
> 3. ./tools/bin/pythonSrc/unittest2-0.5.1/setup.py
> 4. ./depends/thirdparty/thrift/debian/copyright (end of file)
> 5. ./depends/thirdparty/thrift/doc/licenses/lgpl-2.1.txt
> 6. ./tools/bin/gppylib/operations/test/test_package.py
> 7. ./depends/thirdparty/thrift/compiler/cpp/src/md5.?
> 8. ./tools/sbin/hawqstandbywatch.py
> 9. ./src/backend/port/dynloader/ultrix4.h
> 10. ./src/port/inet_aton.c
> 11. ./tools/bin/pythonSrc/PSI-0.3b2_gp/
> 12. ./src/port/snprintf.c
> 13. ./src/port/crypt.c
> 14. http://www.apache.org/dev/crypto.html
> 15. ./src/port/memcmp.c
> 16. ./src/backend/utils/mb/wstrcmp.c
> 17. ./src/port/rand.c
> 18. ./src/backend/utils/adt/inet_net_ntop.c
> 19. ./src/backend/utils/adt/inet_net_pton.c
> 20. ./src/port/strlcpy.c
> 21. ./src/backend/regex/COPYRIGHT
> 22. ./src/backend/port/qnx4/shm.c
> 23. ./src/backend/port/beos/shm.c
> 24. ./src/backend/libpq/sha2.?
> 25. ./src/bin/pg_dump/
> 26. ./src/port/gettimeofday.c
> 27. ./depends/thirdparty/thrift/lib/cpp/src/thrift/windows/SocketPair.cpp
> 28. ./src/backend/port/dynloader/freebsd.c
> 29. ./src/backend/port/dynloader/netbsd.c
> 30. ./src/backend/port/dynloader/openbsd.c
> 31. ./src/bin/gpfdist/src/gpfdist/glob.c
> 32. ./src/bin/gpfdist/src/gpfdist/include/glob.h
> 33. ./src/include/port/win32_msvc/glob.h
> 34. ./src/port/glob.c
> 35. ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
> 36. ./src/bin/pg_controldata/pg_controldata.c
> 37. ./depends/thirdparty/thrift/aclocal/ax_cxx_compile_stdcxx_11.m4
> 38. ./depends/thirdparty/thrift/aclocal/ax_boost_base.m4
> 39. ./depends/thirdparty/thrift/aclocal
> 40. ./depends/thirdparty/thrift/build/cmake/FindGLIB.cmake
> 41. ./tools/bin/pythonSrc/unittest2-0.5.1/setup.py
> 42. ./tools/bin/pythonSrc/pychecker-0.8.18/
> 43. ./src/interfaces/libpq/po/*.po
> 44. ./tools/bin/ext/pg8000/*
> 45. ./src/backend/utils/mb/Unicode/UCS_to_GB18030.pl
> 46. ./contrib/hawq-hadoop/hawq-mapreduce-tool/src/test/resources/log4j.properties
> 47. ./tools/bin/pythonSrc/lockfile-0.9.1/lockfile/pidlockfile.py
> 48. ./tools/bin/pythonSrc/pychecker-0.8.18/pychecker2/symbols.py
> 49. ./src/backend/utils/mb/Unicode/*
> 50. ./tools/bin/ext/figleaf/*
> 51. ./depends/thirdparty/thrift/lib/py/compat/win32/stdint.h
> 52. ./tools/bin/pythonSrc/PyGreSQL-4.0/docs/default.css
> 53. ./src/test/locale/test-ctype.c
> 54. ./tools/bin/pythonSrc/unittest2-0.5.1/unittest2/
> 55. ./tools/bin/pythonSrc/lockfile-0.9.1/LICENSE
> 56. ./src/include/catalog/JSON
> 57. ./src/pl/plperl/ppport.h
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> For additional commands, e-mail: general-h...@incubator.apache.org
>
