Vote passes with 3 +1 binding votes: - Taylor Goetz - Billie Rinaldi - Josh Elser
And One non-binding vote - Debo Dutta Thanks to everyone who voted James On 8/17/16, 9:39 AM, "Josh Elser" <els...@apache.org> wrote: >Casey, > >Thanks so much for the quick turn-around on JIRA issues. Great to see :) > >Re: findbug's jsr305 jar, yup, that is precisely the confusion I have >with it. I would encourage use of >https://github.com/stephenc/findbugs-annotations/ just to avoid any >potential issues. This person has done a few clean-room impls which are >ASLv2 licensed which are super helpful. I know of two projects now which >have successfully swapped these jars and have not faced any issues. > >- Josh > >Casey Stella wrote: >> Josh, >> >> You are of course correct on all points. >> >> - We neglected to be careful about the implications of binary bundling >> and transitive dependencies (JIRA >> <https://issues.apache.org/jira/browse/METRON-374>). >> - It's a good idea to use ephemeral ports on our integration test >> components (JIRA<https://issues.apache.org/jira/browse/METRON-375>). >> - We should correct the issues with the webpage (JIRA >> <https://issues.apache.org/jira/browse/METRON-376>) >> >> Regarding Findbugs, if you open up the pom >> <http://central.maven.org/maven2/com/google/code/findbugs/jsr305/1.3.9/jsr305-1.3.9.pom> >> from com.google.code.findbugs:jsr305-1.3.9 the ASLv2 is referenced. That >> being said, it's pretty clear that findbugs itself is lgpl, so I am also >> confused. Regardless, a more careful inspection and handling of our >> transitive dependencies is obviously called for. Thanks for the careful >> attention. :) >> >> Casey >> >> On Wed, Aug 17, 2016 at 1:27 AM, Josh Elser<els...@apache.org> wrote: >> >>> +1 with reservations (binding) >>> >>> * DISCLAIMER present >>> * LICENSE/NOTICE seem reasonable >>> * xsums/sigs OK >>> * Can build from source >>> * Unit tests pass (after I stopped my local hbase instance, maybe you >>> could use random ports from the ephemeral range for your test services >>> instead of the default service ports) >>> * Integration tests didn't (I stopped after a failure in >>> BulkLoadMapperIntegrationTest) >>> * Tag is deployed and matches VOTE >>> * Overly aggressive RAT exclusions, but it passes and seems ok. Would >>> strongly recommend you prune this list in the future to make sure you don't >>> start shipping files which do not have a license header. You presently have >>> many exclusions for files which don't even exist in the codebase. >>> >>> Reservations: >>> >>> It is important to make sure that not only is the source-release artifact >>> properly licensed, but the resulting artifacts that source-release creates >>> are also properly licensed (in other words: the jars your build creates). >>> >>> Your shaded jars are not correctly licensed. For example, you include >>> org.abego.treelayout:org.abego.treelayout.core:jar:1.0.1 in >>> metron-common-0.2.0BETA.jar which is 3-clause BSD licensed, yet the >>> contained META-INF/LICENSE file has no mention of this. I also see a number >>> of CDDL licensed jars being included. >>> >>> The most worrisome artifact I see included is >>> com.google.code.findbugs:jsr305-1.3.9 in multiple artifacts >>> (metron-pcap-backend-0.2.0BETA.jar for one). This artifact befuddles me >>> because it is completely unclear whether it is GPL'ed or ASLv2 (last I >>> checked, documentation was not clear at all). Ironically, you also have >>> com.github.stephenc.findbugs:findbugs-annotations:jar:1.3.9-1 included >>> which is a clearly ASLv2 licensed implementation of the same spec (we won't >>> get into me asking "why" both are included *winks*). >>> >>> I don't think you need to fix these for this release, but you should make >>> an effort to do this before your next release. Yes, it sucks. Yes, you're >>> not the only one who has done it/will do it again. >>> >>> Branding: >>> >>> Took a look at your website too. >>> >>> * Your required ASF navigation links are not present >>> http://www.apache.org/foundation/marks/pmcs.html#navigation >>> * Incubator disclaimer and logo are present (yay) >>> * Noticed "Ambari" and not "Apache Ambari" on >>> http://metron.incubator.apache.org/documentation/. Would be good to make >>> sure you're using proper names for ASF projects. >>> >>> >>> >>> James Sirota wrote: >>> >>>> This release is exactly the same as RC2, but the Mozilla licensed file >>>> was removed so it doesn’t cause problems for us on the incubator general >>>> boards. We no longer use it so we just removed it. >>>> >>>> This is a call to vote on releasing Apache Metron 0.2.0BETA-RC3 incubating >>>> >>>> Full list of changes in this release: >>>> >>>> https://dist.apache.org/repos/dist/dev/incubator/metron/0.2. >>>> 0BETA-RC3-incubating/CHANGES >>>> >>>> The tag/commit to be voted upon is Metron_0.2.0BETA_rc3: >>>> >>>> <https://git-wip-us.apache.org/repos/asf?p=incubator-metron. >>>> git;a=commit;h=75642001803396e8884385b0fc297a2312ead3eb>http >>>> s://git-wip-us.apache.org/repos/asf?p=incubator-metron. >>>> git;a=commit;h=75642001803396e8884385b0fc297a2312ead3eb >>>> >>>> The source archive being voted upon can be found here: >>>> >>>> https://dist.apache.org/repos/dist/dev/incubator/metron/0.2. >>>> 0BETA-RC3-incubating/apache-metron-0.2.0BETA-RC3-incubating.tar.gz >>>> >>>> Other release files, signatures and digests can be found here: >>>> https://dist.apache.org/repos/dist/dev/incubator/metron/0.2. >>>> 0BETA-RC3-incubating/ >>>> <https://dist.apache.org/repos/dist/dev/incubator/metron/0. >>>> 2.0BETA-RC3-incubating/> >>>> The release artifacts are signed with the following key: >>>> >>>> <https://git-wip-us.apache.org/repos/asf?p=incubator-metron. >>>> git;a=blob;f=KEYS;h=c11bcb9b7385b4d155501aa097afd890f1070a18 >>>> ;hb=75642001803396e8884385b0fc297a2312ead3eb>https://git- >>>> wip-us.apache.org/repos/asf?p=incubator-metron.git;a=blob;f= >>>> KEYS;h=c11bcb9b7385b4d155501aa097afd890f1070a18;hb=756420018 >>>> 03396e8884385b0fc297a2312ead3eb >>>> >>>> >>>> Please vote on releasing this package as Apache Metron 0.2.0BETA-RC3 >>>> incubating >>>> >>>> When voting, please list the actions taken to verify the release. >>>> Recommended build validation and verification instructions are posted >>>> here: >>>> https://cwiki.apache.org/confluence/display/METRON/Verifying+Builds >>>> >>>> This vote will be open for at least 72 hours. >>>> >>>> [ ] +1 Release this package as Apache Metron 0.2.0BETA-RC3 incubating >>>> [ ] 0 No opinion >>>> [ ] -1 Do not release this package because... >>>> >>> --------------------------------------------------------------------- >>> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org >>> For additional commands, e-mail: general-h...@incubator.apache.org >>> >>> >> > >--------------------------------------------------------------------- >To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org >For additional commands, e-mail: general-h...@incubator.apache.org > >
