Hi John, > On May 6, 2017, at 5:27 AM, John D. Ament <johndam...@apache.org> wrote: > > Craig, > > To comment on a few of these notes. > > Many of these are valid issues with the release, but generally would not > block an initial release. I would recommend we follow our rule of "point > it out, pass it as it doesn't create a legal issue, and expect it to be > fixed for next release."
I was (am) -1 due to the binaries: jars and shared objects. The other items are informational and I'm happy to discuss them. If we agree that they can be fixed for a future release, we can resolve them with "JIRA filed for next release". > > The only potential issues I see as legal impacting are the binaries and the > com.google source code. > > On Wed, May 3, 2017 at 9:23 PM Craig Russell <apache....@gmail.com> wrote: > >> I also must vote -1 on this release. >> >> clr% find . -name "*.jar" >> ./android/playground/gradle/wrapper/gradle-wrapper.jar >> ./android/sdk/gradle/wrapper/gradle-wrapper.jar >> ./android/sdk/license/license-gradle-plugin-0.12.1.jar >> ./android/sdk/license/maven-license-plugin-1.10.b1.jar >> ./android/sdk/license/plexus-utils-3.0.24.jar >> ./android/weex_debug/gradle/wrapper/gradle-wrapper.jar >> ./android/weex_debug/libs/classes.jar >> ./scripts/apache-rat-0.12.jar >> >> 1. These jar files are not source and must not appear in the source >> release. >> >> 2. I appreciate the effort involved in compiling the >> POSSIBLE-NOTICES-FOR-BIN-DIST. But looking into these dependencies I am >> troubled by the difficulty actually finding the licenses of the projects. >> >> For example, the "possible notice" for animaitonjs (possible typo here) >> refers to https://www.npmjs.com/package/animationjs from which it is >> impossible (ok, perhaps possible but I could not find a link) to find the >> actual project. >> >> References to npmjs in this entire file should be removed and replaced by >> references to the home of the project. (Not relevant for this release >> because the files are not actually being distributed.) >> >> > > The history behind this file is a bit jaded. As best as I can tell, Weex > followed the path of RocketMQ and attempted to have a combined file. There > are typically separate source and binary notices when the binary is an all > inclusive application (standalone server that can just run). My point is that a downstream user trying to perform due diligence will find it difficult or impossible to determine the license applied to the dependency if all they have is the npm reference. The user should be able to easily find the project where it lives. IIUC, npm is a binary distribution mechanism, not a source repository. > > >> 3. The java source files in android/commons/src are still in the >> com.alibaba name space. Assuming that these are actually weex source files, >> they must be repackaged to org.apache. >> >> > The ASF actually has no policy around this. There is no requirement for > any specific Java package name. We do however encourage the usage from a > branding standpoint. To this day, Groovy continues to use > org.codehaus.groovy to avoid backwards compatibility issues. Ok. I would be interested to see the user code that actually contains references to these package names. I thought from brief inspection that this was a set of tools used by gui developers not programmers. > > > >> 4. The javascript source files in playground/app/src are missing the >> license header. They have a style that I do not recognize. Are these >> generated files? The first several lines of storage-demo.js: >> >> /******/ (function(modules) { // webpackBootstrap >> /******/ // The module cache >> /******/ var installedModules = {}; >> >> /******/ // The require function >> /******/ function __webpack_require__(moduleId) { >> >> /******/ // Check if module is in cache >> /******/ if(installedModules[moduleId]) >> /******/ return installedModules[moduleId].exports; >> >> 5. The java files in playground/app/src/main/java_zxing are in the >> com.google name space. They have a google license header. >> >> 6. The packages/weex-html5 contains LICENSE and NOTICE files. These should >> be in the top level directory of the release. >> >> 7. The scripts/rh contains LICENSE and NOTICE files. These should be in >> the top level directory of the release. >> >> 8. There is an executable file that doesn't belong: >> >> clr% ls -l start >> -rwxr-xr-x@ 1 clr staff 161 Apr 27 20:34 start >> >> > Projects often times include executable files.I've never seen this as an > issue before. We don't allow binary files. My bad. I'm afraid I was confused by this one. It's not an issue. When I tried to examine it via MacOSX Finder, it didn't allow me to open it in a text viewer. > > >> 9. There is an executable gradlew in sdk/gradle that doesn't belong in a >> source release. >> >> 10. There are shared objects in sdk/libs that don't belong in a source >> release. >> >> 11. There are NOTICE and LICENSE files in ios/sdk that seem to be unix >> executable files. Same thing here. The permissions need to be changed but it's not a blocker. >> >> clr% ls -l ios/sdk >> total 40 >> -rwxr-xr-x@ 1 clr staff 11343 Apr 27 20:34 LICENSE >> -rwxr-xr-x@ 1 clr staff 575 Apr 27 20:34 NOTICE >> >> 12. The README.md doesn't tell me how to build/use org.apache.weex. The >> first several lines refer to third-party projects from Alibaba and >> cocoapods. How do I use the Apache project? Craig >> >> Craig >> >>> On May 2, 2017, at 5:26 PM, John D. Ament <johndam...@apache.org> wrote: >>> >>> Sorry but -1 due to binaries in the source release. I'm not sure if I >>> missed these the last go around or what, but they should not be included >>> (gradle-wrapper I know was called out before): >>> >>> >> ./apache-weex-incubating-0.12.0-src/android/playground/gradle/wrapper/gradle-wrapper.jar >>> >> ./apache-weex-incubating-0.12.0-src/android/sdk/gradle/wrapper/gradle-wrapper.jar >>> >> ./apache-weex-incubating-0.12.0-src/android/sdk/license/license-gradle-plugin-0.12.1.jar >>> >> ./apache-weex-incubating-0.12.0-src/android/sdk/license/maven-license-plugin-1.10.b1.jar >>> >> ./apache-weex-incubating-0.12.0-src/android/sdk/license/plexus-utils-3.0.24.jar >>> >> ./apache-weex-incubating-0.12.0-src/android/weex_debug/gradle/wrapper/gradle-wrapper.jar >>> ./apache-weex-incubating-0.12.0-src/android/weex_debug/libs/classes.jar >>> ./apache-weex-incubating-0.12.0-src/scripts/apache-rat-0.12.jar >>> >>> Other things checked: >>> - Has DISCLAIMER >>> - File name includes incubating >>> - NOTICE and LICENSE look right, especially like the name >>> POSSIBLE-NOTICES-FOR-BIN-DIST >>> >>> I have no idea how to build from source, would be good to include that + >>> how to run rat in your instructions. If it weren't for the binary files >> I >>> would vote a +1. >>> >>> John >>> >>> On Tue, May 2, 2017 at 1:49 AM sospartan <sospar...@apache.org> wrote: >>> >>>> Hi all, >>>> I'll calling a vote for Weex-incubating 0.12.0-RC3 release. >>>> >>>> The PPMC vote for this release has passed: >>>> >>>> >> https://lists.apache.org/thread.html/c5514c86433e3551cae00b21a77a1407ee20846f6565f9701d78c85b@%3Cdev.weex.apache.org%3E >>>> >>>> The tag to be voted upon: >>>> https://git-wip-us.apache.org/repos/asf?p=incubator-weex.git >>>> ;a=shortlog;h=refs/tags/0.12.0-rc3 >>>> >>>> The commit hash: >>>> >>>> >> https://git-wip-us.apache.org/repos/asf?p=incubator-weex.git;a=commit;h=702d04c4922105069f537afdb4688f808530994d >>>> >>>> The source tarball can be found at: >>>> >>>> >> https://dist.apache.org/repos/dist/dev/incubator/weex/0.12.0-incubating/RC3/ >>>> >>>> The fingerprint of key to sign release artifacts: >>>> 97B9 6598 A6A3 B63C 53BD 77E9 44C5 2286 22B9 7784 >>>> >>>> Release artifacts are signed with the following key: >>>> https://dist.apache.org/repos/dist/dev/incubator/weex/KEYS >>>> >>>> Release note about this version: >>>> https://issues.apache.org/jira/browse/WEEX-26 >>>> >>>> This vote will remain open for at least 72 hours. >>>> Please vote on releasing this RC. >>>> >>>> [ ] +1 approve >>>> [ ] +0 no opinion >>>> [ ] -1 disapprove (and reason why) >>>> >>>> -- >>>> Best Regards! >>>> ------------------------------ >>>> >>>> sospartan >>>> https://weex-project.io >>>> >> >> Craig L Russell >> c...@apache.org >> >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org >> For additional commands, e-mail: general-h...@incubator.apache.org Craig L Russell Secretary, Apache Software Foundation c...@apache.org http://db.apache.org/jdo --------------------------------------------------------------------- To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
