Re: [VOTE] Release Rya (Incubating) version 3.2.10
Great, glad it's helpful. Also, thanks for taking this on. The first release is always the hardest, and I didn't do a good job commending you on stepping up :) Aaron D. Mihalik wrote: Thanks Josh! This list is great. I'll add the RC-X to the "Vote" email for the next RC. I also updated the release docs to include that note. I added these tasks to track: (Blocker) RYA-177 - Review License on Rya Dependencies RYA-178 Review RAT Exclusions RYA-179 - Review License / Copyright notices on Rya Artifacts RYA-180 - Review Licensing of Shaded/War'd Rya Artifacts RYA-182 - Review SCM Tag in Parent POM Is RYA-180 subsumed by RYA-177? If we verify that all of the Rya Dependencies are not "Category X", are there additional concerns about what we war/shade up? No, sadly :). The LICENSE and NOTICE files you have at the top-level of the source-release are "easy" right now because you do not bundle any other code than just "Apache Rya (incubating)". Therefore, you only have to deal with Rya's licensing (which is simple). When you start creating artifacts that contain other artifacts, you must update LICENSE and NOTICE appropriately (in META-INF/ in JARs/WARs). A tl;dr is that, for every dependency you bundle, you must include it's license in the LICENSE file and propagate any relevant information from their NOTICE file (e.g. copyright/attribution statements) into your NOTICE file. There are lots of good write-ups coming out of other ASF projects of late which can help distill this. I would recommend we just make a note to deal with this post-3.2.10. As an incubator project, you get a pass on doing this all 100% correct; however, the incompatible licensing is pretty heinous (so I'm treating these separately). :) --Aaron On Mon, Sep 12, 2016 at 11:35 AM Josh Elserwrote: (thanks for the extension, I started looking at this and then forgot about it) -1 (binding) First off, please include some sort of "RC-X" identifier in the vote subject so that we can differentiate them in the archives. - The good * xsums+sigs match * Can build from source * Ran all unit tests (as invoked during `mvn package`) * Found no binary files - Things that must be fixed * https://dist.apache.org/repos/dist/release/incubator/rya and https://dist.apache.org/repos/dist/dev/incubator/rya don't exist. You must have the former created with a KEYS file that contains the GPG public keys for those creating Rya release notes. Typically, you should use dist.a.o/repos/dist/dev/incubator/rya to stage your release artifacts, although policy on whether using the staging repo alone is sufficient is not clear to me. (were it not for the licensing issues below, we could just fix this) * jgridshift:jgridshift appears to be LGPL licensed (https://github.com/floscher/jGridShift/blob/master/LICENSE). You may not use this software. It looks like it was not appropriately marked in its pom which is why the configuration from Rya's parent apache.pom did not catch it. This is brought in via org.geotools.xsd:gt-xsd-gml3. * colt (http://dst.lbl.gov/ACSSoftware/colt/) appears to be another brought in by com.tinkerpop.blueprints:blueprints-core * com.google.code.findbugs:jsr305 is another example of GPL licensing. While the artifact appears to have the ASL tagged on the pom, all Findbugs documentation states that the project is GPL. I would recommend to make a pass over your dependencies to verify that you aren't depending on any projects which are licensed with a license on this list: http://www.apache.org/legal/resolved.html#category-x. See http://www.apache.org/licenses/GPL-compatibility.html for more details. The above three examples were found via a brief glance. - Things to fix later (later rc's or the next release) * Copyright year in NOTICE is wrong (2015 instead of 2016) * mvn apache-rat:check passes (after `rm DEPENDENCIES`) * A number of files which have 'Copyright (C) 2014 Rya' in the license header in extras/rya.merger that should not exist. Copyright statement should only appear in the NOTICE file (`fgrep -Ri 'copyright' rya-project-3.2.10 | fgrep -v 'The ASF licenses this file'`) *v3.2.10-RC1 is incorrect in parent pom * I see a bunch of maven-shade-plugin uses and at least one warfile project: keep in mind that you should be ensuring that the generated artifacts by your official source-release should also be licensed per ASF policy. This isn't something you have to fix for this first release, but it would bar Rya from a +1 to graduate from me. * Saw some XML files in the build which were excluded from the apache-rat-plugin. I'd recommend minimizing the exclusions as much as possible. - Josh Aaron D. Mihalik wrote: I am pleased to be calling this vote for the source release of Apache Rya (Incubating), version 3.2.10. The source zip, including signatures, digests, etc. can be found at: https://repository.apache.org/content/repositories/orgapacherya-1001/org/apache/rya/rya-project/3.2.10/ The
Re: [VOTE] Release Rya (Incubating) version 3.2.10
-1 (non-binding) because RYA-169 Mongo direct example is broken. This is fixed in pull request #87 The example is important and should be working in the release IMHO. david. On Mon, Sep 12, 2016 at 12:04 PM, Aaron D. Mihalikwrote: > Thanks Josh! This list is great. > > I'll add the RC-X to the "Vote" email for the next RC. I also updated the > release docs to include that note. > > I added these tasks to track: > > (Blocker) RYA-177 - Review License on Rya Dependencies > RYA-178 Review RAT Exclusions > RYA-179 - Review License / Copyright notices on Rya Artifacts > RYA-180 - Review Licensing of Shaded/War'd Rya Artifacts > RYA-182 - Review SCM Tag in Parent POM > > Is RYA-180 subsumed by RYA-177? If we verify that all of the Rya > Dependencies are not "Category X", are there additional concerns about what > we war/shade up? > > --Aaron > > On Mon, Sep 12, 2016 at 11:35 AM Josh Elser wrote: > > > (thanks for the extension, I started looking at this and then forgot > > about it) > > > > -1 (binding) > > > > First off, please include some sort of "RC-X" identifier in the vote > > subject so that we can differentiate them in the archives. > > > > - The good > > > > * xsums+sigs match > > * Can build from source > > * Ran all unit tests (as invoked during `mvn package`) > > * Found no binary files > > > > - Things that must be fixed > > > > * https://dist.apache.org/repos/dist/release/incubator/rya and > > https://dist.apache.org/repos/dist/dev/incubator/rya don't exist. You > > must have the former created with a KEYS file that contains the GPG > > public keys for those creating Rya release notes. Typically, you should > > use dist.a.o/repos/dist/dev/incubator/rya to stage your release > > artifacts, although policy on whether using the staging repo alone is > > sufficient is not clear to me. (were it not for the licensing issues > > below, we could just fix this) > > * jgridshift:jgridshift appears to be LGPL licensed > > (https://github.com/floscher/jGridShift/blob/master/LICENSE). You may > > not use this software. It looks like it was not appropriately marked in > > its pom which is why the configuration from Rya's parent apache.pom did > > not catch it. This is brought in via org.geotools.xsd:gt-xsd-gml3. > > * colt (http://dst.lbl.gov/ACSSoftware/colt/) appears to be another > > brought in by com.tinkerpop.blueprints:blueprints-core > > * com.google.code.findbugs:jsr305 is another example of GPL licensing. > > While the artifact appears to have the ASL tagged on the pom, all > > Findbugs documentation states that the project is GPL. > > > > I would recommend to make a pass over your dependencies to verify that > > you aren't depending on any projects which are licensed with a license > > on this list: http://www.apache.org/legal/resolved.html#category-x. See > > http://www.apache.org/licenses/GPL-compatibility.html for more details. > > The above three examples were found via a brief glance. > > > > - Things to fix later (later rc's or the next release) > > > > * Copyright year in NOTICE is wrong (2015 instead of 2016) > > * mvn apache-rat:check passes (after `rm DEPENDENCIES`) > > * A number of files which have 'Copyright (C) 2014 Rya' in the license > > header in extras/rya.merger that should not exist. Copyright statement > > should only appear in the NOTICE file (`fgrep -Ri 'copyright' > > rya-project-3.2.10 | fgrep -v 'The ASF licenses this file'`) > > * v3.2.10-RC1 is incorrect in parent pom > > * I see a bunch of maven-shade-plugin uses and at least one warfile > > project: keep in mind that you should be ensuring that the generated > > artifacts by your official source-release should also be licensed per > > ASF policy. This isn't something you have to fix for this first release, > > but it would bar Rya from a +1 to graduate from me. > > * Saw some XML files in the build which were excluded from the > > apache-rat-plugin. I'd recommend minimizing the exclusions as much as > > possible. > > > > - Josh > > > > Aaron D. Mihalik wrote: > > > I am pleased to be calling this vote for the source release of Apache > Rya > > > (Incubating), version 3.2.10. > > > > > > The source zip, including signatures, digests, etc. can be found at: > > > > > https://repository.apache.org/content/repositories/ > orgapacherya-1001/org/apache/rya/rya-project/3.2.10/ > > > > > > The Git tag is v3.2.10 > > > The Git commit ID is 16196b4c658062545964602835cb5fbd2870e578 > > > > > https://git-wip-us.apache.org/repos/asf?p=incubator-rya.git;a=commit;h= > 16196b4c658062545964602835cb5fbd2870e578 > > > > > > Checksums of rya-project-3.2.10-source-release.zip: > > > SHA1: dee4a5e4f8e74c4de614d02c7b17a5e0db132649 > > > MD5: df4a47ae1232725bc95450f5e49de95c > > > > > > Release artifacts are signed with the following key: > > > https://people.apache.org/keys/committer/mihalik.asc > > > > > > Issues that were closed/resolved for this release are here: > > > > >
Re: [VOTE] Release Rya (Incubating) version 3.2.10
Thanks Josh! This list is great. I'll add the RC-X to the "Vote" email for the next RC. I also updated the release docs to include that note. I added these tasks to track: (Blocker) RYA-177 - Review License on Rya Dependencies RYA-178 Review RAT Exclusions RYA-179 - Review License / Copyright notices on Rya Artifacts RYA-180 - Review Licensing of Shaded/War'd Rya Artifacts RYA-182 - Review SCM Tag in Parent POM Is RYA-180 subsumed by RYA-177? If we verify that all of the Rya Dependencies are not "Category X", are there additional concerns about what we war/shade up? --Aaron On Mon, Sep 12, 2016 at 11:35 AM Josh Elserwrote: > (thanks for the extension, I started looking at this and then forgot > about it) > > -1 (binding) > > First off, please include some sort of "RC-X" identifier in the vote > subject so that we can differentiate them in the archives. > > - The good > > * xsums+sigs match > * Can build from source > * Ran all unit tests (as invoked during `mvn package`) > * Found no binary files > > - Things that must be fixed > > * https://dist.apache.org/repos/dist/release/incubator/rya and > https://dist.apache.org/repos/dist/dev/incubator/rya don't exist. You > must have the former created with a KEYS file that contains the GPG > public keys for those creating Rya release notes. Typically, you should > use dist.a.o/repos/dist/dev/incubator/rya to stage your release > artifacts, although policy on whether using the staging repo alone is > sufficient is not clear to me. (were it not for the licensing issues > below, we could just fix this) > * jgridshift:jgridshift appears to be LGPL licensed > (https://github.com/floscher/jGridShift/blob/master/LICENSE). You may > not use this software. It looks like it was not appropriately marked in > its pom which is why the configuration from Rya's parent apache.pom did > not catch it. This is brought in via org.geotools.xsd:gt-xsd-gml3. > * colt (http://dst.lbl.gov/ACSSoftware/colt/) appears to be another > brought in by com.tinkerpop.blueprints:blueprints-core > * com.google.code.findbugs:jsr305 is another example of GPL licensing. > While the artifact appears to have the ASL tagged on the pom, all > Findbugs documentation states that the project is GPL. > > I would recommend to make a pass over your dependencies to verify that > you aren't depending on any projects which are licensed with a license > on this list: http://www.apache.org/legal/resolved.html#category-x. See > http://www.apache.org/licenses/GPL-compatibility.html for more details. > The above three examples were found via a brief glance. > > - Things to fix later (later rc's or the next release) > > * Copyright year in NOTICE is wrong (2015 instead of 2016) > * mvn apache-rat:check passes (after `rm DEPENDENCIES`) > * A number of files which have 'Copyright (C) 2014 Rya' in the license > header in extras/rya.merger that should not exist. Copyright statement > should only appear in the NOTICE file (`fgrep -Ri 'copyright' > rya-project-3.2.10 | fgrep -v 'The ASF licenses this file'`) > * v3.2.10-RC1 is incorrect in parent pom > * I see a bunch of maven-shade-plugin uses and at least one warfile > project: keep in mind that you should be ensuring that the generated > artifacts by your official source-release should also be licensed per > ASF policy. This isn't something you have to fix for this first release, > but it would bar Rya from a +1 to graduate from me. > * Saw some XML files in the build which were excluded from the > apache-rat-plugin. I'd recommend minimizing the exclusions as much as > possible. > > - Josh > > Aaron D. Mihalik wrote: > > I am pleased to be calling this vote for the source release of Apache Rya > > (Incubating), version 3.2.10. > > > > The source zip, including signatures, digests, etc. can be found at: > > > https://repository.apache.org/content/repositories/orgapacherya-1001/org/apache/rya/rya-project/3.2.10/ > > > > The Git tag is v3.2.10 > > The Git commit ID is 16196b4c658062545964602835cb5fbd2870e578 > > > https://git-wip-us.apache.org/repos/asf?p=incubator-rya.git;a=commit;h=16196b4c658062545964602835cb5fbd2870e578 > > > > Checksums of rya-project-3.2.10-source-release.zip: > > SHA1: dee4a5e4f8e74c4de614d02c7b17a5e0db132649 > > MD5: df4a47ae1232725bc95450f5e49de95c > > > > Release artifacts are signed with the following key: > > https://people.apache.org/keys/committer/mihalik.asc > > > > Issues that were closed/resolved for this release are here: > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12334209=Html=12319020 > > > > The vote will be open for 72 hours. > > Please download the release candidate and evaluate the necessary items > > including checking hashes, signatures, build from source, and test. Then > > please vote: > > > > [ ] +1 Release this package as rya-project-3.2.10 > > [ ] +0 no opinion > > [ ] -1 Do not release this package because because... > > >
Re: [VOTE] Release Rya (Incubating) version 3.2.10
All, I haven't received any votes on the release, so let's keep this vote open until Wednesday at 10pm EDT. Please reach out if you have any questions about downloading the artifacts, building the source, and testing Rya. All of the Rya Release process documentation are currently under development, so any questions the dev list has, or any issues people have will be incorporated into the documentation. --Aaron On Sat, Sep 10, 2016 at 4:21 PM Josh Elserwrote: > Negative, don't worry about it. > > I would add an exclusion to the apache-rat-plugin configuration for it. > > Aaron D. Mihalik wrote: > > Apache rat is failing. Delete .\DEPENDENCIES > > > > It does not have a license header (is that required for that file?) > > On Sat, Sep 10, 2016 at 3:11 PM Adina Crainiceanu > wrote: > > > >> I'm trying to figure out how to vote for this release by following the > >> checklist at: > >> > >> http://incubator.apache.org/guides/releasemanagement.html#check-list > >> > >> I'm trying to build from source. I downloaded the > >> rya-project-3.2.10-source-release.zip > >> < > >> > https://repository.apache.org/content/repositories/orgapacherya-1001/org/apache/rya/rya-project/3.2.10/rya-project-3.2.10-source-release.zip > >>> , > >> unzip it, and then I just tried mvn clean install, but I got errors. How > >> should I try to build from the source? I'm using Maven 3.0.5. > >> > >> I copy-pasted the error messages below, in case it helps > >> > >> Thanks, > >> Adina > >> > >> $ mvn clean install > >> [INFO] Scanning for projects... > >> Downloading: > >> > >> > http://repository.codehaus.org/org/codehaus/groovy/groovy-eclipse-batch/maven-metadata.xml > >> Downloading: > >> > >> > http://nexus.codehaus.org/snapshots/org/codehaus/groovy/groovy-eclipse-batch/maven-metadata.xml > >> [WARNING] Could not transfer metadata > >> org.codehaus.groovy:groovy-eclipse-batch/maven-metadata.xml from/to > >> codehaus.org (http://repository.codehaus.org): repository.codehaus.org: > >> unknown error > >> [WARNING] Could not transfer metadata > >> org.codehaus.groovy:groovy-eclipse-batch/maven-metadata.xml from/to > >> codehaus-snapshots (http://nexus.codehaus.org/snapshots/): > >> nexus.codehaus.org: unknown error > >> [WARNING] > >> [WARNING] Some problems were encountered while building the effective > model > >> for org.apache.rya:rya.prospector:jar:3.2.10 > >> [WARNING] 'build.plugins.plugin.version' for > >> org.apache.maven.plugins:maven-shade-plugin is missing. @ line 106, > column > >> 21 > >> [WARNING] > >> [WARNING] Some problems were encountered while building the effective > model > >> for org.apache.rya:rya.indexing:jar:3.2.10 > >> [WARNING] 'build.plugins.plugin.version' for > >> org.apache.maven.plugins:maven-shade-plugin is missing. @ line 156, > column > >> 12 > >> [WARNING] > >> [WARNING] Some problems were encountered while building the effective > model > >> for org.apache.rya:rya.reasoning:jar:3.2.10 > >> [WARNING] 'build.plugins.plugin.version' for > >> org.apache.maven.plugins:maven-shade-plugin is missing. @ line 97, > column > >> 21 > >> [WARNING] > >> [WARNING] Some problems were encountered while building the effective > model > >> for org.apache.rya:accumulo.pig:jar:3.2.10 > >> [WARNING] 'build.plugins.plugin.version' for > >> org.apache.maven.plugins:maven-shade-plugin is missing. @ line 78, > column > >> 21 > >> [WARNING] > >> [WARNING] It is highly recommended to fix these problems because they > >> threaten the stability of your build. > >> [WARNING] > >> [WARNING] For this reason, future Maven versions might no longer support > >> building such malformed projects. > >> [WARNING] > >> [INFO] > >> > >> [INFO] Reactor Build Order: > >> [INFO] > >> [INFO] Apache Rya Project > >> [INFO] Apache Rya Common Projects > >> [INFO] Apache Rya Common API > >> [INFO] Apache Rya Provenance > >> [INFO] Apache Rya DAO Projects > >> [INFO] Apache Rya Accumulo DAO > >> [INFO] Apache Rya MongoDB DAO > >> [INFO] Apache Rya Extra Projects > >> [INFO] Apache Rya Prospector > >> [INFO] Apache Rya Manual > >> [INFO] Apache Rya SAIL > >> [INFO] Apache Rya PCJ Core > >> [INFO] Apache Rya PCJ Fluo Parent > >> [INFO] Apache Rya PCJ Fluo App > >> [INFO] Apache Rya PCJ Fluo API > >> [INFO] Apache Rya Secondary Indexing > >> [INFO] Apache Rya MapReduce Tools > >> [INFO] Apache Rya Tinkerpop > >> [INFO] Apache Rya Console > >> [INFO] Apache Rya Secondary Indexing Example > >> [INFO] Apache Rya Reasoning > >> [INFO] Apache Rya Vagrant VM > >> [INFO] Apache Rya PCJ Fluo Client > >> [INFO] Apache Rya PCJ Fluo Integration Tests > >> [INFO] Apache Rya PCJ Fluo Demo > >> [INFO] Apache Rya Merge Tool > >> [INFO] Apache Rya OSGI Bundle > >> [INFO] Apache Rya ALX > >> [INFO] Apache Rya ALX Console > >> [INFO] Apache Rya Camel > >> [INFO] Apache Rya Pig Projects > >> [INFO] Apache Rya Accumulo Pig > >> [INFO] Apache Rya Web Projects