Re: Robot vs. personal KEYS for signing releases
2015-06-08 17:41 GMT+02:00 David Nalley da...@gnsa.us:

On Mon, Jun 8, 2015 at 9:40 AM, Cédric Champeau cedric.champ...@gmail.com wrote:

We are not using the Apache CI servers for that but our own CI server. IMHO you should make a difference between building and checking. Building should be automated as much as possible. Checking the release is a human job. There are lots of reasons why we stopped releasing from a local computer years ago.

Who has access to the keys? How are they secured, and what's the plan for going forward with that? (and this should all be documented) I ask this because I know of more than one project that has had a 'centralized key' to sign with; but which the PMC didn't control; and that eventually caused problems when the person with access to the key disappeared from the community.

The key is on the CI server. All PMC members have access to it. It is also on Bintray. I have signed the key too.
Re: [DISCUSS] Freemarker Incubation proposal
Hi,

On Mon, Jun 8, 2015 at 9:11 PM, Daniel Dekany ddek...@freemail.hu wrote:

A simple question regarding the SGA... at the bottom there's List of software and other intellectual property covered by this agreement:. I wonder if we should have Freemarker under that,...

The best by far is to prepare archives of the code that's being donated, at a public URL, and include the sha1 or other digests of those archives in that software grant list. This makes it absolutely clear what is being donated.

-Bertrand

- To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org
Re: [VOTE] Release Apache Ranger 0.5.0 (incubating)
Justin

Thanks for looking into this.

The MPL license was used by pnotify. We removed it as part of JIRA https://issues.apache.org/jira/browse/RANGER-316, but we didn't update the LICENSE.txt file. Is it okay to remove the license text from the file during our next release or is it a blocker for this release? I have created JIRA https://issues.apache.org/jira/browse/RANGER-542 to track it.

We will also address the rest of your concerns during our next release. I have created the following JIRA to track it https://issues.apache.org/jira/browse/RANGER-541.

Thanks
Bosco

On 6/6/15, 6:35 PM, Justin Mclean jus...@classsoftware.com wrote:

Hi,

+0 binding until MPL issue clarified, then I'll change my vote to +1. But there are a few other things that need to be fixed for next release.

I checked
- Release doesn't contain incubating in release name.
- Signatures and hash good (but could be improved)
- DISCLAIMER exists
- Year range in NOTICE file is incorrect
- NOTICE file has minor issues (see below)
- LICENSE file also has a few minor issues
- All source files have Apache headers
- No unexpected binaries in source release
- Can compile from source

The LICENSE notes that you are using JQuery Pine Notify which is triple licensed under GPL, LGPL and MPL. MPL is a category B license and as such needs to be handled with care [6]. However I'm not sure that it is actually bundled in the software - can you confirm this. If it is not it can be removed from the LICENSE.

Permissive licenses such as Apache and MIT do not normally get mentioned in the NOTICE file [4] as the NOTICE file places a burden on downstream projects, can these please be removed.

The following seem to be missing from the LICENSE
- font awesome (MIT + SIL) see security-admin/src/main/webapp/fonts/fontawesome/fontawesome-webfont.svg and ranger-0.5.0/security-admin/src/main/webapp/fonts/fontawesome/FontAwesome.* + ranger-0.5.0/security-admin/src/main/webapp/fonts/fontopensans/open-sans*
- backbone forms (MIT) see ranger-0.5.0/security-admin/src/main/webapp/libs/bower/backbone-forms/*
- select2 (MIT) see security-admin/src/main/webapp/libs/bower/select2/select2.css
- bootstrap (MIT) see ranger-0.5.0/security-admin/src/main/webapp/themejs/1.3.0/bootstrap.min.js
- QUnit (MIT) see security-admin/src/main/webapp/libs/bower/globalize/test/qunit/qunit.js
- jsDump (BSD -part of QUnit) see security-admin/src/main/webapp/libs/bower/globalize/test/qunit/qunit.js
- Sizzle.js (part of jQuery) see security-admin/src/main/webapp/libs/bower/globalize/examples/browser/jquery-1.4.4.js

Also VisualSearch.js could be placed with the other MIT licenses.

There is also no need to list Apache licensed software in LICENSE, however it's not a licensing error, and up to you if you want to leave them there.

For the next release can you please fix the following:
- Add incubating to the release name [1]
- Place the release in the correct place [2][3]
- Put the contents of hashes in a standard format (making it easier to check)
- Consider adding apache to release artefact name
- Correct years in NOTICE file
- Remove unnecessary information from NOTICE
- Add missing licenses to LICENSE

Note that the first two items are marked as MUST in the incubator policy.

Thanks,
Justin

1. http://incubator.apache.org/incubation/Incubation_Policy.html#Releases
2. http://www.apache.org/dist/incubator/ranger/
3. http://incubator.apache.org/incubation/Incubation_Policy.html#Releases
4. http://www.apache.org/dev/licensing-howto.html#permissive-deps
5. http://www.apache.org/legal/resolved.html#category-b
Re: [VOTE] Release Sentry incubating version 1.5.0 (rc0)
Thanks for the feedback Justin! We are updating the LICENSE file as part of this jira: https://issues.apache.org/jira/browse/SENTRY-764 and we will spin up a new RC once this is reviewed and committed.

Coming to your other suggestions please see inline

On Thu, Jun 4, 2015 at 9:27 PM, Justin Mclean jus...@classsoftware.com wrote:

Hi,

-1 binding due to license issues (and involves GPL) and release is in wrong location.

I checked:
- incubating in artefact name
- signatures and hashes correct
- DISCLAIMER exists
- LICENSE is not correct (see below)
- NOTICE is correct
- no unexpected binaries in source release
- Most files have apache headers (see below)

There are several non Apache licensed bits that need to be added to LICENSE or not included in the release:
./sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/velocity/jquery.autocomplete.js (dual MIT/GPL)
./sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/lang/stopwords_ar.txt (BSD licensed)
./sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/lang/stopwords_bg.txt (BSD licensed)
./sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/lang/stopwords_da.txt (BSD licensed)
./sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/lang/stopwords_de.txt (BSD licensed)
./sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/lang/stopwords_es.txt (BSD licensed)
./sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/lang/stopwords_fa.txt (BSD licensed)
./sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/lang/stopwords_fi.txt (BSD licensed)
./sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/lang/stopwords_fr.txt (BSD licensed)
./sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/lang/stopwords_hi.txt (BSD licensed)
./sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/lang/stopwords_hu.txt (BSD licensed)
./sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/lang/stopwords_it.txt (BSD licensed)
./sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/lang/stopwords_nl.txt (BSD licensed)
./sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/lang/stopwords_no.txt (BSD licensed)
./sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/lang/stopwords_pt.txt (BSD licensed)
./sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/lang/stopwords_ro.txt (BSD licensed)
./sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/lang/stopwords_ru.txt (BSD licensed)
./sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/lang/stopwords_sv.txt (BSD licensed)

Please place the release in the correct place [1], note that this is a “MUST” and was noted as an issue for the last incubating candidate.

According to my understanding of following sections in incubator release management wiki:
- Release distribution section [1] (Once a release has been approved by the Incubator PMC http://incubator.apache.org/incubation/Roles_and_Responsibilities.html#Incubator+Project+Management+Committee+%28PMC%29 ..) and
- Release candidates section[2](It is traditional that release managers use their Apache home space to make available release candidates. ..)

It looks like released artifacts go into apache.org/dist and release candidates go into personal apache spaces. Is that not true?

For the next release also consider:
- There are several .vm and .sql files that are missing apache headers
- Consider removing the multiple .gitignore files in the source release

We are doing this as part of https://issues.apache.org/jira/browse/SENTRY-763

Thanks,
Justin

1. http://incubator.apache.org/incubation/Incubation_Policy.html#Releases

Thanks!

[1] - http://incubator.apache.org/guides/releasemanagement.html#release-distribution
[2] - http://incubator.apache.org/guides/releasemanagement.html#best-practices-release-candidates

--
Sravya Tirukkovalur
Re: [VOTE] Release Apache Ranger 0.5.0 (incubating)
+1

From: Selvamohan Neethiraj sneet...@apache.org
Sent: Saturday, June 06, 2015 1:43 PM
To: general@incubator.apache.org
Subject: [VOTE] Release Apache Ranger 0.5.0 (incubating)

The Apache Ranger community has voted on and approved a proposal to release Apache Ranger 0.5.0 (incubating) - Voting Thread Link http://mail-archives.apache.org/mod_mbox/incubator-ranger-dev/201506.mbox/%3cd1945353.23599%25sneethi...@hortonworks.com%3E .

This will be our second release since the project entered incubation in July 2014.

The ranger-0.5.0-rc3 release candidate is built from ranger-0.5 branch and is available with the following artifacts up for a project vote:

Git tag for the release: https://git-wip-us.apache.org/repos/asf?p=incubator-ranger.git;a=shortlog;h=refs/tags/ranger-0.5.0-rc3

Source release: http://people.apache.org/~sneethir/ranger/ranger-0.5.0-rc3/ranger-0.5.0.tar.gz

PGP Signature: http://people.apache.org/~sneethir/ranger/ranger-0.5.0-rc3/ranger-0.5.0.tar.gz.asc

MD5/SHA hash: http://people.apache.org/~sneethir/ranger/ranger-0.5.0-rc3/ranger-0.5.0.tar.gz.mds

Keys to verify the signature of the release artifact are available at: https://people.apache.org/keys/group/ranger.asc

The vote will be open for at least 72 hours or until necessary number of votes is reached.

[ ] +1 approve
[ ] +0 no opinion
[ ] -1 disapprove (and reason why)

Here is my +1 (non binding)

Thanks
Selva-
Re: [VOTE] Release Apache Ranger 0.5.0 (incubating)
Hi,

Changing my vote to +1 binding

The MPL license was used by pnotify. We removed it as part of JIRA https://issues.apache.org/jira/browse/RANGER-316, but we didn't update the LICENSE.txt file. Is it okay to remove the license text from the file during our next release or is it a blocker for this release?

Fine to remove next release.

Thanks,
Justin
Re: [VOTE] Release Apache Kylin-0.7.1-incubating
Forwarding my vote from the dev list: +1 (binding)

Julian

On Jun 8, 2015, at 12:08 AM, Li Yang liy...@apache.org wrote:

+1 (binding)

Verified hash and signature. Compiled on Win7 64bit, JDK 1.7.0_51

Unit test has known issue on Win7, but fine on Mac.

On Mon, Jun 8, 2015 at 12:31 PM, Henry Saputra henry.sapu...@gmail.com wrote:

Hash files look good
Signature look good
Source download and compiled
Looks like not 3rd party exes
DISCLAIMER file looks good
NOTICE and LICENSE files look good

+1 (binding)

Congrats guys!

- Henry

On Sun, Jun 7, 2015 at 12:49 AM, Luke Han luke...@apache.org wrote:

Hi all,

The Apache Kylin community has voted on and approved a proposal to release Apache Kylin 0.7.1 (incubating), the first release of Apache Kylin.

Since this is the first release after joining Apache Incubating project, we would like to hear more feedback from incubator community and please help to verify and vote our release candidate.

We already have applied some suggestions from the last vote attempt, please refer to below vote mail thread for detail.

Proposal: http://s.apache.org/kylin-0.7.1-vote_rc3

Vote result:
10 binding +1 votes
0 non-binding +1 votes
No -1 votes
http://s.apache.org/kylin-0.7.1-result_rc3

The commit to be voted upon: https://github.com/apache/incubator-kylin/commit/6a7d07dd79ffc00ba1ece330010275b6f0715de8

Its hash is 6a7d07dd79ffc00ba1ece330010275b6f0715de8.

The artifacts to be voted on are located here: https://dist.apache.org/repos/dist/dev/incubator/kylin/apache-kylin-0.7.1-incubating-rc3/

The hashes of the artifacts are as follows:
src.zip.md5 792f7c984db55927a60aa129001fa9c6
src.zip.sha1 2c64e617c8ac7a57140225c0bd737d5f5f66a4e0
src.tar.gz.md5 9f196c930c85b0a9d932ce6dee004422
src.tar.gz.sha1 74e685aa426cd21f4708a1c84ae11dac3b535f91

A staged Maven repository is available for review at: https://repository.apache.org/content/repositories/orgapachekylin-1006/

Release artifacts are signed with the following key: https://people.apache.org/keys/committer/lukehan.asc

Pursuant to the Releases section of the Incubation Policy and with the endorsement of our mentors we would now like to request the permission of the Incubator PMC to publish the release. The vote is open for 72 hours, or until the necessary number of votes (3 +1) is reached.

[ ] +1 Release this package
[ ] 0 I don't feel strongly about it, but I'm okay with the release
[ ] -1 Do not release this package because...

Luke Han, on behalf of Apache Kylin PPMC
Re: [VOTE] Release Apache Ranger 0.5.0 (incubating)
My compliments to Justin for catching this and for the community for (nearly) resolving this even before. Well done all round.

On Tue, Jun 9, 2015 at 1:32 PM, Justin Mclean jus...@classsoftware.com wrote:

Hi,

Changing my vote to +1 binding

The MPL license was used by pnotify. We removed it as part of JIRA https://issues.apache.org/jira/browse/RANGER-316, but we didn't update the LICENSE.txt file. Is it okay to remove the license text from the file during our next release or is it a blocker for this release?

Fine to remove next release.

Thanks,
Justin
Re: June report prep
So, I hate to bring this up, but I think we're at a stalemate for the sentry podling for this month. We tend to not include a podling's report if there are no mentor sign offs. It seems like the mentors aren't inclined to sign off based on some of the issues that have popped up.

On Mon, Jun 8, 2015 at 12:35 PM Patrick Hunt ph...@apache.org wrote:

Hi David, you and Joe have been doing great, I'm afraid I've been distracted with more issues at home/work than usual. I've been concerned, and this is more serious than usual given the fact that both the community and the oversight missed a serious issue, but given the current feedback and the response (ongoing) from the community we should be able to get things back on track.

Thanks,
Patrick

On Sat, Jun 6, 2015 at 3:14 PM, David Nalley da...@gnsa.us wrote:

On Fri, Jun 5, 2015 at 3:23 PM, Patrick Hunt ph...@apache.org wrote:

Ted can you give some concrete examples, because I see some good feedback along with folks attempting to address the feedback. Processes updated or re-iterated, etc... I haven't seen any comments like stop the presses till... is addressed and that being ignored. More along the lines of an issue being raised and the community immediately working to address it. For example most recently giving more time to construct the board report.

Failing to cc general@ on the vote is a serious issue.

That's part of the release process though, it's documented and been followed in previous releases. Human error this time around afaict (along with the mentors, myself included, who didn't notice it till later) https://cwiki.apache.org/confluence/display/SENTRY/How+to+Release

They seem oblivious to process issues

Are there specific process issues that are missing and should hold up a vote? I see a lot of process related details on their wiki https://cwiki.apache.org/confluence/display/SENTRY/Home

Patrick

Patrick, I agree with most of what you wrote. In many ways I'm worried that this is a failure on the part of mentors. Very early, this morning in Tokyo, it dawned on me that perhaps the mentors (esp. me) are part of the problem. This isn't the first time that issues have been called out with Sentry - and there does seem to be willingness to address issues on the part of the project. 'We keep saying $n is problematic' - and I worry (and am certainly guilty in my case) of assuming everyone largely 'gets it'. I've also not shown them specific concrete examples of some types of non-problematic behavior. By the time most folks become a member, or join the IPMC, the Apache way of doing things is second nature, and we don't always realize that it may be completely foreign to folks who haven't been doing it for as long.

I've just sent a long email to dev@ to hopefully make this clearer, call out some examples, and hopefully generate a discussion on how we move forward.

--David
Re: [VOTE] Release Sentry incubating version 1.5.0 (rc0)
Hi,

- Release candidates section[2](It is traditional that release managers use their Apache home space to make available release candidates. ..”)

That used to be the case a few years back but is no longer the case see [1] and for TLP [2]. That page needs to be updated.

Thanks,
Justin

1. http://incubator.apache.org/incubation/Incubation_Policy.html#Releases
2. http://www.apache.org/dev/release.html#host-rc
Re: [VOTE] Release Apache Ranger 0.5.0 (incubating)
+1 binding.

On Tue, Jun 9, 2015 at 2:50 PM, general@incubator.apache.org general@incubator.apache.org wrote:

My compliments to Justin for catching this and for the community for (nearly) resolving this even before. Well done all round.

On Tue, Jun 9, 2015 at 1:32 PM, Justin Mclean jus...@classsoftware.com wrote:

Hi,

Changing my vote to +1 binding

The MPL license was used by pnotify. We removed it as part of JIRA https://issues.apache.org/jira/browse/RANGER-316, but we didn't update the LICENSE.txt file. Is it okay to remove the license text from the file during our next release or is it a blocker for this release?

Fine to remove next release.

Thanks,
Justin