Re: [VOTE] Apache HAWQ (incubating) 2.0.0.0-incubating Release

2016-07-27 Thread Justin Mclean
Hi,

> However, do you think that'd be a release blocker if we just have a link
> and not the full content in the source tarball?

No, it’s a very minor issue. I listed what I considered release blockers in my 
vote email next to the -1 vote.

Thanks,
Justin
-
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org



Re: [VOTE] Apache HAWQ (incubating) 2.0.0.0-incubating Release

2016-07-27 Thread Goden Yao
The JIRA was drafted that way according to the original feedback. I don't
know what the best way is; I will check with our project mentors on that.


On Wed, Jul 27, 2016 at 3:25 PM Justin Mclean 
wrote:

> Hi,
>
> >   @Justin - I've checked all [1]-[57] reference.  [34] ./src/port/glob.c
> >   <
> https://github.com/apache/incubator-hawq/blob/2.0.0.0-incubating/src/port/glob.c
> >
> >was not referred in your previous email anywhere. But given the
> >   context, I think it fits in your comments about [28]-[33] and [35],
> let me
> >   know if I'm wrong.
>
> Correct, that should have originally been [28]-[34].
>
> >   - https://issues.apache.org/jira/browse/HAWQ-952 (for merging
> >   copyright/NOTICE file, based on Justin and Alan's feedback) - it's
> arguable
> >   what's the right way, may need more guidance.
>
> Why do you think that all copyright notices need to go in NOTICE?
> Given there are 30 or more that are not listed there, what makes these
> copyrights special?
>
> Thanks,
> Justin
>
>



Re: [VOTE] Apache HAWQ (incubating) 2.0.0.0-incubating Release

2016-07-27 Thread Justin Mclean
Hi,

>   @Justin - I've checked all [1]-[57] reference.  [34] ./src/port/glob.c
>   
> 
>was not referred in your previous email anywhere. But given the
>   context, I think it fits in your comments about [28]-[33] and [35], let me
>   know if I'm wrong.

Correct, that should have originally been [28]-[34].

>   - https://issues.apache.org/jira/browse/HAWQ-952 (for merging
>   copyright/NOTICE file, based on Justin and Alan's feedback) - it's arguable
>   what's the right way, may need more guidance.

Why do you think that all copyright notices need to go in NOTICE? Given 
there are 30 or more that are not listed there, what makes these copyrights 
special?

Thanks,
Justin



Re: [VOTE] Apache HAWQ (incubating) 2.0.0.0-incubating Release

2016-07-27 Thread Goden Yao
Thanks for the clarification. I've filed:
https://issues.apache.org/jira/browse/HAWQ-960 to track this.

However, do you think that'd be a release blocker if we just have a link
and not the full content in the source tarball?

On Wed, Jul 27, 2016 at 3:19 PM Justin Mclean 
wrote:

> Hi,
>
> > Do you mean this should be put in VOTE email?
>
> I expected it in BUILD_INSTRUCTIONS.md, but it just contains a link to the
> wiki page; anywhere in the release is fine.
>
> Thanks,
> Justin
>
>


Re: [VOTE] Apache HAWQ (incubating) 2.0.0.0-incubating Release

2016-07-27 Thread Justin Mclean
Hi,

> Do you mean this should be put in VOTE email?

I expected it in BUILD_INSTRUCTIONS.md, but it just contains a link to the wiki 
page; anywhere in the release is fine.

Thanks,
Justin



Re: [VOTE] Apache HAWQ (incubating) 2.0.0.0-incubating Release

2016-07-27 Thread Goden Yao
A quick update:
I've filed

   - https://issues.apache.org/jira/browse/HAWQ-958 (for all license issues
   in Justin's email)
   @Justin - I've checked all [1]-[57] reference.  [34] ./src/port/glob.c
   

was not referred in your previous email anywhere. But given the
   context, I think it fits in your comments about [28]-[33] and [35], let me
   know if I'm wrong.
   - https://issues.apache.org/jira/browse/HAWQ-957 (for NOTICE cleanup
   based on Justin's email)
   - https://issues.apache.org/jira/browse/HAWQ-952 (for merging
   copyright/NOTICE file, based on Justin and Alan's feedback) - it's arguable
   what's the right way, may need more guidance.
   - https://issues.apache.org/jira/browse/HAWQ-959 (for unexpected binary
   files based on RAT reports)
   - *Pending Question*: For Justin - should I attach a build instruction
   text file in the future VOTE email
   - *Pending Question*: for @John D. Ament - regarding file naming
   contradicts license claim.

Thanks
-Goden

On Wed, Jul 27, 2016 at 2:19 PM Goden Yao  wrote:

> Hi Justin - for this comment:
>
> I’d suggest that build instructions are included in the release rather
> than a link to them. If the instructions at the URL change in the future
> how do I know how to build this release?
>
> We have a wikipage:
> https://cwiki.apache.org/confluence/display/HAWQ/Build+and+Install , it
> contains a lot of content (and you're right it might get updated often).
>
> Do you mean this should be put in the VOTE email? Or I can make a txt file (as
> a snapshot for the moment) and attach it to the VOTE email next time.
>
> On Wed, Jul 27, 2016 at 10:10 AM Goden Yao  wrote:
>
>> Thanks Justin for your detailed and thorough analysis - I'll bring this
>> back to the community and address the items listed one by one.
>> Meanwhile, please let us know if you see any other issues so we can solve
>> them together in the next Release Candidate.
>>
>> Appreciate your effort.
>> -Goden
>>
>> On Tue, Jul 26, 2016 at 8:03 PM Justin Mclean 
>> wrote:
>>
>>> Hi,
>>>
>>> -1 (binding) binary in source release, LICENSE and  NOTICE issues, ASF
>>> header added to files not under Apache 2.0 license, possible inclusion of
>>> GPL licensed software and possible Category X software included in release
>>> (BSD with ad clause).
>>>
>>> This is not a simple release to check and I may have missed a few things
>>> due to the large amount of noise.
>>>
>>> I checked:
>>> - release contains incubating
>>> - signatures and hashes good
>>> - I’m not sure what the intent of COPYRIGHT is. I also don't think, as
>>> has been suggested, that this should be merged with NOTICE; NOTICE does
>>> not list all copyrights, just those that have been relocated from source
>>> files. [1]
>>> - NOTICE incorrectly contains a long list of copyright statements. I
>>> would expect to see one or perhaps two here, i.e. the original authors who
>>> donated the software and whose copyright statements were removed from the
>>> original files.
>>> - LICENSE is missing a large number of things (see below)
>>> - Please use the short form of the license linking to a license files in
>>> LICENSE
>>> - Looks like there is an unexpected binary in the release [2] May be
>>> others given rat reports 770+ binary files
>>> - Impossible to say if files have correct ASF headers or not, given the
>>> large number of files with ASF headers (5000 odd files)
>>> - Failed to compile from source but likely my setup
>>>
>>> License is missing (in some cases note the different copyright owners)
>>> - BSD licensed code [3]
>>> - BSD license code [7]
>>> - license for this file [9]
>>> - license for this file [10] Are we OK this was taken from GNU C?
>>> - MIT license PSI [11]
>>> - BSD licensed code [12]
>>> - BSD licensed code [13] Is this regarded as cryptography code? [14]
>>> - BSD licensed code [15][16]
>>> - license for this file [17]
>>> - license of these files [18][19]
>>> - license of this file [20]
>>> - regex license [21]
>>> - How are these files licensed? [22] + others copyright AEG Automation
>>> GmbH
>>> - How is this file licensed? [23]
>>> - BSD licensed libpq [24]. Is this considered crypto code and may need an
>>> export license?
>>> - pgdump [25]
>>> - license for this file [26]
>>> - license for this file [27] Looks like an ASF header may have been
>>> incorrectly added to this.
>>> - This BSD licensed file [36]
>>> - license for these files [37][38] and others in [39]
>>> - This BSD licensed file [40]
>>> - This BSD licensed file [41]
>>> - BSD licensed pychecker [42]
>>> - licenses for all of these files [43]
>>> - BSD license pg800 [44]
>>> - how is this file licensed? [45]
>>> - license for this file [47]
>>> - Python license for this file [48]. Is this an Apache comparable
>>> license?
>>> - How are these files licensed? [49] Note multiple copyright owners and
>>> missing headers.
>>> - BSD licensed fig leaf. [50] Note that files 

Re: [VOTE] Apache HAWQ (incubating) 2.0.0.0-incubating Release

2016-07-27 Thread Goden Yao
Hi Justin - for this comment:

I’d suggest that build instructions are included in the release rather than
a link to them. If the instructions at the URL change in the future how do
I know how to build this release?

We have a wikipage:
https://cwiki.apache.org/confluence/display/HAWQ/Build+and+Install , it
contains a lot of content (and you're right it might get updated often).

Do you mean this should be put in the VOTE email? Or I can make a txt file (as
a snapshot for the moment) and attach it to the VOTE email next time.

On Wed, Jul 27, 2016 at 10:10 AM Goden Yao  wrote:

> Thanks Justin for your detailed and thorough analysis - I'll bring this
> back to the community and address the items listed one by one.
> Meanwhile, please let us know if you see any other issues so we can solve
> them together in the next Release Candidate.
>
> Appreciate your effort.
> -Goden
>
> On Tue, Jul 26, 2016 at 8:03 PM Justin Mclean 
> wrote:
>
>> Hi,
>>
>> -1 (binding) binary in source release, LICENSE and  NOTICE issues, ASF
>> header added to files not under Apache 2.0 license, possible inclusion of
>> GPL licensed software and possible Category X software included in release
>> (BSD with ad clause).
>>
>> This is not a simple release to check and I may have missed a few things
>> due to the large amount of noise.
>>
>> I checked:
>> - release contains incubating
>> - signatures and hashes good
>> - I’m not sure what the intent of COPYRIGHT is. I also don't think, as
>> has been suggested, that this should be merged with NOTICE; NOTICE does
>> not list all copyrights, just those that have been relocated from source
>> files. [1]
>> - NOTICE incorrectly contains a long list of copyright statements. I would
>> expect to see one or perhaps two here, i.e. the original authors who donated
>> the software and whose copyright statements were removed from the original
>> files.
>> - LICENSE is missing a large number of things (see below)
>> - Please use the short form of the license linking to a license files in
>> LICENSE
>> - Looks like there is an unexpected binary in the release [2] May be
>> others given rat reports 770+ binary files
>> - Impossible to say if files have correct ASF headers or not, given the
>> large number of files with ASF headers (5000 odd files)
>> - Failed to compile from source but likely my setup
>>
>> License is missing (in some cases note the different copyright owners)
>> - BSD licensed code [3]
>> - BSD license code [7]
>> - license for this file [9]
>> - license for this file [10] Are we OK this was taken from GNU C?
>> - MIT license PSI [11]
>> - BSD licensed code [12]
>> - BSD licensed code [13] Is this regarded as cryptography code? [14]
>> - BSD licensed code [15][16]
>> - license for this file [17]
>> - license of these files [18][19]
>> - license of this file [20]
>> - regex license [21]
>> - How are these files licensed? [22] + others copyright AEG Automation
>> GmbH
>> - How is this file licensed? [23]
>> - BSD licensed libpq [24]. Is this considered crypto code and may need an
>> export license?
>> - pgdump [25]
>> - license for this file [26]
>> - license for this file [27] Looks like an ASF header may have been
>> incorrectly added to this.
>> - This BSD licensed file [36]
>> - license for these files [37][38] and others in [39]
>> - This BSD licensed file [40]
>> - This BSD licensed file [41]
>> - BSD licensed pychecker [42]
>> - licenses for all of these files [43]
>> - BSD license pg800 [44]
>> - how is this file licensed? [45]
>> - license for this file [47]
>> - Python license for this file [48]. Is this an Apache comparable license?
>> - How are these files licensed? [49] Note multiple copyright owners and
>> missing headers.
>> - BSD licensed fig leaf. [50] Note that files have incorrectly had ASF
>> headers applied.
>> - This BSD licensed file [51]
>> - This public domain style sheet [52]
>> - This file [53]
>> - License for unit test2 [54]
>> - MIT licensed lock file [55]
>> - JSON code here [56]
>> - License for this file [57]
>>
>> And I may have missed some, as I wasn't doing a full review - that would
>> likely take many many hours.
>>
>> Looks like GPL/LGPL licensed code may be included [4][5][6] in the
>> release.
>>
>> This file [8] and others(?) may incorrectly have an ASF header on it.
>> Also why does this file have an ASF header with a copyright line? [46]
>>
>> Code includes code licensed under the 4 clause BSD license which is not
>> compatible with the Apache 2.0 license. [28][29][30][31][32][33] It may be
>> that this clause has been rescinded [35] and it is OK to include, but that
>> needs to be checked.
>>
>> I’d suggest that build instructions are included in the release rather
>> than a link to them. If the instructions at the URL change in the future
>> how do I know how to build this release?
>>
>> Also someone owes me a beer!
>>
>> Thanks,
>> Justin
>>
>> 1. http://www.apache.org/legal/src-headers.html#headers
>> 2. depends/thirdparty/thrift/lib/erl/rebar
>> 3. ./tools/

Re: [VOTE] Apache Gearpump (incubating) 0.8.1-RC4 as 0.8.1

2016-07-27 Thread Andrew Purtell
Jersey is dual licensed CDDL and a transitive dependency from (at least) Hadoop 
and Spark. 


> On Jul 27, 2016, at 7:23 AM, Kam Kasravi  wrote:
> 
> Hi Justin
> 
> These were tagged as GPL
> 
> 
> I'll determine their dependencies linkage - we have no references to 
> com.sun.jersey within our codebase but it looks to be dual licensed?
> 
> Thanks
> Kam
> 
> 
> On Tuesday, July 26, 2016 6:28 PM, Justin Mclean  
> wrote:
> 
> 
> Hi,
> 
> > [Kam] This analyzes jars required to build the binary artifacts - so my 
> > assumption is that it is not relevant to release just the source?
> 
> Apache projects cannot have GPL dependencies [1][5][6] (there are however a 
> few exceptions for optional parts [2] and some build tools [3]). I’d first 
> check to see if the software in question is dual licensed. [4]
> 
> > Based on just releasing source there are no CCL related artifacts included 
> > in the .tgz.
> 
> Again see [1] and [6] for problematic licenses.
> 
> Thanks,
> Justin
> 
> 1. http://www.apache.org/legal/resolved.html#prohibited
> 2. http://www.apache.org/legal/resolved.html#optional
> 3. http://www.apache.org/legal/resolved.html#build-tools
> 4. http://www.apache.org/legal/resolved.html#mutually-exclusive
> 5. http://www.apache.org/licenses/GPL-compatibility.html
> 6. http://www.apache.org/legal/resolved.html#category-x
> 
> 
> 
> 


Re: [VOTE] Apache HAWQ (incubating) 2.0.0.0-incubating Release

2016-07-27 Thread Goden Yao
Thanks Justin for your detailed and thorough analysis - I'll bring this
back to the community and address the items listed one by one.
Meanwhile, please let us know if you see any other issues so we can solve
them together in the next Release Candidate.

Appreciate your effort.
-Goden

On Tue, Jul 26, 2016 at 8:03 PM Justin Mclean 
wrote:

> Hi,
>
> -1 (binding) binary in source release, LICENSE and  NOTICE issues, ASF
> header added to files not under Apache 2.0 license, possible inclusion of
> GPL licensed software and possible Category X software included in release
> (BSD with ad clause).
>
> This is not a simple release to check and I may have missed a few things due
> to the large amount of noise.
>
> I checked:
> - release contains incubating
> - signatures and hashes good
> - I’m not sure what the intent of COPYRIGHT is. I also don't think, as
> has been suggested, that this should be merged with NOTICE; NOTICE does
> not list all copyrights, just those that have been relocated from source
> files. [1]
> - NOTICE incorrectly contains a long list of copyright statements. I would
> expect to see one or perhaps two here, i.e. the original authors who donated
> the software and whose copyright statements were removed from the original
> files.
> - LICENSE is missing a large number of things (see below)
> - Please use the short form of the license linking to a license files in
> LICENSE
> - Looks like there is an unexpected binary in the release [2] May be
> others given rat reports 770+ binary files
> - Impossible to say if files have correct ASF headers or not, given the
> large number of files with ASF headers (5000 odd files)
> - Failed to compile from source but likely my setup
>
> License is missing (in some cases note the different copyright owners)
> - BSD licensed code [3]
> - BSD license code [7]
> - license for this file [9]
> - license for this file [10] Are we OK this was taken from GNU C?
> - MIT license PSI [11]
> - BSD licensed code [12]
> - BSD licensed code [13] Is this regarded as cryptography code? [14]
> - BSD licensed code [15][16]
> - license for this file [17]
> - license of these files [18][19]
> - license of this file [20]
> - regex license [21]
> - How are these files licensed? [22] + others copyright AEG Automation GmbH
> - How is this file licensed? [23]
> - BSD licensed libpq [24]. Is this considered crypto code and may need an
> export license?
> - pgdump [25]
> - license for this file [26]
> - license for this file [27] Looks like an ASF header may have been
> incorrectly added to this.
> - This BSD licensed file [36]
> - license for these files [37][38] and others in [39]
> - This BSD licensed file [40]
> - This BSD licensed file [41]
> - BSD licensed pychecker [42]
> - licenses for all of these files [43]
> - BSD license pg800 [44]
> - how is this file licensed? [45]
> - license for this file [47]
> - Python license for this file [48]. Is this an Apache comparable license?
> - How are these files licensed? [49] Note multiple copyright owners and
> missing headers.
> - BSD licensed fig leaf. [50] Note that files have incorrectly had ASF
> headers applied.
> - This BSD licensed file [51]
> - This public domain style sheet [52]
> - This file [53]
> - License for unit test2 [54]
> - MIT licensed lock file [55]
> - JSON code here [56]
> - License for this file [57]
>
> And I may have missed some, as I wasn't doing a full review - that would
> likely take many many hours.
>
> Looks like GPL/LGPL licensed code may be included [4][5][6] in the release.
>
> This file [8] and others(?) may incorrectly have an ASF header on it.
> Also why does this file have an ASF header with a copyright line? [46]
>
> Code includes code licensed under the 4 clause BSD license which is not
> compatible with the Apache 2.0 license. [28][29][30][31][32][33] It may be
> that this clause has been rescinded [35] and it is OK to include, but that
> needs to be checked.
>
> I’d suggest that build instructions are included in the release rather
> than a link to them. If the instructions at the URL change in the future
> how do I know how to build this release?
>
> Also someone owes me a beer!
>
> Thanks,
> Justin
>
> 1. http://www.apache.org/legal/src-headers.html#headers
> 2. depends/thirdparty/thrift/lib/erl/rebar
> 3. ./tools/bin/pythonSrc/unittest2-0.5.1/setup.py
> 4. ./depends/thirdparty/thrift/debian/copyright (end of file)
> 5. ./depends/thirdparty/thrift/doc/licenses/lgpl-2.1.txt
> 6. ./tools/bin/gppylib/operations/test/test_package.py
> 7. ./depends/thirdparty/thrift/compiler/cpp/src/md5.?
> 8. ./tools/sbin/hawqstandbywatch.py
> 9. ./src/backend/port/dynloader/ultrix4.h
> 10. ./src/port/inet_aton.c
> 11. ./tools/bin/pythonSrc/PSI-0.3b2_gp/
> 12. ./src/port/snprintf.c
> 13 ./src/port/crypt.c
> 14. http://www.apache.org/dev/crypto.html
> 15. ./src/port/memcmp.c
> 16. ./src/backend/utils/mb/wstrcmp.c
> 17. ./src/port/rand.c
> 18. ./src/backend/utils/adt/inet_net_ntop.c
> 19. ./src/backend/utils/adt/inet_net_pton.c
>

RE: Code signing and WOT for releases

2016-07-27 Thread Dennis E. Hamilton

> -Original Message-
> From: Martin Gainty [mailto:mgai...@hotmail.com]
> Sent: Wednesday, July 27, 2016 08:06
> To: general@incubator.apache.org
> Subject: RE: Code signing and WOT for releases
> 
> 
> 
> > From: dennis.hamil...@acm.org
> > To: general@incubator.apache.org
> > Subject: RE: Code signing and WOT for releases
> > Date: Tue, 26 Jul 2016 10:33:13 -0700
> > [ ... ] Yesterday, I received an email from one of the users who
> received a security advisory message that I signed.  The user's mail
> reader reported that the signature was untrusted (no surprise) and that
> the signature was BAD.  Since the mail reader shows the stripped
> message, and it looks perfectly fine, there is no way to help analyze
> that from my end.
> >
> > What I did do was (1) verify the message that was sent to me from the
> list and (2) verify the message in the list archive.  I then (3) advised
> the recipient what I did and also (4) how to find a public key
> certificate matching the ID in the signature and how to check that the
> private key is asserted to be in the possession of the person
> controlling orc...@apache.org and how the individual having control of
> that email address is associated with the ASF.
> 
> MG>can we assume the key was converted to PKCS8 before asserting the
> key?
> http://stackoverflow.com/questions/5230942/how-to-read-a-private-key-
> for-use-with-opensaml
> 
> MG>and then built new SignatureBuilder().buildObject() Signature with
> key locations before assigning
> assertion.setSignature(___)?http://www.programcreek.com/java-api-
> examples/index.php?api=org.opensaml.xml.signature.Signature
> 
> MG>/thanks dennis/
[orcmid] 

This signing had nothing to do with MIME-signatures or SSL.  It is a plaintext 
message that has a "clearsign" OpenPGP signed section in-line in the message 
body.  (The signed part was created first and then pasted into the plaintext 
email.)  You can see the archived form at

 where it is the only message there. At the bottom of the HTML-formatted 
display of the message, select the "Unnamed text/plain" link to see a cleaner 
plaintext.  

This is not unlike the .asc files that can be made as external PGP signatures 
of code, except it is inline instead of external to the file being signed.

> >
> > (I made another check of the archived message too.  The raw form of
> the message fails to verify when downloaded and that appears to be on
> account of some encoding features that have to be processed properly for
> the original text to be reconstituted properly. That might or might not
> be relevant to how that recipient's email reader handles PGP
> > signatures.)
[orcmid] 

(If you look at the raw version on the archive, you will see a pile of =20 line 
endings that make the raw form unverifiable.  And because the signature block 
has a line ending in =, there is an appended raw "3D" that breaks the whole 
thing. A client that does not restore the plaintext before checking the 
signature will claim that the signature is "BAD".)

PS: I sent the same message to a colleague who has a PGP-aware email client, 
and the message verified automatically and was presented without the boundaries 
and the signature block.  Instead, there was a marker that indicated the part 
of the message that was signed.  So it would appear that the person who 
reported to me encountered an interoperability failure.
> >
[ ... ]


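The failure Dennis describes (the archive's raw quoted-printable form of a clearsigned message no longer verifies, while the restored plaintext does) can be reproduced offline; this is an added example, not code from the thread or from any ASF project. Real OpenPGP verification needs gnupg, so the signature over the text is stood in for by a SHA-256 of the RFC 4880 canonical signed text, while the ASCII-armor CRC-24 check is the real one; the message, the signature bytes and the archive form are all constructed.

```python
import base64
import hashlib
import quopri

CLEARSIGN_HEADER = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"


def crc24(data: bytes) -> int:
    """CRC-24 used by OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor_signature(sig: bytes) -> str:
    """Armor signature bytes as a signer's client does: base64 body plus an
    '=XXXX' CRC-24 line.  Each '=' is what quoted-printable later shows as '=3D'."""
    body = base64.b64encode(sig).decode()
    crc_line = "=" + base64.b64encode(crc24(sig).to_bytes(3, "big")).decode()
    return f"{SIG_BEGIN}\n\n{body}\n{crc_line}\n{SIG_END}\n"


SIGNATURE_BYTES = b"\x89\x01" + bytes(range(38))   # constructed, not a real packet

# The clearsigned text as the signer pasted it into the mail; the trailing space
# on the advisory line and the '=' in the version line are deliberate.
ORIGINAL = (
    f"{CLEARSIGN_HEADER}\nHash: SHA256\n\n"
    "Security advisory: constructed example text only. \n"
    "- -- a dash-escaped line\n"
    "Fixed version = 1.2.3\n"
    + armor_signature(SIGNATURE_BYTES)
)

# The archive's raw (quoted-printable) view: trailing space -> '=20', '=' -> '=3D'.
RAW_ARCHIVE = quopri.encodestring(ORIGINAL.encode()).decode()


def restore_transfer_encoding(raw: str) -> str:
    """Undo quoted-printable; this must happen before any signature check."""
    return quopri.decodestring(raw.encode()).decode()


def canonical_signed_text(message: str) -> bytes:
    """Bytes a client hashes for a clearsigned message (RFC 4880, section 7.1):
    the text after the 'Hash:' headers, dash-unescaped, trailing whitespace
    stripped, CRLF line endings and no line ending after the last line."""
    lines = message.split("\n")
    start = lines.index(CLEARSIGN_HEADER) + 1
    while lines[start] != "":          # skip the 'Hash:' armor headers
        start += 1
    body = []
    for line in lines[start + 1:lines.index(SIG_BEGIN)]:
        body.append((line[2:] if line.startswith("- ") else line).rstrip(" \t"))
    return "\r\n".join(body).encode()


def signed_text_digest(message: str) -> str:
    """Stand-in for the hash the OpenPGP signature commits to."""
    return hashlib.sha256(canonical_signed_text(message)).hexdigest()


def armor_crc_ok(message: str) -> bool:
    """Base64-decode the armor block and check its CRC-24 line, which a client
    must do before it can even parse the signature packet."""
    lines = message.split("\n")
    try:
        block = lines[lines.index(SIG_BEGIN) + 1:lines.index(SIG_END)]
        payload = block[block.index("") + 1:]      # skip armor headers
        crc_lines = [l for l in payload if l.startswith("=")]
        data_lines = [l for l in payload if not l.startswith("=")]
        if len(crc_lines) != 1:
            return False
        sig = base64.b64decode("".join(data_lines), validate=True)
        crc = base64.b64decode(crc_lines[0][1:], validate=True)
    except ValueError:        # missing markers, or bad base64 (binascii.Error)
        return False
    return int.from_bytes(crc, "big") == crc24(sig)


def verify_report(raw: str) -> dict:
    """Naive check on the raw archive text beside one that restores the transfer
    encoding first; the naive path is the 'BAD signature' the user reported."""
    signer_digest = signed_text_digest(ORIGINAL)
    restored = restore_transfer_encoding(raw)
    return {
        "raw_text_matches": signed_text_digest(raw) == signer_digest,
        "raw_armor_ok": armor_crc_ok(raw),
        "restored_text_matches": signed_text_digest(restored) == signer_digest,
        "restored_armor_ok": armor_crc_ok(restored),
    }
```

Printing RAW_ARCHIVE shows the `=20` line endings and the `=3D` residue in the signature block that Dennis describes; `verify_report(RAW_ARCHIVE)` fails both checks on the raw text and passes both once the transfer encoding is restored.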



Re: [VOTE] Releasing Apache Metron 0.2.0BETA-RC3

2016-07-27 Thread Debo Dutta (dedutta)
+1

Sent from my iPhone

> On Jul 27, 2016, at 9:32 AM, James Sirota  wrote:
> 
> This release is exactly the same as RC2, but the Mozilla licensed file was 
> removed so it doesn’t cause problems for us on the incubator general boards. 
> We no longer use it so we just removed it.
> 
> This is a call to vote on releasing Apache Metron 0.2.0BETA-RC3 incubating
> 
> Full list of changes in this release:
> 
> https://dist.apache.org/repos/dist/dev/incubator/metron/0.2.0BETA-RC3-incubating/CHANGES
> 
> The tag/commit to be voted upon is Metron_0.2.0BETA_rc3:
> 
> https://git-wip-us.apache.org/repos/asf?p=incubator-metron.git;a=commit;h=75642001803396e8884385b0fc297a2312ead3eb
> 
> The source archive being voted upon can be found here:
> 
> https://dist.apache.org/repos/dist/dev/incubator/metron/0.2.0BETA-RC3-incubating/apache-metron-0.2.0BETA-RC3-incubating.tar.gz
> 
> Other release files, signatures and digests can be found here:
> https://dist.apache.org/repos/dist/dev/incubator/metron/0.2.0BETA-RC3-incubating/
> 
> The release artifacts are signed with the following key:
> 
> https://git-wip-us.apache.org/repos/asf?p=incubator-metron.git;a=blob;f=KEYS;h=c11bcb9b7385b4d155501aa097afd890f1070a18;hb=75642001803396e8884385b0fc297a2312ead3eb
> 
> 
> Please vote on releasing this package as Apache Metron 0.2.0BETA-RC3 
> incubating
> 
> When voting, please list the actions taken to verify the release.
> Recommended build validation and verification instructions are posted here:
> https://cwiki.apache.org/confluence/display/METRON/Verifying+Builds
> 
> This vote will be open for at least 72 hours.
> 
> [ ] +1 Release this package as Apache Metron 0.2.0BETA-RC3 incubating
> [ ] 0 No opinion
> [ ] -1 Do not release this package because...




[VOTE] Releasing Apache Metron 0.2.0BETA-RC3

2016-07-27 Thread James Sirota
This release is exactly the same as RC2, but the Mozilla licensed file was 
removed so it doesn’t cause problems for us on the incubator general boards. We 
no longer use it so we just removed it.

This is a call to vote on releasing Apache Metron 0.2.0BETA-RC3 incubating

Full list of changes in this release:

https://dist.apache.org/repos/dist/dev/incubator/metron/0.2.0BETA-RC3-incubating/CHANGES

The tag/commit to be voted upon is Metron_0.2.0BETA_rc3:

https://git-wip-us.apache.org/repos/asf?p=incubator-metron.git;a=commit;h=75642001803396e8884385b0fc297a2312ead3eb

The source archive being voted upon can be found here:

https://dist.apache.org/repos/dist/dev/incubator/metron/0.2.0BETA-RC3-incubating/apache-metron-0.2.0BETA-RC3-incubating.tar.gz

Other release files, signatures and digests can be found here:
https://dist.apache.org/repos/dist/dev/incubator/metron/0.2.0BETA-RC3-incubating/

The release artifacts are signed with the following key:

https://git-wip-us.apache.org/repos/asf?p=incubator-metron.git;a=blob;f=KEYS;h=c11bcb9b7385b4d155501aa097afd890f1070a18;hb=75642001803396e8884385b0fc297a2312ead3eb


Please vote on releasing this package as Apache Metron 0.2.0BETA-RC3 incubating

When voting, please list the actions taken to verify the release.
Recommended build validation and verification instructions are posted here:
https://cwiki.apache.org/confluence/display/METRON/Verifying+Builds

This vote will be open for at least 72 hours.

[ ] +1 Release this package as Apache Metron 0.2.0BETA-RC3 incubating
[ ] 0 No opinion
[ ] -1 Do not release this package because...


RE: Code signing and WOT for releases

2016-07-27 Thread Martin Gainty


> From: dennis.hamil...@acm.org
> To: general@incubator.apache.org
> Subject: RE: Code signing and WOT for releases
> Date: Tue, 26 Jul 2016 10:33:13 -0700
> 
> 
> 
> > -Original Message-
> > From: Nick Kew [mailto:n...@apache.org]
> > Sent: Tuesday, July 26, 2016 02:25
> > To: general@incubator.apache.org
> > Subject: Re: Code signing and WOT for releases
> > 
> > On Tue, 2016-07-26 at 09:19 +0200, Thorsten Schöning wrote:
> > > Hi all,
> > >
> > > the docs about release management for incubating projects make clear
> > > that the release needs to be signed[1] and in the end associated with
> > > the project AND the WOT of Apache in general[2].
> > 
> > I don't like that term "the WOT of Apache in general", with its
> > implied suggestion that an Apache WoT might differ from AN Other.
> > Even if a private Apache WoT were a reality, how would that help
> > our users verify our releases?  Surely the WoT we should be
> > concerned with is the Strong Set that unifies Geekdom at large.
> [orcmid] 
> 
> I think that is perhaps relevant to how the WoT is viewed, but it does not 
> necessarily consider the audience of the signed material.  
> 
> For example, Apache OpenOffice distributes binaries on behalf of end-users.  
> They are unlikely to know anyone in the WoT of a signer and, while there may 
> be an effect in numbers, it is not clear how one can be satisfied about the 
> identity and veracity of the signer.
> 
> Also, there are two aspects that seem to be muddled in discussion of the WoT. 
>  There is how much one trusts that the private key is in the exclusive 
> control of the user identified in the public key certificate and that the 
> identification is accurate, and the not-quite-the-same question of how much 
> one trusts the possessor of that private key to be careful in the 
> counter-signing of the public keys of others.  
> 
> > Yes, also the project's KEYS and id.apache.org, but that's
> > a separate issue to the WoT!
> [orcmid] 
> 
> Right.  Yesterday, I received an email from one of the users who received a 
> security advisory message that I signed.  The user's mail reader reported 
> that the signature was untrusted (no surprise) and that the signature was 
> BAD.  Since the mail reader shows the stripped message, and it looks 
> perfectly fine, there is no way to help analyze that from my end.
> 
> What I did do was (1) verify the message that was sent to me from the list 
> and (2) verify the message in the list archive.  I then (3) advised the 
> recipient what I did and also (4) how to find a public key certificate 
> matching the ID in the signature and how to check that the private key is 
> asserted to be in the possession of the person controlling orc...@apache.org 
> and how the individual having control of that email address is associated 
> with the ASF.

MG>can we assume the key was converted to PKCS8 before asserting the key?
http://stackoverflow.com/questions/5230942/how-to-read-a-private-key-for-use-with-opensaml

MG>and then built new SignatureBuilder().buildObject() Signature with key 
locations before assigning assertion.setSignature(___)?
http://www.programcreek.com/java-api-examples/index.php?api=org.opensaml.xml.signature.Signature

MG>/thanks dennis/
> 
> (I made another check of the archived message too.  The raw form of the 
> message fails to verify when downloaded and that appears to be on account of 
> some encoding features that have to be processed properly for the original 
> text to be reconstituted properly. That might or might not be relevant to how 
> that recipient's email reader handles PGP
> signatures.)
> 
> > 
> > In terms of instructions I can't improve on Mark's reply.
> > I would add that it's not entirely unprecedented to sign a
> > release with a key that can't be verified in the Strong Set,
> > but you should make all efforts to avoid that.  A key that
> > can't be verified adds no more security than an MD5 checksum.
> > 
> > --
> > Nick Kew
> > 
> > 

Re: [VOTE] Apache Gearpump (incubating) 0.8.1-RC4 as 0.8.1

2016-07-27 Thread Kam Kasravi
Hi Justin
These were tagged as GPL

I'll determine their dependencies linkage - we have no references to 
com.sun.jersey within our codebase but it looks to be dual licensed?
Thanks
Kam

On Tuesday, July 26, 2016 6:28 PM, Justin Mclean  
wrote:
 

 Hi,

> [Kam] This analyzes jars required to build the binary artifacts - so my 
> assumption is that it is not relevant to release just the source?

Apache project cannot have GPL dependencies [1][5][6] (there are however a few 
exceptions for optional parts [2] and some build tools [3]). I’d first check to 
see if the software in question is dual licensed. [4]

> Based on just releasing source there are no CCL related artifacts included in 
> the .tgz.

Again see [1] and [6] for problematic licenses.

Thanks,
Justin

1. http://www.apache.org/legal/resolved.html#prohibited
2. http://www.apache.org/legal/resolved.html#optional
3. http://www.apache.org/legal/resolved.html#build-tools
4. http://www.apache.org/legal/resolved.html#mutually-exclusive
5. http://www.apache.org/licenses/GPL-compatibility.html
6. http://www.apache.org/legal/resolved.html#category-x

Re: svn commit: r1753711 - in /incubator/public/trunk/content: podlings.xml projects/trafficcontrol.xml

2016-07-27 Thread Eric Covener
On Wed, Jul 27, 2016 at 7:39 AM, John D. Ament  wrote:
> TrafficControl is not yet a TLP, I am correcting their reporting group.
>
> On Thu, Jul 21, 2016 at 12:31 PM  wrote:
>
>> Author: covener
>> Date: Thu Jul 21 16:31:14 2016
>> New Revision: 1753711
>>
>> URL: http://svn.apache.org/viewvc?rev=1753711&view=rev
>> Log:
>> add basic Traffic Control incubating project XML from template.


Sorry/thanks!


-- 
Eric Covener
cove...@gmail.com




Incubator PMC Report Timeline - August 2016

2016-07-27 Thread John D. Ament
August 2016 Incubator report timeline:

http://wiki.apache.org/incubator/August2016

Wed August 03 -- Podling reports due by end of day
Sun August 07 -- Shepherd reviews due by end of day
Sun August 07 -- Summary due by end of day
Tue August 09 -- Mentor signoff due by end of day
Wed August 10 -- Report submitted to Board
Wed August 17 -- Board meeting


Re: svn commit: r1753711 - in /incubator/public/trunk/content: podlings.xml projects/trafficcontrol.xml

2016-07-27 Thread John D. Ament
TrafficControl is not yet a TLP, I am correcting their reporting group.

On Thu, Jul 21, 2016 at 12:31 PM  wrote:

> Author: covener
> Date: Thu Jul 21 16:31:14 2016
> New Revision: 1753711
>
> URL: http://svn.apache.org/viewvc?rev=1753711&view=rev
> Log:
> add basic Traffic Control incubating project XML from template.
>
>
> Added:
> incubator/public/trunk/content/projects/trafficcontrol.xml
>   - copied, changed from r1753698,
> incubator/public/trunk/content/projects/incubation-status-template.xml
> Modified:
> incubator/public/trunk/content/podlings.xml
>
> Modified: incubator/public/trunk/content/podlings.xml
> URL:
> http://svn.apache.org/viewvc/incubator/public/trunk/content/podlings.xml?rev=1753711&r1=1753710&r2=1753711&view=diff
>
> ==
> --- incubator/public/trunk/content/podlings.xml [utf-8] (original)
> +++ incubator/public/trunk/content/podlings.xml [utf-8] Thu Jul 21
> 16:31:14 2016
> @@ -2424,6 +2424,17 @@ top of Apache HBase and other storage en
>  Nick Kew
>  
>  
> + resource="trafficcontrol" sponsor="Incubator" startdate="2016-07-12">
> +Traffic Control allows you to build a large scale
> content delivery network using open source.
> +
> +
> +Phil Sorber
> +Eric Covener
> +Daniel Gruno
> +J. Aaron Farr 
> +
> +
> +
>   sponsor="Incubator" startdate="2015-05-24">
>  Trafodion is a webscale SQL-on-Hadoop solution
> enabling transactional or operational workloads on Hadoop.
>  
>
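Review bot: the new podling block (resource="trafficcontrol", startdate="2016-07-12") carries no visible reporting-group setting, and the reply at the top of this thread says TrafficControl's reporting group had to be corrected afterwards; set the report group when the entry is first added so the podling lands in the correct monthly Incubator report cycle. Minor: the mentor line `J. Aaron Farr ` has a trailing space that the other mentor entries do not; trim it.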
> Copied: incubator/public/trunk/content/projects/trafficcontrol.xml (from
> r1753698,
> incubator/public/trunk/content/projects/incubation-status-template.xml)
> URL:
> http://svn.apache.org/viewvc/incubator/public/trunk/content/projects/trafficcontrol.xml?p2=incubator/public/trunk/content/projects/trafficcontrol.xml&p1=incubator/public/trunk/content/projects/incubation-status-template.xml&r1=1753698&r2=1753711&rev=1753711&view=diff
>
> ==
> --- incubator/public/trunk/content/projects/incubation-status-template.xml
> [utf-8] (original)
> +++ incubator/public/trunk/content/projects/trafficcontrol.xml [utf-8] Thu
> Jul 21 16:31:14 2016
> @@ -8,79 +8,37 @@
>
>
>
> --8-< cut here ---8-< cut here
> ---8-< cut here ---8-<
> -
> -  Project Incubation Status TEMPLATE
> -  This document is the template for project incubation status.
> -  What to do to set it up:
> -  
> -copy this file and name it .xml
> -add a section in incubator/content/podlings.xml
> -  
> -  For this file:
> -  
> -substitute the XYZ project name with the real one
> -fill in the "Description".
> -See http://www.apache.org/foundation/marks/pmcs.html#markdesc";>Project Naming
> And Descriptions
> -
> -edit "Project info" to contain only effective resources
> -start doing "Incubation work items"
> -  
> -  When an "Incubation work item" is done, place the date in the
> - supplied space, and if necessary update "Project info" to reflect
> - changes in resources.
> -  There are also sections where to place project news and
> incubation
> - status reports.
> -  
> -On the first edit of this file, please delete this entire
> section.
> -  
> -
> --8-< cut here ---8-< cut here
> ---8-< cut here ---8-<
> -
> -
> -
> -
> -  XYZ Project Incubation Status
> +
> +  Traffic Control Project Incubation Status
>This page tracks the project status, incubator-wise. For more
> general
>   project status, look on the project website.
>  
>  
>Description
> -  The XYZ Project is a wonderful project that does things and goes
> places.
> +  The Traffic Control Project allows you to build a large scale
> content
> +  delivery network.
>  
>  
>News
>
>  
> --MM-DD Project enters incubation.
> +2016-07-12 Project enters incubation.
>
>  
>  
>Project info
> -  
> -link to the main website
> -  
> -  
> -link to the page(s) that tell how to participate
> (Website,Mailing
> -lists,Bug tracking,Source code)
> -  
> -  
> -link to the project status file (Committers,non-incubation
> action
> -items,project resources, etc)
> -  
> -  If the project website and code repository are not yet setup,
> use the
> - following table:
>
>  
>item
>type
>reference
>  
> +
>  
>Mentors
> -  id1
> -  Name1 Surname1
> +  sorber
> +  Phil Sorber
> +
> +