Re: [VOTE] HAWQ 2.0.0-beta-incubating RC4

2016-02-08 Thread Roman Shaposhnik
On Thu, Feb 4, 2016 at 5:29 PM, Justin Mclean  wrote:
> Hi,
>
>> Well, that's the problem -- the source doesn't have it.
>
> It should as the first couple of lines of the BSD license header are like so
> (from a file I happen to be looking at at this instance):
>
> /*
>  * Copyright (c) 2015, Nordic Semiconductor ASA
>  * All rights reserved.
>  *
>  * Redistribution and use in source and binary forms, with or without
>  * modification, are permitted provided that the following conditions are met:
>
> etc etc

Well, that's the ideal case. There are files that don't have it. In
fact, most of the files coming from PostgreSQL code base don't have
explicit licensing headers.

Seeing the other thread re: NOTICE I'll leave it be for now -- even if
we don't get it squeaky clean this time -- we can gradually make it
better before the project graduates.

Once again -- thanks for your efforts around reviewing our RC and also for
sparking a much needed discussion around LICENSE/NOTICE policies.

Thanks,
Roman.

-
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org



Re: [VOTE] HAWQ 2.0.0-beta-incubating RC4

2016-02-04 Thread Justin Mclean
Hi,

> Well, that's the problem -- the source doesn't have it.

It should as the first couple of lines of the BSD license header are like so
(from a file I happen to be looking at at this instance):

/*
 * Copyright (c) 2015, Nordic Semiconductor ASA
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:

etc etc

Thanks,
Justin



Re: [VOTE] HAWQ 2.0.0-beta-incubating RC4

2016-02-04 Thread Roman Shaposhnik
On Thu, Feb 4, 2016 at 5:19 PM, Justin Mclean  wrote:
> Hi,
>
>> I mean the BSD license makes you advertise the Copyright Notice and there's
>> a better chance of it going downstream via NOTICE.
>
> The source file will have the header which contains the copyright notice so
> it will still be there, perhaps just not as obvious unless it is listed in
> license.

Well, that's the problem -- the source doesn't have it. The only place it gets
reflected is in LICENSE and NOTICE (and again I totally see your point
of reducing that to just LICENSE -- but I thought both is a bit more
bullet-proof).

Thanks,
Roman.




Re: [VOTE] HAWQ 2.0.0-beta-incubating RC4

2016-02-04 Thread Justin Mclean
Hi,

> I mean the BSD license makes you advertise the Copyright Notice and there's a
> better chance of it going downstream via NOTICE.

The source file will have the header which contains the copyright notice so it
will still be there, perhaps just not as obvious unless it is listed in license.

Thanks,
Justin



Re: [VOTE] HAWQ 2.0.0-beta-incubating RC4

2016-02-04 Thread Roman Shaposhnik
On Wed, Feb 3, 2016 at 7:12 PM, Justin Mclean  wrote:
> Hi,
>
>> can you please take a look at this and see if that's acceptable:
>>   https://github.com/rvs/incubator-hawq/blob/master/LICENSE
>>   https://github.com/rvs/incubator-hawq/blob/master/NOTICE 
>> 
>
> Quick look looks much better but I’ve not gone through and double checked.
>
> You may want to check the copyrights in NOTICE however. Have all these
> copyrights been relocated from a header file?
> There is no need to list all copyrights (esp for MIT or BSD software) but only
> those that have been relocated or those included
> in non ASF bundled Apache licensed software.

Strictly speaking you're absolutely correct, but isn't it better to
do this anyway? I mean the BSD license makes you advertise the
Copyright Notice and there's a better chance of it going downstream
via NOTICE.

Just curious.

Thanks,
Roman.




Re: [VOTE] HAWQ 2.0.0-beta-incubating RC4

2016-02-03 Thread Justin Mclean
Hi,

> can you please take a look at this and see if that's acceptable:
>   https://github.com/rvs/incubator-hawq/blob/master/LICENSE
>   https://github.com/rvs/incubator-hawq/blob/master/NOTICE 
> 

Quick look looks much better but I’ve not gone through and double checked.

You may want to check the copyrights in NOTICE however. Have all these
copyrights been relocated from a header file? There is no need to list all
copyrights (esp for MIT or BSD software) but only those that have been relocated
or those included in non ASF bundled Apache licensed software.

Thanks,
Justin



Re: [VOTE] HAWQ 2.0.0-beta-incubating RC4

2016-02-03 Thread Roman Shaposhnik
On Wed, Feb 3, 2016 at 7:00 PM, John D. Ament  wrote:
> So should we cancel this vote and wait for a new RC?

Yup.

Thanks,
Roman.




Re: [VOTE] HAWQ 2.0.0-beta-incubating RC4

2016-02-03 Thread John D. Ament
So should we cancel this vote and wait for a new RC?

On Wed, Feb 3, 2016 at 9:56 PM Roman Shaposhnik wrote:

> Justin,
>
> once again -- thank you so much for your diligent reviews! Wrt.
> NOTICE/LICENSE files
> can you please take a look at this and see if that's acceptable:
>    https://github.com/rvs/incubator-hawq/blob/master/LICENSE
>    https://github.com/rvs/incubator-hawq/blob/master/NOTICE
>
> Wrt. crypto code -- you ended up being absolutely right and apologize
> for the confusion.
> The only thing I can say in my defense is that I got double tripped up by:
>  http://www.apache.org/dev/crypto.html#faq-previouslyexported
>  http://www.postgresql.org/message-id/can1ef+z1b1ecxq1gyudfo8wbp5+6mfkcqqgu_xvtnzuak9h...@mail.gmail.com
>
> At any rate, we're removing the crypto code:
>  https://issues.apache.org/jira/browse/HAWQ-394
>
> Hopefully this will take care of your concerns.
>
> Thanks,
> Roman.
>
> On Wed, Jan 27, 2016 at 5:12 AM, Justin Mclean 
> wrote:
> > Hi,
> >
> >> I think this section of NOTICE is simply not worded well enough.
> >
> > No problem, if it is not bundled it should be removed, if the wording is
> > wrong it should be fixed.
> >
> >> No it doesn’t.
> >
> > You might want to double check the files in here:
> > ./contrib/pgcrypto
> > ./src/interfaces/libpq
> >
> > Just do a quick search for SSL for instance. Or take a look at
> > contrib/pgcrypto/crypt-blowfish.c it says "This code comes from John the
> > Ripper password cracker, with reentrant and crypt(3) interfaces added," and
> > that looks to be GPL software or I think public domain?  I’d expect that to
> > be in the LICENSE file. [1] I haven’t looked at everything in detail but
> > there is enough for concern and IMO it needs to be double checked.
> >
> > Exactly what is covered by "cryptographic functions" I’m not entirely
> > sure. Do we have somewhere where that is spelt out? For instance is MD5
> > included in that? (see ./contrib/pgcrypto/crypt-md5.c,
> > ./contrib/pgcrypto/md5.c, ./src/backend/libpq/md5.c) or DES
> > (./contrib/pgcrypto/crypt-des.c) or SHA2 (./contrib/pgcrypto/sha2.c) or
> > blowfish mentioned above? (and those are not the only files)
> >
> >> Apache License  -- not sure what you mean here -- I think we're simply
> >> bubbling up the dependencies NOTICEs. Why is that wrong?
> >
> > Bubbling up NOTICEs is correct but AFAICS you’re not doing that.
> >
> >> Not sure what do you want us to do to handle that case.
> >
> > Fix the paths or remove it if it's no longer the case would be best I
> > think.
> >
> > Thanks,
> > Justin
> >
> > 1. http://www.openwall.com/john/doc/LICENSE.shtml


Re: [VOTE] HAWQ 2.0.0-beta-incubating RC4

2016-02-03 Thread Roman Shaposhnik
Justin,

once again -- thank you so much for your diligent reviews! Wrt.
NOTICE/LICENSE files can you please take a look at this and see if
that's acceptable:
   https://github.com/rvs/incubator-hawq/blob/master/LICENSE
   https://github.com/rvs/incubator-hawq/blob/master/NOTICE

Wrt. crypto code -- you ended up being absolutely right and apologize
for the confusion.
The only thing I can say in my defense is that I got double tripped up by:
 http://www.apache.org/dev/crypto.html#faq-previouslyexported
 http://www.postgresql.org/message-id/can1ef+z1b1ecxq1gyudfo8wbp5+6mfkcqqgu_xvtnzuak9h...@mail.gmail.com

At any rate, we're removing the crypto code:
 https://issues.apache.org/jira/browse/HAWQ-394

Hopefully this will take care of your concerns.

Thanks,
Roman.

On Wed, Jan 27, 2016 at 5:12 AM, Justin Mclean  wrote:
> Hi,
>
>> I think this section of NOTICE is simply not worded well enough.
>
> No problem, if it is not bundled it should be removed, if the wording is 
> wrong it should be fixed.
>
>> No it doesn’t.
>
> You might want to double check the files in here:
> ./contrib/pgcrypto
> ./src/interfaces/libpq
>
> Just do a quick search for SSL for instance. Or take a look at
> contrib/pgcrypto/crypt-blowfish.c it says "This code comes from John the
> Ripper password cracker, with reentrant and crypt(3) interfaces added," and
> that looks to be GPL software or I think public domain?  I’d expect that to
> be in the LICENSE file. [1] I haven’t looked at everything in detail but
> there is enough for concern and IMO it needs to be double checked.
>
> Exactly what is covered by "cryptographic functions” I’m not entirely sure. 
> Do we have somewhere where that is spelt out? For instance is MD5 included in 
> that? (see ./contrib/pgcrypto/crypt-md5.c, ./contrib/pgcrypto/md5.c, 
> ./src/backend/libpq/md5.c) or DES (./contrib/pgcrypto/crypt-des.c) or SHA2 
> (./contrib/pgcrypto/sha2.c) or blowfish mentioned above? (and those are not 
> the only files)
>
>> Apache License  -- not sure what you mean here -- I think we're simply
>> bubbling up the dependencies NOTICEs. Why is that wrong?
>
> Bubbling up NOTICEs is correct but AFAICS you’re not doing that.
>
>> Not sure what do you want us to do to handle that case.
>
> Fix the paths or remove it if it's no longer the case would be best I think.
>
> Thanks,
> Justin
>
> 1. http://www.openwall.com/john/doc/LICENSE.shtml




Re: [VOTE] HAWQ 2.0.0-beta-incubating RC4

2016-01-27 Thread Justin Mclean
Hi,

> I think this section of NOTICE is simply not worded well enough.

No problem, if it is not bundled it should be removed, if the wording is wrong 
it should be fixed.

> No it doesn’t.

You might want to double check the files in here:
./contrib/pgcrypto
./src/interfaces/libpq

Just do a quick search for SSL for instance. Or take a look at
contrib/pgcrypto/crypt-blowfish.c it says "This code comes from John the Ripper
password cracker, with reentrant and crypt(3) interfaces added," and that looks
to be GPL software or I think public domain?  I’d expect that to be in the
LICENSE file. [1] I haven’t looked at everything in detail but there is enough
for concern and IMO it needs to be double checked.

Exactly what is covered by "cryptographic functions” I’m not entirely sure. Do 
we have somewhere where that is spelt out? For instance is MD5 included in 
that? (see ./contrib/pgcrypto/crypt-md5.c, ./contrib/pgcrypto/md5.c, 
./src/backend/libpq/md5.c) or DES (./contrib/pgcrypto/crypt-des.c) or SHA2 
(./contrib/pgcrypto/sha2.c) or blowfish mentioned above? (and those are not the 
only files)

> Apache License  -- not sure what you mean here -- I think we're simply
> bubbling up the dependencies NOTICEs. Why is that wrong?

Bubbling up NOTICEs is correct but AFAICS you’re not doing that.

> Not sure what do you want us to do to handle that case.

Fix the paths or remove it if it's no longer the case would be best I think.

Thanks,
Justin

1. http://www.openwall.com/john/doc/LICENSE.shtml



Re: [VOTE] HAWQ 2.0.0-beta-incubating RC4

2016-01-27 Thread Roman Shaposhnik
On Tue, Jan 26, 2016 at 8:06 PM, Justin Mclean  wrote:
> Hi,
>
> -1 binding until license and crypto issues are cleared up.

Justin, thanks for your quick review -- you're awesome, man!

Still I have a few questions/comments ;-)

> I notice the NOTICE mentions "Classpath Exception to the GPL" this is
> Category X and can’t be included in a release. See
> http://www.apache.org/legal/resolved.html#category-x

I think this section of NOTICE is simply not worded well enough.
It is a good ol' Jersey after all: https://jersey.java.net/license.html

Better yet, I think we actually got rid of it so we can strike that part
of NOTICE.

> This release also looks to contain crypto software - has this been followed? [4]

No it doesn't. It dynamically links against Crypto software, but as you can see
this is a source release only. A similar issue of the dynamic linking
against crypto/GPL libraries came up during incubation and was addressed:
http://markmail.org/message/wiqekxsbmerufmln

> I checked:
> - file contain incubating
> - signatures and hashes good
> - DISCLAIMER exists
> - LICENSE and  NOTICE have (lots) issues
> - source files have headers
> - no unexpected binary files

Great!

> - unable to compile from source (but probably my set up - complains about json-c)

The easiest way to build is via a docker container:
   https://cwiki.apache.org/confluence/display/HAWQ/Build+and+Install

> License and notice issues:
> - LICENSE is missing many BSD, MIT and similar pieces of licensed software.

Well, this is where I get to be an old fart and insist that
a position of LICENSE only containing ALv2 is actually
legally defensible and something that I've been advocating.

That said, a few recent threads (and especially a Marvin's
thoughtful response) convinced me that instead of endlessly
arguing about it I may as well go with the flow -- so yeah,
let's just move some parts of NOTICE to LICENSE.

> - NOTICE should not include MIT, BSD or normally Apache licenses. [1][2]

MIT/BSD -- see above. I actually really don't like them in LICENSE,
but like I said -- let's not argue about that.

Apache License  -- not sure what you mean here -- I think we're simply
bubbling up the dependencies NOTICEs. Why is that wrong?

> - NOTICE also should not include anything that is not bundled in the actual 
> source release.[3] (e.g. junit)

See below. I think we're bundling bits and pieces of it. But I'll
re-review since there could be entries that snuck into this
NOTICE from the binary NOTICE.

> - Some files listed in NOTICE don’t exist e.g. 
> src/google/protobuf/stubs/atomicops_internals_aix.h. This makes it hard to 
> review.

I think those are locations in the original. IIRC, the code
ended up in a few different places in HAWQ when it was
leveraged. It wasn't quite cut-n-paste, but it wasn't
code encapsulation either. Not sure what do you want
us to do to handle that case.

Thanks,
Roman.




[Vote] HAWQ 2.0.0-beta-incubating RC4

2016-01-27 Thread Ting(Goden) Yao
Incubator PMC,

The Apache HAWQ (incubating) community has voted on and
approved the proposal to release Apache HAWQ 2.0.0-beta (incubating).
The voting result is available at:
http://mail-archives.apache.org/mod_mbox/incubator-hawq-dev/201601.mbox/%3CCAB0yre=7VHcR-DYrOZxfRg159XBnE2u=jdyvmacapgouy5m...@mail.gmail.com%3E


This is the 1st release for Apache HAWQ (incubating), version:
2.0.0-beta-incubating

*It fixes the following issues:*
Clear all IP related issues for HAWQ and this is a source code tarball only
release.
Full list of JIRAs fixed/related to the release: link

To run check RAT, please do:

$mvn verify

first to get the correct RAT output.  Look inside of pom.xml to see the
classes of exceptions we're managing there for RAT.

*** Please download, review and vote  ***

*We're voting upon the source (tag):*
2.0.0-beta-incubating-RC4

*Source Files:*
https://dist.apache.org/repos/dist/dev/incubator/hawq/2.0.0-beta-incubating.RC4

*Tag to be voted upon:*
https://git-wip-us.apache.org/repos/asf?p=incubator-hawq.git;a=commit;h=1b11926fef3a7ca445238c157571494c03276a82


*KEYS file containing PGP Keys we use to sign the release:*
https://dist.apache.org/repos/dist/dev/incubator/hawq/KEYS

The vote will be open for at least 72 hours or until necessary number of
votes is reached.
[ ] +1 approve
[ ] +0 no opinion
[ ] -1 disapprove (and reason why)

Here is my +1 (non binding)

-Goden Yao


Re: [VOTE] HAWQ 2.0.0-beta-incubating RC4

2016-01-26 Thread Justin Mclean
Hi,

-1 binding until license and crypto issues are cleared up.

I notice the NOTICE mentions "Classpath Exception to the GPL" this is Category
X and can’t be included in a release. See
http://www.apache.org/legal/resolved.html#category-x

This release also looks to contain crypto software - has this been followed? [4]

I checked:
- file contain incubating
- signatures and hashes good
- DISCLAIMER exists
- LICENSE and  NOTICE have (lots) issues
- source files have headers
- no unexpected binary files
- unable to compile from source (but probably my set up - complains about 
json-c)

License and notice issues:
- LICENSE is missing many BSD, MIT and similar pieces of licensed software. [1] 
For example libpg, PuTTY, pgcrypto, pexpect, gtest + lot of others
- NOTICE should not include MIT, BSD or normally Apache licenses. [1][2]
- NOTICE also should not include anything that is not bundled in the actual 
source release.[3] (e.g. junit)
- Some files listed in NOTICE don’t exist e.g. 
src/google/protobuf/stubs/atomicops_internals_aix.h. This makes it hard to 
review.

Thanks,
Justin

1. http://www.apache.org/dev/licensing-howto.html#permissive-deps
2. http://www.apache.org/dev/licensing-howto.html#alv2-dep
3. http://www.apache.org/dev/licensing-howto.html#guiding-principle
4. http://www.apache.org/dev/crypto.html





Re: [VOTE] HAWQ 2.0.0-beta-incubating RC4

2016-01-26 Thread Roman Shaposhnik
On Tue, Jan 26, 2016 at 5:23 PM, Ting(Goden) Yao  wrote:
> (I was told this email wasn't received by the mailing list so resending it)
>
> Incubator PMC,
>
> The Apache HAWQ (incubating) community has voted on and
> approved the proposal to release Apache HAWQ 2.0.0-beta (incubating).
> The voting result is available at:
> http://mail-archives.apache.org/mod_mbox/incubator-hawq-dev/201601.mbox/%3CCAB0yre=7VHcR-DYrOZxfRg159XBnE2u=jdyvmacapgouy5m...@mail.gmail.com%3E
>
>
> This is the 1st release for Apache HAWQ (incubating), version:
> 2.0.0-beta-incubating
>
> *It fixes the following issues:*
> Clear all IP related issues for HAWQ and this is a source code tarball only
> release.
> Full list of JIRAs fixed/related to the release: link
> 
> To run check RAT, please do:
>
> $mvn verify
>
> first to get the correct RAT output.  Look inside of pom.xml to see the
> classes of exceptions we're managing there for RAT.
>
> *** Please download, review and vote  ***
>
> *We're voting upon the source (tag):*
> 2.0.0-beta-incubating-RC4
>
> *Source Files:*
> https://dist.apache.org/repos/dist/dev/incubator/hawq/2.0.0-beta-incubating.RC4
>
> *Tag to be voted upon:*
> https://git-wip-us.apache.org/repos/asf?p=incubator-hawq.git;a=commit;h=1b11926fef3a7ca445238c157571494c03276a82
>
>
> *KEYS file containing PGP Keys we use to sign the release:*
> https://dist.apache.org/repos/dist/dev/incubator/hawq/KEYS
>
> The vote will be open for at least 72 hours or until necessary number of
> votes is reached.
> [ ] +1 approve
> [ ] +0 no opinion
> [ ] -1 disapprove (and reason why)

transferring my vote from the community thread:

+1 (binding)

Thanks,
Roman.




[VOTE] HAWQ 2.0.0-beta-incubating RC4

2016-01-26 Thread Ting(Goden) Yao
(I was told this email wasn't received by the mailing list so resending it)

Incubator PMC,

The Apache HAWQ (incubating) community has voted on and
approved the proposal to release Apache HAWQ 2.0.0-beta (incubating).
The voting result is available at:
http://mail-archives.apache.org/mod_mbox/incubator-hawq-dev/201601.mbox/%3CCAB0yre=7VHcR-DYrOZxfRg159XBnE2u=jdyvmacapgouy5m...@mail.gmail.com%3E


This is the 1st release for Apache HAWQ (incubating), version:
2.0.0-beta-incubating

*It fixes the following issues:*
Clear all IP related issues for HAWQ and this is a source code tarball only
release.
Full list of JIRAs fixed/related to the release: link

To run check RAT, please do:

$mvn verify

first to get the correct RAT output.  Look inside of pom.xml to see the
classes of exceptions we're managing there for RAT.

*** Please download, review and vote  ***

*We're voting upon the source (tag):*
2.0.0-beta-incubating-RC4

*Source Files:*
https://dist.apache.org/repos/dist/dev/incubator/hawq/2.0.0-beta-incubating.RC4

*Tag to be voted upon:*
https://git-wip-us.apache.org/repos/asf?p=incubator-hawq.git;a=commit;h=1b11926fef3a7ca445238c157571494c03276a82


*KEYS file containing PGP Keys we use to sign the release:*
https://dist.apache.org/repos/dist/dev/incubator/hawq/KEYS

The vote will be open for at least 72 hours or until necessary number of
votes is reached.
[ ] +1 approve
[ ] +0 no opinion
[ ] -1 disapprove (and reason why)

Here is my +1 (non binding)
-Goden Yao