Here is the definitive answer: https://issues.apache.org/jira/browse/LEGAL-346. 
My reading is that it is OK to include or exclude the appendix.

> On Aug 30, 2023, at 6:38 AM, Calvin Kirs <k...@apache.org> wrote:
> 
> On Wed, Aug 30, 2023 at 7:17 PM Bertil Chapuis <bchap...@gmail.com> wrote:
>> 
>> Hello Calvin,
>> Hello Julian,
>> 
>> Thank you for your reviews and for taking the time to list these points. You 
>> will find my comments below.
>> 
>>> 1. The binary version needs to include the license of all components
>>> required for compilation. If it is a standard AL2, it can be ignored.
>>> You can refer to [1]
>>> 2. The binary version of NOTICE needs to include the licenses of all
>>> dependent third-party components (AFAIK, this is only required when
>>> the license of the dependencies is AL2), you can refer to [2]
>> 
>> We do have a THIRD-PARTY file at the root of the binary distribution that 
>> lists the licenses of the components required for compilation and at 
>> runtime. We don’t ignore AL2 licences in order to be exhaustive and to keep 
>> the build process simple. We released version 0.7.1 believing this was 
>> sufficient to comply with this requirement. What do you think?
> 
> What I mean is all the contents of its license file (if it is standard
> AL2, you don't need to include it) and list them according to your
> needs.
> 
> The same goes for NOTICE files. If these components use the AL2
> protocol and include NOTICE, then you need to include these in the
> NOTICE file in the root directory.
> I think Josh is familiar with this.
>> 
>>> 3. The LICENSE file of the binary version needs to declare which
>>> version of the source code your binary version is based on. You can
>>> refer to [3]
>> 
>> Ok, we shall address this.
>> 
>>> Source package:
>>> 1. For the LICENSE file in the source code package, I don't know which
>>> specific codes are dependent on the source code, so I can't check
>>> whether it is correct or not. I suggest that we list the specific
>>> modifications in the license.
>> 
>> I’m worried that this listing won’t survive a refactoring. The current 
>> approach is to include a clear reference to the original project in the 
>> javadoc. Here is an example:
>> 
>> https://github.com/apache/incubator-baremaps/blob/a62a1a38f809134e3bf4c69fd192523877babd7e/baremaps-core/src/main/java/org/apache/baremaps/stream/BufferedSpliterator.java#L28
>> 
>> As a result searching for the names listed in the LICENSE file in the 
>> codebase quickly returns the adapted files. For instance, searching for 
>> OSMPBF will return the osmformat.proto file.
>> 
>> 
>>> 2. The license of logo.svg is Font Awesome Free License. I see that
>>> Font Awesome Free is free, open source, and GPL friendly. You can use
>>> it for commercial projects, open source projects, or really almost
>>> whatever you want.
>>> This is not allowed to be added to ASF projects.
>> 
>> Good catch, we need to address this and find a replacement for this icon.
>> 
>>> 
>>> [1] https://github.com/apache/hadoop/tree/trunk/licenses-binary
>>> [2] https://github.com/apache/hadoop/blob/trunk/NOTICE-binary
>>> [3] https://github.com/apache/hadoop/blob/trunk/LICENSE-binary
>>> 
>>> On Wed, Aug 30, 2023 at 4:10 AM Julian Hyde <jhyde.apa...@gmail.com> wrote:
>>>> 
>>>> -1 (binding)
>>>> 
>>>> Downloaded, checked src-tar contents against git tag [1], checked 
>>>> LICENSE/NOTICE/README/DISCLAIMER [2], checked signatures/hashes[3], 
>>>> checked for binaries in src-tar, compiled using OpenJDK 17 and Maven 
>>>> 3.8.1, ran rat.
>>>> 
>>>> Everything that I checked looks good. But I’m voting -1 because of the 
>>>> binary licensing issues that Calvin reported. Let’s get those issues fixed 
>>>> and do another RC.
>>>> 
>>>> By the way. I think we should keep the voting period to 3 days (or 4 days 
>>>> over a weekend). Even though votes may sometimes take a long time, the 
>>>> voters SHOULD try to vote promptly. If there is a serious issue, we would 
>>>> like to discover it quickly and move to the next RC in a tempo of days 
>>>> rather than weeks.
>> 
>> Thank you for clarifying this point.
>> 
>>>> Julian
>>>> 
>>>> 
>>>> [1] Git and src-tar mostly match:
>>>> 
>>>> $ diff -r . /tmp/apache-baremaps-0.7.2-incubating-src/
>>>> Only in /tmp/apache-baremaps-0.7.2-incubating-src/baremaps-cli/src: test
>>>> Only in /tmp/apache-baremaps-0.7.2-incubating-src/baremaps-ogcapi: target
>>>> Only in ./baremaps-renderer: assets
>>>> Only in ./baremaps-renderer: declaration.d.ts
>>>> Only in ./baremaps-renderer: .gitignore
>>>> Only in /tmp/apache-baremaps-0.7.2-incubating-src/baremaps-renderer: node_modules
>>>> Only in ./baremaps-renderer: package.json
>>>> Only in ./baremaps-renderer: package-lock.json
>>>> Only in ./baremaps-renderer: .prettierignore
>>>> Only in ./baremaps-renderer: .prettierrc.json
>>>> Only in ./baremaps-renderer: README.md
>>>> Only in ./baremaps-renderer: tsconfig.json
>>>> Only in /tmp/apache-baremaps-0.7.2-incubating-src/baremaps-server/src/main/resources: maputnik
>>>> Only in .: basemap
>>>> Only in .: examples
>>>> Only in .: .git
>>>> Only in .: .github
>>>> Only in .: .gitignore
>>>> Only in .: .min
>>>> Only in .: mvnw
>>>> Only in .: mvnw.cmd
>>>> diff -r ./README /tmp/apache-baremaps-0.7.2-incubating-src/README
>>>> 1c1
>>>> < # Apache Baremaps (incubating) ${project.version}
>>>> ---
>>>>> # Apache Baremaps (incubating) 0.7.2
>>>> diff -r ./scripts/generate-artifacts.sh /tmp/apache-baremaps-0.7.2-incubating-src/scripts/generate-artifacts.sh
>>>> 22c22
>>>> < version=$(./mvnw -q -Dexec.executable=echo -Dexec.args='${project.version}' --non-recursive exec:exec)
>>>> ---
>>>>> version=$(./mvnw -q -Dexec.executable=echo -Dexec.args='0.7.2' --non-recursive exec:exec)
>>>> 35c35
>>>> < for artifact in ./baremaps-$version-incubating-*; do
>>>> ---
>>>>> for artifact in ./apache-baremaps-$version-incubating-*; do
>>>> 
>>>> Any reason not to include .github/, .gitignore, examples, basemap, and the 
>>>> various files in baremaps-renderer ?
>> 
>> We use the baremaps-renderer solely to perform integration tests on the 
>> basemap before making significant changes to the style. I’m not sure if it 
>> makes sense to include it in the release.
>> 
>>>> [2] In LICENSE, you should remove the "APPENDIX: How to apply the Apache 
>>>> License to your work” section.
>> 
>> Sorry for that, I believe you already mentioned this point in a previous 
>> review.
>> 
>>>> [3] I received the same error as Calvin did:
>>>> 
>>>> gpg: Good signature from "Bertil Chapuis <bchap...@gmail.com>" [unknown].
>>>> gpg: WARNING: This key is not certified with a trusted signature!
>>>> gpg:          There is no indication that the signature belongs to the owner.
>>>> 
>>>> This error can be fixed by Bertil getting his key signed by someone in our 
>>>> web of trust. This can be done after release, but let’s get it done.
>> 
>> It would be great if someone could guide me in this process. I believe 
>> Bertrand could help as we meet in person from time to time.
>> 
>> Best regards,
>> 
>> Bertil
>> 
>>>>> On Aug 29, 2023, at 12:02 PM, Bertil Chapuis <bchap...@gmail.com> wrote:
>>>>> 
>>>>> Hello Calvin,
>>>>> 
>>>>> It would be great if you can list a few actionable items regarding 
>>>>> licensing.
>>>>> 
>>>>> https://github.com/apache/incubator-baremaps/issues/492
>>>>> 
>>>>> I did a pass on almost everything before joining the incubator, and had 
>>>>> to rewrite or find alternatives to all the problematic GPL dependencies. 
>>>>> A second pass made after joining the incubator revealed a few additional 
>>>>> issues, but I think we are close to being compliant. In my opinion, the 
>>>>> main issue is related to datasets (e.g. openstreetmap files) used in the 
>>>>> tests. We added the DISCLAIMER-WIP to acknowledge these issues in the src 
>>>>> and binary distributions without blocking the release process.
>>>>> 
>>>>> Best regards,
>>>>> 
>>>>> Bertil
>>>>> 
>>>>>> On 29 Aug 2023, at 18:12, Josh Fischer <j...@joshfischer.io> wrote:
>>>>>> 
>>>>>> Calvin,
>>>>>> 
>>>>>> You made me think of a license question.  With Heron, we kept a separate 
>>>>>> copy of all the licenses that were not ALV2 [1].  Is this something that 
>>>>>> needs to be done for Baremaps?
>>>>>> 
>>>>>> 1. https://github.com/apache/incubator-heron/tree/master/licenses
>>>>>> 
>>>>>> - Josh
>>>>>> 
>>>>>>> On Aug 29, 2023, at 11:04 AM, Calvin Kirs <k...@apache.org> wrote:
>>>>>>> 
>>>>>>> I'll find time tomorrow to list specific checks.
>>>>>>> BTW, we cannot fully rely on rat to indicate whether the license is 
>>>>>>> compliant.
>>>>>>> In addition, regarding the modification of source code dependencies,
>>>>>>> we'd better list the specific files in the LICENSE file, otherwise it
>>>>>>> is difficult for us to judge whether this part is compliant.
>>>>>>> 
>>>>>>> On Tue, Aug 29, 2023 at 11:31 PM Calvin Kirs <k...@apache.org> wrote:
>>>>>>>> 
>>>>>>>> On Tue, Aug 29, 2023 at 10:39 PM Josh Fischer <j...@joshfischer.io> 
>>>>>>>> wrote:
>>>>>>>>> 
>>>>>>>>> Right now I’m 0.
>>>>>>>>> 
>>>>>>>>> I’ve not run across this before, I’m not sure if it’s an issue for 
>>>>>>>>> the release.  See gpg output below about the key not being certified. 
>>>>>>>>>  This is the reason my vote is 0 at the moment.
>>>>>>>>> gpg --verify $FILE.asc $FILE
>>>>>>>>> gpg: Signature made Thu Aug 24 07:11:17 2023 CDT
>>>>>>>>> gpg:                using RSA key 16D7A0B27D5ADD52BD57932971751399FB39CB84
>>>>>>>>> gpg: Good signature from "Bertil Chapuis <bchap...@gmail.com>" [unknown]
>>>>>>>>> gpg: WARNING: This key is not certified with a trusted signature!
>>>>>>>> 
>>>>>>>> don't worry, it's ok.
>>>>>>>>> 
>>>>>>>>> I checked:
>>>>>>>>> - Downloaded; checked hashes/signatures; checked LICENSE, NOTICE, 
>>>>>>>>> DISCLAIMER-WIP; compiled and ran tests on OSX, OpenJDK 17, Maven 
>>>>>>>>> 3.8.4.
>>>>>>>>> - Rat check showed 1441 unapproved licenses.  However, since we are a 
>>>>>>>>> WIP and I think this issue is known, we are good.
>>>>>>>>> - I tried to run the example from the tar.gz binary, but the website 
>>>>>>>>> seems to refer to the repo - not a release. As an example, the 
>>>>>>>>> openStreet Map example wouldn’t work with one of our binary releases. 
>>>>>>>>> This isn’t a blocker by any means, just a developer experience idea 
>>>>>>>>> that I thought about while checking the release.
>>>>>>>>> 
>>>>>>>>> $ cd examples/openstreetmap
>>>>>>>>> $ baremaps workflow execute --file workflow.json
>>>>>>>>> 
>>>>>>>>> Because the “examples” folder wasn’t in the binary release I wasn’t 
>>>>>>>>> sure how to run the example.
>>>>>>>>> 
>>>>>>>>> - Josh
>>>>>>>>> 
>>>>>>>>>> On Aug 28, 2023, at 3:20 PM, Bertil Chapuis <bchap...@gmail.com> 
>>>>>>>>>> wrote:
>>>>>>>>>> 
>>>>>>>>>> Thank you Josh and Julian. There is no hurry, especially if we can 
>>>>>>>>>> increase the duration of the vote.
>>>>>>>>>> 
>>>>>>>>>> As we all have busy schedules, I will probably extend future release 
>>>>>>>>>> votes to one week in the future.
>>>>>>>>>> 
>>>>>>>>>> Best,
>>>>>>>>>> 
>>>>>>>>>> Bertil
>>>>>>>>>> 
>>>>>>>>>>> On 28 Aug 2023, at 19:07, Julian Hyde <jhyde.apa...@gmail.com> 
>>>>>>>>>>> wrote:
>>>>>>>>>>> 
>>>>>>>>>>> What Josh said. I’ll review & vote today. Apologies.
>>>>>>>>>>> 
>>>>>>>>>>>> On Aug 28, 2023, at 7:42 AM, Josh Fischer <j...@joshfischer.io> 
>>>>>>>>>>>> wrote:
>>>>>>>>>>>> 
>>>>>>>>>>>> I apologize for my absence.  I will spend some time looking at it 
>>>>>>>>>>>> in the next 24 hours.
>>>>>>>>>>>> 
>>>>>>>>>>>> This is one of the fun and challenging parts of working through 
>>>>>>>>>>>> the incubator. I’ve had votes go over two weeks before.  Our best 
>>>>>>>>>>>> bet is to get as many binding (preferably 3) votes on the 
>>>>>>>>>>>> dev@baremaps list.  It’s often harder to get votes on general@a.o.
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> Let’s wait a few more days to get binding votes. Open-source moves 
>>>>>>>>>>>> at the speed of open-source, fun!
>>>>>>>>>>>> 
>>>>>>>>>>>>> On Aug 28, 2023, at 9:10 AM, Bertil Chapuis <bchap...@gmail.com> 
>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Hello Everyone,
>>>>>>>>>>>>> 
>>>>>>>>>>>>> We don’t have enough votes for publishing our release. Can we 
>>>>>>>>>>>>> extend the deadline or should we start a new vote?
>>>>>>>>>>>>> 
>>>>>>>>>>>>> I see that some projects, such as Apache Pekko, ask the incubator 
>>>>>>>>>>>>> mailing-list to vote for their releases. Should we try to do the 
>>>>>>>>>>>>> same?
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Best regards,
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Bertil
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>>> On 24 Aug 2023, at 14:52, Bertil Chapuis <bchap...@gmail.com> 
>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Hello Everyone,
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Following our online release party (thank you Leonard and 
>>>>>>>>>>>>>> Perdjesk), we have created a build for Apache Baremaps 
>>>>>>>>>>>>>> (incubating) 0.7.2, release candidate 1.
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Thanks to everyone who has contributed to this release.
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> You can read the release notes here:
>>>>>>>>>>>>>> https://github.com/apache/incubator-baremaps/releases/tag/v0.7.2-rc1
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> The commit to be voted upon:
>>>>>>>>>>>>>> https://github.com/apache/incubator-baremaps/tree/v0.7.2-rc1
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Its hash is e917d5b02fdb64c3f715afd449bb1fe9ca5c2f58.
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Its tag is v0.7.2-rc1.
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> The artifacts to be voted on are located here:
>>>>>>>>>>>>>> https://dist.apache.org/repos/dist/dev/incubator/baremaps/0.7.2-rc1/
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> The hashes of the artifacts are as follows:
>>>>>>>>>>>>>> d910b50ebed4200d0ef6f0c1ee3e4db0cd95ea005fe54fca66dfc4ec4dca73e96edc8913654c85c73539d6a9d27481157fea9f456a9f3aa451c178a811a89ea0
>>>>>>>>>>>>>>  ./apache-baremaps-0.7.2-incubating-src.tar.gz
>>>>>>>>>>>>>> fda00056b9785bbbb7f966e92cf7e118071f5b6d44f9652176a4626cec38c5b0738933b24e23efef423eafba2111bc6a22e6f00a67fda2f10b0011f9c22f3208
>>>>>>>>>>>>>>  ./apache-baremaps-0.7.2-incubating-bin.tar.gz
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Release artifacts are signed with the following key:
>>>>>>>>>>>>>> http://people.apache.org/keys/committer/bchapuis.asc
>>>>>>>>>>>>>> https://downloads.apache.org/incubator/baremaps/KEYS
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> The README file for the src distribution contains instructions 
>>>>>>>>>>>>>> for building and testing the release.
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Please vote on releasing this package as Apache Baremaps 0.7.2.
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> The vote is open for the next 72 hours and passes if a majority 
>>>>>>>>>>>>>> of at least three +1 PMC votes are cast.
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> [ ] +1 Release this package as Apache Baremaps <version>
>>>>>>>>>>>>>> [ ] 0 I don't feel strongly about it, but I'm okay with the 
>>>>>>>>>>>>>> release
>>>>>>>>>>>>>> [ ] -1 Do not release this package because...
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Here is my vote:
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> +1 (binding): I checked the signatures and the checksums; I 
>>>>>>>>>>>>>> built the project from its sources; and checked the binary 
>>>>>>>>>>>>>> distribution.
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Best regards,
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Bertil Chapuis
>>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> ---------------------------------------------------------------------
>>>>>>>>>>> To unsubscribe, e-mail: dev-unsubscr...@baremaps.apache.org
>>>>>>>>>>> For additional commands, e-mail: dev-h...@baremaps.apache.org
>>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> --
>>>>>>>> Best wishes!
>>>>>>>> CalvinKirs
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> --
>>>>>>> Best wishes!
>>>>>>> CalvinKirs
>>>>>>> 
>>>>> 
>>>> 
>>>> 
>>>> 
>>> 
>>> 
>>> --
>>> Best wishes!
>>> CalvinKirs
>>> 
>>> 
>> 
> 
> 
> -- 
> Best wishes!
> CalvinKirs
> 
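
The gpg output quoted in this thread combines a good signature with a "not certified" warning. As an added example (not part of the original messages or the project's tooling), the script below decides from gpg's machine-readable status lines whether a signature is valid and made by a pinned fingerprint, and reports local trust separately. The function name `check_sig_status`, both sample status outputs, the signer names and the all-`A` fingerprint are constructed for illustration.

```shell
#!/bin/sh
# Added example: judge a release signature from gpg status lines rather than
# from the human-readable warning text.
# Real use (FILE and the pinned value are yours):
#   gpg --status-fd 1 --verify "$FILE.asc" "$FILE" 2>/dev/null | check_sig_status "$PINNED_FPR"

# Fingerprint shown in the gpg output quoted in the thread.
PINNED_FPR=16D7A0B27D5ADD52BD57932971751399FB39CB84

# Constructed sample: good signature, key not certified in the local keyring.
SAMPLE_UNCERTIFIED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 71751399FB39CB84 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 16D7A0B27D5ADD52BD57932971751399FB39CB84 2023-08-24 1692879077 0 4 0 1 10 00 16D7A0B27D5ADD52BD57932971751399FB39CB84
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed sample: locally trusted key that is not the pinned release key.
SAMPLE_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Someone Else <other@example.invalid>
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2023-08-24 1692879077 0 4 0 1 10 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[GNUPG:] TRUST_FULLY 0 pgp'

# Reads status lines on stdin; $1 is the expected fingerprint.
# Exit 0: valid signature by the pinned key. 2: no valid signature. 3: other key.
check_sig_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        # Field 3 is the signing (sub)key, the last field the primary key.
        $2 == "VALIDSIG" { valid = 1; fpr = toupper($3); primary = toupper($NF) }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # TRUST_* reflects local certification of the key, not signature validity.
        $2 ~ /^TRUST_/ { trust = $2 }
        END {
            if (bad || !valid) { print "FAIL: no valid signature"; exit 2 }
            if (fpr != toupper(want) && primary != toupper(want)) {
                print "FAIL: signed by unpinned key " primary; exit 3
            }
            print "OK: pinned key, local trust " (trust != "" ? trust : "not reported")
        }'
}

printf '%s\n' "$SAMPLE_UNCERTIFIED" | check_sig_status "$PINNED_FPR"
printf '%s\n' "$SAMPLE_OTHER_KEY" | check_sig_status "$PINNED_FPR" || echo "rejected (exit $?)"
```

The pinned fingerprint should come from a source obtained independently of the download, such as the project's KEYS file linked in the vote e-mail.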