Thanks a lot for looking at this. I think I now recall why I didn’t remove the Appendix when the issue was first reported. The license itself refers to the appendix when it defines “Work”:

    "Work" shall mean the work of authorship, whether in Source or
    Object form, made available under the License, as indicated by a
    copyright notice that is included in or attached to the work
    (an example is provided in the Appendix below).

I feel that we should remove this last parenthesis for the license to make
sense without the Appendix, but I'd prefer not to bother any lawyers ;-) If you
don't mind, I'd rather keep it.

> On 30 Aug 2023, at 20:02, Julian Hyde <[email protected]> wrote:
>
> Here is the definitive answer:
> https://issues.apache.org/jira/browse/LEGAL-346. My reading is that it is OK
> to include or exclude the appendix.
>
>> On Aug 30, 2023, at 6:38 AM, Calvin Kirs <[email protected]> wrote:
>>
>> On Wed, Aug 30, 2023 at 7:17 PM Bertil Chapuis <[email protected]> wrote:
>>>
>>> Hello Calvin,
>>> Hello Julian,
>>>
>>> Thank you for your reviews and for taking the time to list these points.
>>> You will find my comments below.
>>>
>>>> 1. The binary version needs to include the license of all components
>>>> required for compilation. If it is a standard AL2, it can be ignored.
>>>> You can refer to [1]
>>>> 2. The binary version of NOTICE needs to include the licenses of all
>>>> dependent third-party components (AFAIK, this is only required when
>>>> the license of the dependencies is AL2), you can refer to [2]
>>>
>>> We do have a THIRD-PARTY file at the root of the binary distribution that
>>> lists the licenses of the components required for compilation and at
>>> runtime. We don’t ignore AL2 licences in order to be exhaustive and to keep
>>> the build process simple. We released version 0.7.1 believing this was
>>> sufficient to comply with this requirement. What do you think?
>>
>> What I mean is all the contents of its license file (if it is standard
>> AL2, you don't need to include it) and list them according to your
>> needs.
>>
>> The same goes for NOTICE files. If these components use the AL2
>> protocol and include NOTICE, then you need to include these in the
>> NOTICE file in the root directory.
>> I think Josh is familiar with this.
>>>
>>>> 3. The LICENSE file of the binary version needs to declare which
>>>> version of the source code your binary version is based on. You can
>>>> refer to [3]
>>>
>>> Ok, we shall address this.
>>>
>>>> Source package:
>>>> 1. For the LICENSE file in the source code package, I don't know which
>>>> specific codes are dependent on the source code, so I can't check
>>>> whether it is correct or not. I suggest that we list the specific
>>>> modifications in the license.
>>>
>>> I’m worried that this listing won’t survive a refactoring. The current
>>> approach is to include a clear reference to the original project in the
>>> javadoc. Here is an example:
>>>
>>> https://github.com/apache/incubator-baremaps/blob/a62a1a38f809134e3bf4c69fd192523877babd7e/baremaps-core/src/main/java/org/apache/baremaps/stream/BufferedSpliterator.java#L28
>>>
>>> As a result searching for the names listed in the LICENSE file in the
>>> codebase quickly returns the adapted files. For instance, searching for
>>> OSMPBF will return the osmformat.proto file.
>>>
>>>
>>>> 2. The license of logo.svg is Font Awesome Free License. I see that
>>>> Font Awesome Free is free, open source, and GPL friendly. You can use
>>>> it for commercial projects, open source projects, or really almost
>>>> whatever you want.
>>>> This is not allowed to be added to ASF projects.
>>>
>>> Good catch, we need to address this and find a replacement for this icon.
>>>
>>>>
>>>> [1] https://github.com/apache/hadoop/tree/trunk/licenses-binary
>>>> [2] https://github.com/apache/hadoop/blob/trunk/NOTICE-binary
>>>> [3] https://github.com/apache/hadoop/blob/trunk/LICENSE-binary
>>>>
>>>> On Wed, Aug 30, 2023 at 4:10 AM Julian Hyde <[email protected]> wrote:
>>>>>
>>>>> -1 (binding)
>>>>>
>>>>> Downloaded, checked src-tar contents against git tag [1], checked
>>>>> LICENSE/NOTICE/README/DISCLAIMER [2], checked signatures/hashes[3],
>>>>> checked for binaries in src-tar, compiled using OpenJDK 17 and Maven
>>>>> 3.8.1, ran rat.
>>>>>
>>>>> Everything that I checked looks good. But I’m voting -1 because of the
>>>>> binary licensing issues that Calvin reported. Let’s get those issues
>>>>> fixed and do another RC.
>>>>>
>>>>> By the way. I think we should keep the voting period to 3 days (or 4 days
>>>>> over a weekend). Even though votes may sometimes take a long time, the
>>>>> voters SHOULD try to vote promptly. If there is a serious issue, we would
>>>>> like to discover it quickly and move to the next RC in a tempo of days
>>>>> rather than weeks.
>>>
>>> Thank you for clarifying this point.
>>>
>>>>> Julian
>>>>>
>>>>>
>>>>> [1] Git and src-tar mostly match:
>>>>>
>>>>> $ diff -r . /tmp/apache-baremaps-0.7.2-incubating-src/
>>>>> Only in /tmp/apache-baremaps-0.7.2-incubating-src/baremaps-cli/src: test
>>>>> Only in /tmp/apache-baremaps-0.7.2-incubating-src/baremaps-ogcapi: target
>>>>> Only in ./baremaps-renderer: assets
>>>>> Only in ./baremaps-renderer: declaration.d.ts
>>>>> Only in ./baremaps-renderer: .gitignore
>>>>> Only in /tmp/apache-baremaps-0.7.2-incubating-src/baremaps-renderer:
>>>>> node_modules
>>>>> Only in ./baremaps-renderer: package.json
>>>>> Only in ./baremaps-renderer: package-lock.json
>>>>> Only in ./baremaps-renderer: .prettierignore
>>>>> Only in ./baremaps-renderer: .prettierrc.json
>>>>> Only in ./baremaps-renderer: README.md
>>>>> Only in ./baremaps-renderer: tsconfig.json
>>>>> Only in
>>>>> /tmp/apache-baremaps-0.7.2-incubating-src/baremaps-server/src/main/resources:
>>>>> maputnik
>>>>> Only in .: basemap
>>>>> Only in .: examples
>>>>> Only in .: .git
>>>>> Only in .: .github
>>>>> Only in .: .gitignore
>>>>> Only in .: .min
>>>>> Only in .: mvnw
>>>>> Only in .: mvnw.cmd
>>>>> diff -r ./README /tmp/apache-baremaps-0.7.2-incubating-src/README
>>>>> 1c1
>>>>> < # Apache Baremaps (incubating) ${project.version}
>>>>> ---
>>>>>> # Apache Baremaps (incubating) 0.7.2
>>>>> diff -r ./scripts/generate-artifacts.sh
>>>>> /tmp/apache-baremaps-0.7.2-incubating-src/scripts/generate-artifacts.sh
>>>>> 22c22
>>>>> < version=$(./mvnw -q -Dexec.executable=echo
>>>>> -Dexec.args='${project.version}' --non-recursive exec:exec)
>>>>> ---
>>>>>> version=$(./mvnw -q -Dexec.executable=echo -Dexec.args='0.7.2'
>>>>>> --non-recursive exec:exec)
>>>>> 35c35
>>>>> < for artifact in ./baremaps-$version-incubating-*; do
>>>>> ---
>>>>>> for artifact in ./apache-baremaps-$version-incubating-*; do
>>>>>
>>>>> Any reason not to include .github/, .gitignore, examples, basemap, and
>>>>> the various files in baremaps-renderer ?
>>>
>>> We use the baremaps-renderer solely to perform integration tests on the
>>> basemap before making significant changes to the style. I’m not sure if it
>>> makes sense to include it in the release.
>>>
>>>>> [2] In LICENSE, you should remove the "APPENDIX: How to apply the Apache
>>>>> License to your work” section.
>>>
>>> Sorry for that, I believe you already mentioned this point in a previous
>>> review.
>>>
>>>>> [3] I received the same error as Calvin did:
>>>>>
>>>>> gpg: Good signature from "Bertil Chapuis <[email protected]>" [unknown].
>>>>> gpg: WARNING: This key is not certified with a trusted signature!
>>>>> gpg: There is no indication that the signature belongs to the
>>>>> owner.
>>>>>
>>>>> This error can be fixed by Bertil getting his key signed by someone in
>>>>> our web of trust. This can be done after release, but let’s get it done.
>>>
>>> It would be great if someone could guide me in this process. I believe
>>> Bertrand could help as we meet in person from time to time.
>>>
>>> Best regards,
>>>
>>> Bertil
>>>
>>>>>> On Aug 29, 2023, at 12:02 PM, Bertil Chapuis <[email protected]> wrote:
>>>>>>
>>>>>> Hello Calvin,
>>>>>>
>>>>>> It would be great if you can list a few actionable items regarding
>>>>>> licensing.
>>>>>>
>>>>>> https://github.com/apache/incubator-baremaps/issues/492
>>>>>>
>>>>>> I did a pass on almost everything before joining the incubator, and had
>>>>>> to rewrite or find alternatives to all the problematic GPL dependencies.
>>>>>> A second pass made after joining the incubator revealed a few additional
>>>>>> issues, but I think we are close to being compliant. In my opinion,
>>>>>> the main issue is related to datasets (e.g. openstreetmap files) used in
>>>>>> the tests. We added the DISCLAIMER-WIP to acknowledge these issues in
>>>>>> the src and binary distributions without blocking the release process.
>>>>>>
>>>>>> Best regards,
>>>>>>
>>>>>> Bertil
>>>>>>
>>>>>>> On 29 Aug 2023, at 18:12, Josh Fischer <[email protected]> wrote:
>>>>>>>
>>>>>>> Calvin,
>>>>>>>
>>>>>>> You made me think of a license question. With Heron, we kept a
>>>>>>> separate copy of all the licenses that were not ALV2 [1]. Is this
>>>>>>> something that needs to be done for Baremaps?
>>>>>>>
>>>>>>> 1. https://github.com/apache/incubator-heron/tree/master/licenses
>>>>>>>
>>>>>>> - Josh
>>>>>>>
>>>>>>>> On Aug 29, 2023, at 11:04 AM, Calvin Kirs <[email protected]> wrote:
>>>>>>>>
>>>>>>>> I'll find time tomorrow to list specific checks.
>>>>>>>> BTW, we cannot fully rely on rat to indicate whether the license is
>>>>>>>> compliant.
>>>>>>>> In addition, regarding the modification of source code dependencies,
>>>>>>>> we'd better list the specific files in the LICENSE file, otherwise it
>>>>>>>> is difficult for us to judge whether this part is compliant.
>>>>>>>>
>>>>>>>> On Tue, Aug 29, 2023 at 11:31 PM Calvin Kirs <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>> On Tue, Aug 29, 2023 at 10:39 PM Josh Fischer <[email protected]>
>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>> Right now I’m 0.
>>>>>>>>>>
>>>>>>>>>> I’ve not run across this before, I’m not sure if it’s an issue for
>>>>>>>>>> the release. See gpg output below about the key not being
>>>>>>>>>> certified. This is the reason my vote is 0 at the moment.
>>>>>>>>>> gpg --verify $FILE.asc $FILE
>>>>>>>>>> gpg: Signature made Thu Aug 24 07:11:17 2023 CDT
>>>>>>>>>> gpg: using RSA key
>>>>>>>>>> 16D7A0B27D5ADD52BD57932971751399FB39CB84
>>>>>>>>>> gpg: Good signature from "Bertil Chapuis <[email protected]>"
>>>>>>>>>> [unknown]
>>>>>>>>>> gpg: WARNING: This key is not certified with a trusted signature!
>>>>>>>>>
>>>>>>>>> don't worry, it's ok.
>>>>>>>>>>
>>>>>>>>>> I checked:
>>>>>>>>>> - Downloaded; checked hashes/signatures; checked LICENSE, NOTICE,
>>>>>>>>>> DISCLAIMER-WIP; compiled and ran tests on OSX, OpenJDK 17, Maven
>>>>>>>>>> 3.8.4.
>>>>>>>>>> - Rat check showed 1441 unapproved licenses. However, since we are
>>>>>>>>>> a WIP and I think this issue is known, we are good.
>>>>>>>>>> - I tried to run the example from the tar.gz binary, but the website
>>>>>>>>>> seems to refer to the repo - not a release. As an example, the
>>>>>>>>>> openStreet Map example wouldn’t work with one of our binary
>>>>>>>>>> releases. This isn’t a blocker by any means, just a developer
>>>>>>>>>> experience idea that I thought about while checking the release.
>>>>>>>>>>
>>>>>>>>>> $ cd examples/openstreetmap
>>>>>>>>>> $ baremaps workflow execute --file workflow.json
>>>>>>>>>>
>>>>>>>>>> Because the “examples” folder wasn’t in the binary release I wasn’t
>>>>>>>>>> sure how to run the example.
>>>>>>>>>>
>>>>>>>>>> - Josh
>>>>>>>>>>
>>>>>>>>>>> On Aug 28, 2023, at 3:20 PM, Bertil Chapuis <[email protected]>
>>>>>>>>>>> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Thank you Josh and Julian. There is no hurry, especially if we can
>>>>>>>>>>> increase the duration of the vote.
>>>>>>>>>>>
>>>>>>>>>>> As we all have busy schedules, I will probably extend future release
>>>>>>>>>>> votes to one week in the future.
>>>>>>>>>>>
>>>>>>>>>>> Best,
>>>>>>>>>>>
>>>>>>>>>>> Bertil
>>>>>>>>>>>
>>>>>>>>>>>> On 28 Aug 2023, at 19:07, Julian Hyde <[email protected]>
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> What Josh said. I’ll review & vote today. Apologies.
>>>>>>>>>>>>
>>>>>>>>>>>>> On Aug 28, 2023, at 7:42 AM, Josh Fischer <[email protected]>
>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> I apologize for my absence. I will spend some time looking at it
>>>>>>>>>>>>> in the next 24 hours.
>>>>>>>>>>>>>
>>>>>>>>>>>>> This is one of the fun and challenging parts of working through
>>>>>>>>>>>>> the incubator. I’ve had votes go over two weeks before. Our best
>>>>>>>>>>>>> bet is to get as many binding (preferably 3) votes on the
>>>>>>>>>>>>> dev@baremaps list. It’s often harder to get votes on [email protected].
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Let’s wait a few more days to get binding votes. Open-source
>>>>>>>>>>>>> moves at the speed of open-source, fun!
>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Aug 28, 2023, at 9:10 AM, Bertil Chapuis <[email protected]>
>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hello Everyone,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> We don’t have enough votes for publishing our release. Can we
>>>>>>>>>>>>>> extend the deadline or should we start a new vote?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I see that some projects, such as Apache Pekko, ask the
>>>>>>>>>>>>>> incubator mailing-list to vote for their releases. Should we try
>>>>>>>>>>>>>> to do the same?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Best regards,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Bertil
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 24 Aug 2023, at 14:52, Bertil Chapuis <[email protected]>
>>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hello Everyone,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Following our online release party (thank you Leonard and
>>>>>>>>>>>>>>> Perdjesk), we have created a build for Apache Baremaps
>>>>>>>>>>>>>>> (incubating) 0.7.2, release candidate 1.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thanks to everyone who has contributed to this release.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> You can read the release notes here:
>>>>>>>>>>>>>>> https://github.com/apache/incubator-baremaps/releases/tag/v0.7.2-rc1
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> The commit to be voted upon:
>>>>>>>>>>>>>>> https://github.com/apache/incubator-baremaps/tree/v0.7.2-rc1
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Its hash is e917d5b02fdb64c3f715afd449bb1fe9ca5c2f58.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Its tag is v0.7.2-rc1.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> The artifacts to be voted on are located here:
>>>>>>>>>>>>>>> https://dist.apache.org/repos/dist/dev/incubator/baremaps/0.7.2-rc1/
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> The hashes of the artifacts are as follows:
>>>>>>>>>>>>>>> d910b50ebed4200d0ef6f0c1ee3e4db0cd95ea005fe54fca66dfc4ec4dca73e96edc8913654c85c73539d6a9d27481157fea9f456a9f3aa451c178a811a89ea0
>>>>>>>>>>>>>>> ./apache-baremaps-0.7.2-incubating-src.tar.gz
>>>>>>>>>>>>>>> fda00056b9785bbbb7f966e92cf7e118071f5b6d44f9652176a4626cec38c5b0738933b24e23efef423eafba2111bc6a22e6f00a67fda2f10b0011f9c22f3208
>>>>>>>>>>>>>>> ./apache-baremaps-0.7.2-incubating-bin.tar.gz
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Release artifacts are signed with the following key:
>>>>>>>>>>>>>>> http://people.apache.org/keys/committer/bchapuis.asc
>>>>>>>>>>>>>>> https://downloads.apache.org/incubator/baremaps/KEYS
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> The README file for the src distribution contains instructions
>>>>>>>>>>>>>>> for building and testing the release.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Please vote on releasing this package as Apache Baremaps 0.7.2.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> The vote is open for the next 72 hours and passes if a majority
>>>>>>>>>>>>>>> of at least three +1 PMC votes are cast.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> [ ] +1 Release this package as Apache Baremaps <version>
>>>>>>>>>>>>>>> [ ] 0 I don't feel strongly about it, but I'm okay with the
>>>>>>>>>>>>>>> release
>>>>>>>>>>>>>>> [ ] -1 Do not release this package because...
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Here is my vote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> +1 (binding): I checked the signatures and the checksums; I
>>>>>>>>>>>>>>> built the project from its sources; and checked the binary
>>>>>>>>>>>>>>> distribution.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Best regards,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Bertil Chapuis
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> ---------------------------------------------------------------------
>>>>>>>>>>>> To unsubscribe, e-mail: [email protected]
>>>>>>>>>>>> For additional commands, e-mail: [email protected]
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Best wishes!
>>>>>>>>> CalvinKirs
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Best wishes!
>>>>>>>> CalvinKirs
>>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Best wishes!
>>>> CalvinKirs
>>>>
>>>>
>>>
>>
>>
>> --
>> Best wishes!
>> CalvinKirs
>>
