Thank you all for the input, let’s consider this a blocker. As soon as we have the NOTICE fix , I will prepare the new RC.
Gyula On Tue, 29 Mar 2022 at 06:51, Yang Wang <danrtsey...@gmail.com> wrote: > Given that *flink-kubernetes-shaded* already contains a NOTICE file, and > *flink-kubernetes-webhook* does not bundle any dependencies. > IIUC, what we should do now is to add a correct NOTICE file only for the > *flink-kubernetes-operator* module. > > If I do not miss anything, this would not be very difficult and I would > like to fix it. > > > Best, > Yang > > Thomas Weise <t...@apache.org> 于2022年3月29日周二 11:25写道: > > > I believe if we as the PMC distribute a docker image (which is optional, > > "convenience"), then that image has to follow the rules for binary > packages > > [1]. (And I would assume that applies regardless where we host the > images.) > > > > Now to say that we only publish sources kind of side steps that problem. > At > > the same time it probably also defeats the purpose of the preview > release, > > which is to make it easier for folks that are not active contributors to > > take the operator for a test drive. > > > > So I'm leaning towards publishing the images with respective NOTICE > > requirements (for the layers that we add). > > > > We are also planning to publish the jar files in the future as it helps > to > > build clients and those would need to have the binary NOTICE also. > > > > Cheers, > > Thomas > > > > [1] https://infra.apache.org/licensing-howto.html#binary > > > > On Mon, Mar 28, 2022 at 9:20 AM Gyula Fóra <gyf...@apache.org> wrote: > > > > > I see your point and the value for having such a notice added. > > > > > > I think there are 2 completely distinct questions at play here: > > > > > > a) Is there a legal requirement for a NOTICE file for the docker image? > > > b) If not, should we block the release on this and add it immediately? > > > > > > For a) > > > I think from a legal (and ASF policy) perspective there is one question > > > that decides whether this is a requirement for this release or not: > > > Is the docker image part of the release? > > > > > > I think the answer here is clearly no, the image is not part of the > > > release. Only the Dockerfile is part of the release. > > > > > > For b) > > > I think adding the NOTICE is a good idea but it will take some work so > I > > > would not block the preview release on it. > > > If someone has some handy utility or experience generating it, I don't > > mind > > > including it in later RCs of course. > > > Otherwise we can aim for the next release. > > > > > > Gyula > > > > > > > > > On Mon, Mar 28, 2022 at 6:03 PM Chesnay Schepler <ches...@apache.org> > > > wrote: > > > > > > > One difference to Flink is that the distribution bundled in the > docker > > > > image still contains the NOTICE covering the contents of it. > > > > > > > > It may admittedly not be the most discoverable place, but a > reasonable > > > one > > > > I think. > > > > > > > > Docker as a whole is very weird when it comes to licensing. > > > > Think of all the things are are shipped in an image; I don't think we > > can > > > > (nor should) try to document everything in there. > > > > For the most part this is also not necessary as the Flink images are > > > based > > > > on Debian, > > > > where (al)most every installed package already embeds licensing > > > > information into the image. > > > > > > > > However, for content that we copy into the image (i.e., the jars), I > > > think > > > > it would be reasonable to document that. > > > > (and based on experience from the Flink side has also shown other > > > > advantages beyond licensing...) > > > > > > > > On 28/03/2022 17:41, Gyula Fóra wrote: > > > > > > > > Thanks for the input! > > > > > > > > I am not an expert on this topic and have been contemplating this > > myself > > > > also. > > > > We are basically trying to follow the precedent set by Flink and > > Statefun > > > > projects where the docker builds that we use to publish images to > > > > dockerhub do not declare any notices. > > > > > > > > We will not use ghcr.io for the final release but will use dockerhub > > > like > > > > flink and other apache projects. > > > > > > > > If I look at it from a strictly technical point of view, the docker > > image > > > > is not part of the official release (as it's also not part of the > > > > flink/statefun release). > > > > > > > > It would be good to get some input from others on this. It's not > > > > impossible to add the notices but it's considerable work and > > maintenance > > > > overhead. > > > > By extending the logic would you then also add license information > for > > > the > > > > base images of the docker container (and so on so forth)? > > > > > > > > My gut feeling would be that we could highlight this in the NOTICE of > > the > > > > main project (or some other appropriate place) but we do not > > explicitly > > > > list the dependencies. > > > > > > > > Would be good to hear how others feel about this! > > > > > > > > Gyula > > > > > > > > On Mon, Mar 28, 2022 at 5:26 PM Chesnay Schepler <ches...@apache.org > > > > > > wrote: > > > > > > > >> I don't think having users build the fat-jar & docker image absolves > > us > > > >> of all responsibility w.r.t. the licensing of used products. > > > >> > > > >> At the very least we need to inform users what licenses the fat-jar > & > > > >> docker image fall under such that they can make an informed decision > > as > > > to > > > >> whether they can adhere to said restrictions. > > > >> In particular since building it yourself is (apparently) a hard > > > >> requirement for using said product. > > > >> > > > >> Even beyond that though, as *we* push images to ghcr.io we still > need > > > to > > > >> adhere to the licensing requirements in any case afaict. > > > >> > > > >> On 28/03/2022 17:07, Gyula Fóra wrote: > > > >> > > > >> Hi Chesnay, > > > >> > > > >> Let me try to explain the "strange stuff" > > > >> > > > >> flink-kubernetes-shaded relocates some classes found in > > flink-kubernetes > > > >> in order to not conflict with some of the operator dependencies. > > > >> This is necessary as flink-kubernetes packages almost everything in > > the > > > >> fat-jar as-is without relocation. I think this should be fine from a > > > >> release perspective, as flink-kubernetes already contains the > > > >> relevant notice files. > > > >> > > > >> For flink-kubernetes-operator we are not releasing a fat-jar as we > > > don't > > > >> have any client binaries etc. It is not necessary for the users > > > therefore > > > >> it's not part of the release. > > > >> We release the Dockerfile instead so that users can build the image. > > > >> Since the fatjar is not part of the release we do not have bundled > > > >> dependencies, and we do not need extra licensing information I > > believe. > > > >> > > > >> Cheers, > > > >> Gyula > > > >> > > > >> On Mon, Mar 28, 2022 at 4:40 PM Chesnay Schepler < > ches...@apache.org> > > > >> wrote: > > > >> > > > >>> There's some strange stuff in here. > > > >>> > > > >>> What exactly is the purpose of flink-kubernetes-shaded? You're just > > > >>> re-packaging flink-kubernetes without making any changes. > > > >>> > > > >>> The uploaded flink-kubernetes-operator jar isn't bundling any > > > >>> dependencies. Why is the fat jar not uploaded? Is it used anywhere > > else > > > >>> (e.g., directly embedded into a docker image) > > > >>> If it is used, where do you have the appropriate licensing > > information > > > >>> for the bundled dependencies? > > > >>> > > > >>> On 28/03/2022 16:14, Gyula Fóra wrote: > > > >>> > Hi everyone, > > > >>> > > > > >>> > Please review and vote on the release candidate #1 for the > version > > > >>> 0.1.0 of > > > >>> > Apache Flink Kubernetes Operator, > > > >>> > as follows: > > > >>> > [ ] +1, Approve the release > > > >>> > [ ] -1, Do not approve the release (please provide specific > > comments) > > > >>> > > > > >>> > **Release Overview** > > > >>> > > > > >>> > As an overview, the release consists of the following: > > > >>> > a) Kubernetes Operator canonical source distribution (including > the > > > >>> > Dockerfile), to be deployed to the release repository at > > > >>> dist.apache.org > > > >>> > b) Kubernetes Operator Helm Chart to be deployed to the release > > > >>> repository > > > >>> > at dist.apache.org > > > >>> > c) Maven artifacts to be deployed to the Maven Central Repository > > > >>> > > > > >>> > **Staging Areas to Review** > > > >>> > > > > >>> > The staging areas containing the above mentioned artifacts are as > > > >>> follows, > > > >>> > for your review: > > > >>> > * All artifacts for a,b) can be found in the corresponding dev > > > >>> repository > > > >>> > at dist.apache.org [1] > > > >>> > * All artifacts for c) can be found at the Apache Nexus > Repository > > > [2] > > > >>> > > > > >>> > All artifacts are signed with the > > > >>> > key 911F218F79ACEA8EB453799EEE325DDEBFED467D [3] > > > >>> > > > > >>> > Other links for your review: > > > >>> > * JIRA release notes [4] > > > >>> > * source code tag "release-0.1.0-rc1" [5] > > > >>> > * PR to update the website Downloads page to include Kubernetes > > > >>> Operator > > > >>> > links [6] > > > >>> > > > > >>> > **Vote Duration** > > > >>> > > > > >>> > The voting time will run for at least 72 hours. > > > >>> > It is adopted by majority approval, with at least 3 PMC > affirmative > > > >>> votes. > > > >>> > > > > >>> > **Note for Functional Verification** > > > >>> > Please use the source distribution and helm chart directly from > [1] > > > to > > > >>> > build and deploy the operator in your testing environment. > > > >>> > > > > >>> > Thanks, > > > >>> > Gyula > > > >>> > > > > >>> > [1] > > > >>> > > > > >>> > > > > > > https://dist.apache.org/repos/dist/dev/flink/flink-kubernetes-operator-0.1.0-rc1/ > > > >>> > [2] > > > >>> > > > > https://repository.apache.org/content/repositories/orgapacheflink-1490/ > > > >>> > [3] https://dist.apache.org/repos/dist/release/flink/KEYS > > > >>> > [4] > > > >>> > > > > >>> > > > > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12351499 > > > >>> > [5] > > > >>> > > > > >>> > > > > > > https://github.com/apache/flink-kubernetes-operator/tree/release-0.1.0-rc1 > > > >>> > [6] https://github.com/apache/flink-web/pull/519 > > > >>> > > > > >>> > > > >>> > > > >> > > > > > > > > > >
