Thanks Justin for your detailed and thorough analysis - I'll bring this
back to the community and address the items listed one by one.
Meanwhile, please let us know if you see any other issues so we can solve
them together in the next Release Candidate.

Appreciate your effort.
-Goden

On Tue, Jul 26, 2016 at 8:03 PM Justin Mclean <jus...@classsoftware.com>
wrote:

> Hi,
>
> -1 (binding) binary in source release, LICENSE and NOTICE issues, ASF
> header added to files not under Apache 2.0 license, possible inclusion of
> GPL licensed software and possible Category X software included in release
> (BSD with ad clause).
>
> This is not a simple release to check and I may have missed a few things due
> to the large amount of noise.
>
> I checked:
> - release contains incubating
> - signatures and hashes good
> - I’m not sure what the intent of COPYRIGHT is. I also don't think as it
> has been suggested that this should be merged with NOTICE, NOTICE doesn’t
> list all copyrights just those that have been relocated from source
> files. [1]
> - NOTICE incorrectly contains a long list of copyright statements. I would
> expect to see one or perhaps two here i.e. the original authors who donated
> the software and whose copyright statements were removed from the original
> files.
> - LICENSE is missing a large number of things (see below)
> - Please use the short form of the license linking to license files in
> LICENSE
> - Looks like there is an unexpected binary in the release [2] May be
> others given rat reports 770+ binary files
> - Impossible to say if files have correct ASF headers or not, given the
> large number of files with ASF headers (5000 odd files)
> - Failed to compile from source but likely my setup
>
> License is missing (in some cases note the different copyright owners)
> - BSD licensed code [3]
> - BSD license code [7]
> - license for this file [9]
> - license for this file [10] Are we OK this was taken from GNU C?
> - MIT license PSI [11]
> - BSD licensed code [12]
> - BSD licensed code [13] Is this regarded as cryptography code? [14]
> - BSD licensed code [15][16]
> - license for this file [17]
> - license of these files [18][19]
> - license of this file [20]
> - regex license [21]
> - How are these files licensed? [22] + others copyright AEG Automation GmbH
> - How is this file licensed? [23]
> - BSD licensed libpq [24]. Is this considered crypto code and may need an
> export license?
> - pgdump [25]
> - license for this file [26]
> - license for this file [27] Looks like an ASF header may have been
> incorrectly added to this.
> - This BSD licensed file [36]
> - license for these files [37][38] and others in [39]
> - This BSD licensed file [40]
> - This BSD licensed file [41]
> - BSD licensed pychecker [42]
> - licenses for all of these files [43]
> - BSD license pg800 [44]
> - how is this file licensed? [45]
> - license for this file [47]
> - Python license for this file [48]. Is this an Apache comparable license?
> - How are these files licensed? [49] Note multiple copyright owners and
> missing headers.
> - BSD licensed fig leaf. [50] Note that files incorrectly have had ASF
> headers applied.
> - This BSD licensed file [51]
> - This public domain style sheet [52]
> - This file [53]
> - License for unit test2 [54]
> - MIT licensed lock file [55]
> - JSON code here [56]
> - License for this file [57]
>
> And I may have missed some, as I wasn't doing a full review - that would
> likely take many many hours.
>
> Looks like GPL/LGPL licensed code may be included [4][5][6] in the release.
>
> This file [8] and others(?) may incorrectly have an ASF header on it.
> Also why does this file have an ASF header with copyright line? [46]
>
> Code includes code licensed under the 4 clause BSD license which is not
> compatible with the Apache 2.0 license. [28][29][30][31][32][33] It may be
> that this clause has been rescinded [35] and it is OK to include but that
> needs to be checked.
>
> I’d suggest that build instructions are included in the release rather
> than a link to them. If the instructions at the URL change in the future
> how do I know how to build this release?
>
> Also someone owes me a beer!
>
> Thanks,
> Justin
>
> 1. http://www.apache.org/legal/src-headers.html#headers
> 2. depends/thirdparty/thrift/lib/erl/rebar
> 3. ./tools/bin/pythonSrc/unittest2-0.5.1/setup.py
> 4. ./depends/thirdparty/thrift/debian/copyright (end of file)
> 5. ./depends/thirdparty/thrift/doc/licenses/lgpl-2.1.txt
> 6. ./tools/bin/gppylib/operations/test/test_package.py
> 7. ./depends/thirdparty/thrift/compiler/cpp/src/md5.?
> 8. ./tools/sbin/hawqstandbywatch.py
> 9. ./src/backend/port/dynloader/ultrix4.h
> 10. ./src/port/inet_aton.c
> 11. ./tools/bin/pythonSrc/PSI-0.3b2_gp/
> 12. ./src/port/snprintf.c
> 13. ./src/port/crypt.c
> 14. http://www.apache.org/dev/crypto.html
> 15. ./src/port/memcmp.c
> 16. ./src/backend/utils/mb/wstrcmp.c
> 17. ./src/port/rand.c
> 18. ./src/backend/utils/adt/inet_net_ntop.c
> 19. ./src/backend/utils/adt/inet_net_pton.c
> 20. ./src/port/strlcpy.c
> 21. ./src/backend/regex/COPYRIGHT
> 22. ./src/backend/port/qnx4/shm.c
> 23. ./src/backend/port/beos/shm.c
> 24. ./src/backend/libpq/sha2.?
> 25. ./src/bin/pg_dump/
> 26. ./src/port/gettimeofday.c
> 27. ./depends/thirdparty/thrift/lib/cpp/src/thrift/windows/SocketPair.cpp
> 28. ./src/backend/port/dynloader/freebsd.c
> 29. ./src/backend/port/dynloader/netbsd.c
> 30. ./src/backend/port/dynloader/openbsd.c
> 31. ./src/bin/gpfdist/src/gpfdist/glob.c
> 32. ./src/bin/gpfdist/src/gpfdist/include/glob.h
> 33. ./src/include/port/win32_msvc/glob.h
> 34. ./src/port/glob.c
> 35. ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
> 36. ./src/bin/pg_controldata/pg_controldata.c
> 37. ./depends/thirdparty/thrift/aclocal/ax_cxx_compile_stdcxx_11.m4
> 38. ./depends/thirdparty/thrift/aclocal/ax_boost_base.m4
> 39. ./depends/thirdparty/thrift/aclocal
> 40. ./depends/thirdparty/thrift/build/cmake/FindGLIB.cmake
> 41. ./tools/bin/pythonSrc/unittest2-0.5.1/setup.py
> 42. ./tools/bin/pythonSrc/pychecker-0.8.18/
> 43. ./src/interfaces/libpq/po/*.po
> 44. ./tools/bin/ext/pg8000/*
> 45. ./src/backend/utils/mb/Unicode/UCS_to_GB18030.pl
> 46. ./contrib/hawq-hadoop/hawq-mapreduce-tool/src/test/resources/log4j.properties
> 47. ./tools/bin/pythonSrc/lockfile-0.9.1/lockfile/pidlockfile.py
> 48. ./tools/bin/pythonSrc/pychecker-0.8.18/pychecker2/symbols.py
> 49. ./src/backend/utils/mb/Unicode/*
> 50. ./tools/bin/ext/figleaf/*
> 51. ./depends/thirdparty/thrift/lib/py/compat/win32/stdint.h
> 52. ./tools/bin/pythonSrc/PyGreSQL-4.0/docs/default.css
> 53. ./src/test/locale/test-ctype.c
> 54. ./tools/bin/pythonSrc/unittest2-0.5.1/unittest2/
> 55. ./tools/bin/pythonSrc/lockfile-0.9.1/LICENSE
> 56. ./src/include/catalog/JSON
> 57. ./src/pl/plperl/ppport.h
>
