Josh,

You are of course correct on all points.

- We neglected to be careful about the implications of binary bundling and transitive dependencies (JIRA <https://issues.apache.org/jira/browse/METRON-374>).
- It's a good idea to use ephemeral ports on our integration test components (JIRA <https://issues.apache.org/jira/browse/METRON-375>).
- We should correct the issues with the webpage (JIRA <https://issues.apache.org/jira/browse/METRON-376>)

Regarding Findbugs, if you open up the pom <http://central.maven.org/maven2/com/google/code/findbugs/jsr305/1.3.9/jsr305-1.3.9.pom> from com.google.code.findbugs:jsr305-1.3.9 the ASLv2 is referenced. That being said, it's pretty clear that findbugs itself is lgpl, so I am also confused. Regardless, a more careful inspection and handling of our transitive dependencies is obviously called for.

Thanks for the careful attention. :)

Casey

On Wed, Aug 17, 2016 at 1:27 AM, Josh Elser <els...@apache.org> wrote:

> +1 with reservations (binding)
>
> * DISCLAIMER present
> * LICENSE/NOTICE seem reasonable
> * xsums/sigs OK
> * Can build from source
> * Unit tests pass (after I stopped my local hbase instance, maybe you
>   could use random ports from the ephemeral range for your test services
>   instead of the default service ports)
> * Integration tests didn't (I stopped after a failure in
>   BulkLoadMapperIntegrationTest)
> * Tag is deployed and matches VOTE
> * Overly aggressive RAT exclusions, but it passes and seems ok. Would
>   strongly recommend you prune this list in the future to make sure you
>   don't start shipping files which do not have a license header. You
>   presently have many exclusions for files which don't even exist in the
>   codebase.
>
> Reservations:
>
> It is important to make sure that not only is the source-release artifact
> properly licensed, but the resulting artifacts that source-release creates
> are also properly licensed (in other words: the jars your build creates).
>
> Your shaded jars are not correctly licensed. For example, you include
> org.abego.treelayout:org.abego.treelayout.core:jar:1.0.1 in
> metron-common-0.2.0BETA.jar which is 3-clause BSD licensed, yet the
> contained META-INF/LICENSE file has no mention of this. I also see a number
> of CDDL licensed jars being included.
>
> The most worrisome artifact I see included is
> com.google.code.findbugs:jsr305-1.3.9 in multiple artifacts
> (metron-pcap-backend-0.2.0BETA.jar for one). This artifact befuddles me
> because it is completely unclear whether it is GPL'ed or ASLv2 (last I
> checked, documentation was not clear at all). Ironically, you also have
> com.github.stephenc.findbugs:findbugs-annotations:jar:1.3.9-1 included
> which is a clearly ASLv2 licensed implementation of the same spec (we won't
> get into me asking "why" both are included *winks*).
>
> I don't think you need to fix these for this release, but you should make
> an effort to do this before your next release. Yes, it sucks. Yes, you're
> not the only one who has done it/will do it again.
>
> Branding:
>
> Took a look at your website too.
>
> * Your required ASF navigation links are not present
>   http://www.apache.org/foundation/marks/pmcs.html#navigation
> * Incubator disclaimer and logo are present (yay)
> * Noticed "Ambari" and not "Apache Ambari" on
>   http://metron.incubator.apache.org/documentation/. Would be good to make
>   sure you're using proper names for ASF projects.
>
> James Sirota wrote:
>
>> This release is exactly the same as RC2, but the Mozilla licensed file
>> was removed so it doesn’t cause problems for us on the incubator general
>> boards. We no longer use it so we just removed it.
>>
>> This is a call to vote on releasing Apache Metron 0.2.0BETA-RC3 incubating
>>
>> Full list of changes in this release:
>>
>> https://dist.apache.org/repos/dist/dev/incubator/metron/0.2.0BETA-RC3-incubating/CHANGES
>>
>> The tag/commit to be voted upon is Metron_0.2.0BETA_rc3:
>>
>> https://git-wip-us.apache.org/repos/asf?p=incubator-metron.git;a=commit;h=75642001803396e8884385b0fc297a2312ead3eb
>>
>> The source archive being voted upon can be found here:
>>
>> https://dist.apache.org/repos/dist/dev/incubator/metron/0.2.0BETA-RC3-incubating/apache-metron-0.2.0BETA-RC3-incubating.tar.gz
>>
>> Other release files, signatures and digests can be found here:
>>
>> https://dist.apache.org/repos/dist/dev/incubator/metron/0.2.0BETA-RC3-incubating/
>>
>> The release artifacts are signed with the following key:
>>
>> https://git-wip-us.apache.org/repos/asf?p=incubator-metron.git;a=blob;f=KEYS;h=c11bcb9b7385b4d155501aa097afd890f1070a18;hb=75642001803396e8884385b0fc297a2312ead3eb
>>
>> Please vote on releasing this package as Apache Metron 0.2.0BETA-RC3
>> incubating
>>
>> When voting, please list the actions taken to verify the release.
>> Recommended build validation and verification instructions are posted
>> here:
>> https://cwiki.apache.org/confluence/display/METRON/Verifying+Builds
>>
>> This vote will be open for at least 72 hours.
>>
>> [ ] +1 Release this package as Apache Metron 0.2.0BETA-RC3 incubating
>> [ ] 0 No opinion
>> [ ] -1 Do not release this package because...
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> For additional commands, e-mail: general-h...@incubator.apache.org