Casey,

Thanks so much for the quick turn-around on JIRA issues. Great to see :)

Re: findbug's jsr305 jar, yup, that is precisely the confusion I have with it. I would encourage use of https://github.com/stephenc/findbugs-annotations/ just to avoid any potential issues. This person has done a few clean-room impls which are ASLv2 licensed which are super helpful. I know of two projects now which have successfully swapped these jars and have not faced any issues.

- Josh

Casey Stella wrote:
Josh,

You are of course correct on all points.

- We neglected to be careful about the implications of binary bundling
  and transitive dependencies (JIRA
  <https://issues.apache.org/jira/browse/METRON-374>).
- It's a good idea to use ephemeral ports on our integration test
  components (JIRA <https://issues.apache.org/jira/browse/METRON-375>).
- We should correct the issues with the webpage (JIRA
  <https://issues.apache.org/jira/browse/METRON-376>).

Regarding Findbugs, if you open up the pom
<http://central.maven.org/maven2/com/google/code/findbugs/jsr305/1.3.9/jsr305-1.3.9.pom>
from com.google.code.findbugs:jsr305-1.3.9 the ASLv2 is referenced. That
being said, it's pretty clear that findbugs itself is LGPL, so I am also
confused.  Regardless, a more careful inspection and handling of our
transitive dependencies is obviously called for.  Thanks for the careful
attention. :)

Casey

On Wed, Aug 17, 2016 at 1:27 AM, Josh Elser <els...@apache.org> wrote:

+1 with reservations (binding)

* DISCLAIMER present
* LICENSE/NOTICE seem reasonable
* xsums/sigs OK
* Can build from source
* Unit tests pass (after I stopped my local hbase instance, maybe you
could use random ports from the ephemeral range for your test services
instead of the default service ports)
* Integration tests didn't (I stopped after a failure in
BulkLoadMapperIntegrationTest)
* Tag is deployed and matches VOTE
* Overly aggressive RAT exclusions, but it passes and seems ok. Would
strongly recommend you prune this list in the future to make sure you don't
start shipping files which do not have a license header. You presently have
many exclusions for files which don't even exist in the codebase.

Reservations:

It is important to make sure that not only is the source-release artifact
properly licensed, but the resulting artifacts that source-release creates
are also properly licensed (in other words: the jars your build creates).

Your shaded jars are not correctly licensed. For example, you include
org.abego.treelayout:org.abego.treelayout.core:jar:1.0.1 in
metron-common-0.2.0BETA.jar which is 3-clause BSD licensed, yet the
contained META-INF/LICENSE file has no mention of this. I also see a number
of CDDL licensed jars being included.

The most worrisome artifact I see included is
com.google.code.findbugs:jsr305-1.3.9 in multiple artifacts
(metron-pcap-backend-0.2.0BETA.jar for one). This artifact befuddles me
because it is completely unclear whether it is GPL'ed or ASLv2 (last I
checked, documentation was not clear at all). Ironically, you also have
com.github.stephenc.findbugs:findbugs-annotations:jar:1.3.9-1 included
which is a clearly ASLv2 licensed implementation of the same spec (we won't
get into me asking "why" both are included *winks*).

I don't think you need to fix these for this release, but you should make
an effort to do this before your next release. Yes, it sucks. Yes, you're
not the only one who has done it/will do it again.

Branding:

Took a look at your website too.

* Your required ASF navigation links are not present
http://www.apache.org/foundation/marks/pmcs.html#navigation
* Incubator disclaimer and logo are present (yay)
* Noticed "Ambari" and not "Apache Ambari" on
http://metron.incubator.apache.org/documentation/. Would be good to make
sure you're using proper names for ASF projects.



James Sirota wrote:

This release is exactly the same as RC2, but the Mozilla licensed file
was removed so it doesn’t cause problems for us on the incubator general
boards. We no longer use it so we just removed it.

This is a call to vote on releasing Apache Metron 0.2.0BETA-RC3 incubating

Full list of changes in this release:

https://dist.apache.org/repos/dist/dev/incubator/metron/0.2.0BETA-RC3-incubating/CHANGES

The tag/commit to be voted upon is Metron_0.2.0BETA_rc3:

https://git-wip-us.apache.org/repos/asf?p=incubator-metron.git;a=commit;h=75642001803396e8884385b0fc297a2312ead3eb

The source archive being voted upon can be found here:

https://dist.apache.org/repos/dist/dev/incubator/metron/0.2.0BETA-RC3-incubating/apache-metron-0.2.0BETA-RC3-incubating.tar.gz

Other release files, signatures and digests can be found here:

https://dist.apache.org/repos/dist/dev/incubator/metron/0.2.0BETA-RC3-incubating/

The release artifacts are signed with the following key:

https://git-wip-us.apache.org/repos/asf?p=incubator-metron.git;a=blob;f=KEYS;h=c11bcb9b7385b4d155501aa097afd890f1070a18;hb=75642001803396e8884385b0fc297a2312ead3eb


Please vote on releasing this package as Apache Metron 0.2.0BETA-RC3
incubating

When voting, please list the actions taken to verify the release.
Recommended build validation and verification instructions are posted
here:
https://cwiki.apache.org/confluence/display/METRON/Verifying+Builds

This vote will be open for at least 72 hours.

[ ] +1 Release this package as Apache Metron 0.2.0BETA-RC3 incubating
[ ] 0 No opinion
[ ] -1 Do not release this package because...

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org



