Thank you Justin, for the really in-depth analysis!
I'm traveling right now with very limited internet access.
I think, regarding that we are about to graduate soon, we need to
address these concerns. Retreat, and get that work done.
I'm going to call off the vote.
A prompt action plan:
1. We need to include another build step, for creating those binaries
form some kind of source.
2. The crafted parser/compiler/code completion test data shall be left
as it is, I do not know better solution than add their license as we do
with images in license-info.xml. We have many of tests placing the
cursor directly at a place of these input files then test an IDE action
(that's just an example)
3. I think we need further guidance what to do with 3rd party licenses
which are refering to libraries which are not present in the source
distribution but pulled in build time. We obviously need to include
those into the convenience binaries.
Laszlo Kishalmi
On 3/29/19 6:43 PM, Justin Mclean wrote:
Hi,
Sorry but I’m -1 as there is binary code in the source release and possible
copyright issues and there are a number of other issues as well. Most of these
issues have been brought up before on previous releases and have not been
addressed e.g. [3] While each incubating release doesn’t need to be perfect,
issues found, particularly serious ones, do need to be fixed. I suggest you
speak to your mentors on how to correct this issues.
I will not however that my -1 vote is not a veto, and you can still release the
software if you get 3 +1 IPMC votes and more +1’s than -1’s.
I checked:
- incubating in name
- DISCLAIMER exists
- LICENSE and NOTICE need more work (see below)
- There are a number (100’s) of source files that do not have ASF headers,
Please run rat and please add headers to .java, .jsp and .php files that are
missing the ASF headers.
- Compiled code is included in the source release (see below)
- I didn’t try to compile
Theres are the binary inclusions that seem to contain compiled code, an ASF
release should not include this:
B
./platform/autoupdate.services/test/unit/src/org/netbeans/api/autoupdate/data/com-example-testmodule-cluster.nbm
B
./platform/autoupdate.services/test/unit/src/org/netbeans/api/autoupdate/data/org-yourorghere-brokendepending.nbm
B
./platform/autoupdate.services/test/unit/src/org/netbeans/api/autoupdate/data/org-yourorghere-depending.nbm
B
./platform/autoupdate.services/test/unit/src/org/netbeans/api/autoupdate/data/org-yourorghere-depending_on_new_one_engine.nbm
B
./platform/autoupdate.services/test/unit/src/org/netbeans/api/autoupdate/data/org-yourorghere-engine-1-1.nbm
B
./platform/autoupdate.services/test/unit/src/org/netbeans/api/autoupdate/data/org-yourorghere-engine-1-2.nbm
B
./platform/autoupdate.services/test/unit/src/org/netbeans/api/autoupdate/data/org-yourorghere-engine.nbm
B
./platform/autoupdate.services/test/unit/src/org/netbeans/api/autoupdate/data/org-yourorghere-executable-permissions.nbm
B
./platform/autoupdate.services/test/unit/src/org/netbeans/api/autoupdate/data/org-yourorghere-fragment.nbm
B
./platform/autoupdate.services/test/unit/src/org/netbeans/api/autoupdate/data/org-yourorghere-independent-1-1.nbm
B
./platform/autoupdate.services/test/unit/src/org/netbeans/api/autoupdate/data/org-yourorghere-independent.nbm
B
./platform/autoupdate.services/test/unit/src/org/netbeans/api/autoupdate/data/org-yourorghere-refresh_providers_test.nbm
There are a number of other suspicious binary files as well, include one
mentioned in [3].
I think there some more work to do on licensing here, and these will be needed
to be fixed in a later release:
- You are not compiling with the terms of the licenses of the software you have
bundled. Most licenses need for you to include the full text of the license and
not just list it license. This is an issue with most of the dtd files, note
that some licenses include a copyright line so a single copy of that type of
license is not enough.
- As well as listing the 3rd party files it would be to also see the product
and version number included.
- As it is currently structured it’s not easily possible to check if you are
including all of the needed licenses in LICENSES as you are also including the
text of licenses of things that are not bundled but are dependancies, so I’m
been unable to check if LICENSE and NOTICE are correct.
- A spot check show that things are bundled but not mentioned in LICENSE as
they need to be, for example [1][2]. I would expect there to be others.
- It also look like you are including image file that you do not have
permission to distribute
Give all of the above this release is almost impossible to check if it in
compliance with ASF release, distribution or legal policies and some
improvement need to be made so that it can be.
Thanks,
Justin
1.
./ide/css.editor/test/unit/src/org/netbeans/modules/css/editor/module/main/properties/PropertiesATest.java
2.
./php/php.editor/test/unit/data/testfiles/actions/testImportData/libs/nette.min.php
3.
https://lists.apache.org/thread.html/2b6ad0d98a9342595da27902f25e7c43c4291738154eedc8b33afb5e@%3Cgeneral.incubator.apache.org%3E
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org
