Posted to dev@flex.apache.org by Alex Harui <ah...@adobe.com> on 2016/03/30 07:22:53 UTC

[VOTE] Release Apache FlexJS 0.6.0 RC2

Hi,

This is the vote for the 0.6.0 release of Apache FlexJS.

The release candidate can be found here:
https://dist.apache.org/repos/dist/dev/flex/flexjs/0.6.0/rc2/

Before voting please review the section, 'What are the ASF requirements on
approving a release?', at:
http://www.apache.org/dev/release.html#approving-a-release

At a minimum you would be expected to check that:
- MD5 and signed packages are correct
- README, RELEASE_NOTES, NOTICE and LICENSE files are all fine
- That the build script completes successfully
- That you can compile and cross-compile a simple example using the SDK.

The source package is set up the same way as the repo.  This means that
the results of the build are not the same as an IDE-compatible SDK.  The
compiled source package can be used in combination with the FalconJX
source package to compile some of the sample applications.

The most convenient way to use the binary package is to install it via Ant
or the Installer.  To use an Installer you must use InstallApacheFlex
version 3.1 or later.  You can get InstallApacheFlex here:
http://www.apache.org/dyn/closer.cgi?path=/flex/installer/3.1/binaries/

Please vote to approve this release:
+1 Approve the release
-1 Veto the release (please provide specific comments as to why)

This vote will be open for 72 hours or until a result can be called.

The vote passes if there is:
- At least 3 +1 votes from the PMC
- More positive votes than negative votes

Remember that this is a 'beta-quality' release so I expect there
will be many bugs found.  IMO the goal is not to try to find and fix bugs
in the RC, but to make sure we have the packaging right, and enough
functionality that folks will have some success trying to use it.

People who are not in the PMC are also encouraged to test out the release and
vote, although their votes will not be binding, they can influence how the
PMC votes.

When voting please indicate what OS, IDE, Flash Player version and AIR
version you tested with.

For your convenience, there is an Ant script that automates the common
steps to validate a release.  Instead of individually downloading the
package and signature files, unzipping, etc., you can instead:
1) create an empty folder,
2) download into that folder this file:
https://dist.apache.org/repos/dist/dev/flex/flexjs/0.6.0/rc2/ApproveFlexJS.xml
3) run the script: ant -e -f ApproveFlexJS.xml -Drelease.version=0.6.0 -Drc=2

You are not required to use this script, and more testing of the packages
and build results is always encouraged.


Please put all discussion about this release in the DISCUSSION thread not
this VOTE thread.

Thanks,
Alex Harui
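
An added example, not part of the original message and not the project's ApproveFlexJS.xml script: one way to do the hash part of the checklist above by hand, comparing each .md5 sidecar file in a download folder against its package. The package names and the three sidecar layouts handled are assumptions; an MD5 match only shows the download is intact, so the signature check is still what establishes who produced the package.

```python
import hashlib
import re
import tempfile
from pathlib import Path

def expected_md5(sidecar_text):
    """Extract the digest from a .md5 sidecar; None if the text is not a digest line."""
    lines = sidecar_text.strip().splitlines()
    line = lines[0].strip() if lines else ""
    bsd = re.fullmatch(r"MD5 ?\(.+\) ?= ?([0-9a-fA-F]{32})", line)  # BSD md5 output
    gnu = re.fullmatch(r"([0-9a-fA-F]{32})(\s+\*?.+)?", line)      # bare digest or md5sum
    match = bsd or gnu
    return match.group(1).lower() if match else None

def file_md5(path, chunk=1 << 20):
    """Hash the file in chunks so large packages are not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def check_release_dir(directory):
    """Return {package name: 'ok' | 'mismatch' | 'missing' | 'unparseable'}."""
    results = {}
    for sidecar in sorted(Path(directory).glob("*.md5")):
        package = sidecar.with_suffix("")          # pkg.zip.md5 -> pkg.zip
        want = expected_md5(sidecar.read_text(errors="replace"))
        if want is None:
            results[package.name] = "unparseable"  # e.g. an HTML error page saved as .md5
        elif not package.is_file():
            results[package.name] = "missing"
        else:
            results[package.name] = "ok" if file_md5(package) == want else "mismatch"
    return results

def demo():
    """Constructed sample folder: one intact package, one altered, one bad sidecar."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sample-src.zip").write_bytes(b"constructed source package")
        good = hashlib.md5(b"constructed source package").hexdigest()
        (root / "sample-src.zip.md5").write_text(good + "  sample-src.zip\n")
        (root / "sample-bin.zip").write_bytes(b"constructed, altered in transit")
        (root / "sample-bin.zip.md5").write_text("MD5 (sample-bin.zip) = " + "0" * 32 + "\n")
        (root / "sample-doc.zip.md5").write_text("<html>404 Not Found</html>\n")
        return check_release_dir(root)

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:12} {name}")
```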


Re: [VOTE] Release Apache FlexJS 0.6.0 RC2

Posted by Peter Ent <pe...@adobe.com>.
+1

I ran the Approval script and I built from the src download the SDK and
examples.

The hash was fine
notes and license are fine
scripts build everything without errors
ran three examples (all examples built without errors for me)
built the IDE-compatible SDK and tested it with Flash Builder, running a
sample app.

Peter Ent
Adobe Systems/Apache Flex Project


Re: [VOTE] Release Apache FlexJS 0.6.0 RC2

Posted by Justin Mclean <ju...@classsoftware.com>.
Hi,

> And how about this for an idea?  I will cut an RC3 tonight that is the
> same package but without the crypt folder?  We can still get it 72 hours
> of voting in before the event.

As RM you can do what you want.  If you do make a new RC I’ll compare changes to previous and review it as quickly as I can.

Thanks,
Justin

Re: [VOTE] Release Apache FlexJS 0.6.0 RC2

Posted by Alex Harui <ah...@adobe.com>.
And how about this for an idea?  I will cut an RC3 tonight that is the
same package but without the crypt folder?  We can still get it 72 hours
of voting in before the event.

Thoughts?
-Alex

On 3/31/16, 3:36 PM, "Alex Harui" <ah...@adobe.com> wrote:

>Which podling removed Google closure library? I'd like to read their reasons.
>
>
>Sent from my LG G3, an AT&T 4G LTE smartphone
>
>
>------ Original message------
>
>From: Justin Mclean
>
>Date: Thu, Mar 31, 2016 2:43 PM
>
>To: dev@flex.apache.org;
>
>Subject: Re: [VOTE] Release Apache FlexJS 0.6.0 RC2
>
>
>Hi,
>
>> Those files are bundled from Google Closure Library.  I opened a ticket
>> [13] to see if they have or require an ECCN.  In looking at the code, it
>> doesn’t.
>
>How do you come to that conclusion? [1][2]
>
>>  Did you see anything that would require it?
>
>As I said I’m not 100% sure. [3] Another project in incubation with
>similar code removed it recently. I can see it does contain pbkdf2 which
>is used to create keys for asymmetric encryption algorithms. It also
>contains AES which is a symmetric encryption algorithm and it supports 256
>bit encryption.  (That’s more than the 56 bits mentioned in [2]). I’d ask
>on legal to be sure.
>
>Thanks,
>Justin
>
>1. https://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States#Classification
>2. http://www.apache.org/dev/crypto.html#classify
>3. https://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States#Current_status


Re: [VOTE] Release Apache FlexJS 0.6.0 RC2

Posted by Justin Mclean <ju...@classsoftware.com>.
Hi,

> It wasn’t the closure library, as I don’t know of any other project bundling that. It was the MADlib project which uses Blowfish [1] which is similar (and mostly replaced by) AES [2].

Sorry, it was HAWQ, not MADlib. Roman Shaposhnik is involved with both; it may be best to ask him.

Thanks,
Justin

Re: [VOTE] Release Apache FlexJS 0.6.0 RC2

Posted by Justin Mclean <ju...@classsoftware.com>.
Hi,

> Which podling removed Google closure library? I'd like to read their reasons.

It wasn’t the closure library, as I don’t know of any other project bundling that. It was the MADlib project which uses Blowfish [1] which is similar (and mostly replaced by) AES [2].

Thanks,
Justin

1. https://en.wikipedia.org/wiki/Blowfish_(cipher)
2. https://en.wikipedia.org/wiki/Advanced_Encryption_Standard

Re: [VOTE] Release Apache FlexJS 0.6.0 RC2

Posted by Alex Harui <ah...@adobe.com>.
Which podling removed Google closure library? I'd like to read their reasons.


Sent from my LG G3, an AT&T 4G LTE smartphone


------ Original message------

From: Justin Mclean

Date: Thu, Mar 31, 2016 2:43 PM

To: dev@flex.apache.org;

Subject: Re: [VOTE] Release Apache FlexJS 0.6.0 RC2


Hi,

> Those files are bundled from Google Closure Library.  I opened a ticket
> [13] to see if they have or require an ECCN.  In looking at the code, it
> doesn’t.

How do you come to that conclusion? [1][2]

>  Did you see anything that would require it?

As I said I’m not 100% sure. [3] Another project in incubation with similar code removed it recently. I can see it does contain pbkdf2 which is used to create keys for asymmetric encryption algorithms. It also contains AES which is a symmetric encryption algorithm and it supports 256 bit encryption.  (That’s more than the 56 bits mentioned in [2]). I’d ask on legal to be sure.

Thanks,
Justin

1. https://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States#Classification
2. http://www.apache.org/dev/crypto.html#classify
3. https://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States#Current_status

Re: [VOTE] Release Apache FlexJS 0.6.0 RC2

Posted by Justin Mclean <ju...@classsoftware.com>.
Hi,

> Those files are bundled from Google Closure Library.  I opened a ticket
> [13] to see if they have or require an ECCN.  In looking at the code, it
> doesn’t.

How do you come to that conclusion? [1][2]

>  Did you see anything that would require it? 

As I said I’m not 100% sure. [3] Another project in incubation with similar code removed it recently. I can see it does contain pbkdf2 which is used to create keys for asymmetric encryption algorithms. It also contains AES which is a symmetric encryption algorithm and it supports 256 bit encryption.  (That’s more than the 56 bits mentioned in [2]). I’d ask on legal to be sure.

Thanks,
Justin

1. https://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States#Classification
2. http://www.apache.org/dev/crypto.html#classify
3. https://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States#Current_status

Re: [VOTE] Release Apache FlexJS 0.6.0 RC2

Posted by Michael Schmalle <te...@gmail.com>.
I won't vote with a binding vote but I did use the installer to install
RC2, ran the installer script and compiled an app in IntelliJ.

All worked fine.

Mike

On Thu, Mar 31, 2016 at 11:40 AM, Alex Harui <ah...@adobe.com> wrote:

>
>
> On 3/31/16, 4:03 AM, "Justin Mclean" <ju...@me.com> wrote:
> >
> >The bigger issue is that it looks like there is crypto code bundled here
> >[11]. I’m not 100% sure if it is required but have we followed the policy
> >here [12] and informed the US government?
> >11. ./js/lib/google/closure-library/closure/goog/crypt
> >12. http://www.apache.org/dev/crypto.html
> >
>
> Those files are bundled from Google Closure Library.  I opened a ticket
> [13] to see if they have or require an ECCN.  In looking at the code, it
> doesn't.  Did you see anything that would require it?  So, I think we're
> ok. I will also ask on legal-discuss.
>
> -Alex
>
> [13] https://github.com/google/closure-library/issues/690
>
>

Re: [VOTE] Release Apache FlexJS 0.6.0 RC2

Posted by Alex Harui <ah...@adobe.com>.

On 3/31/16, 4:03 AM, "Justin Mclean" <ju...@me.com> wrote:
>
>The bigger issue is that it looks like there is crypto code bundled here
>[11]. I’m not 100% sure if it is required but have we followed the policy
>here [12] and informed the US government?
>11. ./js/lib/google/closure-library/closure/goog/crypt
>12. http://www.apache.org/dev/crypto.html
>

Those files are bundled from Google Closure Library.  I opened a ticket
[13] to see if they have or require an ECCN.  In looking at the code, it
doesn't.  Did you see anything that would require it?  So, I think we're
ok. I will also ask on legal-discuss.

-Alex

[13] https://github.com/google/closure-library/issues/690


Re: [VOTE] Release Apache FlexJS 0.6.0 RC2

Posted by Justin Mclean <ju...@me.com>.
Hi,

-1 binding due to crypto code included in binary. If that was resolved I would be +0 as I still can’t compile from the source package. If that was resolved I’d vote +1.

I checked the following:
- Signatures and hashes good
- Source NOTICE + LICENSE is OK
- Binary NOTICE is OK
- Binary LICENSE has some minor issues
- Docs LICENSE + NOTICE is OK
- All source files have Apache headers
- Still unable to compile from source

Binary LICENSE has some minor issues:
- Could have Apache licensed Google Caja project [1][2][3]. While not required by current policy it seems odd to mention one 3rd party Apache licence software in LICENSE but not another.
- Contains code from Apache Shindig [4], this has a NOTICE file [5] which would likely affect our binary NOTICE file.
- This file [6] is based on BSD license code [7]
- This file [8] contains code from http://www.json.org/json2.js which is public domain.
- This file [9] contains code from http://webfx.eae.net/dhtml/slider/js/range.js which is Apache licensed.
- The BSD licensed file [10] contains code from http://www.bytestrom.eu/blog/2009/1120a_jpeg_encoder_for_javascript (unknown license).

These can be fixed in the next release.

There are probably a few other things bundled in there as well as I’ve not looked at everything.

The bigger issue is that it looks like there is crypto code bundled here [11]. I’m not 100% sure if it is required but have we followed the policy here [12] and informed the US government?

Thanks,
Justin

1. ./js/lib/google/closure-library/third_party/closure/goog/caja/string/html/htmlparser.js
2. ./js/lib/google/closure-library/third_party/closure/goog/caja/string/html/htmlsanitizer.js
3. https://github.com/google/caja/blob/master/LICENSE.txt
4. ./js/lib/google/closure-library/third_party/closure/goog/osapi/osapi.js
5. http://svn.apache.org/repos/asf/shindig/trunk/NOTICE
6. ./js/lib/google/closure-library/third_party/closure/goog/loremipsum/text/loremipsum.js
7. https://code.google.com/archive/p/lorem-ipsum-generator/
8. ./js/lib/google/closure-library/closure/goog/json/json.js
9. ./js/lib/google/closure-library/closure/goog/ui/rangemodel.js
10. ./js/lib/google/closure-library/third_party/closure/goog/jpeg_encoder/jpeg_encoder_basic.js
11. ./js/lib/google/closure-library/closure/goog/crypt
12. http://www.apache.org/dev/crypto.html