Posted to dev@avro.apache.org by GitBox <gi...@apache.org> on 2023/01/05 18:12:19 UTC

[GitHub] [avro] dongjoon-hyun opened a new pull request, #2046: AVRO-3700: Publish SBOM artifacts

dongjoon-hyun opened a new pull request, #2046:
URL: https://github.com/apache/avro/pull/2046

   <!--
   
   *Thank you very much for contributing to Apache Avro - we are happy that you want to help us improve Avro. To help the community review your contribution in the best possible way, please go through the checklist below, which will get the contribution into a shape in which it can be best reviewed.*
   
   *Please understand that we do not do this to make contributions to Avro a hassle. In order to uphold a high standard of quality for code contributions, while at the same time managing a large number of contributions, we need contributors to prepare the contributions well, and give reviewers enough contextual information for the review. Please also understand that contributions that do not follow this guide will take longer to review and thus typically be picked up with lower priority by the community.*
   
   ## Contribution Checklist
   
     - Make sure that the pull request corresponds to a [JIRA issue](https://issues.apache.org/jira/projects/AVRO/issues). Exceptions are made for typos in JavaDoc or documentation files, which need no JIRA issue.
     
     - Name the pull request in the form "AVRO-XXXX: [component] Title of the pull request", where *AVRO-XXXX* should be replaced by the actual issue number. 
       The *component* is optional, but can help identify the correct reviewers faster: either the language ("java", "python") or subsystem such as "build" or "doc" are good candidates.  
   
     - Fill out the template below to describe the changes contributed by the pull request. That will give reviewers the context they need to do the review.
     
     - Make sure that the change passes the automated tests. You can [build the entire project](https://github.com/apache/avro/blob/master/BUILD.md) or just the [language-specific SDK](https://avro.apache.org/project/how-to-contribute/#unit-tests).
   
     - Each pull request should address only one issue, not mix up code from multiple issues.
     
     - Each commit in the pull request has a meaningful commit message (including the JIRA id)
   
     - Every commit message references Jira issues in their subject lines. In addition, commits follow the guidelines from [How to write a good git commit message](https://chris.beams.io/posts/git-commit/)
       1. Subject is separated from body by a blank line
       1. Subject is limited to 50 characters (not including Jira issue reference)
       1. Subject does not end with a period
       1. Subject uses the imperative mood ("add", not "adding")
       1. Body wraps at 72 characters
       1. Body explains "what" and "why", not "how"
   
   -->
   
   ## What is the purpose of the change
   
   *(For example: This pull request improves file read performance by buffering data, fixing AVRO-XXXX.)*
   
   
   ## Verifying this change
   
   *(Please pick one of the following options)*
   
   This change is a trivial rework / code cleanup without any test coverage.
   
   *(or)*
   
   This change is already covered by existing tests, such as *(please describe tests)*.
   
   *(or)*
   
   This change added tests and can be verified as follows:
   
   *(example:)*
   - *Extended interop tests to verify consistent valid schema names between SDKs*
   - *Added test that validates that Java throws an AvroRuntimeException on invalid binary data*
   - *Manually verified the change by building the website and checking the new redirect*
   
   
   ## Documentation
   
   - Does this pull request introduce a new feature? (yes / no)
   - If yes, how is the feature documented? (not applicable / docs / JavaDocs / not documented)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@avro.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [avro] dongjoon-hyun commented on pull request #2046: AVRO-3700: Publish SBOM artifacts

Posted by GitBox <gi...@apache.org>.
dongjoon-hyun commented on PR #2046:
URL: https://github.com/apache/avro/pull/2046#issuecomment-1372630984

   Could you review this, @dkulp, @iemejia, @martin-g?




[GitHub] [avro] dongjoon-hyun commented on pull request #2046: AVRO-3700: Publish SBOM artifacts

Posted by GitBox <gi...@apache.org>.
dongjoon-hyun commented on PR #2046:
URL: https://github.com/apache/avro/pull/2046#issuecomment-1372730709

   Thank you, @martin-g and @iemejia.




[GitHub] [avro] dongjoon-hyun commented on pull request #2046: AVRO-3700: Publish Java SBOM artifacts with CycloneDX

Posted by GitBox <gi...@apache.org>.
dongjoon-hyun commented on PR #2046:
URL: https://github.com/apache/avro/pull/2046#issuecomment-1373886242

   Oh, thank you for that info, @iemejia.




[GitHub] [avro] dongjoon-hyun commented on pull request #2046: AVRO-3700: Publish SBOM artifacts

Posted by GitBox <gi...@apache.org>.
dongjoon-hyun commented on PR #2046:
URL: https://github.com/apache/avro/pull/2046#issuecomment-1372966207

   Yes, among those three standards, `CycloneDX` and `SPDX` formats are proper for us, and Maven plugins exist in the same way.
   - https://github.com/CycloneDX/cyclonedx-maven-plugin
   - https://github.com/spdx/spdx-maven-plugin
   
   Although this PR delivers `CycloneDX`-style BOM files first, we may want to add `SPDX`-style BOM files additionally later. They are not exclusive. The reason I chose `CycloneDX` is that it is simpler and focuses mostly on application security and supply-chain component analysis, @iemejia. This fits my needs first.


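The discussion above is about which BOM format to publish; what a downstream consumer does with the published file is the other half of the story. The following is an added example, not code from the Avro project, from this PR, or from the cyclonedx-maven-plugin. It assumes the BOM is consumed in its CycloneDX JSON form and works over a hand-constructed BOM shaped like that output (bomFormat, specVersion, serialNumber, metadata.component, components, dependencies). The Maven coordinates, the hash, and the advisory table are invented placeholders for the example, not Avro's real dependency tree and not real CVE or GHSA identifiers. It shows three checks a practitioner would run before trusting an SBOM: structural validation, detecting dependency refs that point at nothing, and matching component purls against an advisory table.

```python
"""Validate and cross-check a CycloneDX JSON SBOM (illustrative example)."""
import json
import re
import uuid

# Constructed CycloneDX 1.4 BOM. The dependency on "missing@0.1" is dangling on
# purpose so the reference check below has something to report.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "serialNumber": "urn:uuid:" + str(uuid.uuid5(uuid.NAMESPACE_URL, "example-sbom")),
    "version": 1,
    "metadata": {
        "component": {
            "type": "library", "bom-ref": "pkg:maven/org.example/app@1.0.0?type=jar",
            "group": "org.example", "name": "app", "version": "1.0.0",
            "purl": "pkg:maven/org.example/app@1.0.0?type=jar",
        }
    },
    "components": [
        {"type": "library", "bom-ref": "pkg:maven/org.example/parser@2.3.1?type=jar",
         "group": "org.example", "name": "parser", "version": "2.3.1",
         "purl": "pkg:maven/org.example/parser@2.3.1?type=jar",
         "hashes": [{"alg": "SHA-256", "content": "ab" * 32}]},  # placeholder digest
        {"type": "library", "bom-ref": "pkg:maven/org.example/codec@1.9.0?type=jar",
         "group": "org.example", "name": "codec", "version": "1.9.0",
         "purl": "pkg:maven/org.example/codec@1.9.0?type=jar"},
    ],
    "dependencies": [
        {"ref": "pkg:maven/org.example/app@1.0.0?type=jar",
         "dependsOn": ["pkg:maven/org.example/parser@2.3.1?type=jar"]},
        {"ref": "pkg:maven/org.example/parser@2.3.1?type=jar",
         "dependsOn": ["pkg:maven/org.example/codec@1.9.0?type=jar",
                       "pkg:maven/org.example/missing@0.1?type=jar"]},
    ],
})

# Constructed advisory table keyed by version-less purl; IDs are placeholders.
ADVISORIES = {
    "pkg:maven/org.example/codec": {"EXAMPLE-0001": {"1.8.0", "1.9.0"}},
}


def load_bom(text):
    """Parse the JSON and reject anything that is not a well-formed CycloneDX BOM."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX BOM")
    if not re.fullmatch(r"1\.\d+", str(bom.get("specVersion", ""))):
        raise ValueError("missing or unrecognised specVersion")
    serial = str(bom.get("serialNumber", ""))
    if not serial.startswith("urn:uuid:"):
        raise ValueError("serialNumber must be a urn:uuid")
    uuid.UUID(serial[len("urn:uuid:"):])  # raises ValueError if malformed
    return bom


def split_purl(purl):
    """Split 'pkg:type/ns/name@version?qualifiers#subpath' into (base, version)."""
    base, _, rest = purl.partition("@")
    version = rest.split("?", 1)[0].split("#", 1)[0]
    return base, version


def index_components(bom):
    """Map bom-ref -> component for metadata.component plus every listed component.
    Duplicate bom-refs make the dependency graph ambiguous, so they are rejected."""
    refs = {}
    meta = bom.get("metadata", {}).get("component")
    for comp in ([meta] if meta else []) + bom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("purl") or comp.get("name")
        if ref in refs:
            raise ValueError(f"duplicate bom-ref {ref}")
        refs[ref] = comp
    return refs


def dangling_dependency_refs(bom):
    """Refs in the dependency graph that no component in the BOM defines."""
    refs = index_components(bom)
    dangling = set()
    for dep in bom.get("dependencies", []):
        for ref in [dep.get("ref")] + list(dep.get("dependsOn", [])):
            if ref not in refs:
                dangling.add(ref)
    return sorted(dangling)


def affected_components(bom, advisories=ADVISORIES):
    """(purl, advisory id) pairs for components whose exact version is listed."""
    hits = []
    for comp in index_components(bom).values():
        purl = comp.get("purl")
        if not purl:
            continue
        base, version = split_purl(purl)
        for adv_id, versions in advisories.get(base, {}).items():
            if version in versions:
                hits.append((purl, adv_id))
    return sorted(hits)


def unhashed_components(bom):
    """Components without a hash cannot be tied to the artifact that actually shipped."""
    return sorted(c.get("purl", c.get("name")) for c in bom.get("components", [])
                  if not c.get("hashes"))


if __name__ == "__main__":
    bom = load_bom(SAMPLE_BOM)
    print("dangling refs:", dangling_dependency_refs(bom))
    print("affected     :", affected_components(bom))
    print("no hash      :", unhashed_components(bom))
```

The advisory match is deliberately an exact-version set lookup rather than a range comparison: Maven version ordering has enough corner cases (qualifiers, timestamped snapshots) that a real consumer should feed the purls to a proper vulnerability database rather than compare strings itself. The hash check matters because an SBOM that names a coordinate without a digest only tells you what the build intended to use, not what was actually packaged.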


[GitHub] [avro] iemejia merged pull request #2046: AVRO-3700: Publish Java SBOM artifacts with CycloneDX

Posted by GitBox <gi...@apache.org>.
iemejia merged PR #2046:
URL: https://github.com/apache/avro/pull/2046




[GitHub] [avro] iemejia commented on pull request #2046: AVRO-3700: Publish SBOM artifacts

Posted by GitBox <gi...@apache.org>.
iemejia commented on PR #2046:
URL: https://github.com/apache/avro/pull/2046#issuecomment-1372914189

   One question, @dongjoon-hyun: I am kind of new in the SBOM world, but looking around it seems like there are like 3 big standards. Any reason to choose the Cyclone one over SPDX (which seems to be the one being pushed by the Linux Foundation)? I am ok with merging this as it is, just curious. Better to have one than none :)
   
   I am also wondering what other Apache projects use. Just from a quick look, it seems not even Log4j, with all the mess of the last year, is publishing their SBOM, and there are no recommendations yet from the security group at the ASF.
   
   




[GitHub] [avro] dongjoon-hyun commented on pull request #2046: AVRO-3700: Publish SBOM artifacts

Posted by GitBox <gi...@apache.org>.
dongjoon-hyun commented on PR #2046:
URL: https://github.com/apache/avro/pull/2046#issuecomment-1372975753

   For the second question, I also searched for some references in the ASF, but I could not find any. So, I'm proposing and leading in the following way, @iemejia.
   
   - ORC-1342: Publish SBOM artifacts (Merged, https://github.com/apache/orc/pull/1353)
   - AVRO-3700: Publish SBOM artifacts (Approved, This PR, https://github.com/apache/avro/pull/2046)
   - PARQUET-2224: Publish SBOM artifacts (Open, https://github.com/apache/parquet-mr/pull/1017)
   - SPARK-41893: Publish SBOM artifacts (Merged, https://github.com/apache/spark/pull/39401)
   - FLINK-30578: Publish SBOM artifacts (Open, https://github.com/apache/flink/pull/21606)

