[VOTE] Apache BookKeeper Release 4.6.0, release candidate #2

[Jia Zhai <zh...@apache.org>]

Hi everyone,

Please review and vote on the release candidate #2 for the version
4.6.0, as follows:
[ ] +1, Approve the release
[ ] -1, Do not approve the release (please provide specific comments)

This new release candidate mainly fixed the license issue.

The complete staging area is available for your review, which includes:
* Release notes [1]
* The official Apache source and binary distributions to be deployed
to dist.apache.org [2]
* All artifacts to be deployed to the Maven Central Repository [3]
* Source code tag "release-4.6.0" [4] with sha
0d6c21e0a88749c428749841db59cf53195e556c

BookKeeper's KEYS file contains PGP keys we used to sign this
release:https://dist.apache.org/repos/dist/release/bookkeeper/KEYS

Please download these packages and review this release candidate:

- Review release notes
- Download the source package (verify md5, shasum, and asc) and follow the
instructions to build and run the bookkeeper service.
- Download the binary package (verify md5, shasum, and asc) and follow the
instructions to run the bookkeeper service.
- Review maven repo, release tag, licenses, and any other things you think
it is important to a release.

The vote will be open for at least 72 hours. It is adopted by majority
approval, with at least 3 PMC affirmative votes.

Thanks,
Jia Zhai

[1] *https://github.com/apache/bookkeeper/pull/759
<https://github.com/apache/bookkeeper/pull/759>*
[2] *https://dist.apache.org/repos/dist/dev/bookkeeper/bookkeeper-4.6.0-rc2/
<https://dist.apache.org/repos/dist/dev/bookkeeper/bookkeeper-4.6.0-rc2/>*
[3]
https://repository.apache.org/content/repositories/orgapachebookkeeper-1023/
[4] https://github.com/apache/bookkeeper/tree/release-4.6.0

Re: [VOTE] Apache BookKeeper Release 4.6.0, release candidate #2

[Ivan Kelly <iv...@apache.org>]

Here's the source:
https://storage.googleapis.com/google-code-archive-source/v2/code.google.com/jsr-305/source-archive.zip

-Ivan

On Mon, Dec 18, 2017 at 9:49 PM, Ivan Kelly <iv...@apache.org> wrote:
>>> Isn't this ASFv2?
>>> https://mvnrepository.com/artifact/com.google.code.findbugs/jsr305
> No, check out the pom.
>
> http://central.maven.org/maven2/com/google/code/findbugs/jsr305/2.0.3/jsr305-2.0.3.pom
>
> The pom says ASL, but the pom points to a site where you can get the
> original source. It can only be downloaded from a zip from there. The
> zip, which is the only source for this that I could find, is BSD 3
> clause.
>
> It looks like findbugs repackaged the jar, and pushed to maven, but
> ignored the license stuff.
>
>> It is ASLv2. Please check maven:
>> https://mvnrepository.com/artifact/com.twitter/libthrift/0.5.0-7
>
> Again, check the pom,
> http://central.maven.org/maven2/com/twitter/libthrift/0.5.0-7/libthrift-0.5.0-7.pom
>
> "Thrift is a software framework for scalable cross-language services
> development.
>   This fork is due to a concurrency issue in 0.5.0 that we didn't get
> upstreamed."
>
> So where is the source? This one I assume is a ASL, but the source is
> not available anywhere.
>
> -Ivan

Re: [VOTE] Apache BookKeeper Release 4.6.0, release candidate #2

[Jia Zhai <zh...@gmail.com>]

Please ignore this email. it has been cancelled, and a new voting email has
been sent. Thanks.

On Tue, Dec 19, 2017 at 9:01 AM, Jia Zhai <zh...@gmail.com> wrote:

> Thanks for the help.
> Since bookkeeper-all package contains jars whose license are unclear,
> would like to cancel this vote thread and will remove bookkeeper-all in the
> new vote thread. The new thread will keep the same rc number.
>
> On Tue, Dec 19, 2017 at 8:25 AM, Sijie Guo <gu...@gmail.com> wrote:
>
>> On Mon, Dec 18, 2017 at 3:32 PM, Ivan Kelly <iv...@apache.org> wrote:
>>
>> > >> The pom says ASL, but the pom points to a site where you can get the
>> > >> original source. It can only be downloaded from a zip from there. The
>> > >> zip, which is the only source for this that I could find, is BSD 3
>> > >> clause.
>> > >>
>> > >
>> > > We do not bundle the source. We bundle the published jar, which is
>> under
>> > > ASLv2 in maven central.
>> > Maven central is not a source of truth. It must be maven central
>> > because findbugs wanted to use it as a dependency, so it published the
>> > jar, even though in the findbugs distribution they don't have the
>> > source. They do have the jar though, and they do get the license right
>> > in their source distribution. They overlooked it when they put it in
>> > maven central, and as such violated the 3 clause BSD license.
>> >
>> > The license covers binary and source form, so we should adhere to the
>> > original license, which is 3 clause BSD.
>>
>>
>> I don't think we should be in the business of checking whether it
>> volatiles
>> 3 clause BSD license or not.
>> The dependency that we pulled in is a bundled binary, which we should use
>> the LICENSE that they associated
>> with the bundled jar that the author pushed to maven central. If it
>> violates BSD license, the author of this jar should address.
>> However I am not the lawyer. so I can't judge what is right and what is
>> wrong.
>>
>>
>> >
>> > >> So where is the source? This one I assume is a ASL, but the source is
>> > >> not available anywhere.
>> > >>
>> > >
>> > > There is no public source about this. We have to use the license in
>> maven
>> > > as the source-of-truth.
>> > By not publishing the NOTICE file from apache thrift, twitter is in
>> > violation of the ASL (clause 4(d)).
>>
>>
>> Same as above.
>>
>> You seem to have strong opinions about these two *problematic*
>> dependencies. And these dependencies were introduced by twitter stats
>> providers for bookkeeper-all packages.
>> In order not to block release 4.6.0, I would suggest removing
>> bookkeeper-all package from release 4.6.0. If people need bookkeeper-all
>> package, they can compile from src package.
>> We can resume the discussion of bookkeeper-all package when licensing
>> concerns are removed.
>>
>>
>>
>>
>> >
>> > -Ivan
>> >
>>
>
>

Re: [VOTE] Apache BookKeeper Release 4.6.0, release candidate #2

[Jia Zhai <zh...@gmail.com>]

Thanks for the help.
Since bookkeeper-all package contains jars whose license are unclear, would
like to cancel this vote thread and will remove bookkeeper-all in the new
vote thread. The new thread will keep the same rc number.

On Tue, Dec 19, 2017 at 8:25 AM, Sijie Guo <gu...@gmail.com> wrote:

> On Mon, Dec 18, 2017 at 3:32 PM, Ivan Kelly <iv...@apache.org> wrote:
>
> > >> The pom says ASL, but the pom points to a site where you can get the
> > >> original source. It can only be downloaded from a zip from there. The
> > >> zip, which is the only source for this that I could find, is BSD 3
> > >> clause.
> > >>
> > >
> > > We do not bundle the source. We bundle the published jar, which is
> under
> > > ASLv2 in maven central.
> > Maven central is not a source of truth. It must be maven central
> > because findbugs wanted to use it as a dependency, so it published the
> > jar, even though in the findbugs distribution they don't have the
> > source. They do have the jar though, and they do get the license right
> > in their source distribution. They overlooked it when they put it in
> > maven central, and as such violated the 3 clause BSD license.
> >
> > The license covers binary and source form, so we should adhere to the
> > original license, which is 3 clause BSD.
>
>
> I don't think we should be in the business of checking whether it volatiles
> 3 clause BSD license or not.
> The dependency that we pulled in is a bundled binary, which we should use
> the LICENSE that they associated
> with the bundled jar that the author pushed to maven central. If it
> violates BSD license, the author of this jar should address.
> However I am not the lawyer. so I can't judge what is right and what is
> wrong.
>
>
> >
> > >> So where is the source? This one I assume is a ASL, but the source is
> > >> not available anywhere.
> > >>
> > >
> > > There is no public source about this. We have to use the license in
> maven
> > > as the source-of-truth.
> > By not publishing the NOTICE file from apache thrift, twitter is in
> > violation of the ASL (clause 4(d)).
>
>
> Same as above.
>
> You seem to have strong opinions about these two *problematic*
> dependencies. And these dependencies were introduced by twitter stats
> providers for bookkeeper-all packages.
> In order not to block release 4.6.0, I would suggest removing
> bookkeeper-all package from release 4.6.0. If people need bookkeeper-all
> package, they can compile from src package.
> We can resume the discussion of bookkeeper-all package when licensing
> concerns are removed.
>
>
>
>
> >
> > -Ivan
> >
>

Re: [VOTE] Apache BookKeeper Release 4.6.0, release candidate #2

[Ivan Kelly <iv...@apache.org>]

>> The license covers binary and source form, so we should adhere to the
>> original license, which is 3 clause BSD.
>
> I don't think we should be in the business of checking whether it volatiles
> 3 clause BSD license or not.
> The dependency that we pulled in is a bundled binary, which we should use
> the LICENSE that they associated
> with the bundled jar that the author pushed to maven central. If it
> violates BSD license, the author of this jar should address.
> However I am not the lawyer. so I can't judge what is right and what is
> wrong.
Just because findbugs violated the license doesn't mean were are in
the clear if we do the same.
Findbugs is dead, so there's no hope of them actually addressing it.

Ideally we could just remove this dependency, but the annotations have
runtime retention, so it's unlikely to result in good things
happening.
So we should include the correct license, which is available on google code.

> You seem to have strong opinions about these two *problematic*
> dependencies. And these dependencies were introduced by twitter stats
> providers for bookkeeper-all packages.
libthrift comes as part of twitter-server, but yes, they're not in the
default bookkeeper-server package.

> In order not to block release 4.6.0, I would suggest removing
> bookkeeper-all package from release 4.6.0. If people need bookkeeper-all
> package, they can compile from src package.
Sounds good to me.

> We can resume the discussion of bookkeeper-all package when licensing
> concerns are removed.
I've asked on the finagle github issues about getting the source or
notice for libthrift.

-Ivan

Re: [VOTE] Apache BookKeeper Release 4.6.0, release candidate #2

[Sijie Guo <gu...@gmail.com>]

On Mon, Dec 18, 2017 at 3:32 PM, Ivan Kelly <iv...@apache.org> wrote:

> >> The pom says ASL, but the pom points to a site where you can get the
> >> original source. It can only be downloaded from a zip from there. The
> >> zip, which is the only source for this that I could find, is BSD 3
> >> clause.
> >>
> >
> > We do not bundle the source. We bundle the published jar, which is under
> > ASLv2 in maven central.
> Maven central is not a source of truth. It must be maven central
> because findbugs wanted to use it as a dependency, so it published the
> jar, even though in the findbugs distribution they don't have the
> source. They do have the jar though, and they do get the license right
> in their source distribution. They overlooked it when they put it in
> maven central, and as such violated the 3 clause BSD license.
>
> The license covers binary and source form, so we should adhere to the
> original license, which is 3 clause BSD.


I don't think we should be in the business of checking whether it volatiles
3 clause BSD license or not.
The dependency that we pulled in is a bundled binary, which we should use
the LICENSE that they associated
with the bundled jar that the author pushed to maven central. If it
violates BSD license, the author of this jar should address.
However I am not the lawyer. so I can't judge what is right and what is
wrong.


>
> >> So where is the source? This one I assume is a ASL, but the source is
> >> not available anywhere.
> >>
> >
> > There is no public source about this. We have to use the license in maven
> > as the source-of-truth.
> By not publishing the NOTICE file from apache thrift, twitter is in
> violation of the ASL (clause 4(d)).


Same as above.

You seem to have strong opinions about these two *problematic*
dependencies. And these dependencies were introduced by twitter stats
providers for bookkeeper-all packages.
In order not to block release 4.6.0, I would suggest removing
bookkeeper-all package from release 4.6.0. If people need bookkeeper-all
package, they can compile from src package.
We can resume the discussion of bookkeeper-all package when licensing
concerns are removed.




>
> -Ivan
>

Re: [VOTE] Apache BookKeeper Release 4.6.0, release candidate #2

[Ivan Kelly <iv...@apache.org>]

>> The pom says ASL, but the pom points to a site where you can get the
>> original source. It can only be downloaded from a zip from there. The
>> zip, which is the only source for this that I could find, is BSD 3
>> clause.
>>
>
> We do not bundle the source. We bundle the published jar, which is under
> ASLv2 in maven central.
Maven central is not a source of truth. It must be maven central
because findbugs wanted to use it as a dependency, so it published the
jar, even though in the findbugs distribution they don't have the
source. They do have the jar though, and they do get the license right
in their source distribution. They overlooked it when they put it in
maven central, and as such violated the 3 clause BSD license.

The license covers binary and source form, so we should adhere to the
original license, which is 3 clause BSD.

>> So where is the source? This one I assume is a ASL, but the source is
>> not available anywhere.
>>
>
> There is no public source about this. We have to use the license in maven
> as the source-of-truth.
By not publishing the NOTICE file from apache thrift, twitter is in
violation of the ASL (clause 4(d)).

-Ivan

Re: [VOTE] Apache BookKeeper Release 4.6.0, release candidate #2

[Sijie Guo <gu...@gmail.com>]

On Mon, Dec 18, 2017 at 12:49 PM, Ivan Kelly <iv...@apache.org> wrote:

> >> Isn't this ASFv2?
> >> https://mvnrepository.com/artifact/com.google.code.findbugs/jsr305
> No, check out the pom.
>
> http://central.maven.org/maven2/com/google/code/
> findbugs/jsr305/2.0.3/jsr305-2.0.3.pom
>
> The pom says ASL, but the pom points to a site where you can get the
> original source. It can only be downloaded from a zip from there. The
> zip, which is the only source for this that I could find, is BSD 3
> clause.
>

We do not bundle the source. We bundle the published jar, which is under
ASLv2 in maven central.



>
> It looks like findbugs repackaged the jar, and pushed to maven, but
> ignored the license stuff.
>
> > It is ASLv2. Please check maven:
> > https://mvnrepository.com/artifact/com.twitter/libthrift/0.5.0-7
>
> Again, check the pom,
> http://central.maven.org/maven2/com/twitter/libthrift/
> 0.5.0-7/libthrift-0.5.0-7.pom
>
> "Thrift is a software framework for scalable cross-language services
> development.
>   This fork is due to a concurrency issue in 0.5.0 that we didn't get
> upstreamed."
>
> So where is the source? This one I assume is a ASL, but the source is
> not available anywhere.
>

There is no public source about this. We have to use the license in maven
as the source-of-truth.


>
> -Ivan
>

Re: [VOTE] Apache BookKeeper Release 4.6.0, release candidate #2

[Ivan Kelly <iv...@apache.org>]

>> Isn't this ASFv2?
>> https://mvnrepository.com/artifact/com.google.code.findbugs/jsr305
No, check out the pom.

http://central.maven.org/maven2/com/google/code/findbugs/jsr305/2.0.3/jsr305-2.0.3.pom

The pom says ASL, but the pom points to a site where you can get the
original source. It can only be downloaded from a zip from there. The
zip, which is the only source for this that I could find, is BSD 3
clause.

It looks like findbugs repackaged the jar, and pushed to maven, but
ignored the license stuff.

> It is ASLv2. Please check maven:
> https://mvnrepository.com/artifact/com.twitter/libthrift/0.5.0-7

Again, check the pom,
http://central.maven.org/maven2/com/twitter/libthrift/0.5.0-7/libthrift-0.5.0-7.pom

"Thrift is a software framework for scalable cross-language services
development.
  This fork is due to a concurrency issue in 0.5.0 that we didn't get
upstreamed."

So where is the source? This one I assume is a ASL, but the source is
not available anywhere.

-Ivan

Re: [VOTE] Apache BookKeeper Release 4.6.0, release candidate #2

[Jia Zhai <zh...@gmail.com>]

Oh, Thanks you guys. Seems it is Apache 2.0 as Sijie mentioned. @Ivan,
Would you please help confirm it?

On Tue, Dec 19, 2017 at 12:21 AM, Sijie Guo <gu...@gmail.com> wrote:

> Isn't this ASFv2?
> https://mvnrepository.com/artifact/com.google.code.findbugs/jsr305
>
> Sijie
>
>
>
> On Dec 18, 2017 7:20 AM, "Ivan Kelly" <iv...@apache.org> wrote:
>
> -1 again I'm afraid. The JSR305 jar is unaccounted for. Source code is
> hard to track down, but it turn up at
> https://code.google.com/archive/p/jsr-305/source/default/source
>
> This jar is New BSD licensed, but also has some files under Creative
> commons Attribution License, though they don't mention this in their
> own LICENSE, which is strange and annoying.
>
> Do we even need this jar?
>
> -Ivan
>
> On Mon, Dec 18, 2017 at 2:57 PM, Enrico Olivelli <eo...@gmail.com>
> wrote:
> > 2017-12-18 2:00 GMT+01:00 Jia Zhai <zh...@apache.org>:
> >
> >> Hi everyone,
> >>
> >> Please review and vote on the release candidate #2 for the version
> >> 4.6.0, as follows:
> >> [ ] +1, Approve the release
> >> [ ] -1, Do not approve the release (please provide specific comments)
> >>
> >
> >
> > +1 (non binding)
> > Run tests from source package
> > Checked signatures and md5/sha1 for staged artifacts
> > Run test from my projects
> > Run basic commands in the shell with a single machine cluster
> > Started bookie with Prometheus stats provider
> >
> > I noticed an ephemeral port opened by the bookie but I can't remember the
> > reason
> >
> > Thank you Jia
> > Enrico
> >
> >
> >
> >>
> >> This new release candidate mainly fixed the license issue.
> >>
> >> The complete staging area is available for your review, which includes:
> >> * Release notes [1]
> >> * The official Apache source and binary distributions to be deployed
> >> to dist.apache.org [2]
> >> * All artifacts to be deployed to the Maven Central Repository [3]
> >> * Source code tag "release-4.6.0" [4] with sha
> >> 0d6c21e0a88749c428749841db59cf53195e556c
> >>
> >> BookKeeper's KEYS file contains PGP keys we used to sign this
> >> release:https://dist.apache.org/repos/dist/release/bookkeeper/KEYS
> >>
> >> Please download these packages and review this release candidate:
> >>
> >> - Review release notes
> >> - Download the source package (verify md5, shasum, and asc) and follow
> the
> >> instructions to build and run the bookkeeper service.
> >> - Download the binary package (verify md5, shasum, and asc) and follow
> the
> >> instructions to run the bookkeeper service.
> >> - Review maven repo, release tag, licenses, and any other things you
> think
> >> it is important to a release.
> >>
> >> The vote will be open for at least 72 hours. It is adopted by majority
> >> approval, with at least 3 PMC affirmative votes.
> >>
> >> Thanks,
> >> Jia Zhai
> >>
> >> [1] *https://github.com/apache/bookkeeper/pull/759
> >> <https://github.com/apache/bookkeeper/pull/759>*
> >> [2] *https://dist.apache.org/repos/dist/dev/bookkeeper/
> >> bookkeeper-4.6.0-rc2/
> >> <https://dist.apache.org/repos/dist/dev/bookkeeper/
> bookkeeper-4.6.0-rc2/
> >*
> >> [3]
> >> https://repository.apache.org/content/repositories/
> >> orgapachebookkeeper-1023/
> >> [4] https://github.com/apache/bookkeeper/tree/release-4.6.0
> >>
>

Re: [VOTE] Apache BookKeeper Release 4.6.0, release candidate #2

[Sijie Guo <gu...@gmail.com>]

Isn't this ASFv2?
https://mvnrepository.com/artifact/com.google.code.findbugs/jsr305

Sijie



On Dec 18, 2017 7:20 AM, "Ivan Kelly" <iv...@apache.org> wrote:

-1 again I'm afraid. The JSR305 jar is unaccounted for. Source code is
hard to track down, but it turn up at
https://code.google.com/archive/p/jsr-305/source/default/source

This jar is New BSD licensed, but also has some files under Creative
commons Attribution License, though they don't mention this in their
own LICENSE, which is strange and annoying.

Do we even need this jar?

-Ivan

On Mon, Dec 18, 2017 at 2:57 PM, Enrico Olivelli <eo...@gmail.com>
wrote:
> 2017-12-18 2:00 GMT+01:00 Jia Zhai <zh...@apache.org>:
>
>> Hi everyone,
>>
>> Please review and vote on the release candidate #2 for the version
>> 4.6.0, as follows:
>> [ ] +1, Approve the release
>> [ ] -1, Do not approve the release (please provide specific comments)
>>
>
>
> +1 (non binding)
> Run tests from source package
> Checked signatures and md5/sha1 for staged artifacts
> Run test from my projects
> Run basic commands in the shell with a single machine cluster
> Started bookie with Prometheus stats provider
>
> I noticed an ephemeral port opened by the bookie but I can't remember the
> reason
>
> Thank you Jia
> Enrico
>
>
>
>>
>> This new release candidate mainly fixed the license issue.
>>
>> The complete staging area is available for your review, which includes:
>> * Release notes [1]
>> * The official Apache source and binary distributions to be deployed
>> to dist.apache.org [2]
>> * All artifacts to be deployed to the Maven Central Repository [3]
>> * Source code tag "release-4.6.0" [4] with sha
>> 0d6c21e0a88749c428749841db59cf53195e556c
>>
>> BookKeeper's KEYS file contains PGP keys we used to sign this
>> release:https://dist.apache.org/repos/dist/release/bookkeeper/KEYS
>>
>> Please download these packages and review this release candidate:
>>
>> - Review release notes
>> - Download the source package (verify md5, shasum, and asc) and follow
the
>> instructions to build and run the bookkeeper service.
>> - Download the binary package (verify md5, shasum, and asc) and follow
the
>> instructions to run the bookkeeper service.
>> - Review maven repo, release tag, licenses, and any other things you
think
>> it is important to a release.
>>
>> The vote will be open for at least 72 hours. It is adopted by majority
>> approval, with at least 3 PMC affirmative votes.
>>
>> Thanks,
>> Jia Zhai
>>
>> [1] *https://github.com/apache/bookkeeper/pull/759
>> <https://github.com/apache/bookkeeper/pull/759>*
>> [2] *https://dist.apache.org/repos/dist/dev/bookkeeper/
>> bookkeeper-4.6.0-rc2/
>> <https://dist.apache.org/repos/dist/dev/bookkeeper/bookkeeper-4.6.0-rc2/
>*
>> [3]
>> https://repository.apache.org/content/repositories/
>> orgapachebookkeeper-1023/
>> [4] https://github.com/apache/bookkeeper/tree/release-4.6.0
>>

Re: [VOTE] Apache BookKeeper Release 4.6.0, release candidate #2

[Sijie Guo <gu...@gmail.com>]

It is ASLv2. Please check maven:
https://mvnrepository.com/artifact/com.twitter/libthrift/0.5.0-7

Sijie

On Dec 18, 2017 7:47 AM, "Ivan Kelly" <iv...@apache.org> wrote:

Also, I can't find the source for libthrift. It seems to be a twitter
fork of the original apache libthrift, but there's nothing on
twitter's github. It is presumably ASL, but there's nothing to confirm
this.

-Ivan

On Mon, Dec 18, 2017 at 4:22 PM, Enrico Olivelli <eo...@gmail.com>
wrote:
> 2017-12-18 16:20 GMT+01:00 Ivan Kelly <iv...@apache.org>:
>
>> -1 again I'm afraid. The JSR305 jar is unaccounted for. Source code is
>> hard to track down, but it turn up at
>> https://code.google.com/archive/p/jsr-305/source/default/source
>>
>> This jar is New BSD licensed, but also has some files under Creative
>> commons Attribution License, though they don't mention this in their
>> own LICENSE, which is strange and annoying.
>>
>> Do we even need this jar?
>>
>
> No, I am fighting against JSR305 in these days in my projects, it is a
> clone of javax.annotations and it is imported from findbugs/spotbugs
> annotations
> We can exclude it from the packaging
>
>
>
>>
>> -Ivan
>>
>> On Mon, Dec 18, 2017 at 2:57 PM, Enrico Olivelli <eo...@gmail.com>
>> wrote:
>> > 2017-12-18 2:00 GMT+01:00 Jia Zhai <zh...@apache.org>:
>> >
>> >> Hi everyone,
>> >>
>> >> Please review and vote on the release candidate #2 for the version
>> >> 4.6.0, as follows:
>> >> [ ] +1, Approve the release
>> >> [ ] -1, Do not approve the release (please provide specific comments)
>> >>
>> >
>> >
>> > +1 (non binding)
>> > Run tests from source package
>> > Checked signatures and md5/sha1 for staged artifacts
>> > Run test from my projects
>> > Run basic commands in the shell with a single machine cluster
>> > Started bookie with Prometheus stats provider
>> >
>> > I noticed an ephemeral port opened by the bookie but I can't remember
the
>> > reason
>> >
>> > Thank you Jia
>> > Enrico
>> >
>> >
>> >
>> >>
>> >> This new release candidate mainly fixed the license issue.
>> >>
>> >> The complete staging area is available for your review, which
includes:
>> >> * Release notes [1]
>> >> * The official Apache source and binary distributions to be deployed
>> >> to dist.apache.org [2]
>> >> * All artifacts to be deployed to the Maven Central Repository [3]
>> >> * Source code tag "release-4.6.0" [4] with sha
>> >> 0d6c21e0a88749c428749841db59cf53195e556c
>> >>
>> >> BookKeeper's KEYS file contains PGP keys we used to sign this
>> >> release:https://dist.apache.org/repos/dist/release/bookkeeper/KEYS
>> >>
>> >> Please download these packages and review this release candidate:
>> >>
>> >> - Review release notes
>> >> - Download the source package (verify md5, shasum, and asc) and follow
>> the
>> >> instructions to build and run the bookkeeper service.
>> >> - Download the binary package (verify md5, shasum, and asc) and follow
>> the
>> >> instructions to run the bookkeeper service.
>> >> - Review maven repo, release tag, licenses, and any other things you
>> think
>> >> it is important to a release.
>> >>
>> >> The vote will be open for at least 72 hours. It is adopted by majority
>> >> approval, with at least 3 PMC affirmative votes.
>> >>
>> >> Thanks,
>> >> Jia Zhai
>> >>
>> >> [1] *https://github.com/apache/bookkeeper/pull/759
>> >> <https://github.com/apache/bookkeeper/pull/759>*
>> >> [2] *https://dist.apache.org/repos/dist/dev/bookkeeper/
>> >> bookkeeper-4.6.0-rc2/
>> >> <https://dist.apache.org/repos/dist/dev/bookkeeper/
>> bookkeeper-4.6.0-rc2/>*
>> >> [3]
>> >> https://repository.apache.org/content/repositories/
>> >> orgapachebookkeeper-1023/
>> >> [4] https://github.com/apache/bookkeeper/tree/release-4.6.0
>> >>
>>

Re: [VOTE] Apache BookKeeper Release 4.6.0, release candidate #2

[Ivan Kelly <iv...@apache.org>]

Also, I can't find the source for libthrift. It seems to be a twitter
fork of the original apache libthrift, but there's nothing on
twitter's github. It is presumably ASL, but there's nothing to confirm
this.

-Ivan

On Mon, Dec 18, 2017 at 4:22 PM, Enrico Olivelli <eo...@gmail.com> wrote:
> 2017-12-18 16:20 GMT+01:00 Ivan Kelly <iv...@apache.org>:
>
>> -1 again I'm afraid. The JSR305 jar is unaccounted for. Source code is
>> hard to track down, but it turn up at
>> https://code.google.com/archive/p/jsr-305/source/default/source
>>
>> This jar is New BSD licensed, but also has some files under Creative
>> commons Attribution License, though they don't mention this in their
>> own LICENSE, which is strange and annoying.
>>
>> Do we even need this jar?
>>
>
> No, I am fighting against JSR305 in these days in my projects, it is a
> clone of javax.annotations and it is imported from findbugs/spotbugs
> annotations
> We can exclude it from the packaging
>
>
>
>>
>> -Ivan
>>
>> On Mon, Dec 18, 2017 at 2:57 PM, Enrico Olivelli <eo...@gmail.com>
>> wrote:
>> > 2017-12-18 2:00 GMT+01:00 Jia Zhai <zh...@apache.org>:
>> >
>> >> Hi everyone,
>> >>
>> >> Please review and vote on the release candidate #2 for the version
>> >> 4.6.0, as follows:
>> >> [ ] +1, Approve the release
>> >> [ ] -1, Do not approve the release (please provide specific comments)
>> >>
>> >
>> >
>> > +1 (non binding)
>> > Run tests from source package
>> > Checked signatures and md5/sha1 for staged artifacts
>> > Run test from my projects
>> > Run basic commands in the shell with a single machine cluster
>> > Started bookie with Prometheus stats provider
>> >
>> > I noticed an ephemeral port opened by the bookie but I can't remember the
>> > reason
>> >
>> > Thank you Jia
>> > Enrico
>> >
>> >
>> >
>> >>
>> >> This new release candidate mainly fixed the license issue.
>> >>
>> >> The complete staging area is available for your review, which includes:
>> >> * Release notes [1]
>> >> * The official Apache source and binary distributions to be deployed
>> >> to dist.apache.org [2]
>> >> * All artifacts to be deployed to the Maven Central Repository [3]
>> >> * Source code tag "release-4.6.0" [4] with sha
>> >> 0d6c21e0a88749c428749841db59cf53195e556c
>> >>
>> >> BookKeeper's KEYS file contains PGP keys we used to sign this
>> >> release:https://dist.apache.org/repos/dist/release/bookkeeper/KEYS
>> >>
>> >> Please download these packages and review this release candidate:
>> >>
>> >> - Review release notes
>> >> - Download the source package (verify md5, shasum, and asc) and follow
>> the
>> >> instructions to build and run the bookkeeper service.
>> >> - Download the binary package (verify md5, shasum, and asc) and follow
>> the
>> >> instructions to run the bookkeeper service.
>> >> - Review maven repo, release tag, licenses, and any other things you
>> think
>> >> it is important to a release.
>> >>
>> >> The vote will be open for at least 72 hours. It is adopted by majority
>> >> approval, with at least 3 PMC affirmative votes.
>> >>
>> >> Thanks,
>> >> Jia Zhai
>> >>
>> >> [1] *https://github.com/apache/bookkeeper/pull/759
>> >> <https://github.com/apache/bookkeeper/pull/759>*
>> >> [2] *https://dist.apache.org/repos/dist/dev/bookkeeper/
>> >> bookkeeper-4.6.0-rc2/
>> >> <https://dist.apache.org/repos/dist/dev/bookkeeper/
>> bookkeeper-4.6.0-rc2/>*
>> >> [3]
>> >> https://repository.apache.org/content/repositories/
>> >> orgapachebookkeeper-1023/
>> >> [4] https://github.com/apache/bookkeeper/tree/release-4.6.0
>> >>
>>

Re: [VOTE] Apache BookKeeper Release 4.6.0, release candidate #2

[Enrico Olivelli <eo...@gmail.com>]

2017-12-18 16:20 GMT+01:00 Ivan Kelly <iv...@apache.org>:

> -1 again I'm afraid. The JSR305 jar is unaccounted for. Source code is
> hard to track down, but it turn up at
> https://code.google.com/archive/p/jsr-305/source/default/source
>
> This jar is New BSD licensed, but also has some files under Creative
> commons Attribution License, though they don't mention this in their
> own LICENSE, which is strange and annoying.
>
> Do we even need this jar?
>

No, I am fighting against JSR305 in these days in my projects, it is a
clone of javax.annotations and it is imported from findbugs/spotbugs
annotations
We can exclude it from the packaging



>
> -Ivan
>
> On Mon, Dec 18, 2017 at 2:57 PM, Enrico Olivelli <eo...@gmail.com>
> wrote:
> > 2017-12-18 2:00 GMT+01:00 Jia Zhai <zh...@apache.org>:
> >
> >> Hi everyone,
> >>
> >> Please review and vote on the release candidate #2 for the version
> >> 4.6.0, as follows:
> >> [ ] +1, Approve the release
> >> [ ] -1, Do not approve the release (please provide specific comments)
> >>
> >
> >
> > +1 (non binding)
> > Run tests from source package
> > Checked signatures and md5/sha1 for staged artifacts
> > Run test from my projects
> > Run basic commands in the shell with a single machine cluster
> > Started bookie with Prometheus stats provider
> >
> > I noticed an ephemeral port opened by the bookie but I can't remember the
> > reason
> >
> > Thank you Jia
> > Enrico
> >
> >
> >
> >>
> >> This new release candidate mainly fixed the license issue.
> >>
> >> The complete staging area is available for your review, which includes:
> >> * Release notes [1]
> >> * The official Apache source and binary distributions to be deployed
> >> to dist.apache.org [2]
> >> * All artifacts to be deployed to the Maven Central Repository [3]
> >> * Source code tag "release-4.6.0" [4] with sha
> >> 0d6c21e0a88749c428749841db59cf53195e556c
> >>
> >> BookKeeper's KEYS file contains PGP keys we used to sign this
> >> release:https://dist.apache.org/repos/dist/release/bookkeeper/KEYS
> >>
> >> Please download these packages and review this release candidate:
> >>
> >> - Review release notes
> >> - Download the source package (verify md5, shasum, and asc) and follow
> the
> >> instructions to build and run the bookkeeper service.
> >> - Download the binary package (verify md5, shasum, and asc) and follow
> the
> >> instructions to run the bookkeeper service.
> >> - Review maven repo, release tag, licenses, and any other things you
> think
> >> it is important to a release.
> >>
> >> The vote will be open for at least 72 hours. It is adopted by majority
> >> approval, with at least 3 PMC affirmative votes.
> >>
> >> Thanks,
> >> Jia Zhai
> >>
> >> [1] *https://github.com/apache/bookkeeper/pull/759
> >> <https://github.com/apache/bookkeeper/pull/759>*
> >> [2] *https://dist.apache.org/repos/dist/dev/bookkeeper/
> >> bookkeeper-4.6.0-rc2/
> >> <https://dist.apache.org/repos/dist/dev/bookkeeper/
> bookkeeper-4.6.0-rc2/>*
> >> [3]
> >> https://repository.apache.org/content/repositories/
> >> orgapachebookkeeper-1023/
> >> [4] https://github.com/apache/bookkeeper/tree/release-4.6.0
> >>
>

Re: [VOTE] Apache BookKeeper Release 4.6.0, release candidate #2

[Ivan Kelly <iv...@apache.org>]

-1 again I'm afraid. The JSR305 jar is unaccounted for. Source code is
hard to track down, but it turn up at
https://code.google.com/archive/p/jsr-305/source/default/source

This jar is New BSD licensed, but also has some files under Creative
commons Attribution License, though they don't mention this in their
own LICENSE, which is strange and annoying.

Do we even need this jar?

-Ivan

On Mon, Dec 18, 2017 at 2:57 PM, Enrico Olivelli <eo...@gmail.com> wrote:
> 2017-12-18 2:00 GMT+01:00 Jia Zhai <zh...@apache.org>:
>
>> Hi everyone,
>>
>> Please review and vote on the release candidate #2 for the version
>> 4.6.0, as follows:
>> [ ] +1, Approve the release
>> [ ] -1, Do not approve the release (please provide specific comments)
>>
>
>
> +1 (non binding)
> Run tests from source package
> Checked signatures and md5/sha1 for staged artifacts
> Run test from my projects
> Run basic commands in the shell with a single machine cluster
> Started bookie with Prometheus stats provider
>
> I noticed an ephemeral port opened by the bookie but I can't remember the
> reason
>
> Thank you Jia
> Enrico
>
>
>
>>
>> This new release candidate mainly fixed the license issue.
>>
>> The complete staging area is available for your review, which includes:
>> * Release notes [1]
>> * The official Apache source and binary distributions to be deployed
>> to dist.apache.org [2]
>> * All artifacts to be deployed to the Maven Central Repository [3]
>> * Source code tag "release-4.6.0" [4] with sha
>> 0d6c21e0a88749c428749841db59cf53195e556c
>>
>> BookKeeper's KEYS file contains PGP keys we used to sign this
>> release:https://dist.apache.org/repos/dist/release/bookkeeper/KEYS
>>
>> Please download these packages and review this release candidate:
>>
>> - Review release notes
>> - Download the source package (verify md5, shasum, and asc) and follow the
>> instructions to build and run the bookkeeper service.
>> - Download the binary package (verify md5, shasum, and asc) and follow the
>> instructions to run the bookkeeper service.
>> - Review maven repo, release tag, licenses, and any other things you think
>> it is important to a release.
>>
>> The vote will be open for at least 72 hours. It is adopted by majority
>> approval, with at least 3 PMC affirmative votes.
>>
>> Thanks,
>> Jia Zhai
>>
>> [1] *https://github.com/apache/bookkeeper/pull/759
>> <https://github.com/apache/bookkeeper/pull/759>*
>> [2] *https://dist.apache.org/repos/dist/dev/bookkeeper/
>> bookkeeper-4.6.0-rc2/
>> <https://dist.apache.org/repos/dist/dev/bookkeeper/bookkeeper-4.6.0-rc2/>*
>> [3]
>> https://repository.apache.org/content/repositories/
>> orgapachebookkeeper-1023/
>> [4] https://github.com/apache/bookkeeper/tree/release-4.6.0
>>

Re: [VOTE] Apache BookKeeper Release 4.6.0, release candidate #2

[Enrico Olivelli <eo...@gmail.com>]

2017-12-18 2:00 GMT+01:00 Jia Zhai <zh...@apache.org>:

> Hi everyone,
>
> Please review and vote on the release candidate #2 for the version
> 4.6.0, as follows:
> [ ] +1, Approve the release
> [ ] -1, Do not approve the release (please provide specific comments)
>


+1 (non binding)
Run tests from source package
Checked signatures and md5/sha1 for staged artifacts
Run test from my projects
Run basic commands in the shell with a single machine cluster
Started bookie with Prometheus stats provider

I noticed an ephemeral port opened by the bookie but I can't remember the
reason

Thank you Jia
Enrico



>
> This new release candidate mainly fixed the license issue.
>
> The complete staging area is available for your review, which includes:
> * Release notes [1]
> * The official Apache source and binary distributions to be deployed
> to dist.apache.org [2]
> * All artifacts to be deployed to the Maven Central Repository [3]
> * Source code tag "release-4.6.0" [4] with sha
> 0d6c21e0a88749c428749841db59cf53195e556c
>
> BookKeeper's KEYS file contains PGP keys we used to sign this
> release:https://dist.apache.org/repos/dist/release/bookkeeper/KEYS
>
> Please download these packages and review this release candidate:
>
> - Review release notes
> - Download the source package (verify md5, shasum, and asc) and follow the
> instructions to build and run the bookkeeper service.
> - Download the binary package (verify md5, shasum, and asc) and follow the
> instructions to run the bookkeeper service.
> - Review maven repo, release tag, licenses, and any other things you think
> it is important to a release.
>
> The vote will be open for at least 72 hours. It is adopted by majority
> approval, with at least 3 PMC affirmative votes.
>
> Thanks,
> Jia Zhai
>
> [1] *https://github.com/apache/bookkeeper/pull/759
> <https://github.com/apache/bookkeeper/pull/759>*
> [2] *https://dist.apache.org/repos/dist/dev/bookkeeper/
> bookkeeper-4.6.0-rc2/
> <https://dist.apache.org/repos/dist/dev/bookkeeper/bookkeeper-4.6.0-rc2/>*
> [3]
> https://repository.apache.org/content/repositories/
> orgapachebookkeeper-1023/
> [4] https://github.com/apache/bookkeeper/tree/release-4.6.0
>