Posted to dev@mynewt.apache.org by Christopher Collins <ch...@runtime.io> on 2016/02/23 01:59:35 UTC

[VOTE] Release Mynewt 0.8.0-b1-incubating

Hello all,

I am pleased to be calling this vote for the source release of
mynewt-0.8.0-b1-incubating.

Apache Mynewt is a community-driven, permissively licensed open source
initiative for constrained, embedded applications.

The release candidate to be voted on is available at:

https://dist.apache.org/repos/dist/dev/incubator/mynewt/mynewt-0.8.0-b1-incubating/

The commits under consideration are as follows:

larva:
    repos: https://git-wip-us.apache.org/repos/asf/incubator-mynewt-larva
    commit: bd2db03ccbd019a20267459bf46ae1e1428f1f46

tadpole:
    repos: https://git-wip-us.apache.org/repos/asf/incubator-mynewt-tadpole
    commit: b00813ec355a0bc3681c232503aab92ea9157fa9

newt:
    repos: https://git-wip-us.apache.org/repos/asf/incubator-mynewt-newt
    commit: 27a92e159926778f24d19b0795307a34e05ec8ed

The release candidate is signed with a GPG key available at:

https://dist.apache.org/repos/dist/dev/incubator/mynewt/KEYS

The vote is open for at least 72 hours and passes if a majority of at least
three +1 PPMC votes are cast.

[ ] +1 Release this package
[ ]  0 I don't feel strongly about it, but don't object
[ ] -1 Do not release this package because...

Anyone can participate in testing and voting, not just committers, please feel
free to try out the release candidate and provide your votes.

A separate [DISCUSS] thread will be opened to talk about this release
candidate.

Thanks,
Chris

Re: [VOTE] Release Mynewt 0.8.0-b1-incubating

Posted by Sterling Hughes <st...@apache.org>.
Well let's hold off then and do a clean vote.  I don't think it's a good 
precedent for a first release to have a mentor vote -1, especially one 
who has been as involved/responsive as you have been.  If it helps, I'll 
also change my vote to -1 :-)

However, just so I know what needs to change to get you to a +1:

- release artifacts must include incubating in their names
- DISCLAIMER must be present
- review of hashes (per your note below)
- NOTICE: question on this one.  I said to remove it, as there was an 
admonition in the Apache documentation that said NOTICE file should not 
include unnecessary legal notices.  As far as Runtime is concerned, this 
notice is unnecessary -- although if the ASF finds it necessary, we're 
fine with it being there.
- Instructions to compile the source repos (this is covered in the 
documentation, but it shouldn't be hard to put this in text format in 
the source release.)
- Sign the artifacts with an apache email address
- Add apache to the name

Is that right?  All of these seem perfectly reasonable to me.  I just 
want to make sure we're chasing down the list.

Sterling

On 2/22/16 7:50 PM, Justin Mclean wrote:
> Hi,
>
> Sorry but it’s -1 (binding) from me.
>
> To be clear that doesn’t stop other people voting +1, and if you get 3+1 you can still put it up on the IPMC general list for a vote. You’re also welcome to try and change my mind, anyone can change their vote after initial voting. All the -1 means is I wouldn’t release it, but what makes a release good enough quality to release is going to vary from person to person and that’s all OK.
>
> I would however expect that in the current form it may not pass an IPMC vote. It’s very close however and there are only a couple of missing things.
>
> I checked:
> - release artefacts are missing incubating from their names [1][2]
> - signatures OK but not sure re hashes
> - missing DISCLAIMER in release artefacts [3]
> - LICENSE(s) all good
> - NOTICE good but missing original developer (runtime)
> - newt doesn’t have a README at the top level
> - no unexpected binary files in the releases
> - all Apache source files have Apache headers / no double headers I could find
> - not sure how to compile the source repos - some instruction on this in the releases would be nice
>
> How were the hashes generated?
>
> I’m seeing this:
> $ openssl sha1 larva-0.8.0-b1.tgz
> SHA1(larva-0.8.0-b1.tgz)= 99b15843d0a5af3f3d7dbdcb52afb80144ee1255
> $ cat larva-0.8.0-b1.tgz.sha
> /Users/ccollins/tmp/rel/bin/larva-0.8.0-b1.tgz:
> 51915329 EE9E17F8 7517C2B6 1C99268B 9AAA478D 2C85AA0B B036276D 4B980A11 9BE18DEB
>   471E762A A80CB4D5 7478390E 60A0EAE1 0481F723 5FFE83A8 6990D700
>
> You probably want to remove "/Users/ccollins/tmp/rel/bin/larva-0.8.0-b1.tgz:” from that file.
>
> Some possible improvements:
> - Re naming it's a good idea to add apache to the name as well as I believe it gives some extra legal protection / shows it’s an apache product.
> - It’s a good idea to sign the artefacts with an apache email address.
>
> Thanks,
> Justin
>
> 1. http://incubator.apache.org/guides/releasemanagement.html#naming
> 2. http://incubator.apache.org/incubation/Incubation_Policy.html#Releases (note the word MUST)
> 3. http://incubator.apache.org/guides/releasemanagement.html#check-list
>

Re: [VOTE] Release Mynewt 0.8.0-b1-incubating

Posted by Justin Mclean <ju...@classsoftware.com>.
Hi,

> These are actually generated using sha512:
> 
> gpg2 --print-md SHA512 larva-0.8.0-b1.tgz > larva-0.8.0-b1.tgz.sha

Ah it's sha512. Looks like openssl is a bit more friendly:
openssl dgst -sha512 larva-0.8.0-b1.tgz
SHA512(larva-0.8.0-b1.tgz)= 51915329ee9e17f87517c2b61c99268b9aaa478d2c85aa0bb036276d4b980a119be18deb471e762aa80cb4d57478390e60a0eae10481f7235ffe83a86990d700

It's the signing that’s more important. I’ve seen releases without sha hashes.

Thanks,
Justin
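
Added example (not from any poster in this thread, and not Apache or Mynewt tooling): a Python check that reads a `.sha` file in either layout quoted above, picks the digest algorithm from the hex length instead of assuming one, and compares it with the artifact. The function names are illustrative assumptions; the two sample strings are the outputs quoted in the thread.

```python
import hashlib
import hmac

# Hex digest length -> hashlib algorithm name.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 96: "sha384", 128: "sha512"}

# The two layouts quoted in the thread for the same artifact.
GPG_LAYOUT = """/Users/ccollins/tmp/rel/bin/larva-0.8.0-b1.tgz:
51915329 EE9E17F8 7517C2B6 1C99268B 9AAA478D 2C85AA0B B036276D 4B980A11 9BE18DEB
 471E762A A80CB4D5 7478390E 60A0EAE1 0481F723 5FFE83A8 6990D700
"""
OPENSSL_LAYOUT = (
    "SHA512(larva-0.8.0-b1.tgz)= 51915329ee9e17f87517c2b61c99268b9aaa478d2c85aa0b"
    "b036276d4b980a119be18deb471e762aa80cb4d57478390e60a0eae10481f7235ffe83a86990d700\n"
)


def parse_checksum(text):
    """Return (algorithm, lowercase hex digest) from either layout.

    The digest is whatever follows the last ':' (gpg --print-md) or '='
    (openssl dgst); grouping, line wraps and letter case are normalised away.
    """
    cut = max(text.rfind(":"), text.rfind("="))
    digest = "".join(text[cut + 1:].split()).lower()
    algo = ALGO_BY_HEX_LEN.get(len(digest))
    if algo is None or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("unrecognised checksum layout or digest length")
    return algo, digest


def verify_file(artifact_path, checksum_path):
    """Hash the artifact with the algorithm the checksum file implies."""
    with open(checksum_path, "r", encoding="utf-8") as fh:
        algo, expected = parse_checksum(fh.read())
    h = hashlib.new(algo)
    with open(artifact_path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected)


if __name__ == "__main__":
    # Both quoted outputs normalise to the same SHA-512 value.
    print(parse_checksum(GPG_LAYOUT) == parse_checksum(OPENSSL_LAYOUT))
```
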

Re: [VOTE] Release Mynewt 0.8.0-b1-incubating

Posted by Christopher Collins <ch...@runtime.io>.
On Tue, Feb 23, 2016 at 02:50:37PM +1100, Justin Mclean wrote:
> Hi,
> 
> Sorry but it’s -1 (binding) from me.
> 
> To be clear that doesn’t stop other people voting +1, and if you get
> 3+1 you can still put it up on the IPMC general list for a vote.
> You’re also welcome to try and change my mind, anyone can change their
> vote after initial voting. All the -1 means is I wouldn’t release it,
> but what makes a release good enough quality to release is going to
> vary from person to person and that’s all OK.

I think it is best to correct the issues you spotted, rather than try to
release something with known noncompliances.

> I checked:
> - release artefacts are missing incubating from their names [1][2]
> - missing DISCLAIMER in release artefacts [3]
> - NOTICE good but missing original developer (runtime)
> - newt doesn’t have a README at the top level
> - not sure how to compile the source repos - some instruction on this in the releases would be nice

OK, we will fix all the above (I snipped the criteria that you thought
looked OK).

> 
> How were the hashes generated?
> 
> I’m seeing this:
> $ openssl sha1 larva-0.8.0-b1.tgz
> SHA1(larva-0.8.0-b1.tgz)= 99b15843d0a5af3f3d7dbdcb52afb80144ee1255
> $ cat larva-0.8.0-b1.tgz.sha
> /Users/ccollins/tmp/rel/bin/larva-0.8.0-b1.tgz: 
> 51915329 EE9E17F8 7517C2B6 1C99268B 9AAA478D 2C85AA0B B036276D 4B980A11 9BE18DEB
>  471E762A A80CB4D5 7478390E 60A0EAE1 0481F723 5FFE83A8 6990D700

These are actually generated using sha512:

gpg2 --print-md SHA512 larva-0.8.0-b1.tgz > larva-0.8.0-b1.tgz.sha

Apparently gpg2 inserts the source file path in the SHA output.  I agree
that that is not the most helpful behavior, but I hadn't noticed it.
However, "compliance rocks" OKed the SHAs, and the above command is
actually what is recommended by the Apache release signing page
(http://www.apache.org/dev/release-signing.html#sha-checksum), so this
might not be an issue.  That said, it is probably more user-friendly to
remove the filename, so I will do that this next time.

> Some possible improvements:
> - Re naming it's a good idea to add apache to the name as well as I
> believe it gives some extra legal protection / shows it’s an apache
> product.
> - It’s a good idea to sign the artefacts with an apache email address.
> 
> Thanks,
> Justin
> 
> 1. http://incubator.apache.org/guides/releasemanagement.html#naming
> 2. http://incubator.apache.org/incubation/Incubation_Policy.html#Releases (note the word MUST)
> 3. http://incubator.apache.org/guides/releasemanagement.html#check-list

Re: [VOTE] Release Mynewt 0.8.0-b1-incubating

Posted by Justin Mclean <ju...@me.com>.
Hi,

Sorry but it’s -1 (binding) from me.

To be clear that doesn’t stop other people voting +1, and if you get 3+1 you can still put it up on the IPMC general list for a vote. You’re also welcome to try and change my mind, anyone can change their vote after initial voting. All the -1 means is I wouldn’t release it, but what makes a release good enough quality to release is going to vary from person to person and that’s all OK.

I would however expect that in the current form it may not pass an IPMC vote. It’s very close however and there are only a couple of missing things.

I checked:
- release artefacts are missing incubating from their names [1][2]
- signatures OK but not sure re hashes
- missing DISCLAIMER in release artefacts [3]
- LICENSE(s) all good
- NOTICE good but missing original developer (runtime)
- newt doesn’t have a README at the top level
- no unexpected binary files in the releases
- all Apache source files have Apache headers / no double headers I could find
- not sure how to compile the source repos - some instruction on this in the releases would be nice

How were the hashes generated?

I’m seeing this:
$ openssl sha1 larva-0.8.0-b1.tgz
SHA1(larva-0.8.0-b1.tgz)= 99b15843d0a5af3f3d7dbdcb52afb80144ee1255
$ cat larva-0.8.0-b1.tgz.sha
/Users/ccollins/tmp/rel/bin/larva-0.8.0-b1.tgz: 
51915329 EE9E17F8 7517C2B6 1C99268B 9AAA478D 2C85AA0B B036276D 4B980A11 9BE18DEB
 471E762A A80CB4D5 7478390E 60A0EAE1 0481F723 5FFE83A8 6990D700

You probably want to remove "/Users/ccollins/tmp/rel/bin/larva-0.8.0-b1.tgz:” from that file.

Some possible improvements:
- Re naming it's a good idea to add apache to the name as well as I believe it gives some extra legal protection / shows it’s an apache product.
- It’s a good idea to sign the artefacts with an apache email address.

Thanks,
Justin

1. http://incubator.apache.org/guides/releasemanagement.html#naming
2. http://incubator.apache.org/incubation/Incubation_Policy.html#Releases (note the word MUST)
3. http://incubator.apache.org/guides/releasemanagement.html#check-list

Re: [VOTE] Release Mynewt 0.8.0-b1-incubating

Posted by Sterling Hughes <st...@apache.org>.

On 2/22/16 4:59 PM, Christopher Collins wrote:
> Hello all,
>
> I am pleased to be calling this vote for the source release of
> mynewt-0.8.0-b1-incubating.
>
> Apache Mynewt is a community-driven, permissively licensed open source
> initiative for constrained, embedded applications.
>
> The release candidate to be voted on is available at:
>
> https://dist.apache.org/repos/dist/dev/incubator/mynewt/mynewt-0.8.0-b1-incubating/
>
> The commits under consideration are as follows:
>
> larva:
>      repos: https://git-wip-us.apache.org/repos/asf/incubator-mynewt-larva
>      commit: bd2db03ccbd019a20267459bf46ae1e1428f1f46
>
> tadpole:
>      repos: https://git-wip-us.apache.org/repos/asf/incubator-mynewt-tadpole
>      commit: b00813ec355a0bc3681c232503aab92ea9157fa9
>
> newt:
>      repos: https://git-wip-us.apache.org/repos/asf/incubator-mynewt-newt
>      commit: 27a92e159926778f24d19b0795307a34e05ec8ed
>
> The release candidate is signed with a GPG key available at:
>
> https://dist.apache.org/repos/dist/dev/incubator/mynewt/KEYS
>
> The vote is open for at least 72 hours and passes if a majority of at least
> three +1 PPMC votes are cast.
>
> [ ] +1 Release this package

+1 release it!

Sterling

[VOTE][CANCEL] Release Mynewt 0.8.0-b1-incubating

Posted by Christopher Collins <ch...@runtime.io>.
Voting for the release of 0.8.0-b1-incubating has been canceled due to
some compliance issues.  A new vote will be called later today.

Thanks,
Chris

On Mon, Feb 22, 2016 at 04:59:35PM -0800, Christopher Collins wrote:
> Hello all,
> 
> I am pleased to be calling this vote for the source release of
> mynewt-0.8.0-b1-incubating.
> 
> Apache Mynewt is a community-driven, permissively licensed open source
> initiative for constrained, embedded applications.
> 
> The release candidate to be voted on is available at:
> 
> https://dist.apache.org/repos/dist/dev/incubator/mynewt/mynewt-0.8.0-b1-incubating/
> 
> The commits under consideration are as follows:
> 
> larva:
>     repos: https://git-wip-us.apache.org/repos/asf/incubator-mynewt-larva
>     commit: bd2db03ccbd019a20267459bf46ae1e1428f1f46
> 
> tadpole:
>     repos: https://git-wip-us.apache.org/repos/asf/incubator-mynewt-tadpole
>     commit: b00813ec355a0bc3681c232503aab92ea9157fa9
> 
> newt:
>     repos: https://git-wip-us.apache.org/repos/asf/incubator-mynewt-newt
>     commit: 27a92e159926778f24d19b0795307a34e05ec8ed
> 
> The release candidate is signed with a GPG key available at:
> 
> https://dist.apache.org/repos/dist/dev/incubator/mynewt/KEYS
> 
> The vote is open for at least 72 hours and passes if a majority of at least
> three +1 PPMC votes are cast.
> 
> [ ] +1 Release this package
> [ ]  0 I don't feel strongly about it, but don't object
> [ ] -1 Do not release this package because...
> 
> Anyone can participate in testing and voting, not just committers, please feel
> free to try out the release candidate and provide your votes.
> 
> A separate [DISCUSS] thread will be opened to talk about this release
> candidate.
> 
> Thanks,
> Chris