Posted to dev@sentry.apache.org by Sravya Tirukkovalur <sr...@cloudera.com> on 2015/11/28 07:25:14 UTC

[DISCUSS] Sentry maturity assessment document

Hi folks,

Here is the initial draft of Sentry maturity assessment:
https://cwiki.apache.org/confluence/display/SENTRY/Sentry+maturity+assessment

Mentors & community members: Your feedback is valuable here. Looking
forward to constructive criticism if any, which can help the Sentry
community and its graduation.

Also, I had a couple quick questions while drafting this.
1. How do projects usually keep track of list of external dependencies? Is
it just reading through the maven pom file? Or is there a standard way?
2. What is the source of truth for ICLAs? How do we double check all new
committers have ICLAs filed apart from reading through the private mail
archives?

Regards,
-- 
Sravya Tirukkovalur

Re: [DISCUSS] Sentry maturity assessment document

Posted by Sravya Tirukkovalur <sr...@cloudera.com>.
Thanks for the idea, Lenni! I did reach out on general@ and it looks like [1] we
do not need to deal with licenses of external dependencies as they are not
part of our source release as long as they are Apache compatible. So we are
good.

[1]:
http://mail-archives.apache.org/mod_mbox/incubator-general/201601.mbox/%3C58DC821E-9418-4CD5-B99C-EE51364C2684%40classsoftware.com%3E

On Mon, Jan 25, 2016 at 12:33 PM, Lenni Kuff <ls...@cloudera.com> wrote:

> Hi Sravya,
> You might want to ask this question on general@ to understand how other
> projects handle this and what the requirements are.
>
> Thanks,
> Lenni
>
> On Mon, Jan 25, 2016 at 11:55 AM, Sravya Tirukkovalur <sravya@cloudera.com
> >
> wrote:
>
> > Here is the Apache policy for MIT and BSD licensed dependencies:
> > http://www.apache.org/legal/resolved.html#category-a
> > "Many of these licenses have specific attribution terms that need to be
> > adhered to, for example CC-A, often by adding them to the NOTICE file.
> > Ensure you are doing this when including these works."
> >
> > Do any of you know what are the specific attribution terms for MIT
> and
> > BSD licenses? And should we follow them for test dependencies? Also, I
> see
> > some of the dependencies are not marked test scoped in the poms, should
> we
> > fix them?
> >
> > And here is the policy for Eclipse:
> > http://www.apache.org/legal/resolved.html#category-b
> > "Each license in this category requires some degree of reciprocity or
> other
> > restriction on use ". Not entirely sure what is required here.
> >
> >
> > On Mon, Jan 25, 2016 at 11:46 AM, Sravya Tirukkovalur <
> sravya@cloudera.com
> > >
> > wrote:
> >
> > > Plugin, "analyze-report" did not work for Sentry, also it generates the
> > > dependencies but not the licenses. Filed Sentry-1029 to track
> automating
> > > this process of generating dependencies as well as their licenses.
> > >
> > > Here is the list of external dependencies which I manually compiled for
> > > now:
> > >
> >
> https://cwiki.apache.org/confluence/display/SENTRY/External+dependencies+and+Licenses
> > >
> > > Can someone please double check the accuracy?
> > >
> > > Looking at the list, looks like it would be best to make sure the non
> Apache
> > > licensed dependencies are attributed and handled well? By the way, all
> of
> > > these seem like test dependencies.
> > >
> > > Easymock (MIT)
> > >
> > > Mockito (MIT)
> > >
> > > Slf4j (MIT)
> > >
> > > Hamcrest (BSD)
> > >
> > > Junit (Eclipse)
> > >
> > > One thing to note is Sentry makes source only releases, not sure if it
> > > changes how we handle licenses of dependencies.
> > >
> > > On Fri, Jan 22, 2016 at 5:06 PM, Lenni Kuff <ls...@cloudera.com>
> wrote:
> > >
> > >> Thanks for the updates Sravya, looks good.
> > >>
> > >> Yes, we should document the dependencies someplace; putting them on a
> > wiki
> > >> is probably okay for now, but it will likely change fairly frequently.
> > >> Would be good to have some automation around this - the Maven
> dependency
> > >> plugin has support for generating a report on all dependencies:
> > >>
> > >>
> >
> https://maven.apache.org/plugins/maven-dependency-plugin/analyze-report-mojo.html
> > >>
> > >> Example output:
> > >>
> > >>
> >
> https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/dependency-analysis.html
> > >>
> > >> We should consider doing something similar.
> > >>
> > >> Thanks,
> > >> Lenni
> > >>
> > >>
> > >> On Fri, Jan 22, 2016 at 4:54 PM, Sravya Tirukkovalur <
> > sravya@cloudera.com
> > >> >
> > >> wrote:
> > >>
> > >> > Thanks Lenni for your feedback! Added some data points (links) to
> the
> > >> doc.
> > >> >
> > >> > For the external dependencies, here is the list I got using "mvn
> clean
> > >> > dependency:list -DexcludeTransitive=true" and doing some cleaning up
> > for
> > >> > duplicates:
> > >> >
> > >> > ant-contrib
> > >> >
> > >> > cglib
> > >> >
> > >> > com.google.guava
> > >> >
> > >> > com.jolbox
> > >> >
> > >> > commons-cli
> > >> >
> > >> > commons-lang
> > >> >
> > >> > commons-logging
> > >> >
> > >> > io.dropwizard.metrics
> > >> >
> > >> > javax.jdo
> > >> >
> > >> > joda-time
> > >> >
> > >> > junit
> > >> >
> > >> > log4j
> > >> >
> > >> > org.apache.commons
> > >> >
> > >> > org.apache.curator
> > >> >
> > >> > org.apache.derby
> > >> >
> > >> > org.apache.hadoop
> > >> >
> > >> > org.apache.hive.hcatalog
> > >> >
> > >> > org.apache.hive
> > >> >
> > >> > org.apache.pig
> > >> >
> > >> > org.apache.sentry
> > >> >
> > >> > org.apache.shiro
> > >> >
> > >> > org.apache.solr
> > >> >
> > >> > org.apache.sqoop
> > >> >
> > >> > org.apache.thrift
> > >> >
> > >> > org.apache.zookeeper
> > >> >
> > >> > org.datanucleus
> > >> >
> > >> > org.easymock
> > >> >
> > >> > org.easytesting
> > >> >
> > >> > org.eclipse.jetty
> > >> >
> > >> > org.hamcrest
> > >> >
> > >> > org.mockito
> > >> >
> > >> > org.objenesis
> > >> > org.slf4j
> > >> >
> > >> > I do not see anything except for junit in our proposal document. I
> > >> think we
> > >> > should document these dependencies and their licenses somewhere?
> > >> >
> > >> > Thanks!
> > >> >
> > >> > On Wed, Jan 20, 2016 at 4:41 PM, Lenni Kuff <ls...@cloudera.com>
> > >> wrote:
> > >> >
> > >> > > Hi Sravya,
> > >> > > Thanks for putting together this document, it's very useful. With
> > >> respect
> > >> > > to your comments:
> > >> > >
> > >> > > 1) Dependencies - Not sure if there is a better way, but you can
> run
> > >> > > something like:
> > >> > >             *>* *mvn clean dependency:list
> -DexcludeTransitive=true*
> > >> > >     to get a listing of all the current dependencies specified in
> > the
> > >> > > project.
> > >> > >
> > >> > >
> > >> > > 2) Only comments in the doc are to point out links to back up your
> > >> point
> > >> > > where relevant.
> > >> > >
> > >> > > Thanks,
> > >> > > Lenni
> > >> > >
> > >> > > On Wed, Jan 20, 2016 at 2:53 PM, Sravya Tirukkovalur <
> > >> > sravya@cloudera.com>
> > >> > > wrote:
> > >> > >
> > >> > > > Hello all,
> > >> > > >
> > >> > > > Bumping up this thread after the holiday season. Please take a
> > look
> > >> and
> > >> > > > provide feedback.
> > >> > > >
> > >> > > > Also I updated the doc to capture the vote for Committer ==
> PPMC.
> > >> > > >
> > >> > > > I still have one outstanding question:
> > >> > > > - How do projects usually keep track of list of external
> > >> dependencies
> > >> > for
> > >> > > > license checking? Is it just reading through the maven pom file?
> > Or
> > >> is
> > >> > > > there a standard way?
> > >> > > >
> > >> > > > I think I figured the answer for this question - What is the
> > source
> > >> of
> > >> > > > truth for ICLAs? How do we double check all new committers have
> > >> ICLAs
> > >> > > > filed?
> > >> > > > - Members with ICLAs filed and in Sentry group should appear
> here:
> > >> > > > http://people.apache.org/committers-by-project.html#sentry
> > >> > > >
> > >> > > > On Fri, Nov 27, 2015 at 10:25 PM, Sravya Tirukkovalur <
> > >> > > sravya@cloudera.com
> > >> > > > >
> > >> > > > wrote:
> > >> > > >
> > >> > > > > Hi folks,
> > >> > > > >
> > >> > > > > Here is the initial draft of Sentry maturity assessment:
> > >> > > > >
> > >> > > >
> > >> > >
> > >> >
> > >>
> >
> https://cwiki.apache.org/confluence/display/SENTRY/Sentry+maturity+assessment
> > >> > > > >
> > >> > > > > Mentors & community members: Your feedback is valuable here.
> > >> Looking
> > >> > > > > forward to constructive criticism if any, which can help the
> > >> Sentry
> > >> > > > > community and its graduation.
> > >> > > > >
> > >> > > > > Also, I had a couple quick questions while drafting this.
> > >> > > > > 1. How do projects usually keep track of list of external
> > >> > dependencies?
> > >> > > > Is
> > >> > > > > it just reading through the maven pom file? Or is there a
> > standard
> > >> > way?
> > >> > > > > 2. What is the source of truth for ICLAs? How do we double
> check
> > >> all
> > >> > > new
> > >> > > > > committers have ICLAs filed apart from reading through the
> > private
> > >> > mail
> > >> > > > > archives?
> > >> > > > >
> > >> > > > > Regards,
> > >> > > > > --
> > >> > > > > Sravya Tirukkovalur
> > >> > > > >
> > >> > > >
> > >> > > >
> > >> > > >
> > >> > > > --
> > >> > > > Sravya Tirukkovalur
> > >> > > >
> > >> > >
> > >> >
> > >> >
> > >> >
> > >> > --
> > >> > Sravya Tirukkovalur
> > >> >
> > >>
> > >
> > >
> > >
> > > --
> > > Sravya Tirukkovalur
> > >
> >
> >
> >
> > --
> > Sravya Tirukkovalur
> >
>



-- 
Sravya Tirukkovalur

Re: [DISCUSS] Sentry maturity assessment document

Posted by Lenni Kuff <ls...@cloudera.com>.
Hi Sravya,
You might want to ask this question on general@ to understand how other
projects handle this and what the requirements are.

Thanks,
Lenni

On Mon, Jan 25, 2016 at 11:55 AM, Sravya Tirukkovalur <sr...@cloudera.com>
wrote:

> Here is the Apache policy for MIT and BSD licensed dependencies:
> http://www.apache.org/legal/resolved.html#category-a
> "Many of these licenses have specific attribution terms that need to be
> adhered to, for example CC-A, often by adding them to the NOTICE file.
> Ensure you are doing this when including these works."
>
> Do any of you know what are the specific attribution terms for MIT and
> BSD licenses? And should we follow them for test dependencies? Also, I see
> some of the dependencies are not marked test scoped in the poms, should we
> fix them?
>
> And here is the policy for Eclipse:
> http://www.apache.org/legal/resolved.html#category-b
> "Each license in this category requires some degree of reciprocity or other
> restriction on use ". Not entirely sure what is required here.
>
>
> On Mon, Jan 25, 2016 at 11:46 AM, Sravya Tirukkovalur <sravya@cloudera.com
> >
> wrote:
>
> > Plugin, "analyze-report" did not work for Sentry, also it generates the
> > dependencies but not the licenses. Filed Sentry-1029 to track automating
> > this process of generating dependencies as well as their licenses.
> >
> > Here is the list of external dependencies which I manually compiled for
> > now:
> >
> https://cwiki.apache.org/confluence/display/SENTRY/External+dependencies+and+Licenses
> >
> > Can someone please double check the accuracy?
> >
> > Looking at the list, looks like it would be best to make sure the non Apache
> > licensed dependencies are attributed and handled well? By the way, all of
> > these seem like test dependencies.
> >
> > Easymock (MIT)
> >
> > Mockito (MIT)
> >
> > Slf4j (MIT)
> >
> > Hamcrest (BSD)
> >
> > Junit (Eclipse)
> >
> > One thing to note is Sentry makes source only releases, not sure if it
> > changes how we handle licenses of dependencies.
> >
> > On Fri, Jan 22, 2016 at 5:06 PM, Lenni Kuff <ls...@cloudera.com> wrote:
> >
> >> Thanks for the updates Sravya, looks good.
> >>
> >> Yes, we should document the dependencies someplace; putting them on a
> wiki
> >> is probably okay for now, but it will likely change fairly frequently.
> >> Would be good to have some automation around this - the Maven dependency
> >> plugin has support for generating a report on all dependencies:
> >>
> >>
> https://maven.apache.org/plugins/maven-dependency-plugin/analyze-report-mojo.html
> >>
> >> Example output:
> >>
> >>
> https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/dependency-analysis.html
> >>
> >> We should consider doing something similar.
> >>
> >> Thanks,
> >> Lenni
> >>
> >>
> >> On Fri, Jan 22, 2016 at 4:54 PM, Sravya Tirukkovalur <
> sravya@cloudera.com
> >> >
> >> wrote:
> >>
> >> > Thanks Lenni for your feedback! Added some data points (links) to the
> >> doc.
> >> >
> >> > For the external dependencies, here is the list I got using "mvn clean
> >> > dependency:list -DexcludeTransitive=true" and doing some cleaning up
> for
> >> > duplicates:
> >> >
> >> > ant-contrib
> >> >
> >> > cglib
> >> >
> >> > com.google.guava
> >> >
> >> > com.jolbox
> >> >
> >> > commons-cli
> >> >
> >> > commons-lang
> >> >
> >> > commons-logging
> >> >
> >> > io.dropwizard.metrics
> >> >
> >> > javax.jdo
> >> >
> >> > joda-time
> >> >
> >> > junit
> >> >
> >> > log4j
> >> >
> >> > org.apache.commons
> >> >
> >> > org.apache.curator
> >> >
> >> > org.apache.derby
> >> >
> >> > org.apache.hadoop
> >> >
> >> > org.apache.hive.hcatalog
> >> >
> >> > org.apache.hive
> >> >
> >> > org.apache.pig
> >> >
> >> > org.apache.sentry
> >> >
> >> > org.apache.shiro
> >> >
> >> > org.apache.solr
> >> >
> >> > org.apache.sqoop
> >> >
> >> > org.apache.thrift
> >> >
> >> > org.apache.zookeeper
> >> >
> >> > org.datanucleus
> >> >
> >> > org.easymock
> >> >
> >> > org.easytesting
> >> >
> >> > org.eclipse.jetty
> >> >
> >> > org.hamcrest
> >> >
> >> > org.mockito
> >> >
> >> > org.objenesis
> >> > org.slf4j
> >> >
> >> > I do not see anything except for junit in our proposal document. I
> >> think we
> >> > should document these dependencies and their licenses somewhere?
> >> >
> >> > Thanks!
> >> >
> >> > On Wed, Jan 20, 2016 at 4:41 PM, Lenni Kuff <ls...@cloudera.com>
> >> wrote:
> >> >
> >> > > Hi Sravya,
> >> > > Thanks for putting together this document, it's very useful. With
> >> respect
> >> > > to your comments:
> >> > >
> >> > > 1) Dependencies - Not sure if there is a better way, but you can run
> >> > > something like:
> >> > >             *>* *mvn clean dependency:list -DexcludeTransitive=true*
> >> > >     to get a listing of all the current dependencies specified in
> the
> >> > > project.
> >> > >
> >> > >
> >> > > 2) Only comments in the doc are to point out links to back up your
> >> point
> >> > > where relevant.
> >> > >
> >> > > Thanks,
> >> > > Lenni
> >> > >
> >> > > On Wed, Jan 20, 2016 at 2:53 PM, Sravya Tirukkovalur <
> >> > sravya@cloudera.com>
> >> > > wrote:
> >> > >
> >> > > > Hello all,
> >> > > >
> >> > > > Bumping up this thread after the holiday season. Please take a
> look
> >> and
> >> > > > provide feedback.
> >> > > >
> >> > > > Also I updated the doc to capture the vote for Committer == PPMC.
> >> > > >
> >> > > > I still have one outstanding question:
> >> > > > - How do projects usually keep track of list of external
> >> dependencies
> >> > for
> >> > > > license checking? Is it just reading through the maven pom file?
> Or
> >> is
> >> > > > there a standard way?
> >> > > >
> >> > > > I think I figured the answer for this question - What is the
> source
> >> of
> >> > > > truth for ICLAs? How do we double check all new committers have
> >> ICLAs
> >> > > > filed?
> >> > > > - Members with ICLAs filed and in Sentry group should appear here:
> >> > > > http://people.apache.org/committers-by-project.html#sentry
> >> > > >
> >> > > > On Fri, Nov 27, 2015 at 10:25 PM, Sravya Tirukkovalur <
> >> > > sravya@cloudera.com
> >> > > > >
> >> > > > wrote:
> >> > > >
> >> > > > > Hi folks,
> >> > > > >
> >> > > > > Here is the initial draft of Sentry maturity assessment:
> >> > > > >
> >> > > >
> >> > >
> >> >
> >>
> https://cwiki.apache.org/confluence/display/SENTRY/Sentry+maturity+assessment
> >> > > > >
> >> > > > > Mentors & community members: Your feedback is valuable here.
> >> Looking
> >> > > > > forward to constructive criticism if any, which can help the
> >> Sentry
> >> > > > > community and its graduation.
> >> > > > >
> >> > > > > Also, I had a couple quick questions while drafting this.
> >> > > > > 1. How do projects usually keep track of list of external
> >> > dependencies?
> >> > > > Is
> >> > > > > it just reading through the maven pom file? Or is there a
> standard
> >> > way?
> >> > > > > 2. What is the source of truth for ICLAs? How do we double check
> >> all
> >> > > new
> >> > > > > committers have ICLAs filed apart from reading through the
> private
> >> > mail
> >> > > > > archives?
> >> > > > >
> >> > > > > Regards,
> >> > > > > --
> >> > > > > Sravya Tirukkovalur
> >> > > > >
> >> > > >
> >> > > >
> >> > > >
> >> > > > --
> >> > > > Sravya Tirukkovalur
> >> > > >
> >> > >
> >> >
> >> >
> >> >
> >> > --
> >> > Sravya Tirukkovalur
> >> >
> >>
> >
> >
> >
> > --
> > Sravya Tirukkovalur
> >
>
>
>
> --
> Sravya Tirukkovalur
>

Re: [DISCUSS] Sentry maturity assessment document

Posted by Sravya Tirukkovalur <sr...@cloudera.com>.
Here is the Apache policy for MIT and BSD licensed dependencies:
http://www.apache.org/legal/resolved.html#category-a
"Many of these licenses have specific attribution terms that need to be
adhered to, for example CC-A, often by adding them to the NOTICE file.
Ensure you are doing this when including these works."

Do any of you know what are the specific attribution terms for MIT and
BSD licenses? And should we follow them for test dependencies? Also, I see
some of the dependencies are not marked test scoped in the poms, should we
fix them?

And here is the policy for Eclipse:
http://www.apache.org/legal/resolved.html#category-b
"Each license in this category requires some degree of reciprocity or other
restriction on use ". Not entirely sure what is required here.


On Mon, Jan 25, 2016 at 11:46 AM, Sravya Tirukkovalur <sr...@cloudera.com>
wrote:

> Plugin, "analyze-report" did not work for Sentry, also it generates the
> dependencies but not the licenses. Filed Sentry-1029 to track automating
> this process of generating dependencies as well as their licenses.
>
> Here is the list of external dependencies which I manually compiled for
> now:
> https://cwiki.apache.org/confluence/display/SENTRY/External+dependencies+and+Licenses
>
> Can someone please double check the accuracy?
>
> Looking at the list, looks like it would be best to make sure the non Apache
> licensed dependencies are attributed and handled well? By the way, all of
> these seem like test dependencies.
>
> Easymock (MIT)
>
> Mockito (MIT)
>
> Slf4j (MIT)
>
> Hamcrest (BSD)
>
> Junit (Eclipse)
>
> One thing to note is Sentry makes source only releases, not sure if it
> changes how we handle licenses of dependencies.
>
> On Fri, Jan 22, 2016 at 5:06 PM, Lenni Kuff <ls...@cloudera.com> wrote:
>
>> Thanks for the updates Sravya, looks good.
>>
>> Yes, we should document the dependencies someplace; putting them on a wiki
>> is probably okay for now, but it will likely change fairly frequently.
>> Would be good to have some automation around this - the Maven dependency
>> plugin has support for generating a report on all dependencies:
>>
>> https://maven.apache.org/plugins/maven-dependency-plugin/analyze-report-mojo.html
>>
>> Example output:
>>
>> https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/dependency-analysis.html
>>
>> We should consider doing something similar.
>>
>> Thanks,
>> Lenni
>>
>>
>> On Fri, Jan 22, 2016 at 4:54 PM, Sravya Tirukkovalur <sravya@cloudera.com
>> >
>> wrote:
>>
>> > Thanks Lenni for your feedback! Added some data points (links) to the
>> doc.
>> >
>> > For the external dependencies, here is the list I got using "mvn clean
>> > dependency:list -DexcludeTransitive=true" and doing some cleaning up for
>> > duplicates:
>> >
>> > ant-contrib
>> >
>> > cglib
>> >
>> > com.google.guava
>> >
>> > com.jolbox
>> >
>> > commons-cli
>> >
>> > commons-lang
>> >
>> > commons-logging
>> >
>> > io.dropwizard.metrics
>> >
>> > javax.jdo
>> >
>> > joda-time
>> >
>> > junit
>> >
>> > log4j
>> >
>> > org.apache.commons
>> >
>> > org.apache.curator
>> >
>> > org.apache.derby
>> >
>> > org.apache.hadoop
>> >
>> > org.apache.hive.hcatalog
>> >
>> > org.apache.hive
>> >
>> > org.apache.pig
>> >
>> > org.apache.sentry
>> >
>> > org.apache.shiro
>> >
>> > org.apache.solr
>> >
>> > org.apache.sqoop
>> >
>> > org.apache.thrift
>> >
>> > org.apache.zookeeper
>> >
>> > org.datanucleus
>> >
>> > org.easymock
>> >
>> > org.easytesting
>> >
>> > org.eclipse.jetty
>> >
>> > org.hamcrest
>> >
>> > org.mockito
>> >
>> > org.objenesis
>> > org.slf4j
>> >
>> > I do not see anything except for junit in our proposal document. I
>> think we
>> > should document these dependencies and their licenses somewhere?
>> >
>> > Thanks!
>> >
>> > On Wed, Jan 20, 2016 at 4:41 PM, Lenni Kuff <ls...@cloudera.com>
>> wrote:
>> >
>> > > Hi Sravya,
>> > > Thanks for putting together this document, it's very useful. With
>> respect
>> > > to your comments:
>> > >
>> > > 1) Dependencies - Not sure if there is a better way, but you can run
>> > > something like:
>> > >             *>* *mvn clean dependency:list -DexcludeTransitive=true*
>> > >     to get a listing of all the current dependencies specified in the
>> > > project.
>> > >
>> > >
>> > > 2) Only comments in the doc are to point out links to back up your
>> point
>> > > where relevant.
>> > >
>> > > Thanks,
>> > > Lenni
>> > >
>> > > On Wed, Jan 20, 2016 at 2:53 PM, Sravya Tirukkovalur <
>> > sravya@cloudera.com>
>> > > wrote:
>> > >
>> > > > Hello all,
>> > > >
>> > > > Bumping up this thread after the holiday season. Please take a look
>> and
>> > > > provide feedback.
>> > > >
>> > > > Also I updated the doc to capture the vote for Committer == PPMC.
>> > > >
>> > > > I still have one outstanding question:
>> > > > - How do projects usually keep track of list of external
>> dependencies
>> > for
>> > > > license checking? Is it just reading through the maven pom file? Or
>> is
>> > > > there a standard way?
>> > > >
>> > > > I think I figured the answer for this question - What is the source
>> of
>> > > > truth for ICLAs? How do we double check all new committers have
>> ICLAs
>> > > > filed?
>> > > > - Members with ICLAs filed and in Sentry group should appear here:
>> > > > http://people.apache.org/committers-by-project.html#sentry
>> > > >
>> > > > On Fri, Nov 27, 2015 at 10:25 PM, Sravya Tirukkovalur <
>> > > sravya@cloudera.com
>> > > > >
>> > > > wrote:
>> > > >
>> > > > > Hi folks,
>> > > > >
>> > > > > Here is the initial draft of Sentry maturity assessment:
>> > > > >
>> > > >
>> > >
>> >
>> https://cwiki.apache.org/confluence/display/SENTRY/Sentry+maturity+assessment
>> > > > >
>> > > > > Mentors & community members: Your feedback is valuable here.
>> Looking
>> > > > > forward to constructive criticism if any, which can help the
>> Sentry
>> > > > > community and its graduation.
>> > > > >
>> > > > > Also, I had a couple quick questions while drafting this.
>> > > > > 1. How do projects usually keep track of list of external
>> > dependencies?
>> > > > Is
>> > > > > it just reading through the maven pom file? Or is there a standard
>> > way?
>> > > > > 2. What is the source of truth for ICLAs? How do we double check
>> all
>> > > new
>> > > > > committers have ICLAs filed apart from reading through the private
>> > mail
>> > > > > archives?
>> > > > >
>> > > > > Regards,
>> > > > > --
>> > > > > Sravya Tirukkovalur
>> > > > >
>> > > >
>> > > >
>> > > >
>> > > > --
>> > > > Sravya Tirukkovalur
>> > > >
>> > >
>> >
>> >
>> >
>> > --
>> > Sravya Tirukkovalur
>> >
>>
>
>
>
> --
> Sravya Tirukkovalur
>



-- 
Sravya Tirukkovalur

Re: [DISCUSS] Sentry maturity assessment document

Posted by Sravya Tirukkovalur <sr...@cloudera.com>.
Plugin, "analyze-report" did not work for Sentry, also it generates the
dependencies but not the licenses. Filed Sentry-1029 to track automating
this process of generating dependencies as well as their licenses.

Here is the list of external dependencies which I manually compiled for
now:
https://cwiki.apache.org/confluence/display/SENTRY/External+dependencies+and+Licenses

Can someone please double check the accuracy?

Looking at the list, looks like it would be best to make sure the non Apache
licensed dependencies are attributed and handled well? By the way, all of
these seem like test dependencies.

Easymock (MIT)

Mockito (MIT)

Slf4j (MIT)

Hamcrest (BSD)

Junit (Eclipse)

One thing to note is Sentry makes source only releases, not sure if it
changes how we handle licenses of dependencies.

On Fri, Jan 22, 2016 at 5:06 PM, Lenni Kuff <ls...@cloudera.com> wrote:

> Thanks for the updates Sravya, looks good.
>
> Yes, we should document the dependencies someplace; putting them on a wiki
> is probably okay for now, but it will likely change fairly frequently.
> Would be good to have some automation around this - the Maven dependency
> plugin has support for generating a report on all dependencies:
>
> https://maven.apache.org/plugins/maven-dependency-plugin/analyze-report-mojo.html
>
> Example output:
>
> https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/dependency-analysis.html
>
> We should consider doing something similar.
>
> Thanks,
> Lenni
>
>
> On Fri, Jan 22, 2016 at 4:54 PM, Sravya Tirukkovalur <sr...@cloudera.com>
> wrote:
>
> > Thanks Lenni for your feedback! Added some data points (links) to the
> doc.
> >
> > For the external dependencies, here is the list I got using "mvn clean
> > dependency:list -DexcludeTransitive=true" and doing some cleaning up for
> > duplicates:
> >
> > ant-contrib
> >
> > cglib
> >
> > com.google.guava
> >
> > com.jolbox
> >
> > commons-cli
> >
> > commons-lang
> >
> > commons-logging
> >
> > io.dropwizard.metrics
> >
> > javax.jdo
> >
> > joda-time
> >
> > junit
> >
> > log4j
> >
> > org.apache.commons
> >
> > org.apache.curator
> >
> > org.apache.derby
> >
> > org.apache.hadoop
> >
> > org.apache.hive.hcatalog
> >
> > org.apache.hive
> >
> > org.apache.pig
> >
> > org.apache.sentry
> >
> > org.apache.shiro
> >
> > org.apache.solr
> >
> > org.apache.sqoop
> >
> > org.apache.thrift
> >
> > org.apache.zookeeper
> >
> > org.datanucleus
> >
> > org.easymock
> >
> > org.easytesting
> >
> > org.eclipse.jetty
> >
> > org.hamcrest
> >
> > org.mockito
> >
> > org.objenesis
> > org.slf4j
> >
> > I do not see anything except for junit in our proposal document. I think
> we
> > should document these dependencies and their licenses somewhere?
> >
> > Thanks!
> >
> > On Wed, Jan 20, 2016 at 4:41 PM, Lenni Kuff <ls...@cloudera.com> wrote:
> >
> > > Hi Sravya,
> > > Thanks for putting together this document, it's very useful. With
> respect
> > > to your comments:
> > >
> > > 1) Dependencies - Not sure if there is a better way, but you can run
> > > something like:
> > >             *>* *mvn clean dependency:list -DexcludeTransitive=true*
> > >     to get a listing of all the current dependencies specified in the
> > > project.
> > >
> > >
> > > 2) Only comments in the doc are to point out links to back up your point
> > > where relevant.
> > >
> > > Thanks,
> > > Lenni
> > >
> > > On Wed, Jan 20, 2016 at 2:53 PM, Sravya Tirukkovalur <
> > sravya@cloudera.com>
> > > wrote:
> > >
> > > > Hello all,
> > > >
> > > > Bumping up this thread after the holiday season. Please take a look
> and
> > > > provide feedback.
> > > >
> > > > Also I updated the doc to capture the vote for Committer == PPMC.
> > > >
> > > > I still have one outstanding question:
> > > > - How do projects usually keep track of list of external dependencies
> > for
> > > > license checking? Is it just reading through the maven pom file? Or
> is
> > > > there a standard way?
> > > >
> > > > I think I figured the answer for this question - What is the source
> of
> > > > truth for ICLAs? How do we double check all new committers have ICLAs
> > > > filed?
> > > > - Members with ICLAs filed and in Sentry group should appear here:
> > > > http://people.apache.org/committers-by-project.html#sentry
> > > >
> > > > On Fri, Nov 27, 2015 at 10:25 PM, Sravya Tirukkovalur <
> > > sravya@cloudera.com
> > > > >
> > > > wrote:
> > > >
> > > > > Hi folks,
> > > > >
> > > > > Here is the initial draft of Sentry maturity assessment:
> > > > >
> > > >
> > >
> >
> https://cwiki.apache.org/confluence/display/SENTRY/Sentry+maturity+assessment
> > > > >
> > > > > Mentors & community members: Your feedback is valuable here.
> Looking
> > > > > forward to constructive criticism if any, which can help the Sentry
> > > > > community and its graduation.
> > > > >
> > > > > Also, I had a couple quick questions while drafting this.
> > > > > 1. How do projects usually keep track of list of external
> > dependencies?
> > > > Is
> > > > > it just reading through the maven pom file? Or is there a standard
> > way?
> > > > > 2. What is the source of truth for ICLAs? How do we double check
> all
> > > new
> > > > > committers have ICLAs filed apart from reading through the private
> > mail
> > > > > archives?
> > > > >
> > > > > Regards,
> > > > > --
> > > > > Sravya Tirukkovalur
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Sravya Tirukkovalur
> > > >
> > >
> >
> >
> >
> > --
> > Sravya Tirukkovalur
> >
>



-- 
Sravya Tirukkovalur
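
An added example, not part of the original thread and not Sentry's own code: one way to automate the check discussed in the messages above, by parsing `mvn dependency:list` output, de-duplicating by groupId across modules, and flagging dependencies the thread lists as non-Apache licensed that are not confined to test scope. The sample output, versions and module names are constructed; the license labels and ASF categories are the ones quoted in the thread.

```python
from collections import namedtuple

# License labels exactly as listed in the thread, keyed by Maven groupId.
THREAD_LICENSES = {
    "org.easymock": "MIT",
    "org.mockito": "MIT",
    "org.slf4j": "MIT",
    "org.hamcrest": "BSD",
    "junit": "Eclipse",
}
# ASF policy categories the thread links to for those licenses.
ASF_CATEGORY = {"MIT": "A", "BSD": "A", "Eclipse": "B"}

# Constructed sample of `mvn dependency:list` output for two modules.
# Module names, plugin version and dependency versions are made up.
SAMPLE_OUTPUT = """\
[INFO] --- maven-dependency-plugin:3.1.1:list (default-cli) @ example-core ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    junit:junit:jar:4.10:test
[INFO]    org.slf4j:slf4j-api:jar:1.7.5:compile
[INFO]    com.google.guava:guava:jar:11.0.2:compile
[INFO]    org.mockito:mockito-all:jar:1.8.5:test
[INFO]
[INFO] --- maven-dependency-plugin:3.1.1:list (default-cli) @ example-tests ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    junit:junit:jar:4.10:compile
[INFO]    org.hamcrest:hamcrest-all:jar:1.3:test
[INFO]    org.apache.hadoop:hadoop-common:jar:tests:2.6.0:test -- module hadoop.common (auto)
[INFO]    org.slf4j:slf4j-api:jar:1.7.5:compile
[INFO] BUILD SUCCESS
"""

Dep = namedtuple("Dep", "group artifact type classifier version scope")
SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}


def parse_dependency_list(text):
    """Extract dependency coordinates from `mvn dependency:list` log output."""
    deps = []
    for line in text.splitlines():
        if not line.startswith("[INFO]"):
            continue
        tokens = line[len("[INFO]"):].split()
        if not tokens:
            continue
        # First token is the coordinate; newer plugin versions append
        # " -- module ..." after it, which is ignored here.
        parts = tokens[0].split(":")
        if len(parts) == 5:
            group, artifact, type_, version, scope = parts
            classifier = None
        elif len(parts) == 6:
            group, artifact, type_, classifier, version, scope = parts
        else:
            continue  # banner, header or status line
        if scope in SCOPES:
            deps.append(Dep(group, artifact, type_, classifier, version, scope))
    return deps


def scopes_by_group(deps):
    """De-duplicate across modules: groupId -> set of scopes it appears in."""
    scopes = {}
    for dep in deps:
        scopes.setdefault(dep.group, set()).add(dep.scope)
    return scopes


def license_review(text):
    """Return (rows, unlisted).

    rows: (groupId, license, ASF category, scopes, not_test_only) for every
    groupId the thread lists as non-Apache licensed.
    unlisted: groupIds with no license recorded in the thread; these still
    need a manual lookup.
    """
    scopes = scopes_by_group(parse_dependency_list(text))
    rows, unlisted = [], []
    for group in sorted(scopes):
        license_name = THREAD_LICENSES.get(group)
        if license_name is None:
            unlisted.append(group)
            continue
        not_test_only = scopes[group] != {"test"}
        rows.append((group, license_name, ASF_CATEGORY[license_name],
                     sorted(scopes[group]), not_test_only))
    return rows, unlisted


if __name__ == "__main__":
    rows, unlisted = license_review(SAMPLE_OUTPUT)
    for group, lic, cat, scopes, flagged in rows:
        marker = "REVIEW: not test-only" if flagged else "ok"
        print(f"{group:15} {lic:8} category {cat}  {','.join(scopes):14} {marker}")
    print("no license recorded:", ", ".join(unlisted))
```

On real input, pipe the output of the command quoted in the thread into a file and pass its contents to `license_review`; any row flagged as not test-only is a dependency whose scope in the poms needs checking.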

Re: [DISCUSS] Sentry maturity assessment document

Posted by Lenni Kuff <ls...@cloudera.com>.
Thanks for the updates Sravya, looks good.

Yes, we should document the dependencies someplace; putting them on a wiki
is probably okay for now, but it will likely change fairly frequently.
Would be good to have some automation around this - the Maven dependency
plugin has support for generating a report on all dependencies:
https://maven.apache.org/plugins/maven-dependency-plugin/analyze-report-mojo.html

Example output:
https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/dependency-analysis.html

We should consider doing something similar.

Thanks,
Lenni


On Fri, Jan 22, 2016 at 4:54 PM, Sravya Tirukkovalur <sr...@cloudera.com>
wrote:

> Thanks Lenni for your feedback! Added some data points (links) to the doc.
>
> For the external dependencies, here is the list I got using "mvn clean
> dependency:list -DexcludeTransitive=true" and doing some cleaning up for
> duplicates:
>
> ant-contrib
>
> cglib
>
> com.google.guava
>
> com.jolbox
>
> commons-cli
>
> commons-lang
>
> commons-logging
>
> io.dropwizard.metrics
>
> javax.jdo
>
> joda-time
>
> junit
>
> log4j
>
> org.apache.commons
>
> org.apache.curator
>
> org.apache.derby
>
> org.apache.hadoop
>
> org.apache.hive.hcatalog
>
> org.apache.hive
>
> org.apache.pig
>
> org.apache.sentry
>
> org.apache.shiro
>
> org.apache.solr
>
> org.apache.sqoop
>
> org.apache.thrift
>
> org.apache.zookeeper
>
> org.datanucleus
>
> org.easymock
>
> org.easytesting
>
> org.eclipse.jetty
>
> org.hamcrest
>
> org.mockito
>
> org.objenesis
> org.slf4j
>
> I do not see anything except for junit in our proposal document. I think we
> should document these dependencies and their licenses somewhere?
>
> Thanks!
>
> On Wed, Jan 20, 2016 at 4:41 PM, Lenni Kuff <ls...@cloudera.com> wrote:
>
> > Hi Sravya,
> > Thanks for putting together this document, it's very useful. With respect
> > to your comments:
> >
> > 1) Dependencies - Not sure if there is a better way, but you can run
> > something like:
> >             *>* *mvn clean dependency:list -DexcludeTransitive=true*
> >     to get a listing of all the current dependencies specified in the
> > project.
> >
> >
> > 2) Only comments in the doc are to point out links to back up your point
> > where relevant.
> >
> > Thanks,
> > Lenni
> >
> > On Wed, Jan 20, 2016 at 2:53 PM, Sravya Tirukkovalur <sravya@cloudera.com>
> > wrote:
> >
> > > Hello all,
> > >
> > > Bumping up this thread after the holiday season. Please take a look and
> > > provide feedback.
> > >
> > > Also I updated the doc to capture the vote for Committer == PPMC.
> > >
> > > I still have one outstanding question:
> > > - How do projects usually keep track of list of external dependencies for
> > > license checking? Is it just reading through the maven pom file? Or is
> > > there a standard way?
> > >
> > > I think I figured the answer for this question - What is the source of
> > > truth for ICLAs? How do we double check all new committers have ICLAs
> > > filed?
> > > - Members with ICLAs filed and in Sentry group should appear here:
> > > http://people.apache.org/committers-by-project.html#sentry
> > >
> > > On Fri, Nov 27, 2015 at 10:25 PM, Sravya Tirukkovalur <sravya@cloudera.com>
> > > wrote:
> > >
> > > > Hi folks,
> > > >
> > > > Here is the initial draft of Sentry maturity assessment:
> > > > https://cwiki.apache.org/confluence/display/SENTRY/Sentry+maturity+assessment
> > > >
> > > > Mentors & community members: Your feedback is valuable here. Looking
> > > > forward to constructive criticism if any, which can help the Sentry
> > > > community and its graduation.
> > > >
> > > > Also, I had a couple quick questions while drafting this.
> > > > 1. How do projects usually keep track of list of external dependencies? Is
> > > > it just reading through the maven pom file? Or is there a standard way?
> > > > 2. What is the source of truth for ICLAs? How do we double check all new
> > > > committers have ICLAs filed apart from reading through the private mail
> > > > archives?
> > > >
> > > > Regards,
> > > > --
> > > > Sravya Tirukkovalur
> > > >
> > >
> > >
> > >
> > > --
> > > Sravya Tirukkovalur
> > >
> >
>
>
>
> --
> Sravya Tirukkovalur
>

Re: [DISCUSS] Sentry maturity assessment document

Posted by Sravya Tirukkovalur <sr...@cloudera.com>.
Thanks Lenni for your feedback! Added some data points (links) to the doc.

For the external dependencies, here is the list I got using "mvn clean
dependency:list -DexcludeTransitive=true" and doing some cleaning up for
duplicates:

ant-contrib
cglib
com.google.guava
com.jolbox
commons-cli
commons-lang
commons-logging
io.dropwizard.metrics
javax.jdo
joda-time
junit
log4j
org.apache.commons
org.apache.curator
org.apache.derby
org.apache.hadoop
org.apache.hive.hcatalog
org.apache.hive
org.apache.pig
org.apache.sentry
org.apache.shiro
org.apache.solr
org.apache.sqoop
org.apache.thrift
org.apache.zookeeper
org.datanucleus
org.easymock
org.easytesting
org.eclipse.jetty
org.hamcrest
org.mockito
org.objenesis
org.slf4j

I do not see anything except for junit in our proposal document. I think we
should document these dependencies and their licenses somewhere?

Thanks!

On Wed, Jan 20, 2016 at 4:41 PM, Lenni Kuff <ls...@cloudera.com> wrote:

> Hi Sravya,
> Thanks for putting together this document, it's very useful. With respect
> to your comments:
>
> 1) Dependencies - Not sure if there is a better way, but you can run
> something like:
>             mvn clean dependency:list -DexcludeTransitive=true
>     to get a listing of all the current dependencies specified in the
> project.
>
>
> 2) Only comments in the doc are to point out links to backup your point
> where relevant.
>
> Thanks,
> Lenni
>
> On Wed, Jan 20, 2016 at 2:53 PM, Sravya Tirukkovalur <sr...@cloudera.com>
> wrote:
>
> > Hello all,
> >
> > Bumping up this thread after the holiday season. Please take a look and
> > provide feedback.
> >
> > Also I updated the doc to capture the vote for Committer == PPMC.
> >
> > I still have one outstanding question:
> > - How do projects usually keep track of list of external dependencies for
> > license checking? Is it just reading through the maven pom file? Or is
> > there a standard way?
> >
> > I think I figured the answer for this question - What is the source of
> > truth for ICLAs? How do we double check all new committers have ICLAs
> > filed?
> > - Members with ICLAs filed and in Sentry group should appear here:
> > http://people.apache.org/committers-by-project.html#sentry
> >
> > On Fri, Nov 27, 2015 at 10:25 PM, Sravya Tirukkovalur <sravya@cloudera.com>
> > wrote:
> >
> > > Hi folks,
> > >
> > > Here is the initial draft of Sentry maturity assessment:
> > > https://cwiki.apache.org/confluence/display/SENTRY/Sentry+maturity+assessment
> > >
> > > Mentors & community members: Your feedback is valuable here. Looking
> > > forward to constructive criticism if any, which can help the Sentry
> > > community and its graduation.
> > >
> > > Also, I had a couple quick questions while drafting this.
> > > 1. How do projects usually keep track of list of external dependencies? Is
> > > it just reading through the maven pom file? Or is there a standard way?
> > > 2. What is the source of truth for ICLAs? How do we double check all new
> > > committers have ICLAs filed apart from reading through the private mail
> > > archives?
> > >
> > > Regards,
> > > --
> > > Sravya Tirukkovalur
> > >
> >
> >
> >
> > --
> > Sravya Tirukkovalur
> >
>



-- 
Sravya Tirukkovalur
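
The clean-up step described in the message above (listing direct dependencies
with "mvn clean dependency:list -DexcludeTransitive=true" and removing
duplicates), as an added example that is not part of the original thread. It
goes one step further and records the scopes each groupId is used under, so
test-only groups such as junit can be told apart; the function names and the
sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: reduce `mvn dependency:list` output to unique groupIds and
# the scopes each one is used under. Function names are hypothetical.

# Constructed sample of multi-module output; versions and module names are
# made up for illustration.
sample_output() {
cat <<'EOF'
[INFO] --- maven-dependency-plugin:2.8:list (default-cli) @ module-a ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    org.apache.shiro:shiro-core:jar:1.0:compile
[INFO]    com.google.guava:guava:jar:1.0:compile
[INFO]    junit:junit:jar:1.0:test
[INFO]    org.apache.hadoop:hadoop-common:jar:1.0:provided
[INFO] --- maven-dependency-plugin:2.8:list (default-cli) @ module-b ---
[INFO] The following files have been resolved:
[INFO]    com.google.guava:guava:jar:1.0:compile
[INFO]    org.apache.hadoop:hadoop-common:jar:tests:1.0:test
[INFO]    org.mockito:mockito-all:jar:1.0:test
[INFO]    junit:junit:jar:1.0:test
[INFO] BUILD SUCCESS
EOF
}

# stdin: mvn output. stdout: "groupId<TAB>scope[,scope...]", sorted, one line
# per groupId. Coordinates are groupId:artifactId:type[:classifier]:version:scope.
group_scopes() {
  awk '
    $1 == "[INFO]" {
      n = split($2, f, ":")
      if (n < 5 || n > 6) next                       # not a coordinate line
      if (f[n] !~ /^(compile|provided|runtime|system|test)$/) next
      print f[1] "\t" f[n]
    }' | LC_ALL=C sort -u | awk -F '\t' '
    $1 != prev { if (NR > 1) print prev "\t" scopes; prev = $1; scopes = $2; next }
    { scopes = scopes "," $2 }
    END { if (NR > 0) print prev "\t" scopes }'
}

# Groups with at least one scope other than test (junit-style test-only
# dependencies drop out).
non_test_groups() {
  group_scopes | awk -F '\t' '$2 != "test" { print $1 }'
}

# Real use: mvn clean dependency:list -DexcludeTransitive=true | group_scopes
sample_output | group_scopes
```
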

Re: [DISCUSS] Sentry maturity assessment document

Posted by Lenni Kuff <ls...@cloudera.com>.
Hi Sravya,
Thanks for putting together this document, it's very useful. With respect
to your comments:

1) Dependencies - Not sure if there is a better way, but you can run
something like:
            mvn clean dependency:list -DexcludeTransitive=true
    to get a listing of all the current dependencies specified in the
project.


2) Only comments in the doc are to point out links to backup your point
where relevant.

Thanks,
Lenni

On Wed, Jan 20, 2016 at 2:53 PM, Sravya Tirukkovalur <sr...@cloudera.com>
wrote:

> Hello all,
>
> Bumping up this thread after the holiday season. Please take a look and
> provide feedback.
>
> Also I updated the doc to capture the vote for Committer == PPMC.
>
> I still have one outstanding question:
> - How do projects usually keep track of list of external dependencies for
> license checking? Is it just reading through the maven pom file? Or is
> there a standard way?
>
> I think I figured the answer for this question - What is the source of
> truth for ICLAs? How do we double check all new committers have ICLAs
> filed?
> - Members with ICLAs filed and in Sentry group should appear here:
> http://people.apache.org/committers-by-project.html#sentry
>
> > On Fri, Nov 27, 2015 at 10:25 PM, Sravya Tirukkovalur <sravya@cloudera.com>
> > wrote:
>
> > Hi folks,
> >
> > Here is the initial draft of Sentry maturity assessment:
> > https://cwiki.apache.org/confluence/display/SENTRY/Sentry+maturity+assessment
> >
> > Mentors & community members: Your feedback is valuable here. Looking
> > forward to constructive criticism if any, which can help the Sentry
> > community and its graduation.
> >
> > Also, I had a couple quick questions while drafting this.
> > 1. How do projects usually keep track of list of external dependencies? Is
> > it just reading through the maven pom file? Or is there a standard way?
> > 2. What is the source of truth for ICLAs? How do we double check all new
> > committers have ICLAs filed apart from reading through the private mail
> > archives?
> >
> > Regards,
> > --
> > Sravya Tirukkovalur
> >
>
>
>
> --
> Sravya Tirukkovalur
>

Re: [DISCUSS] Sentry maturity assessment document

Posted by Sravya Tirukkovalur <sr...@cloudera.com>.
Hello all,

Bumping up this thread after the holiday season. Please take a look and
provide feedback.

Also I updated the doc to capture the vote for Committer == PPMC.

I still have one outstanding question:
- How do projects usually keep track of list of external dependencies for
license checking? Is it just reading through the maven pom file? Or is
there a standard way?

I think I figured the answer for this question - What is the source of
truth for ICLAs? How do we double check all new committers have ICLAs filed?
- Members with ICLAs filed and in Sentry group should appear here:
http://people.apache.org/committers-by-project.html#sentry

On Fri, Nov 27, 2015 at 10:25 PM, Sravya Tirukkovalur <sr...@cloudera.com>
wrote:

> Hi folks,
>
> Here is the initial draft of Sentry maturity assessment:
> https://cwiki.apache.org/confluence/display/SENTRY/Sentry+maturity+assessment
>
> Mentors & community members: Your feedback is valuable here. Looking
> forward to constructive criticism if any, which can help the Sentry
> community and its graduation.
>
> Also, I had a couple quick questions while drafting this.
> 1. How do projects usually keep track of list of external dependencies? Is
> it just reading through the maven pom file? Or is there a standard way?
> 2. What is the source of truth for ICLAs? How do we double check all new
> committers have ICLAs filed apart from reading through the private mail
> archives?
>
> Regards,
> --
> Sravya Tirukkovalur
>



-- 
Sravya Tirukkovalur