Posted to dev@taverna.apache.org by Stian Soiland-Reyes <st...@apache.org> on 2018/01/08 16:29:29 UTC

[DISCUSS] Release Apache Taverna Server 3.1.0-incubating RC1?

Reply to this thread for any questions/issues for the
Taverna Server 3.1.0 release candidate.

Reply to the separate [VOTE] thread with your formal vote:
https://lists.apache.org/thread.html/319eac1ea18f89d635d3c05bf1dc3f644c5f76f79673f7e0ac141194@%3Cdev.taverna.apache.org%3E


Anyone can participate in testing and voting, not just committers,
please feel free to try out the release candidate and provide your
votes!

How to review a release? https://s.apache.org/review-release

-- 
Stian Soiland-Reyes
http://orcid.org/0000-0001-9842-9718


Re: [DISCUSS] Release Apache Taverna Server 3.1.0-incubating RC2?

Posted by Stian Soiland-Reyes <st...@apache.org>.
On Tue, 9 Jan 2018 17:33:12 +0000, Andy Seaborne <an...@apache.org> wrote:
> I don't know how the dependency flow from module L&N to artifact works.

As far as I understand it's Maven magic from the super-POM of Apache:

http://central.maven.org/maven2/org/apache/apache/18/apache-18.pom
aka
https://github.com/apache/maven-pom/blob/apache-18/pom.xml#L296

which invokes maven-remote-resources-plugin
using a Velocity template from apache-jar-resource-bundle 
https://github.com/apache/maven-resources/tree/trunk/apache-jar-resource-bundle/src/main/resources/META-INF

For instance in NOTICE.vm the ## comments are removed by Velocity
template engine, and then properties like 
${projectTimespan} are filled in from the effective pom.xml of each
submodule - ending up in target/classes/META-INF

(Note: Apache Commons' super-pom does NOT do this for multimodule builds)


> > We agreed earlier that the "Portions of this software were originally
> > based on... - Copyright 2010-2014 University of Manchester" bit is
> > more of a courtesy and not something legally required by the software
> > grant.
> 
> Yes.
> 
> While not necessary, when such a large part is granted, it is useful in 
> License.  There can't be that many large ones - it can't go over 100%!

OK, so let's leave the autogenerated META-INF L/N as they are - but do
shout out folks if you find any module where the autogenerated would be
incomplete.


tl;dr:

If the root NOTICE or LICENSE says "taverna-foo-module includes baz",
then also override the META-INF templates by making sure
taverna-foo-module/src/main/resources/META-INF/ contains equivalent
NOTICE and/or LICENSE files to the same effect.


-- 
Stian Soiland-Reyes
http://orcid.org/0000-0001-9842-9718
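
One way to check the tl;dr rule above when reviewing a release candidate, as an added example that is not part of the original thread or the project's build: it audits JARs for META-INF/LICENSE and META-INF/NOTICE and flags a module whose root-level claim is missing from its own JAR. The module names, NOTICE texts and the substring match are assumptions made for illustration.

```python
import io
import zipfile

REQUIRED = ("META-INF/LICENSE", "META-INF/NOTICE")

def audit_jar(jar_bytes, required_phrases=()):
    """Return a list of problems for one JAR (an empty list means OK).

    required_phrases: text the root NOTICE/LICENSE attributes to this module,
    which must therefore also appear in the JAR's own META-INF files.
    """
    problems = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        texts = []
        for entry in REQUIRED:
            if entry in names:
                texts.append(jar.read(entry).decode("utf-8", "replace"))
            else:
                problems.append("missing " + entry)
        combined = "\n".join(texts)
        for phrase in required_phrases:
            if phrase not in combined:
                problems.append("override missing: " + repr(phrase))
    return problems

def make_jar(files):
    """Build a constructed in-memory JAR from {entry name: text}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, text in files.items():
            jar.writestr(name, text)
    return buf.getvalue()

# Constructed sample data: names follow the tl;dr's placeholder
# "taverna-foo-module includes baz"; the file contents are invented.
GENERATED = {"META-INF/LICENSE": "Apache License 2.0",
             "META-INF/NOTICE": "Apache Taverna Foo\nCopyright 2015-2018 ASF"}
OVERRIDDEN = dict(GENERATED)
OVERRIDDEN["META-INF/NOTICE"] += "\nThis module includes baz"
ROOT_CLAIMS = {"taverna-foo-module": ["includes baz"]}  # read off root NOTICE
JARS = {"taverna-foo-module": make_jar(GENERATED),   # override forgotten
        "taverna-bar-module": make_jar(GENERATED),   # nothing to override
        "taverna-nolicense": make_jar({"META-INF/NOTICE": "x"})}

def audit_all(jars, root_claims):
    return {name: audit_jar(data, root_claims.get(name, ()))
            for name, data in jars.items()}

if __name__ == "__main__":
    for module, problems in audit_all(JARS, ROOT_CLAIMS).items():
        print(module, "OK" if not problems else problems)
```

For a real review, read each built JAR's bytes from disk and fill the claims mapping by hand from the root NOTICE and LICENSE.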


Re: [DISCUSS] Release Apache Taverna Server 3.1.0-incubating RC2?

Posted by Andy Seaborne <an...@apache.org>.

On 09/01/18 16:57, Stian Soiland-Reyes wrote:
> On Tue, 9 Jan 2018 16:13:59 +0000, Andy Seaborne <an...@apache.org> wrote:
>> I'm not seeing that the LICENSE and NOTICE files in the jars reflect the
>> NOTICE in the source tree. If source is used to make the jars, they
>> should have the L&N passed on. (not for dependencies)
> 
> Did any JARs lack LICENSE or NOTICE? They should generally have the
> autogenerated ones from maven-remote-resources-plugin /
> apache-jar-resource-bundle as is true for JARs in pretty much every
> Maven-based incubator release.

I poked at a couple and they were autogenerated.

I don't know how the dependency flow from module L&N to artifact works.

> 
> 
> It is true that LICENSE/NOTICE overrides must be present in those
> modules that correspond to the affected files, which in this project is
> only in taverna-server-usagerecord:
> 
> https://github.com/apache/incubator-taverna-server/tree/master/taverna-server-usagerecord/src/main/resources/META-INF

Good.

> 
> (Perhaps a suggestion is for the central NOTICE to refer to
> "taverna-server-usagerecord" rather than just package name)
> 
> 
> Another example from Taverna Language (needing to modify LICENSE
> for taverna-scufl2-wfdesc):
> 
> https://github.com/apache/incubator-taverna-language/blob/master/taverna-scufl2-wfdesc/src/main/resources/META-INF/LICENSE#L208
> 
> 
> The central NOTICE mentions the historic Manchester copyright, which is
> not in the generated META-INF/NOTICE files.
> 
> 
> We agreed earlier that the "Portions of this software were originally
> based on... - Copyright 2010-2014 University of Manchester" bit is
> more of a courtesy and not something legally required by the software
> grant.

Yes.

While not necessary, when such a large part is granted, it is useful in 
License.  There can't be that many large ones - it can't go over 100%!

> 
> (code donation didn't have any NOTICE; and in UK copyright is owned even
> when not stated explicitly
> https://github.com/apache/incubator-taverna-server/tree/apache-import-20150223
> )
> 
> 
> 
> Thus the "Manchester" bit is not -- for ASF at least -- required to be
> in NOTICE of individual JARs (as is true for all earlier releases) and
> the maven-generated one should be fine for most modules (as was also
> true for the other Taverna releases)
> 
> However, someone else ripping out code would indeed legally have to
> propagate the NOTICE in anything they redistribute, but that
> would be their task. This is similar to someone else
> redistributing a single one of our .java files whose copyright header
> says they have to respect the corresponding NOTICE.
> 

Re: [DISCUSS] Release Apache Taverna Server 3.1.0-incubating RC2?

Posted by Stian Soiland-Reyes <st...@apache.org>.
On Tue, 9 Jan 2018 16:13:59 +0000, Andy Seaborne <an...@apache.org> wrote:
> I'm not seeing that the LICENSE and NOTICE files in the jars reflect the 
> NOTICE in the source tree. If source is used to make the jars, they 
> should have the L&N passed on. (not for dependencies)

Did any JARs lack LICENSE or NOTICE? They should generally have the
autogenerated ones from maven-remote-resources-plugin /
apache-jar-resource-bundle as is true for JARs in pretty much every
Maven-based incubator release.


It is true that LICENSE/NOTICE overrides must be present in those
modules that correspond to the affected files, which in this project is
only in taverna-server-usagerecord:

https://github.com/apache/incubator-taverna-server/tree/master/taverna-server-usagerecord/src/main/resources/META-INF

(Perhaps a suggestion is for the central NOTICE to refer to 
"taverna-server-usagerecord" rather than just package name)


Another example from Taverna Language (needing to modify LICENSE
for taverna-scufl2-wfdesc):

https://github.com/apache/incubator-taverna-language/blob/master/taverna-scufl2-wfdesc/src/main/resources/META-INF/LICENSE#L208


The central NOTICE mentions the historic Manchester copyright, which is
not in the generated META-INF/NOTICE files.


We agreed earlier that the "Portions of this software were originally
based on... - Copyright 2010-2014 University of Manchester" bit is
more of a courtesy and not something legally required by the software
grant.

(code donation didn't have any NOTICE; and in UK copyright is owned even
when not stated explicitly
https://github.com/apache/incubator-taverna-server/tree/apache-import-20150223
)



Thus the "Manchester" bit is not -- for ASF at least -- required to be
in NOTICE of individual JARs (as is true for all earlier releases) and
the maven-generated one should be fine for most modules (as was also
true for the other Taverna releases)

However, someone else ripping out code would indeed legally have to
propagate the NOTICE in anything they redistribute, but that
would be their task. This is similar to someone else
redistributing a single one of our .java files whose copyright header
says they have to respect the corresponding NOTICE.

-- 
Stian Soiland-Reyes
The University of Manchester
http://www.esciencelab.org.uk/
http://orcid.org/0000-0001-9842-9718


Re: [DISCUSS] Release Apache Taverna Server 3.1.0-incubating RC2?

Posted by Andy Seaborne <an...@apache.org>.
I'm not seeing that the LICENSE and NOTICE files in the jars reflect the 
NOTICE in the source tree. If source is used to make the jars, they 
should have the L&N passed on. (not for dependencies)

(
Stian - the discussion on legal@ prompted me to look:
    "Including "modified code" dependencies in LICENSE or NOTICE"
)

     Andy

On 08/01/18 17:33, Stian Soiland-Reyes wrote:
> As RC1 broke without .git - here's RC2:
> https://lists.apache.org/thread.html/00b8faaa002b6708bdfd7846b16078be06ad781e49535bcc397b4758@%3Cdev.taverna.apache.org%3E
> 
> 
> On Mon, 8 Jan 2018 16:29:29 +0000, Stian Soiland-Reyes <st...@apache.org> wrote:
>> Reply to this thread for any questions/issues for the
>> Taverna Server 3.1.0 release candidate.
>>
>> Reply to the separate [VOTE] thread with your formal vote:
>> https://lists.apache.org/thread.html/319eac1ea18f89d635d3c05bf1dc3f644c5f76f79673f7e0ac141194@%3Cdev.taverna.apache.org%3E
>>
>>
>> Anyone can participate in testing and voting, not just committers,
>> please feel free to try out the release candidate and provide your
>> votes!
>>
>> How to review a release? https://s.apache.org/review-release
>>
>> -- 
>> Stian Soiland-Reyes
>> http://orcid.org/0000-0001-9842-9718
>>

Re: [DISCUSS] Release Apache Taverna Server 3.1.0-incubating RC3?

Posted by Stian Soiland-Reyes <st...@apache.org>.
Thanks for the votes so far on RC3!

https://lists.apache.org/thread.html/5cde355f427de0ff7be68002c578387ef7116573d197a6cafc1ad94b@%3Cdev.taverna.apache.org%3E

I'll be tallying the count tomorrow, so still time if anyone else would
like to have a go! ;)



BTW -- I noticed we had not included an Export Restriction section in the
README of Taverna Server 
https://issues.apache.org/jira/browse/TAVERNA-1031

Added now in 
https://github.com/apache/incubator-taverna-server/#export-restrictions

The new README section is for user guidance only (e.g. for
redistribution) and not a legal requirement - personally I don't think
that this missing from 3.1.0 RC3 should hold up the release, as
taverna-server was already in our 2016 security review and in the formal
ECCN registration with US authorities back then; your views are welcome!

On Mon, 8 Jan 2018 17:33:15 +0000, Stian Soiland-Reyes <st...@apache.org> wrote:
> As RC1 broke without .git - here's RC2:
> https://lists.apache.org/thread.html/00b8faaa002b6708bdfd7846b16078be06ad781e49535bcc397b4758@%3Cdev.taverna.apache.org%3E
> 
> 
> On Mon, 8 Jan 2018 16:29:29 +0000, Stian Soiland-Reyes <st...@apache.org> wrote:
> > Reply to this thread for any questions/issues for the
> > Taverna Server 3.1.0 release candidate.
> > 
> > Reply to the separate [VOTE] thread with your formal vote:
> > https://lists.apache.org/thread.html/319eac1ea18f89d635d3c05bf1dc3f644c5f76f79673f7e0ac141194@%3Cdev.taverna.apache.org%3E
> > 
> > 
> > Anyone can participate in testing and voting, not just committers,
> > please feel free to try out the release candidate and provide your
> > votes!
> > 
> > How to review a release? https://s.apache.org/review-release
> > 
> > -- 
> > Stian Soiland-Reyes
> > http://orcid.org/0000-0001-9842-9718
> > 

Re: [DISCUSS] Release Apache Taverna Server 3.1.0-incubating RC2?

Posted by Stian Soiland-Reyes <st...@apache.org>.
To verify the keys, see

> > Release candidates are signed with a GPG key available at:
> > https://dist.apache.org/repos/dist/release/incubator/taverna/KEYS

aka which would equal (After 12 hours)
https://www.apache.org/dist/incubator/taverna/KEYS

aka
  curl https://dist.apache.org/repos/dist/release/incubator/taverna/KEYS |
    gpg --import -


see also https://www.apache.org/info/verification.html 


Note that this does not mean your PGP keychain trusts my public key,
just that it knows about it, hence you should still get a warning. 

BTW - to trust it the PGP way you would also need to have your own
private key, then do for instance:

  gpg --fingerprint A0FFD119

Meet me and compare the fingerprint in person or over a trusted channel. 
(important - blind trust is pointless here :)


  gpg --sign-key A0FFD119
  gpg --keyserver pgpkeys.mit.edu --send-key A0FFD119

(Now you announce to the world this trust - and others can use it in a
chain of trust)


In ASF we kind of bypass this by just downloading the KEYS file, which
in a way is just verifying that the person is someone (who knows the
password) with SVN write access to it (in incubator about 2678 people)


On Mon, 8 Jan 2018 17:33:15 +0000, Stian Soiland-Reyes <st...@apache.org> wrote:
> As RC1 broke without .git - here's RC2:
> https://lists.apache.org/thread.html/00b8faaa002b6708bdfd7846b16078be06ad781e49535bcc397b4758@%3Cdev.taverna.apache.org%3E
> 
> 
> On Mon, 8 Jan 2018 16:29:29 +0000, Stian Soiland-Reyes <st...@apache.org> wrote:
> > Reply to this thread for any questions/issues for the
> > Taverna Server 3.1.0 release candidate.
> > 
> > Reply to the separate [VOTE] thread with your formal vote:
> > https://lists.apache.org/thread.html/319eac1ea18f89d635d3c05bf1dc3f644c5f76f79673f7e0ac141194@%3Cdev.taverna.apache.org%3E
> > 
> > 
> > Anyone can participate in testing and voting, not just committers,
> > please feel free to try out the release candidate and provide your
> > votes!
> > 
> > How to review a release? https://s.apache.org/review-release
> > 
> > -- 
> > Stian Soiland-Reyes
> > http://orcid.org/0000-0001-9842-9718
> > 
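
The difference described above between a key gpg merely knows about and a key whose fingerprint has been compared, as an added example that is not part of the original message: it classifies the machine-readable output of `gpg --status-fd 1 --verify` against a pinned fingerprint. The fingerprints and status lines are constructed placeholders, not the real key behind A0FFD119.

```python
# Constructed placeholder fingerprints, NOT the real key behind A0FFD119.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
OTHER_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"

def parse_status(text):
    """Map each `[GNUPG:] KEYWORD args...` status line to its argument list."""
    events = {}
    for line in text.splitlines():
        if line.startswith("[GNUPG:] "):
            keyword, _, args = line[9:].partition(" ")
            events[keyword] = args.split()
    return events

def assess(text, pinned_fpr):
    """Classify a `gpg --status-fd 1 --verify` run against a fingerprint
    that was compared in person or over a trusted channel."""
    ev = parse_status(text)
    if "BADSIG" in ev:
        return "reject: signature does not match the file"
    if "NO_PUBKEY" in ev or "ERRSIG" in ev:
        return "reject: signing key not in keyring"
    if "EXPKEYSIG" in ev or "REVKEYSIG" in ev:
        return "reject: signing key expired or revoked"
    if "VALIDSIG" not in ev:
        return "reject: no valid signature reported"
    args = ev["VALIDSIG"]
    # First field: fingerprint of the signing (sub)key; last: primary key.
    if pinned_fpr.upper() not in (args[0].upper(), args[-1].upper()):
        return "reject: valid signature, but from unexpected key " + args[-1]
    if "TRUST_FULLY" in ev or "TRUST_ULTIMATE" in ev:
        return "accept: pinned key, also certified in local web of trust"
    return "accept: pinned key (gpg still warns: key not certified)"

def status(fpr, trust):
    """Build constructed status output for a good signature by key `fpr`."""
    return ("[GNUPG:] NEWSIG\n"
            "[GNUPG:] GOODSIG %s Example Signer <signer@example.org>\n"
            "[GNUPG:] VALIDSIG %s 2018-01-08 1515429000 0 4 0 1 10 00 %s\n"
            "[GNUPG:] %s 0 pgp\n" % (fpr[-16:], fpr, fpr, trust))

BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer\n"

if __name__ == "__main__":
    for sample in (status(PINNED_FPR, "TRUST_UNDEFINED"),
                   status(OTHER_FPR, "TRUST_UNDEFINED"), BAD):
        print(assess(sample, PINNED_FPR))
```

The second sample is the case the KEYS file alone cannot rule out: a cryptographically valid signature from a key that is in the keyring but is not the one whose fingerprint was compared.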

Re: [DISCUSS] Release Apache Taverna Server 3.1.0-incubating RC2?

Posted by Stian Soiland-Reyes <st...@apache.org>.
As RC1 broke without .git - here's RC2:
https://lists.apache.org/thread.html/00b8faaa002b6708bdfd7846b16078be06ad781e49535bcc397b4758@%3Cdev.taverna.apache.org%3E


On Mon, 8 Jan 2018 16:29:29 +0000, Stian Soiland-Reyes <st...@apache.org> wrote:
> Reply to this thread for any questions/issues for the
> Taverna Server 3.1.0 release candidate.
> 
> Reply to the separate [VOTE] thread with your formal vote:
> https://lists.apache.org/thread.html/319eac1ea18f89d635d3c05bf1dc3f644c5f76f79673f7e0ac141194@%3Cdev.taverna.apache.org%3E
> 
> 
> Anyone can participate in testing and voting, not just committers,
> please feel free to try out the release candidate and provide your
> votes!
> 
> How to review a release? https://s.apache.org/review-release
> 
> -- 
> Stian Soiland-Reyes
> http://orcid.org/0000-0001-9842-9718
>