You are viewing a plain text version of this content. The canonical link for it is here.
Posted to general@incubator.apache.org by James Sirota <js...@hortonworks.com> on 2016/10/03 21:04:37 UTC
[VOTE] Releasing Apache Metron 0.2.1BETA-RC2
This is a call to vote on releasing Apache Metron 0.2.1BETA-RC2 incubating
Full list of changes in this release:
https://dist.apache.org/repos/dist/dev/incubator/metron/0.2.1BETA-RC2-incubating/CHANGES
The tag/commit to be voted upon is Metron_0.2.1BETA_rc2:
https://git-wip-us.apache.org/repos/asf?p=incubator-metron.git;a=commit;h=3e278cdc2c60d6d193d53157512c68b2a3ed58de
The source archive being voted upon can be found here:
https://dist.apache.org/repos/dist/dev/incubator/metron/0.2.1BETA-RC2-incubating/apache-metron-0.2.1BETA-RC2-incubating.tar.gz
Other release files, signatures and digests can be found here:
https://dist.apache.org/repos/dist/dev/incubator/metron/0.2.1BETA-RC2-incubating/
The release artifacts are signed with the following key:
https://git-wip-us.apache.org/repos/asf?p=incubator-metron.git;a=blob;f=KEYS;h=c11bcb9b7385b4d155501aa097afd890f1070a18;hb=3e278cdc2c60d6d193d53157512c68b2a3ed58de
Please vote on releasing this package as Apache Metron 0.2.1BETA-RC2 incubating
When voting, please list the actions taken to verify the release.
Recommended build validation and verification instructions are posted here:
https://cwiki.apache.org/confluence/display/METRON/Verifying+Builds
This vote will be open for at least 72 hours.
[ ] +1 Release this package as Apache Metron 0.2.0BETA-RC2 incubating
[ ] 0 No opinion
[ ] -1 Do not release this package because...
Re: [VOTE] Releasing Apache Metron 0.2.1BETA-RC2
Posted by Josh Elser <el...@apache.org>.
Hi David,
Typically, if you want to have to separately-released software packages
under Metron, you would either have separate repositories or separate
Maven builds (in the same repository). It seems strange to me that
you're essentially "releasing" the MPack (with a SNAPSHOT version?) with
Metron 0.2.1BETA-incubating...
So, the real concern I have is that this MPack-1.0.0.0-SNAPSHOT is now
being released with the Metron-0.2.1BETA-incubating artifacts. It seems
like you're suggesting it is not meant to be released now..
David Lyle wrote:
> Hi Josh,
>
> Thanks for taking a peek at the release. On the MPack- we'd like to version
> it separately from the Metron release. Does that create any issue (other
> than unintended confusion :) ) ?
>
> Thanks again!
>
> -David...
>
>
> On Thu, Oct 6, 2016 at 12:32 AM, Josh Elser<el...@apache.org> wrote:
>
>> +1 (binding)
>>
>> * xsums/sigs OK (I think this is the second release, I think both from
>> Metron, where firefox butchers the SHA xsum -- I have no idea why though.
>> wget is fine)
>> * L&N are OK. Some extra cruft in LICENSE file, but the main content is
>> there.
>> * Can build from source
>> * Found no binaries in source-release
>> * DISCLAIMER is present
>> * KEYS is appropriate
>>
>> Other observations:
>>
>> * Kudos to Justin on catching StixExtractorTest.java
>> * Looks like the version in the pom is 0.2.1BETA, but I would have
>> expected to see 0.2.1BETA-incubating.
>> * Nit: contents of the source-release artifact could also be named
>> similarly. It's "incubator-metron-Metron_0.2.1BETA_rc2", I would expect
>> to see something like "apache-metron-0.2.1BETA-incubating".
>> * I picked out one JAR generated by the source release and inspected it
>> for proper L&N (metron-platform/metron-common/target/metron-common-0.2.1BETA.jar)
>> and it does not appear to be correct to me. It would be good to have this
>> on your radar to verify across the board -- make sure that L&N inside the
>> artifacts your source-release creates (shaded JARs) is properly licensed
>> just like the source-release is.
>> * What's going on with the Metron Ambari Management Pack? It has a
>> different version than the rest of the code (Metron Ambari Management Pack
>> 1.0.0.0-SNAPSHOT). Is this intentional?
>>
>> - Josh
>>
>> James Sirota wrote:
>>
>>> This is a call to vote on releasing Apache Metron 0.2.1BETA-RC2 incubating
>>>
>>> Full list of changes in this release:
>>>
>>> https://dist.apache.org/repos/dist/dev/incubator/metron/0.2.
>>> 1BETA-RC2-incubating/CHANGES
>>>
>>> The tag/commit to be voted upon is Metron_0.2.1BETA_rc2:
>>>
>>> https://git-wip-us.apache.org/repos/asf?p=incubator-metron.g
>>> it;a=commit;h=3e278cdc2c60d6d193d53157512c68b2a3ed58de
>>>
>>> The source archive being voted upon can be found here:
>>>
>>> https://dist.apache.org/repos/dist/dev/incubator/metron/0.2.
>>> 1BETA-RC2-incubating/apache-metron-0.2.1BETA-RC2-incubating.tar.gz
>>>
>>> Other release files, signatures and digests can be found here:
>>> https://dist.apache.org/repos/dist/dev/incubator/metron/0.2.
>>> 1BETA-RC2-incubating/
>>>
>>> The release artifacts are signed with the following key:
>>>
>>> https://git-wip-us.apache.org/repos/asf?p=incubator-metron.g
>>> it;a=blob;f=KEYS;h=c11bcb9b7385b4d155501aa097afd890f1070a18;
>>> hb=3e278cdc2c60d6d193d53157512c68b2a3ed58de
>>>
>>>
>>> Please vote on releasing this package as Apache Metron 0.2.1BETA-RC2
>>> incubating
>>>
>>> When voting, please list the actions taken to verify the release.
>>> Recommended build validation and verification instructions are posted
>>> here:
>>> https://cwiki.apache.org/confluence/display/METRON/Verifying+Builds
>>>
>>> This vote will be open for at least 72 hours.
>>>
>>> [ ] +1 Release this package as Apache Metron 0.2.0BETA-RC2 incubating
>>> [ ] 0 No opinion
>>> [ ] -1 Do not release this package because...
>>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
>> For additional commands, e-mail: general-help@incubator.apache.org
>>
>>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
Re: [VOTE] Releasing Apache Metron 0.2.1BETA-RC2
Posted by David Lyle <dl...@gmail.com>.
Hi Josh,
Thanks for taking a peek at the release. On the MPack- we'd like to version
it separately from the Metron release. Does that create any issue (other
than unintended confusion :) ) ?
Thanks again!
-David...
On Thu, Oct 6, 2016 at 12:32 AM, Josh Elser <el...@apache.org> wrote:
> +1 (binding)
>
> * xsums/sigs OK (I think this is the second release, I think both from
> Metron, where firefox butchers the SHA xsum -- I have no idea why though.
> wget is fine)
> * L&N are OK. Some extra cruft in LICENSE file, but the main content is
> there.
> * Can build from source
> * Found no binaries in source-release
> * DISCLAIMER is present
> * KEYS is appropriate
>
> Other observations:
>
> * Kudos to Justin on catching StixExtractorTest.java
> * Looks like the version in the pom is 0.2.1BETA, but I would have
> expected to see 0.2.1BETA-incubating.
> * Nit: contents of the source-release artifact could also be named
> similarly. It's "incubator-metron-Metron_0.2.1BETA_rc2", I would expect
> to see something like "apache-metron-0.2.1BETA-incubating".
> * I picked out one JAR generated by the source release and inspected it
> for proper L&N (metron-platform/metron-common/target/metron-common-0.2.1BETA.jar)
> and it does not appear to be correct to me. It would be good to have this
> on your radar to verify across the board -- make sure that L&N inside the
> artifacts your source-release creates (shaded JARs) is properly licensed
> just like the source-release is.
> * What's going on with the Metron Ambari Management Pack? It has a
> different version than the rest of the code (Metron Ambari Management Pack
> 1.0.0.0-SNAPSHOT). Is this intentional?
>
> - Josh
>
> James Sirota wrote:
>
>> This is a call to vote on releasing Apache Metron 0.2.1BETA-RC2 incubating
>>
>> Full list of changes in this release:
>>
>> https://dist.apache.org/repos/dist/dev/incubator/metron/0.2.
>> 1BETA-RC2-incubating/CHANGES
>>
>> The tag/commit to be voted upon is Metron_0.2.1BETA_rc2:
>>
>> https://git-wip-us.apache.org/repos/asf?p=incubator-metron.g
>> it;a=commit;h=3e278cdc2c60d6d193d53157512c68b2a3ed58de
>>
>> The source archive being voted upon can be found here:
>>
>> https://dist.apache.org/repos/dist/dev/incubator/metron/0.2.
>> 1BETA-RC2-incubating/apache-metron-0.2.1BETA-RC2-incubating.tar.gz
>>
>> Other release files, signatures and digests can be found here:
>> https://dist.apache.org/repos/dist/dev/incubator/metron/0.2.
>> 1BETA-RC2-incubating/
>>
>> The release artifacts are signed with the following key:
>>
>> https://git-wip-us.apache.org/repos/asf?p=incubator-metron.g
>> it;a=blob;f=KEYS;h=c11bcb9b7385b4d155501aa097afd890f1070a18;
>> hb=3e278cdc2c60d6d193d53157512c68b2a3ed58de
>>
>>
>> Please vote on releasing this package as Apache Metron 0.2.1BETA-RC2
>> incubating
>>
>> When voting, please list the actions taken to verify the release.
>> Recommended build validation and verification instructions are posted
>> here:
>> https://cwiki.apache.org/confluence/display/METRON/Verifying+Builds
>>
>> This vote will be open for at least 72 hours.
>>
>> [ ] +1 Release this package as Apache Metron 0.2.0BETA-RC2 incubating
>> [ ] 0 No opinion
>> [ ] -1 Do not release this package because...
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
>
>
Re: [VOTE] Releasing Apache Metron 0.2.1BETA-RC2
Posted by Josh Elser <el...@apache.org>.
Hi Casey,
I noticed two things in my casual glance:
1) META-INF/NOTICE says "Curator Service Discovery", not "Apache Metron"
(and META-INF/NOTICE.txt is for commons-cli)
2) I see that commons-math3 is included, and I am nearly 100% positive
that there ware are NOTICE entries that need to be propagated from that
artifact into your NOTICE
Obviously, this is not an exhaustive "fix x, y, and z", but we can help
with that if there is confusion. The L&N on the tarball is good, so I
assume ya'll on are the path to being experts :)
Casey Stella wrote:
> Hey Josh,
>
> Thanks for looking so carefully again. Regarding the metron-common jar,
> could you be more specific how it's not correct? We placed a licenses
> file[1] in the META-INF directory for all of the jars which bundle
> components that have blurbs mentioning the permissive licenses. Is there
> something that we missed?
>
> 1.
> https://github.com/apache/incubator-metron/blob/master/metron-platform/metron-common/src/main/resources/META-INF/LICENSE
> is the one for metron-common
>
> On Thu, Oct 6, 2016 at 12:32 AM, Josh Elser<el...@apache.org> wrote:
>
>> +1 (binding)
>>
>> * xsums/sigs OK (I think this is the second release, I think both from
>> Metron, where firefox butchers the SHA xsum -- I have no idea why though.
>> wget is fine)
>> * L&N are OK. Some extra cruft in LICENSE file, but the main content is
>> there.
>> * Can build from source
>> * Found no binaries in source-release
>> * DISCLAIMER is present
>> * KEYS is appropriate
>>
>> Other observations:
>>
>> * Kudos to Justin on catching StixExtractorTest.java
>> * Looks like the version in the pom is 0.2.1BETA, but I would have
>> expected to see 0.2.1BETA-incubating.
>> * Nit: contents of the source-release artifact could also be named
>> similarly. It's "incubator-metron-Metron_0.2.1BETA_rc2", I would expect
>> to see something like "apache-metron-0.2.1BETA-incubating".
>> * I picked out one JAR generated by the source release and inspected it
>> for proper L&N (metron-platform/metron-common/target/metron-common-0.2.1BETA.jar)
>> and it does not appear to be correct to me. It would be good to have this
>> on your radar to verify across the board -- make sure that L&N inside the
>> artifacts your source-release creates (shaded JARs) is properly licensed
>> just like the source-release is.
>> * What's going on with the Metron Ambari Management Pack? It has a
>> different version than the rest of the code (Metron Ambari Management Pack
>> 1.0.0.0-SNAPSHOT). Is this intentional?
>>
>> - Josh
>>
>>
>> James Sirota wrote:
>>
>>> This is a call to vote on releasing Apache Metron 0.2.1BETA-RC2 incubating
>>>
>>> Full list of changes in this release:
>>>
>>> https://dist.apache.org/repos/dist/dev/incubator/metron/0.2.
>>> 1BETA-RC2-incubating/CHANGES
>>>
>>> The tag/commit to be voted upon is Metron_0.2.1BETA_rc2:
>>>
>>> https://git-wip-us.apache.org/repos/asf?p=incubator-metron.g
>>> it;a=commit;h=3e278cdc2c60d6d193d53157512c68b2a3ed58de
>>>
>>> The source archive being voted upon can be found here:
>>>
>>> https://dist.apache.org/repos/dist/dev/incubator/metron/0.2.
>>> 1BETA-RC2-incubating/apache-metron-0.2.1BETA-RC2-incubating.tar.gz
>>>
>>> Other release files, signatures and digests can be found here:
>>> https://dist.apache.org/repos/dist/dev/incubator/metron/0.2.
>>> 1BETA-RC2-incubating/
>>>
>>> The release artifacts are signed with the following key:
>>>
>>> https://git-wip-us.apache.org/repos/asf?p=incubator-metron.g
>>> it;a=blob;f=KEYS;h=c11bcb9b7385b4d155501aa097afd890f1070a18;
>>> hb=3e278cdc2c60d6d193d53157512c68b2a3ed58de
>>>
>>>
>>> Please vote on releasing this package as Apache Metron 0.2.1BETA-RC2
>>> incubating
>>>
>>> When voting, please list the actions taken to verify the release.
>>> Recommended build validation and verification instructions are posted
>>> here:
>>> https://cwiki.apache.org/confluence/display/METRON/Verifying+Builds
>>>
>>> This vote will be open for at least 72 hours.
>>>
>>> [ ] +1 Release this package as Apache Metron 0.2.0BETA-RC2 incubating
>>> [ ] 0 No opinion
>>> [ ] -1 Do not release this package because...
>>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
>> For additional commands, e-mail: general-help@incubator.apache.org
>>
>>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
Re: [VOTE] Releasing Apache Metron 0.2.1BETA-RC2
Posted by Casey Stella <ce...@gmail.com>.
Hey Josh,
Thanks for looking so carefully again. Regarding the metron-common jar,
could you be more specific how it's not correct? We placed a licenses
file[1] in the META-INF directory for all of the jars which bundle
components that have blurbs mentioning the permissive licenses. Is there
something that we missed?
1.
https://github.com/apache/incubator-metron/blob/master/metron-platform/metron-common/src/main/resources/META-INF/LICENSE
is the one for metron-common
On Thu, Oct 6, 2016 at 12:32 AM, Josh Elser <el...@apache.org> wrote:
> +1 (binding)
>
> * xsums/sigs OK (I think this is the second release, I think both from
> Metron, where firefox butchers the SHA xsum -- I have no idea why though.
> wget is fine)
> * L&N are OK. Some extra cruft in LICENSE file, but the main content is
> there.
> * Can build from source
> * Found no binaries in source-release
> * DISCLAIMER is present
> * KEYS is appropriate
>
> Other observations:
>
> * Kudos to Justin on catching StixExtractorTest.java
> * Looks like the version in the pom is 0.2.1BETA, but I would have
> expected to see 0.2.1BETA-incubating.
> * Nit: contents of the source-release artifact could also be named
> similarly. It's "incubator-metron-Metron_0.2.1BETA_rc2", I would expect
> to see something like "apache-metron-0.2.1BETA-incubating".
> * I picked out one JAR generated by the source release and inspected it
> for proper L&N (metron-platform/metron-common/target/metron-common-0.2.1BETA.jar)
> and it does not appear to be correct to me. It would be good to have this
> on your radar to verify across the board -- make sure that L&N inside the
> artifacts your source-release creates (shaded JARs) is properly licensed
> just like the source-release is.
> * What's going on with the Metron Ambari Management Pack? It has a
> different version than the rest of the code (Metron Ambari Management Pack
> 1.0.0.0-SNAPSHOT). Is this intentional?
>
> - Josh
>
>
> James Sirota wrote:
>
>> This is a call to vote on releasing Apache Metron 0.2.1BETA-RC2 incubating
>>
>> Full list of changes in this release:
>>
>> https://dist.apache.org/repos/dist/dev/incubator/metron/0.2.
>> 1BETA-RC2-incubating/CHANGES
>>
>> The tag/commit to be voted upon is Metron_0.2.1BETA_rc2:
>>
>> https://git-wip-us.apache.org/repos/asf?p=incubator-metron.g
>> it;a=commit;h=3e278cdc2c60d6d193d53157512c68b2a3ed58de
>>
>> The source archive being voted upon can be found here:
>>
>> https://dist.apache.org/repos/dist/dev/incubator/metron/0.2.
>> 1BETA-RC2-incubating/apache-metron-0.2.1BETA-RC2-incubating.tar.gz
>>
>> Other release files, signatures and digests can be found here:
>> https://dist.apache.org/repos/dist/dev/incubator/metron/0.2.
>> 1BETA-RC2-incubating/
>>
>> The release artifacts are signed with the following key:
>>
>> https://git-wip-us.apache.org/repos/asf?p=incubator-metron.g
>> it;a=blob;f=KEYS;h=c11bcb9b7385b4d155501aa097afd890f1070a18;
>> hb=3e278cdc2c60d6d193d53157512c68b2a3ed58de
>>
>>
>> Please vote on releasing this package as Apache Metron 0.2.1BETA-RC2
>> incubating
>>
>> When voting, please list the actions taken to verify the release.
>> Recommended build validation and verification instructions are posted
>> here:
>> https://cwiki.apache.org/confluence/display/METRON/Verifying+Builds
>>
>> This vote will be open for at least 72 hours.
>>
>> [ ] +1 Release this package as Apache Metron 0.2.0BETA-RC2 incubating
>> [ ] 0 No opinion
>> [ ] -1 Do not release this package because...
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
>
>
Re: [VOTE] Releasing Apache Metron 0.2.1BETA-RC2
Posted by Josh Elser <el...@apache.org>.
+1 (binding)
* xsums/sigs OK (I think this is the second release, I think both from
Metron, where firefox butchers the SHA xsum -- I have no idea why
though. wget is fine)
* L&N are OK. Some extra cruft in LICENSE file, but the main content is
there.
* Can build from source
* Found no binaries in source-release
* DISCLAIMER is present
* KEYS is appropriate
Other observations:
* Kudos to Justin on catching StixExtractorTest.java
* Looks like the version in the pom is 0.2.1BETA, but I would have
expected to see 0.2.1BETA-incubating.
* Nit: contents of the source-release artifact could also be named
similarly. It's "incubator-metron-Metron_0.2.1BETA_rc2", I would expect
to see something like "apache-metron-0.2.1BETA-incubating".
* I picked out one JAR generated by the source release and inspected it
for proper L&N
(metron-platform/metron-common/target/metron-common-0.2.1BETA.jar) and
it does not appear to be correct to me. It would be good to have this on
your radar to verify across the board -- make sure that L&N inside the
artifacts your source-release creates (shaded JARs) is properly licensed
just like the source-release is.
* What's going on with the Metron Ambari Management Pack? It has a
different version than the rest of the code (Metron Ambari Management
Pack 1.0.0.0-SNAPSHOT). Is this intentional?
- Josh
James Sirota wrote:
> This is a call to vote on releasing Apache Metron 0.2.1BETA-RC2 incubating
>
> Full list of changes in this release:
>
> https://dist.apache.org/repos/dist/dev/incubator/metron/0.2.1BETA-RC2-incubating/CHANGES
>
> The tag/commit to be voted upon is Metron_0.2.1BETA_rc2:
>
> https://git-wip-us.apache.org/repos/asf?p=incubator-metron.git;a=commit;h=3e278cdc2c60d6d193d53157512c68b2a3ed58de
>
> The source archive being voted upon can be found here:
>
> https://dist.apache.org/repos/dist/dev/incubator/metron/0.2.1BETA-RC2-incubating/apache-metron-0.2.1BETA-RC2-incubating.tar.gz
>
> Other release files, signatures and digests can be found here:
> https://dist.apache.org/repos/dist/dev/incubator/metron/0.2.1BETA-RC2-incubating/
>
> The release artifacts are signed with the following key:
>
> https://git-wip-us.apache.org/repos/asf?p=incubator-metron.git;a=blob;f=KEYS;h=c11bcb9b7385b4d155501aa097afd890f1070a18;hb=3e278cdc2c60d6d193d53157512c68b2a3ed58de
>
>
> Please vote on releasing this package as Apache Metron 0.2.1BETA-RC2 incubating
>
> When voting, please list the actions taken to verify the release.
> Recommended build validation and verification instructions are posted here:
> https://cwiki.apache.org/confluence/display/METRON/Verifying+Builds
>
> This vote will be open for at least 72 hours.
>
> [ ] +1 Release this package as Apache Metron 0.2.0BETA-RC2 incubating
> [ ] 0 No opinion
> [ ] -1 Do not release this package because...
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
Re: [VOTE] Releasing Apache Metron 0.2.1BETA-RC2
Posted by Justin Mclean <ju...@classsoftware.com>.
Hi,
+1 binding
I checked:
- name includes incubating
- signatures and hashed are good
- LICENSE is missing a licence (see below)
- NOTICE is good
- A file are missing apache headers [4], all others are good
- No unexpected binary files in release
- Can compile from source
This file [1] incorrectly (IMO) has an Apache header and it’s permissive license [2][3] (which I assumes is BSD?) is missing from LICENSE. Please fix this in the next release.
Thanks,
Justin
1. ./metron-platform/metron-data-management/src/test/java/org/apache/metron/dataloads/extractor/stix/StixExtractorTest.java
2. http://stix.mitre.org/about/termsofuse.html
3. http://stixproject.github.io/legal/
4. ./metron-analytics/metron-maas-service/src/test/resources/maas/dummy_rest.sh
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org