Posted to general@incubator.apache.org by James Sirota <js...@hortonworks.com> on 2016/07/27 16:32:01 UTC

[VOTE] Releasing Apache Metron 0.2.0BETA-RC3

This release is exactly the same as RC2, but the Mozilla licensed file was removed so it doesn’t cause problems for us on the incubator general boards. We no longer use it so we just removed it.

This is a call to vote on releasing Apache Metron 0.2.0BETA-RC3 incubating

Full list of changes in this release:

https://dist.apache.org/repos/dist/dev/incubator/metron/0.2.0BETA-RC3-incubating/CHANGES

The tag/commit to be voted upon is Metron_0.2.0BETA_rc3:

https://git-wip-us.apache.org/repos/asf?p=incubator-metron.git;a=commit;h=75642001803396e8884385b0fc297a2312ead3eb

The source archive being voted upon can be found here:

https://dist.apache.org/repos/dist/dev/incubator/metron/0.2.0BETA-RC3-incubating/apache-metron-0.2.0BETA-RC3-incubating.tar.gz

Other release files, signatures and digests can be found here:
https://dist.apache.org/repos/dist/dev/incubator/metron/0.2.0BETA-RC3-incubating/
The release artifacts are signed with the following key:

https://git-wip-us.apache.org/repos/asf?p=incubator-metron.git;a=blob;f=KEYS;h=c11bcb9b7385b4d155501aa097afd890f1070a18;hb=75642001803396e8884385b0fc297a2312ead3eb


Please vote on releasing this package as Apache Metron 0.2.0BETA-RC3 incubating

When voting, please list the actions taken to verify the release.
Recommended build validation and verification instructions are posted here:
https://cwiki.apache.org/confluence/display/METRON/Verifying+Builds

This vote will be open for at least 72 hours.

[ ] +1 Release this package as Apache Metron 0.2.0BETA-RC3 incubating
[ ] 0 No opinion
[ ] -1 Do not release this package because...

Re: [VOTE] Releasing Apache Metron 0.2.0BETA-RC3

Posted by "Debo Dutta (dedutta)" <de...@cisco.com>.
+1


---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Re: [VOTE] Releasing Apache Metron 0.2.0BETA-RC3

Posted by David Lyle <dl...@gmail.com>.
Thanks Billie and Taylor,

We've got https://issues.apache.org/jira/browse/METRON-297 opened to
address this.

Thanks again,

-David..


On Thu, Aug 11, 2016 at 2:05 PM, P. Taylor Goetz <pt...@gmail.com> wrote:

> +1 (binding)
>
> Checked:
> - signatures
> - “incubating” in filename
> - ALv2 license headers
> - build from source
> - DISCLAIMER exists
> - LICENCE and NOTICE look okay
>
> As Billie mentioned, the license issue for the STIX extractor code still
> needs to be addressed. Can you add a JIRA for that and correct it in your
> next release?
>
> -Taylor
>

Re: [VOTE] Releasing Apache Metron 0.2.0BETA-RC3

Posted by "P. Taylor Goetz" <pt...@gmail.com>.
+1 (binding)

Checked:
- signatures
- “incubating” in filename
- ALv2 license headers
- build from source
- DISCLAIMER exists
- LICENCE and NOTICE look okay

As Billie mentioned, the license issue for the STIX extractor code still needs to be addressed. Can you add a JIRA for that and correct it in your next release?

-Taylor



Re: [VOTE] Releasing Apache Metron 0.2.0BETA-RC3

Posted by Josh Elser <el...@apache.org>.
Casey,

Thanks so much for the quick turn-around on JIRA issues. Great to see :)

Re: findbug's jsr305 jar, yup, that is precisely the confusion I have 
with it. I would encourage use of 
https://github.com/stephenc/findbugs-annotations/ just to avoid any 
potential issues. This person has done a few clean-room impls which are 
ASLv2 licensed which are super helpful. I know of two projects now which 
have successfully swapped these jars and have not faced any issues.

- Josh

Casey Stella wrote:
> Josh,
>
> You are of course correct on all points.
>
>     - We neglected to be careful about the implications of binary bundling
>     and transitive dependencies (JIRA
>     <https://issues.apache.org/jira/browse/METRON-374>).
>     - It's a good idea to use ephemeral ports on our integration test
>     components (JIRA<https://issues.apache.org/jira/browse/METRON-375>).
>     - We should correct the issues with the webpage (JIRA
>     <https://issues.apache.org/jira/browse/METRON-376>)
>
> Regarding Findbugs, if you open up the pom
> <http://central.maven.org/maven2/com/google/code/findbugs/jsr305/1.3.9/jsr305-1.3.9.pom>
> from com.google.code.findbugs:jsr305-1.3.9 the ASLv2 is referenced.  That
> being said, it's pretty clear that findbugs itself is lgpl, so I am also
> confused.  Regardless, a more careful inspection and handling of our
> transitive dependencies is obviously called for.  Thanks for the careful
> attention. :)
>
> Casey
>


Re: [VOTE] Releasing Apache Metron 0.2.0BETA-RC3

Posted by Casey Stella <ce...@gmail.com>.
Josh,

You are of course correct on all points.

   - We neglected to be careful about the implications of binary bundling
   and transitive dependencies (JIRA
   <https://issues.apache.org/jira/browse/METRON-374>).
   - It's a good idea to use ephemeral ports on our integration test
   components (JIRA <https://issues.apache.org/jira/browse/METRON-375>).
   - We should correct the issues with the webpage (JIRA
   <https://issues.apache.org/jira/browse/METRON-376>)

Regarding Findbugs, if you open up the pom
<http://central.maven.org/maven2/com/google/code/findbugs/jsr305/1.3.9/jsr305-1.3.9.pom>
from com.google.code.findbugs:jsr305-1.3.9 the ASLv2 is referenced.  That
being said, it's pretty clear that findbugs itself is lgpl, so I am also
confused.  Regardless, a more careful inspection and handling of our
transitive dependencies is obviously called for.  Thanks for the careful
attention. :)

Casey

On Wed, Aug 17, 2016 at 1:27 AM, Josh Elser <el...@apache.org> wrote:

> +1 with reservations (binding)
>
> * DISCLAIMER present
> * LICENSE/NOTICE seem reasonable
> * xsums/sigs OK
> * Can build from source
> * Unit tests pass (after I stopped my local hbase instance, maybe you
> could use random ports from the ephemeral range for your test services
> instead of the default service ports)
> * Integration tests didn't (I stopped after a failure in
> BulkLoadMapperIntegrationTest)
> * Tag is deployed and matches VOTE
> * Overly aggressive RAT exclusions, but it passes and seems ok. Would
> strongly recommend you prune this list in the future to make sure you don't
> start shipping files which do not have a license header. You presently have
> many exclusions for files which don't even exist in the codebase.
>
> Reservations:
>
> It is important to make sure that not only is the source-release artifact
> properly licensed, but the resulting artifacts that source-release creates
> are also properly licensed (in other words: the jars your build creates).
>
> Your shaded jars are not correctly licensed. For example, you include
> org.abego.treelayout:org.abego.treelayout.core:jar:1.0.1 in
> metron-common-0.2.0BETA.jar which is 3-clause BSD licensed, yet the
> contained META-INF/LICENSE file has no mention of this. I also see a number
> of CDDL licensed jars being included.
>
> The most worrisome artifact I see included is
> com.google.code.findbugs:jsr305-1.3.9 in multiple artifacts
> (metron-pcap-backend-0.2.0BETA.jar for one). This artifact befuddles me
> because it is completely unclear whether it is GPL'ed or ASLv2 (last I
> checked, documentation was not clear at all). Ironically, you also have
> com.github.stephenc.findbugs:findbugs-annotations:jar:1.3.9-1 included
> which is a clearly ASLv2 licensed implementation of the same spec (we won't
> get into me asking "why" both are included *winks*).
>
> I don't think you need to fix these for this release, but you should make
> an effort to do this before your next release. Yes, it sucks. Yes, you're
> not the only one who has done it/will do it again.
>
> Branding:
>
> Took a look at your website too.
>
> * Your required ASF navigation links are not present
> http://www.apache.org/foundation/marks/pmcs.html#navigation
> * Incubator disclaimer and logo are present (yay)
> * Noticed "Ambari" and not "Apache Ambari" on
> http://metron.incubator.apache.org/documentation/. Would be good to make
> sure you're using proper names for ASF projects.
>
>
>

Re: [VOTE] Releasing Apache Metron 0.2.0BETA-RC3

Posted by Josh Elser <el...@apache.org>.
+1 with reservations (binding)

* DISCLAIMER present
* LICENSE/NOTICE seem reasonable
* xsums/sigs OK
* Can build from source
* Unit tests pass (after I stopped my local hbase instance, maybe you 
could use random ports from the ephemeral range for your test services 
instead of the default service ports)
* Integration tests didn't (I stopped after a failure in 
BulkLoadMapperIntegrationTest)
* Tag is deployed and matches VOTE
* Overly aggressive RAT exclusions, but it passes and seems ok. Would 
strongly recommend you prune this list in the future to make sure you 
don't start shipping files which do not have a license header. You 
presently have many exclusions for files which don't even exist in the 
codebase.

Reservations:

It is important to make sure that not only is the source-release 
artifact properly licensed, but the resulting artifacts that 
source-release creates are also properly licensed (in other words: the 
jars your build creates).

Your shaded jars are not correctly licensed. For example, you include 
org.abego.treelayout:org.abego.treelayout.core:jar:1.0.1 in 
metron-common-0.2.0BETA.jar which is 3-clause BSD licensed, yet the 
contained META-INF/LICENSE file has no mention of this. I also see a 
number of CDDL licensed jars being included.

The most worrisome artifact I see included is 
com.google.code.findbugs:jsr305-1.3.9 in multiple artifacts 
(metron-pcap-backend-0.2.0BETA.jar for one). This artifact befuddles me 
because it is completely unclear whether it is GPL'ed or ASLv2 (last I 
checked, documentation was not clear at all). Ironically, you also have 
com.github.stephenc.findbugs:findbugs-annotations:jar:1.3.9-1 included 
which is a clearly ASLv2 licensed implementation of the same spec (we 
won't get into me asking "why" both are included *winks*).

I don't think you need to fix these for this release, but you should 
make an effort to do this before your next release. Yes, it sucks. Yes, 
you're not the only one who has done it/will do it again.

Branding:

Took a look at your website too.

* Your required ASF navigation links are not present 
http://www.apache.org/foundation/marks/pmcs.html#navigation
* Incubator disclaimer and logo are present (yay)
* Noticed "Ambari" and not "Apache Ambari" on 
http://metron.incubator.apache.org/documentation/. Would be good to make 
sure you're using proper names for ASF projects.

