Hi,
I have uploaded the PR for pinning the submodule commit SHA.
https://github.com/apache/cloudberry/pull/1084

And I put the discussion here:

https://github.com/apache/cloudberry/discussions/1083

On Tue, Apr 29, 2025 at 4:00 PM Ed Espino <esp...@apache.org> wrote:

> As we need to track a specific versions of the modules, I prefer
> submodules. Let me know if you have any questions.
>
> Thank you for taking a look at this.
>
> -=e
>
> Ed Espino
> 925.389.4640
>
>
> On Mon, Apr 28, 2025 at 9:23 PM Jun Sheng <chaoseter...@gmail.com> wrote:
>
> > I can take them. Any prerequisite?
> >
> > By the way, shall we switch to subtree instead of submodule?
> >
> > On Tue, Apr 29, 2025 at 11:01 AM Ed Espino <esp...@apache.org> wrote:
> >
> > > Hi all,
> > >
> > > As part of the recent PAX feature work, several new Git submodules have
> > > been introduced into the Apache Cloudberry (Incubating) repository.
> After
> > > reviewing these additions, I noticed two important issues that should
> be
> > > addressed before finalizing the v2.0.0 release:
> > >
> > > 1. Submodule Pinning
> > >    - Several submodules are currently pulling from `main` or an active
> > > branch (`v1.15.x`), rather than being pinned to a specific commit SHA.
> > >    - This could lead to non-reproducible builds over time, as upstream
> > > changes may alter the submodule contents unexpectedly.
> > >    - To ensure reproducibility and long-term stability, the submodules
> > > should be updated to point to specific SHAs.
> > >
> > > 2. License Management
> > >    - Each submodule introduces third-party code, and the corresponding
> > > license files need to be collected.
> > >    - The license texts should be added to the `licenses/` directory,
> and
> > > the top-level `LICENSE` file updated to reference each included
> > dependency
> > > and its license type.
> > >
> > > Submodules involved:
> > > - `gpcontrib/gpcloud/test/googletest`
> > > - `contrib/pax_storage/src/cpp/contrib/googletest`
> > > - `contrib/pax_storage/src/cpp/contrib/tabulate`
> > > - `contrib/pax_storage/src/cpp/contrib/googlebench`
> > > - `contrib/pax_storage/src/cpp/contrib/cpp-stub`
> > > - `dependency/yyjson`
> > >
> > > Call for Volunteer:
> > > Would someone be willing to volunteer to investigate and address these
> > two
> > > items?
> > > Taking care of this now will help us avoid potential issues during the
> > > v2.0.0 release process.
> > >
> > > Please reply here if you are able to help. I am happy to assist or help
> > > review any proposed updates.
> > >
> > > Thanks in advance,
> > > -=e
> > >
> > > --
> > > Ed Espino
> > > Apache Cloudberry (Incubating) & MADlib
> > >
> >
>

Reply via email to