+1 for this release
On 1/6/22, 9:22 AM, "Dan Smith" <[email protected]> wrote:
> Quibbles:
> - artifact naming does not follow standard naming convention of
> THING-VERSION.tgz and THING-VERSION-src.tgz (also Geode decided to stop
> distributing .zip files years ago)
> - not based on the latest Geode 1.12 patch. I would like to see Geode
> 1.12.8 picked up once it's available later this month.
> - the log4j version 2.16.0 advertised in this release fixes only 2 of the 4
> recent log4j vulnerabilities. I would prefer to see log4j 2.17.1.
> - vote email is missing a link to release notes and a link to the KEYS file
> used to sign the release.
> - artifact paths and email subject are missing "RC1" qualifier

Agreed, I think we'll want to do another release later to pick up the latest
Geode and log4j. The lack of RC1 is intentional - this is creating an official
release based on what was already linked from the Confluent Hub.

> Concerns:
> - NOTICE and LICENSE are found inside a "doc" folder instead of at the top
> level of the artifact
> - Some dependencies are missing from LICENSE. While most deps are Apache2
> and don't require a mention, LatencyUtils is BSD-2 and should be mentioned, and
> likely a few others from Geode's LICENSE need to be there as well because they
> are incorporated in source form into geode-core.

Good catch! I created GEODE-9925 for the missing dependencies.

> Looking at the list of things to do and conflicts with Geode / Confluent
> requirements. We can remove it from the Apache domain and move it to internal
> open source repo like gpdb or rabbitMQ while keeping the Apache License.
> Alternatives can be the VMware or VMware-labs opensource orgs in GitHub.

Can you clarify which things are in conflict? I think the file name for
Geode is not a hard requirement, just a convention we picked. Also the location
of LICENSE and NOTICE files - is there some Confluent requirement? Apache says
those files should be at the top level for a source distribution, but I'm not
clear about a binary distribution. For example, our jar files put them under
META-INF, which I think is the Java convention.

My inclination is to continue with this release as is and create a follow-up
release that updates log4j and the LICENSE, NOTICE files, so I'm leaving
this VOTE open in hopes of getting some more votes.
-Dan
________________________________
From: Nabarun Nag <[email protected]>
Sent: Tuesday, January 4, 2022 5:13 PM
To: [email protected] <[email protected]>
Subject: Re: [VOTE] - Apache Geode Kafka Connector 1.1.0 - Take 2
As it is primarily created for Confluent Marketplace we need to follow the
steps required for hosting in the marketplace, which included how things are to
be named, folder structure etc.
Looking at the list of things to do and conflicts with Geode / Confluent
requirements. We can remove it from the Apache domain and move it to internal
open source repo like gpdb or rabbitMQ while keeping the Apache License.
Alternatives can be the VMware or VMware-labs opensource orgs in GitHub.
We can definitely add the missing licenses and wait for 1.12.8 release of
Apache Geode to update those dependencies.
Regards
Naba
________________________________
From: Owen Nichols <[email protected]>
Sent: Tuesday, January 4, 2022 4:45 PM
To: [email protected] <[email protected]>
Subject: Re: [VOTE] - Apache Geode Kafka Connector 1.1.0 - Take 2
Quibbles:
- artifact naming does not follow standard naming convention of
THING-VERSION.tgz and THING-VERSION-src.tgz (also Geode decided to stop
distributing .zip files years ago)
- not based on the latest Geode 1.12 patch. I would like to see Geode
1.12.8 picked up once it's available later this month.
- the log4j version 2.16.0 advertised in this release fixes only 2 of the 4
recent log4j vulnerabilities. I would prefer to see log4j 2.17.1.
- vote email is missing a link to release notes and a link to the KEYS file
used to sign the release.
- artifact paths and email subject are missing "RC1" qualifier
Concerns:
- NOTICE and LICENSE are found inside a "doc" folder instead of at the top
level of the artifact
- Some dependencies are missing from LICENSE. While most deps are Apache2
and don't require a mention, LatencyUtils is BSD-2 and should be mentioned, and
likely a few others from Geode's LICENSE need to be there as well because they
are incorporated in source form into geode-core.
Please consider above suggestions for next time.
+0
On 1/4/22, 2:19 PM, "Dan Smith" <[email protected]> wrote:
Hello Geode Dev Community,
This is a release candidate for Apache Geode Kafka Connector version
1.1.0.
This contains a bump to log4j 2.16.
Please do a review and give your feedback.
Voting deadline:
3PM PST Tuesday, Jan 11, 2022.
Please note that we are voting upon the source tag: rel/v1.1.0
Source and Binary Distributions:
https://dist.apache.org/repos/dist/dev/geode/kafka-connector-1.1.0/
GitHub:
https://github.com/apache/geode-kafka-connector/tree/rel/v1.1.0
Command to build the connector:
mvn package
Thanks!
-Dan