Hi - > On Apr 3, 2019, at 3:20 PM, Ning Wang <[email protected]> wrote: > > Got it. Thanks. > > My bad. I meant for this version (before the review).
Look into the License of all the dependent code and packages included in the built binary. There will then need to be procedures to understand when new dependencies are added so that those can be tested. Also, for the source itself, I took a look at the rat-excludes and they seem to be generous. Let’s review these too. > > One more question, what exactly we need to do to review license? Inspect every dependency …. > > On Wed, Apr 3, 2019 at 12:13 PM Dave Fisher <[email protected]> wrote: > >> Hi - >> >>> On Apr 3, 2019, at 11:50 AM, Ning Wang <[email protected]> wrote: >>> >>> *Inline. >>> >>> On Wed, Apr 3, 2019 at 11:36 AM Dave Fisher <[email protected]> >> wrote: >>> >>>> Hi - >>>> >>>> See inline: >>>> >>>>>>> >>>>>>> For docker hub image, I published it to >>>>>>> *https://hub.docker.com/r/apacheheron/heron/tags >>>>>>> <https://hub.docker.com/r/apacheheron/heron/tags>. It is not the >> right >>>>>> one? >>>>>>> I got an invite after becoming a committer then I thought this is the >>>>>>> official one. But maybe it isn't?* >>>>>> >>>>>> That one is created and managed by this project, and as such it >> remains >>>> an >>>>>> unofficial location - we’ll need to be careful how it is advertised. >>>>>> >>>>>> The official Apache Docker Hub is https://hub.docker.com/u/apache < >>>>>> https://hub.docker.com/u/apache> >>>>>> >>>>>> https://reference.apache.org/pmc/docker < >>>>>> https://reference.apache.org/pmc/docker> for an example. >>>>>> >>>>>> https://issues.apache.org/jira/browse/LEGAL-270 < >>>>>> https://issues.apache.org/jira/browse/LEGAL-270> for a discussion. >>>>>> >>>>>> Let’s discuss via how the apacheheron docker file is produced. >>>>>> >>>>>> >>>>> Ok. Another permission to request. >>>>> >>>>> The docker image is built with this jenkins job: >>>>> https://builds.apache.org/job/apache-heron-github-docker-image-debian/ >>>>> >>>>> I then downloaded it and load/publish. >>>> >>>> OK, I see this and I see several build jobs. >>>> >>>> And wow - that’s a 1GB archive! >>>> >>>> Yeah. It is 1G~ With --squash flag it is smaller (500m to 600m), but the >>> flag is not available in Apache Jenkins machines. >>> >>> >>> >>>> I wonder how much of these Jenkins scripts should be in Jenkins as >> opposed >>>> to all in the Git repository and then invoked as 1-3 scripts from >> Jenkins >>>> w/ environment variable pick up. This would ultimately benefit those who >>>> are trying to understand how to build Heron and what artifacts are >> brought >>>> into the binary. >>>> >>>> >>> Agreed. The scripts could be refactored/simplifed further. >>> >>> >>> >>>> We must do a careful license review of everything included in a Binary. >>>> If some of the binary artifacts going to the maven repository are much >>>> smaller then we should discuss these separately. >>>> >>>> Until then just make Source releases. >>>> >>> >>> So it means docker images and those convenience binary packages are not >>> allowed on github and dockerhub? >> >> NO! You are missing the point. I have not been clear. We have to know what >> is inside of these packages before they are allowed! We have to go through >> a process to confirm that there are no disallowed licenses and that proper >> notice for certain licenses are followed. It is tedious, but it is required. >> >> http://www.apache.org/legal/release-policy.html >> >> Here is the guide to understand if a license is allowed. >> >> http://www.apache.org/legal/resolved.html >> >> For example, Apache Releases must not include GPL! >> >>> >>> So the action items for the binary packages are: >>> 1. remove them from github, resume the 0.20.1 rc2 vote with updated info. >>> 2. optimize the binary package sizes. >>> 3. request permission to uploaded them to Apache dist repo. >>> 4. license review >> >> 4. is 1.5 >> >>> >>> >>> >>>> >>>> BTW - The apacheheron Docker Hub still appears to be from the project >> and >>>> Apache and that means it is not allowed unless it can be VOTED on. >>>> >>> >>> My understanding is: >>> - remove the docker image from apacheheron >>> - wait for the works on the binary packages are done. >>> - build and publish to apache docker hub. >> >> That would be preferred. >> >> Regards, >> Dave >> >>> >>> >>> >>>> >>>> Please see the VP, Legal and VP, Brand comments on >>>> https://issues.apache.org/jira/browse/LEGAL-427 >>>> >>>> (This is a better and more direct answer than on >>>> https://issues.apache.org/jira/browse/LEGAL-270 ) >>>> >>>> >>> >>> >>>> Does this make sense? >>>> >>> >>> Yeah. Thanks. >>> >>> >>>> Regards, >>>> Dave >>>>> >>>>> >>>>>> >>>>>>> >>>>>>> I thought maven artifacts are on repository.apache.org and source >>>>>> release >>>>>>> (may include binary release as well in future) should be in >>>>>> dist.apache.org. >>>>>>> Seems I am wrong. I can add the artifacts to dist.apache.org. >>>>>> >>>>>> All released artifacts should be on dist.apache.org < >>>>>> http://dist.apache.org/> first in dev and once the vote is approved >>>> then >>>>>> they can be moved. >>>>>> >>>>>> For repository.apache.org <http://repository.apache.org/> there is an >>>>>> ability to stage, but it may be that you burn a release version if the >>>> vote >>>>>> fails. >>>>>> >>>>>> My suggestion is that we wait to put deploy packages to maven / >>>>>> repository.apache.org <http://repository.apache.org/> until the vote >> is >>>>>> completed. >>>> >>>> This is just a suggestion on my part. >>>> >>>>>> >>>>> >>>>> Ok. Sounds good. Thanks. >>>>> >>>>> Also, how about the convenience binary and docker packages? Just to >>>> confirm >>>>> that they should or should not be built before the vote? >>>>> >>>>> >>>>>> The VOTE thread should be: >>>>>> (0) KEYS path - can already update the release location. >>>>>> (1) For each artifact on dist. >>>>>> - URL for artifact >>>>>> - URL for asc signature >>>>>> - URL for SHA512 hash >>>>>> >>>>>> It should be very clear and in plain text. >>>>>> >>>>>> It would be helpful on the binary artifacts to make sure there are >> clear >>>>>> build instructions. >>>>>> >>>>> >>>>> Got it. >>>>> >>>>> >>>>>> We never discussed the large binary release. >>>>>> >>>>>> >>>>> Right. Currently we are keeping these files in github for now and we >> will >>>>> try to move them to Apache dist after reducing the file sizes in >> future. >>>>> >>>>> >>>>> >>>>>>> >>>>>>> Is there anything else we are missing? >>>>>>> >>>>>>> Thanks in advance. >>>>>> >>>>>> Regards, >>>>>> Dave >>>>>> >>>>>>> >>>>>>> On Mon, Apr 1, 2019 at 2:17 PM Ning Wang <[email protected]> >> wrote: >>>>>>> >>>>>>>> And - general@incubator mailing list. >>>>>>>> >>>>>>>> On Mon, Apr 1, 2019 at 1:53 PM Ning Wang <[email protected]> >>>> wrote: >>>>>>>> >>>>>>>>> Ok. Thanks! >>>>>>>>> >>>>>>>>> On Mon, Apr 1, 2019 at 11:55 AM Dave Fisher <[email protected] >>> >>>>>>>>> wrote: >>>>>>>>> >>>>>>>>>> -1 - we need to carefully discuss this on dev@heron. >>>>>>>>>> >>>>>>>>>> I seem to be the only Heron Mentor paying attention. We need more >>>> than >>>>>>>>>> me! >>>>>>>>>> >>>>>>>>>> (1) I cannot really follow this email >>>>>>>>>> (2) We still need to discuss the docker hub image. (I suggest that >>>>>> this >>>>>>>>>> be unofficial for this round.) >>>>>>>>>> (3) The binaries on repository.apache.org < >>>>>> http://repository.apache.org/> >>>>>>>>>> are not on dist.apache.org <http://dist.apache.org/>. >>>>>>>>>> >>>>>>>>>> Apologies, let’s rewind what is included for this release. It >> needs >>>> to >>>>>>>>>> be discussed on dev@ in advance. >>>>>>>>>> >>>>>>>>>> Regards, >>>>>>>>>> Dave >>>>>>>>>> >>>>>>>>>>> On Apr 1, 2019, at 11:08 AM, Ning Wang <[email protected]> >>>> wrote: >>>>>>>>>>> >>>>>>>>>>> *Hello, dear IPMC members,This is a call for a vote to release >>>> Apache >>>>>>>>>> Heron >>>>>>>>>>> (Incubating) version 0.20.1.The Apache Heron Community has voted >> to >>>>>>>>>> make >>>>>>>>>>> the Heron Release 0.20.1-incubating release. We kindly request >> the >>>>>>>>>>> Incubator PMC members review and vote on this incubator >> release.The >>>>>> dev >>>>>>>>>>> voting thread is >>>>>>>>>>> here: >>>>>>>>>> >>>>>> >>>> >> https://lists.apache.org/thread.html/7c61de9884bda8f95b798b40ce0bb90b7c768e05f1a90d45e164a7cf@%3Cdev.heron.apache.org%3E >>>>>>>>>>> < >>>>>>>>>> >>>>>> >>>> >> https://lists.apache.org/thread.html/7c61de9884bda8f95b798b40ce0bb90b7c768e05f1a90d45e164a7cf@%3Cdev.heron.apache.org%3E >>>>>>>>>>> Apache >>>>>>>>>>> Heron(incubating) is a realtime, distributed, fault-tolerant >> stream >>>>>>>>>>> processing engine. This release include source code, maven >>>> artifacts. >>>>>>>>>>> Convenience binary packages are also included but not relevant >> for >>>>>>>>>> voting >>>>>>>>>>> purposes.The tag to be voted upon:0.20.1-incubating-rc2 >>>>>>>>>>> (e6134da336fa290fa1b40972bc747a7507948d8a)The full list of >> changes >>>>>> and >>>>>>>>>>> release notes are available >>>>>>>>>>> at: >>>>>>>>>> >>>>>> >>>> >> https://github.com/apache/incubator-heron/releases/tag/0.20.1-incubating-rc2 >>>>>>>>>>> < >>>>>>>>>> >>>>>> >>>> >> https://github.com/apache/incubator-heron/releases/tag/0.20.1-incubating-rc2 >>>>>>>>>>> Source >>>>>>>>>>> files can be found in dist.apache.org <http://dist.apache.org> >>>>>>>>>>> site: >>>>>>>>>> >>>>>> >>>> >> https://dist.apache.org/repos/dist/dev/incubator/heron/heron-0.20.1-incubating-candidate-2/ >>>>>>>>>>> < >>>>>>>>>> >>>>>> >>>> >> https://dist.apache.org/repos/dist/dev/incubator/heron/heron-0.20.1-incubating-candidate-2/ >>>>>>>>>>> Docker >>>>>>>>>>> image is available at: >>>>>> https://hub.docker.com/r/apacheheron/heron/tags >>>>>>>>>>> <https://hub.docker.com/r/apacheheron/heron/tags>The generated >>>>>>>>>> packages, >>>>>>>>>>> including maven artifacts, installers and docker image are >>>> available >>>>>>>>>> here >>>>>>>>>>> on GitHub: >>>>>>>>>>> < >>>>>>>>>> >>>>>> >>>> >> https://dist.apache.org/repos/dist/dev/incubator/heron/heron-0.20.0-incubating-candidate-5/ >>>>>>>>>>> >>>>>>>>>> >>>>>> >>>> >> https://github.com/apache/incubator-heron/releases/tag/0.20.1-incubating-rc2 >>>>>>>>>>> < >>>>>>>>>> >>>>>> >>>> >> https://github.com/apache/incubator-heron/releases/tag/0.20.1-incubating-rc2 >>>>>>>>>>> Source >>>>>>>>>>> SHA-512 >>>>>>>>>>> >>>>>>>>>> >>>>>> >>>> >> checksums:c47fc8c228b5543f94dcf8fb5eb0f8083e84602be4f3b5ca52402b6e3e0f893434f971c317f44c3a69e78e597b96642fd69b5bec63e9a8eb7456c816f8e118f3 >>>>>>>>>>> incubator-heron-0.20.1-incubating-rc2.tar.gzArtifacts are >> published >>>>>>>>>>> to:API: >>>>>>>>>>> >>>>>>>>>> >>>>>> >>>> >> https://repository.apache.org/content/repositories/staging/org/apache/heron/heron-api/0.20.1-incubating-rc2/ >>>>>>>>>>> < >>>>>>>>>> >>>>>> >>>> >> https://repository.apache.org/content/repositories/staging/org/apache/heron/heron-api/0.20.1-incubating-rc2/ >>>>>>>>>>> SPI: >>>>>>>>>>> >>>>>>>>>> >>>>>> >>>> >> https://repository.apache.org/content/repositories/staging/org/apache/heron/heron-spi/0.20.1-incubating-rc2/ >>>>>>>>>>> < >>>>>>>>>> >>>>>> >>>> >> https://repository.apache.org/content/repositories/staging/org/apache/heron/heron-spi/0.20.1-incubating-rc2/ >>>>>>>>>>> Storm >>>>>>>>>>> API: >>>>>>>>>>> >>>>>>>>>> >>>>>> >>>> >> https://repository.apache.org/content/repositories/staging/org/apache/heron/heron-storm/0.20.1-incubating-rc2/ >>>>>>>>>>> < >>>>>>>>>> >>>>>> >>>> >> https://repository.apache.org/content/repositories/staging/org/apache/heron/heron-storm/0.20.1-incubating-rc2/ >>>>>>>>>>> Simulator: >>>>>>>>>>> >>>>>>>>>> >>>>>> >>>> >> https://repository.apache.org/content/repositories/staging/org/apache/heron/heron-simulator/0.20.1-incubating-rc2/ >>>>>>>>>>> < >>>>>>>>>> >>>>>> >>>> >> https://repository.apache.org/content/repositories/staging/org/apache/heron/heron-simulator/0.20.1-incubating-rc2/ >>>>>>>>>>> The >>>>>>>>>>> artifacts are signed with PGP key 293DB72F865688D1, corresponding >>>> to >>>>>>>>>>> [email protected] <[email protected]>, that can be found in keys >>>>>>>>>>> file: >>>> https://dist.apache.org/repos/dist/release/incubator/heron/KEYS >>>>>>>>>>> <https://dist.apache.org/repos/dist/release/incubator/heron/KEYS >>>>>>>>>>> Please >>>>>>>>>>> download the source package, and follow the compiling >>>>>>>>>>> guide( >>>>>>>>>> >>>>>> >>>> >> https://apache.github.io/incubator-heron/docs/developers/compiling/compiling/ >>>>>>>>>>> < >>>>>>>>>> >>>>>> >>>> >> https://apache.github.io/incubator-heron/docs/developers/compiling/compiling/ >>>>>>>>>>> )to >>>>>>>>>>> build and run the Heron locally. Note that currently Bazel 0.14.1 >>>> is >>>>>>>>>>> required to build this version.The vote will be open for at least >>>> 72 >>>>>>>>>> hours >>>>>>>>>>> or until the necessary number of votes are reached.Please vote >>>>>>>>>>> accordingly:[ ] +1 approve[ ] +0 no opinion[ ] -1 disapprove with >>>> the >>>>>>>>>>> reasonThanks,The Apache Heron (Incubating) Team* >>>>>>>>>> >>>>>>>>>> >>>>>> >>>>>> >>>> >>>> >> >>
