Hi Andy, thanks for the summary list :)
2013/3/25 Andy Seaborne <[email protected]> > From Fabian's excellent detailed and careful review: > > http://mail-archives.apache.**org/mod_mbox/incubator-** > marmotta-dev/201303.mbox/%**3CCA%2B_sZ%2BjY_eH52KhEea19%**3DL%3DGMJW%** > 2BS5N7FBVmRM6TQeuL22Leuw%**40mail.gmail.com%3E<http://mail-archives.apache.org/mod_mbox/incubator-marmotta-dev/201303.mbox/%3CCA%2B_sZ%2BjY_eH52KhEea19%3DL%3DGMJW%2BS5N7FBVmRM6TQeuL22Leuw%40mail.gmail.com%3E> > > I think we need to make sure we are agreed on each of these items: > > == SHA1 archive and tag > > > >> The SHA1 checksum of the archive is > >> 670d7c5d4d524acb86665f234dac4a**de16be8da6. >>> >> >> Which archive are you referring to? >> > > I went looking expecting this to the SHA1 of the tag commit but can't find > such a git commit or the tag with that SHA1. > > What was this commit SHA1? It should be the checksum of the source archive (i.e. the main distribution file). If it is not, the e-mail has a bug. The .sha files are the ones containing the correct information. I will check the mail next time, maybe something went wrong here in the process. > > The KEYS are okay but could be placed at a location like >> http://marmotta.incubator.**apache.org/KEYS<http://marmotta.incubator.apache.org/KEYS> >> > > == KEYS > > See also comment on KEYS.asc vs KEYS > > The file will be placed at > http://marmotta.incubator.**apache.org/KEYS<http://marmotta.incubator.apache.org/KEYS> > > No response to the KEYS.asc naming. Is it changing? > KEYS.asc is the (self-)signed version of the KEYS file. The KEYS file itself contains all the keys that are potentially used by the developers. If you want, we can remove the KEYS.asc, as it is not strictly required. Doesn't hurt, though. > > == N&L 2 > > > "data based on JSON-LD Test Suite licensed under CC0 License" in >> NOTICE but there is no info in LICENSE - what is CC0? Fix in future >> releases. >> > > Sebastain explained this but I'm unclear whether there is a proposed > change. I think it should be in LICENSE. It cannot be added, because it is in the public domain, so it has no license at all, see: http://creativecommons.org/publicdomain/zero/1.0/ What I can add to the license is a short note saying that it is in the public domain with a CC0 license. > > Checking >> ./apache-marmotta-3.0.0-**incubating-webapp.zip >> LICENSE & NOTICE: "H2 Database Engine under The H2 License, Version >> 1.0" in NOTICE but in LICENSE there is no "H2 License". In LICENSE it >> says "is dual licensed and available >> under a modified version of the MPL 1.1 (Mozilla Public License) or >> under the (unmodified) EPL 1.0 (Eclipse Public License)". You do not >> include a copy of this modified versions. I am really not an expert >> but there might be people who would argue that you need to include a >> copy of such licenses in LICENSE. My understanding of the ASF policies >> is that you should include copies of the license not just pointers. >> People need to be able to verify the licenses without the need to >> follow pointers to websites which may change. In doubt I would include >> the license text. >> > > == N&L 3 > > To be added to LICENSE (in progress) > (DONE) > > == DISCLAIMER > > Missing in various binaries. > > > Checking >> ./apache-marmotta-3.0.0-**incubating-installer.zip >> marmotta-installer-3.0.0-**incubating.jar/META-INF: Missing LICENSE, >> NOTICE, DISCLAIMER >> > This is an "executable jar" that noone can use as library or dependency. The LICENSE is displayed when running the installer. But to be sure, I will add the files anyways to META-INF/. (DONE). > marmotta.war: Missing DISCLAIMER >> > (DONE). > > Checking >> ./apache-marmotta-3.0.0-**incubating-ldpath.zip >> NOTICE has a list of included libs but the LICENSE does not list all >> of them -> missing pointers to LICENSES >> > (DONE). > > ldpath-3.0.0-incubating.jar/**META-INF : Missing LICENSE, NOTICE, >> DISCLAIMER >> > (DONE). > > == Maven artifacts > > DISCLAIMER issues > > (DONE). > > Checking staged repo: >> 2013/3/22 Sebastian Schaffert <[email protected]>: >> >>> A staged Maven repository is available for review at: >>> https://repository.apache.org/**content/repositories/** >>> orgapachemarmotta-013/<https://repository.apache.org/content/repositories/orgapachemarmotta-013/> >>> >> >> I checked arbitrary files in the staged repo. All JARs I checked are >> missing the DISCLAIMER in META-INF. I assume this is a general problem >> with the build system. But the DISCLAIMER has to be there. >> > > == Handling included source code > > > Summary: I still believe that the NOTICE file is the wrong place for >> listing included libs. It is for legal notices, only. >> > > This was a point from last RC and we don't seem to have got to consensus > yet. > > When I looked last cycle, I got to point where I think source inclusion > and binary bundling are handled differently: > > -- source inclusion > > http://www.apache.org/dev/**licensing-howto.html#mod-**notice<http://www.apache.org/dev/licensing-howto.html#mod-notice> > > I concluded that when it's included source code, if the whole source code > is used and that includes the copyright/license statement, it should be > left as-is and a pointer in LICENSE is sufficient. > > If, however, only part of the source code is used, or if it is not > correctly labelled with their BSD-style notice, then the full license goes > in LICENSE. Additionally, if there is a missing copyright, a copyright > statement goes in NOTICE (so there is no potential to believe it (c) > anything else). > > It depends on how each item is used in Marmotta which means each usage > needs checking as to how it's used. > > (I also trying to learn here - it's not something I'd had to deal with. > On Jena we had included BSD source fragments and bundled binaries only and > even then we have full license in LICENSE where we are shipping binaries > ourselves on the principle of being self-contained for the bytes in the > artifact.) > > -- binary bundling > > Sebastain came up [1] with the info: > > http://www.apache.org/dev/**licensing-howto.html#**permissive-deps<http://www.apache.org/dev/licensing-howto.html#permissive-deps> > > when the binary artifact bundles BSD unchanged. > > Fabian, Sebastian, all - Does that agree with your understanding? For me, yes. Greetings, Sebastian
