[
https://issues.apache.org/jira/browse/PIO-27?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15429798#comment-15429798
]
Pat Ferrel commented on PIO-27:
-------------------------------
Further @dev comments
It took Gearpump six release candidates before their first release from
incubation passed the IPMC's checks on correct LICENSE and NOTICE files (note:
different requirements for source and binary artifacts) and that all the
licenses of all transitive dependencies were accounted for and did not require
anything in Category X. This cannot be fully automated even with Maven projects
where license data is part of the POM model, because the metadata is sometimes
wrong. I don't know how it works for SBT but suspect at best it's the same
situation.
The process is basically:
- Study and understand fully the foundation and Incubator release policies with
respect to licensing requirements.
- Dump the transitive dependencies of your source build and ensure there are
only Category A dependencies, or you have a plan to replace something in B with
A. X is not allowed except in limited circumstances as part of the build only.
- Ensure the LICENSE and NOTICE files in the source root directory contain
everything required by policy.
- Dump the transitive dependencies of your binary builds and make sure
everything is licensed under licenses in Categories A or B.
- Ensure the LICENSE and NOTICE files included in **every PIO jar** contain
everything required by policy. If you aren't including such files in every jar
fix the build so it happens as required.
You can avoid dealing with binary artifact requirements by producing only
source artifacts for releases.
On Aug 20, 2016, at 11:24 AM, Suneel Marthi <[email protected]> wrote:
This is a laborious manual thing. Most incubator projects get dinged on
those very issues.
We have been trying to get a first Pirk release for a week now, but holding
off to fix the license and notices.
Maybe in PIO, it's already been taken care of. Donald?
Regardless, it would be good if someone reviewed the release artifacts now
and validated the License and Notices as opposed to pushing a release and
getting a -1 vote from IPMC.
On Sat, Aug 20, 2016 at 2:21 PM, Pat Ferrel <[email protected]> wrote:
Sounds good. Is this a hand thing or can we automate it like PIO-26 RAT?
Could you add a Jira with comments?
On Aug 20, 2016, at 11:16 AM, Suneel Marthi <[email protected]> wrote:
While waiting on #1 below, I would ask that you do the due diligence on the
License and Notice files and ensure that all third party jars have been
accounted for and the License and Notice files are included in the
appropriate project release artifacts.
> Check release artifacts for licenses and the LICENSE.txt file
> -------------------------------------------------------------
>
> Key: PIO-27
> URL: https://issues.apache.org/jira/browse/PIO-27
> Project: PredictionIO
> Issue Type: Task
> Affects Versions: 0.10.0
> Reporter: Pat Ferrel
> Priority: Blocker
> Fix For: 0.10.0
>
>
> Quoth [~smarthi] "I would ask that you do the due diligence on the
> License and Notice files and ensure that all third party jars have been
> accounted for and the License and Notice files are included in the
> appropriate project release artifacts."
> This has to be done by hand. We should be able to do it now on the develop
> branch build since we will not include new features and so no new
> dependencies.
> https://github.com/apache/incubator-predictionio/blob/develop/LICENSE.txt
> https://github.com/apache/incubator-predictionio/blob/develop/NOTICE.txt
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
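
The "LICENSE and NOTICE files in every jar" step from the process list above can at least be checked for presence mechanically. The following is an added example, not code from the thread or from the PredictionIO build; the accepted entry names and the sample jars are assumptions constructed for illustration.

```python
import io
import zipfile

# Assumption: entry names under which a jar may carry the two files.
ACCEPTED = {
    "LICENSE": {"META-INF/LICENSE", "META-INF/LICENSE.txt", "LICENSE", "LICENSE.txt"},
    "NOTICE": {"META-INF/NOTICE", "META-INF/NOTICE.txt", "NOTICE", "NOTICE.txt"},
}

def audit_jar(jar):
    """Return a list of problems for one jar (path or file-like object)."""
    try:
        with zipfile.ZipFile(jar) as zf:
            sizes = {info.filename: info.file_size for info in zf.infolist()}
    except zipfile.BadZipFile:
        return ["not a readable jar/zip archive"]
    problems = []
    for kind, names in ACCEPTED.items():
        found = [n for n in names if n in sizes]
        if not found:
            problems.append(f"missing {kind}")
        elif all(sizes[n] == 0 for n in found):
            problems.append(f"empty {kind}")  # placeholder file with no text
    return problems

def audit_release(jars):
    """Map jar name -> problems, listing only the jars that fail."""
    report = {name: audit_jar(jar) for name, jar in jars.items()}
    return {name: p for name, p in report.items() if p}

def make_jar(entries):
    """Build an in-memory jar from {entry name: content} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf

def sample_release():
    """Constructed jars: one compliant, three with different defects."""
    return {
        "core.jar": make_jar({"META-INF/LICENSE.txt": "license text",
                              "META-INF/NOTICE.txt": "notice text"}),
        "tools.jar": make_jar({"META-INF/LICENSE": "license text"}),
        "data.jar": make_jar({"META-INF/LICENSE": "", "META-INF/NOTICE": "n"}),
        "broken.jar": io.BytesIO(b"not a zip"),
    }

if __name__ == "__main__":
    for jar, problems in audit_release(sample_release()).items():
        print(f"{jar}: {', '.join(problems)}")
```

This only flags jars where the files are absent or empty; whether their contents satisfy policy for the bundled dependencies still has to be reviewed by hand.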