Hi Justin, Thank you for the thorough review! I have created AIRFLOW-2779 to track most of the issues you have raised.
On the GPL dependency you mentioned. We are not distributing GPL sources, not in source or in binary form. This has never been the case. In the third degree there potentially was a GPL issue during runtime. The author of the package in question (unidecode) when asked mentioned several times that he considered the usage equal to an API (ie. like the Linux kernel exposing a set of generic calls) and the API could be implemented by an alternative. This was discussed in LEGAL-362, which you took part in. We managed to convince the upstream package maintainers (python-slugify and python-nvd3) to allow a patch that allowed switching to a different API implementation by setting a environment variable while installing their packages and to release new versions. However it is not the default for them. This means at least that the situation we are now in is an improvement over the previous releases (1.8.0 -> 1.8.1 -> 1.8.2 -> 1.9.0) as there was no way switch and avoid the package before. As to our solution (for now). Python packages are often installed site-wide and can be part of the dependencies of other packages. While we maybe could enforce the installation of the non-GPL API it would/could 1) interfere with other packages on the same system that do not set this environment variable explicitly. 2) If any the other packages upgrades without setting this variable it would pull in the GPL API. So we decided that it would be better to educate the user and make it part of the install instructions. We can reconsider, but we cannot solve #1 and #2. Which, in my opinion, would make it more opaque to the users. Given the current situation is at least improvement over the old situation can you reconsider your -1 for this release and preferably agree with our approach (or maybe have an improvement over it)? Cheers Bolke > On 21 Jul 2018, at 03:03, Justin Mclean <jus...@classsoftware.com> wrote: > > Hi, > > -1 (binding) because of GPL dependancy > > I checked the source release: > - incubating in name > - signatures and hash good but please remove md5 hashes and don’t publish then > - DISCLAIMER exists > - Year in NOTICE is not correct "2016 and onwards” isn’t valid as copyright > has an expiry date > - NOTICE and LICENSE have a couple of minor issues (see below) > - Several files look to have incorrect headers with copyright lines > [8][9][10] Are these actually 3rd party files? > - No unexpected binary files > - Failed to install, probably my set up. Would be nice to note python version > required and supported OS’s in INSTALL. > > LICENSE is: > - missing jQuery clock [3] and typeahead [4], as they are ALv2 it’s not > required to list them but it’s a good idea to do so. > - missing the license for this [5] > - this file [7] oddly has © 2016 GitHub, Inc.at the bottom of it > > This files [1][2] seem to be 3rd party ALv2 licensed files that refers to a > NOTICE file, that information in that NOTICE file (at the very least the > copyright into) should be in your NOTICE file. This should also be noted in > LICENSE. > > I also find it very odd that the GPL dependancy unidecode is opt out, rather > than opt in (ie the user has to do something to not get it) and that makes it > non optional IMO [6]. Can you explain why it was done this way and I’ll > consider changing my vote. > > Thanks, > Justin > > 1. /airflow/security/utils.py > 2. ./airflow/security/kerberos.py > 3. ./airflow/www_rbac/static/jqClock.min.js > 4. ./airflow/www/static/bootstrap3-typeahead.min.js > 5. ./apache-airflow-1.10.0rc2+incubating/scripts/ci/flake8_diff.sh > 6. https://www.apache.org/legal/resolved.html#optional > 7. ./docs/license.rst > 8. airflow/contrib/auth/backends/google_auth.py > 9. /airflow/contrib/auth/backends/github_enterprise_auth.py > 10. /airflow/contrib/hooks/ssh_hook.py > 11. /airflow/minihivecluster.py > --------------------------------------------------------------------- > To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org > For additional commands, e-mail: general-h...@incubator.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
