uima-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marshall Schor <...@schor.com>
Subject Re: [VOTE] Release UIMA-AS 2.8.1 RC3
Date Tue, 26 Apr 2016 21:03:18 GMT
Here's a summary (please correct if wrong):

There are two "optional" JARs not distributed with UIMA-AS have license and
(partial) notice info in the uima-as LICENSE/NOTICE files.

One of the value propositions that lets others make use of our technology is the
reputation we maintain about our always somewhat imperfect attempts at having
accurate license and notice files.  I would prefer that we strive to keep our
reputation where it is by removing the license and partial notice for these
JARs, and perhaps adding some documentation (if needed) specifying what JARs can
be optionally downloaded (from ActiveMQ distribution) for providing additional
functionality, not provided out of the box by the UIMA-AS binary distribution.

Having said that, if the others on the PMC feel that this flaw (having extra
licenses and extra (partial) notices not needed is OK for releasing, I won't
stand in the way.

I'll do a bit more testing, and then if nothing more is found, vote -0 to
indicate this.

http://www.apache.org/foundation/voting.html

-Marshall


On 4/26/2016 11:05 AM, Jaroslaw Cwiklik wrote:
> Thanks Marshall. Just to provide more context for the problems found
>
> The JmDNS seems to be part of auto discovery of network of brokers via
> unicast instead of hard coded URLs.  This is not part of standard uima-as
> configuration we distribute. When such functionality is needed users may
> download their own copy of AMQ and use that. Of course there is an issue of
> having this jar documented in LICENSE and NOTICE but not present in the
> distribution.
>
> The second one jasypt is providing encryption and decryption of user
> credentials per: http://activemq.apache.org/encrypted-passwords.html. I
> think the lack of this jar can also be dealt with the same way as above.
>
> Given the above I will await your vote. One way or the other I need your
> vote to proceed. Seems like quality of the distribution mandates RC3 vote
> down.
>
> Jerry
>
> On Mon, Apr 25, 2016 at 5:56 PM, Marshall Schor <msa@schor.com> wrote:
>
>> Although others may be voting +1 to release, just to be clear, I'm
>> currently -1
>> until the license / notice issues mentioned above are resolved.
>>
>> -Marshall
>>
>> On 4/25/2016 1:17 PM, Burn Lewis wrote:
>>> - Checked signatures
>>> - Build from source (on Linux)
>>> - Checked signatures on that build
>>> - Started a broker and ran the quick async test
>>> - Ran large AS pipeline with remote services on both binary dist & the
>>> build from src
>>> - Spot checked readme & license files & notices
>>>
>>> Found 3 minor Jira's missing from the Jira report (3953,4163,4220) as
>> we'd
>>> forgotten to assign a fixVersion.
>>>
>>> [x] +1 OK to release
>>>
>>> ~Burn
>>>
>>> On Thu, Apr 21, 2016 at 10:29 AM, Jaroslaw Cwiklik <uimaee@gmail.com>
>> wrote:
>>>> I got the license and notice info from AMQ jars. Each jar includes a
>>>> LICENSE and NOTICE set. I will investigate the missing jars
>>>> Jerry
>>>>
>>>> On Wed, Apr 20, 2016 at 4:06 PM, Marshall Schor <msa@schor.com> wrote:
>>>>
>>>>> another jar whose license info is present, but isn't distributed:
>> jasypt
>>>>> (Java
>>>>> Simplified Encryption)
>>>>>
>>>>> If it is supposed to be included, its "notice" parts are missing from
>>>>> uima-as's
>>>>> notices.
>>>>>
>>>>> -Marshall
>>>>>
>>>>> On 4/20/2016 1:39 PM, Marshall Schor wrote:
>>>>>> In looking over the license / notice files for the bin distr of
>> uima-as
>>>>> (very
>>>>>> clear and nicely formatted, I think, by the way), it seems these
>>>> contain
>>>>> things
>>>>>> not in the distribution.
>>>>>>
>>>>>> Were the content of these files generated in some way?
>>>>>>
>>>>>> An example: there's a license and notice for JmDNS.  If I grep the
>>>> binary
>>>>>> distribution for that, I see references to that only in
>>>>>> lib/activemq-client-5.13.2.jar:
>>>>>>
>>>>>> META-INF/DEPENDENCIES:From: 'JmDNS' (http://jmdns.sourceforge.net/)
>>>>>> META-INF/DEPENDENCIES:  - JmDNS (
>>>> http://sourceforge.net/projects/jmdns/)
>>>>>> javax.jmdns:jmdns:jar:3.4.1
>>>>>> Binary file
>>>>>>
>> org/apache/activemq/transport/discovery/zeroconf/JmDNSFactory$UsageTracker.class
>>>>>> matches
>>>>>> Binary file
>>>>> org/apache/activemq/transport/discovery/zeroconf/JmDNSFactory.class
>>>>>> matches
>>>>>> Binary file
>>>>>>
>> org/apache/activemq/transport/discovery/zeroconf/ZeroconfDiscoveryAgent$1.class
>>>>>> matches
>>>>>> Binary file
>>>>>>
>> org/apache/activemq/transport/discovery/zeroconf/ZeroconfDiscoveryAgent.class
>>>>>> matches
>>>>>>
>>>>>> I don't see the jmdns.jar itself in the distribution; so it seems
to
>> me
>>>>> that the
>>>>>> license/notice entries for this should not be included in the uima-as
>>>>>> license/notice collection.
>>>>>>
>>>>>> I'll look around a bit see if there are other cases of this.
>>>>>> -Marshall
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 4/18/2016 12:23 PM, Jaroslaw Cwiklik wrote:
>>>>>>> The are more dependencies as this is a totally new AMQ which
has
>>>>> changed in
>>>>>>> many ways since 5.7.0.
>>>>>>>
>>>>>>> I ran mvn dependency:tree on uima-as and yes there a quite a
few jars
>>>>> that
>>>>>>> are now being downloaded as part of the uima-as build.
>>>>>>> Some of the dependencies you see are transitive. Finding which
are
>>>> used
>>>>> and
>>>>>>> which are not used can be tricky. Exclusion may lead to  runtime
>>>> errors.
>>>>>>> The AMQ distribution has been redone and there are new dependencies
>>>>> which
>>>>>>> did not exist in older versions.
>>>>>>>
>>>>>>> I think I've got the main AMQ dependencies right for UIMA-AS
>>>>>>> <artifactId>activemq-client</artifactId>
>>>>>>> <artifactId>activemq-broker</artifactId>
>>>>>>> <artifactId>activemq-jaas</artifactId>
>>>>>>> <artifactId>activemq-web</artifactId>
>>>>>>> <artifactId>activemq-spring</artifactId>
>>>>>>> <artifactId>activemq-console</artifactId>
>>>>>>> <artifactId>activemq-http</artifactId>
>>>>>>> <artifactId>activemq-camel</artifactId>
>>>>>>> <artifactId>activemq-jms-pool</artifactId>
>>>>>>> <artifactId>activemq-leveldb-store</artifactId>
>>>>>>> <artifactId>activemq-log4j-appender</artifactId>
>>>>>>> <artifactId>activemq-amqp</artifactId>
>>>>>>> <artifactId>activemq-pool</artifactId>
>>>>>>> <artifactId>activemq-stomp</artifactId>
>>>>>>> <artifactId>activemq-mqtt</artifactId>
>>>>>>> <artifactId>activemq-partition</artifactId>
>>>>>>> <artifactId>activemq-runtime-config</artifactId>
>>>>>>> <artifactId>activemq-shiro</artifactId>
>>>>>>> <artifactId>hawtbuf</artifactId>
>>>>>>> <artifactId>activemq-kahadb-store</artifactId>
>>>>>>>
>>>>>>> I'd rather keep these dependencies unless there is a concrete
reason
>>>> to
>>>>>>> warrant exclusion.
>>>>>>>
>>>>>>> -Jerry
>>>>>>>
>>>>>>>
>>>>>>> On Sun, Apr 17, 2016 at 6:20 PM, Marshall Schor <msa@schor.com>
>>>> wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I'm starting to have a look at this.
>>>>>>>>
>>>>>>>> I observed that during the "build-from-sources" for
>>>> uimaj-as-activemq,
>>>>> 169
>>>>>>>> files
>>>>>>>> were downloaded from maven (many were .poms, but many were
Jars).
>>>> Are
>>>>> all
>>>>>>>> of
>>>>>>>> these needed when doing the uimaj-as-activemq build?
>>>>>>>>
>>>>>>>> Examples:
>>>>>>>>   jackson-annotations, core, databind, at 2.6.3 level
>>>>>>>>   guava 12.0
>>>>>>>>   netty 3.7.0
>>>>>>>>   websocket-api 1.0
>>>>>>>>   activemq-all, amqp, broker, console, http, jaas, jms-pool,
>>>>> kahadb-store,
>>>>>>>> leveldb-store, log4j-appender, mqtt, openwire-legacy, partition,
>>>> pool,
>>>>>>>> runtime-config, shiro, spring, stomp, web,    5.13.2
>>>>>>>>   genesis-default-flava, java5-flava 2.1
>>>>>>>>   qpid/proton-m
>>>>>>>>   shiro/shiro-core, root, spring, web 1.2.4
>>>>>>>>   xbean-spring 3.18
>>>>>>>>   zookeeper 3.4.6
>>>>>>>>   jetty-all, -continuation,-http, -io, -security, -server,
-servlet,
>>>>> -util,
>>>>>>>> websocket-api, websocket-client, websocket-common, websocket-server,
>>>>>>>> websocket-servlet  9.2.13
>>>>>>>>   fusesource/hawtdispatch -scala, -transport, 1.22
>>>>>>>>   and a whole lot more....
>>>>>>>>
>>>>>>>> This seems like a surprising number of dependencies for the
>>>>>>>> uimaj-as-activemq
>>>>>>>> build.  What am I missing?
>>>>>>>>
>>>>>>>> -Marshall
>>>>>>>>
>>>>>>>>
>>


Mime
View raw message