Page History

Anchor
after-the-build after-the-build

AFTER the (successful) build

9. Check the dependencies

Checking dependencies: 

• Make sure dependencies are used and declared properly. (Use mvn dependency:analyze and look for warnings or errors.) 
• Determine if there are any mismatches between resolved dependencies and the dependencyManagement section. (Use mvn dependency:analyze-dep-mgt and look for warnings or errors.)
• Generate a list of licenses for each third-party dependency and check the licenses to make sure they meet Apache licensing requirements. (See Review Binary License below.)
• You can create a list of dependencies by module using mvn dependency:list and generate a dependency tree to troubleshoot conflicts using mvn dependency:tree.

Review Binary Licenses. 

Create a list of third-party dependencies using the license:aggregate-add-third-party plugin and review the dependency licenses.)

1. In a command line interface, change to the top level directory of the distribution (e.g., apache-taverna-language-<version>-incubator).
2. Run the following Maven command: mvn license:aggregate-add-third-party. (On Windows, to save the output to a file, add > filename.txt to the end of the command.)
3. This command will create THIRD-PARTY.txt files in each target folder (in the generated-sources/license subfolder).
4. Review the THIRD-PARTY.txt files for unknown or disallowed licenses. Note: some unknown licenses have been determined to be allowed.) One method is shown below.

         cat target/generated-sources/license/THIRD-PARTY.txt | sort

10. Verify the build produces the binaries

Quick check: browse the target folders and make sure there are not any extra folders. (For example, if we are voting on taverna-language there should not be any taverna-engine folders.)

Deeper check: ensure your target folders contains all the same *.jar files as those in TBR.

At least one person should check that all staged JARs are the same as those built from the downloaded release candidate. (One approach is to do a recursive wget of the repository , and then compare the result of "find . -name '*jar'" in the wget-tree with */*/target/*.jar. See StackOverflow response.)

NOTE: Binary releases are considered "convenience only" and are not crucial for the vote: The source release is what everything else should be made from. However, in practical terms most people download the binaries from the Maven repository, so it is important this is checked at least once.

11. Verify all the *.jar files include the word "incubating"

Visually inspect all the *.jar files include the word "incubating" by opening all the /target folders.

Anchor
tips tips

Tips

• How to check LICENSE, NOTICE, DISCLAIMER, and similar files?

  • Command line: Navigate to directory containing the file and use cat command to print contents to console (Example: cat LICENSE)
  • Text Editor/IDE: Use a text editor (e.g., Notepad++) or an integrated development environment (IDE), such as Eclipse, to open the LICENSE, NOTICE, DISCLAIMER, and similar files. 

• How to capture the output of a command line interface command?

  • In a command line interface, send the console output and error messages to a text file:
    • GitBash example: mvn clean install > Console.txt 2> Err.txt

  Anchor
  definitions definitions

  Definitions

  • binary files: Created during mvn clean install, located in target folders. Includes pictures, ZIP files, and JAR files.
  • dependency: "A dependency is a file that something you are trying to install requires." [AskUbuntu]
  • distribution: A distribution is all of the files (not including dependencies) that are needed to run an application.
    
  • license: Terms and conditions for use of source code. For example, *Licensed under a Creative Commons Attribution 3.0 license.*
  • notice: Copyright notice. For example, *Copyright (c) 2012-2015 University of Manchester.*
  • provenance: "[A] record that describes the people, institutions, entities, and activities involved in producing, influencing, or delivering a piece of data or a thing." (Schreiber, 2013)
  • source artifact: ".. 'things' ... produced by people involved in the process. Examples [are] design documents, data models, workflow diagrams, test matrices and plans, setup scripts. ... [A]ny thing that is created could be an artifact." [Programmers StackExchange]
  • source files: Files downloaded from the VOTE email. Includes *.java and *xsd. 

  References:

  Schreiber, Andreas. (2013) "Increasing software quality using the provenance of software development processes," in ESA Software Product Assurance Workshop 2013, 12-13 June 2013, Noordwijk, Niederlande. [link]