...
Check signatures and checksums
Verify the signature:
Code Block | ||
---|---|---|
| ||
gpg --verify apache-streampipes-{current-full-version}-incubating-source-release.zip.asc apache-streampipes-{current-full-version}-incubating-source-release.zip # example: gpg --verify apache-streampipes-0.66.0-incubating-source-release.zip.asc apache-streampipes-0.66.0-incubating-source-release.zip |
If the output says "public key not found", follow the instructions in this guide: Validate a release for the first time
Verify the checksum:
Code Block | ||
---|---|---|
| ||
sha512sum -c apache-streampipes-{current-full-version}-incubating-source-release.zip.sha512 # example: sha512sum -c apache-streampipes-0.66.0-incubating-source-release.zip.sha512 |
Make sure the output says OK.
Check source release
Unzip the source file
Unzip and switch to the parent directory (where the README and pom files are located)
Verify legal information and required files
- Verify the existence of LICENSE, NOTICE, README, RELEASE_NOTES and RELEASE_VALIDATION files in the extracted source bundle.
- Check the LICENSE file
- Check the NOTICE file (e.g., make sure the year is correct)
Run RAT
Search for SNAPSHOT dependencies
Search for any unexpected SNAPSHOT dependencies in the bundle, e.g.:
Code Block | ||
---|---|---|
| ||
grep -rnw './' -e 'SNAPSHOT'
# Check the output |
Info | ||
---|---|---|
| ||
The current release version 0.66.0 will return a few files containing "SNAPSHOT" from the archetype.properties file. These are not used for the build and shouldn't cause any harm. |
Build backend & UI
incubator-streampipes-extensions
...