...
Download the tarball. Check the signature and the checksums, and check that the tarball matches the upstream tag. The script below shows how to do each of those steps. To use it, set your environment variables VERSION, RELEASE_CANDIDATE, TREE_HASH, and RELEASE_MANAGER like:
```bash
VERSION=2.8.0 RELEASE_CANDIDATE=1 TREE_HASH=cc8de358d5c64778d171ad47aa6b513d437ac4b0 RELEASE_MANAGER=jbapple ./release.sh
```
You can get the RELEASE_MANAGER username from the KEYS file here. The rest of the fields should be evident from the Vote thread.
Committers can run this (along with the pre-commit tests) via the experimental "release-test" job on Impala's Jenkins server.
```bash
#!/bin/bash
set -euxo pipefail

echo "Set up a sandbox for key import and a temporary directory for git"
export GNUPGHOME="$(mktemp -d)"
IMPALA_GIT="$(mktemp -d)"

echo "Delete gpg sandbox and temporary directory when done"
function onexit {
  rm -rf "${GNUPGHOME}"
  rm -rf "${IMPALA_GIT}"
  df -m
  free -m
  uptime -p
}
trap onexit EXIT

pushd "${GNUPGHOME}"

echo "Download the keys of the release managers:"
wget https://dist.apache.org/repos/dist/dev/impala/KEYS
gpg --import KEYS

echo "If in an interactive shell, at the prompt, enter '5' for 'I trust ultimately', then 'y' for 'yes', then 'q' for 'quit'"
if [[ $- == *i* ]]; then
  gpg --edit-key "${RELEASE_MANAGER}" trust
fi

echo "Download the release artifacts:"
for SUFFIX in gz gz.asc gz.sha512; do
  wget -q "https://dist.apache.org/repos/dist/dev/impala/${VERSION}/RC${RELEASE_CANDIDATE}/apache-impala-${VERSION}.tar.${SUFFIX}"
done

echo "Check the checksums:"
sha512sum --check "apache-impala-${VERSION}.tar.gz.sha512"

echo "Check the signature:"
gpg --verify "apache-impala-${VERSION}.tar.gz.asc" "apache-impala-${VERSION}.tar.gz"

echo "Download git to make sure the tarball, git tag, and tree hash all correspond:"
pushd "${IMPALA_GIT}"
sudo apt-get -q=2 update
sudo apt-get -q=2 install git
git clone https://gitbox.apache.org/repos/asf/impala.git
# The fresh temporary directory contains only the clone, so the glob matches one entry.
cd *
git checkout "${VERSION}-rc${RELEASE_CANDIDATE}"

echo "Check the tree hash from the release manager is correct:"
if ! (git rev-list --pretty=format:"%T" --max-count=1 HEAD | grep "${TREE_HASH}"); then
  echo "Tree hash ${TREE_HASH} not found"
  exit 1
fi

echo "Remove the .git directory to make tarball and git directories equal:"
rm -rf .git
IMPALA_GIT="$(pwd)"
popd

echo "Compare the tarball and the repo:"
tar xzf "apache-impala-${VERSION}.tar.gz"
diff -r "apache-impala-${VERSION}" "${IMPALA_GIT}"
```
Test the release quality, possibly using bin/run-all-tests.py.
The ASF requires in its "Release Policy" that: "Before voting +1 PMC members are required to download the signed source code package, compile it as provided, and test the resulting executable on their own platform, along with also verifying that the package meets the requirements of the ASF policy on releases." The ASF interprets "own platform" in this sentence to not require that you own and physically control the machine you are testing on, unlike the procedure for signing a release.
Check compliance with ASF release policy. Use Apache RAT and follow the instructions in bin/check-rat-report.py to check licence compliance.
If it is an official "[VOTE]" thread, vote +1 or -1. If you are a PMC member, add "(binding)" after your vote; otherwise, add "(non-binding)". If you vote -1, explain why.
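The `gpg --verify` step in the script above succeeds for a good signature from any key imported from KEYS, so a reviewer may also want to confirm that the signing key is the release manager's. The following is an added example, not part of the original page or Impala's scripts: it parses GnuPG's machine-readable status output (`--status-fd`) and compares the primary-key fingerprint with an expected one. `EXPECTED_FPR`, the function names and the sample status lines are assumptions constructed for illustration.

```bash
#!/bin/bash
# Added example: pin the signer rather than accepting any key in the keyring.
# Intended use inside the release script (EXPECTED_FPR is a hypothetical variable
# holding the release manager's fingerprint, obtained independently of the tarball):
#   gpg --status-fd 1 --verify "apache-impala-${VERSION}.tar.gz.asc" \
#       "apache-impala-${VERSION}.tar.gz" 2>/dev/null | check_signer "${EXPECTED_FPR}"

# Read gpg status lines on stdin and print the primary-key fingerprint.
# Fails unless there is exactly one VALIDSIG line and no bad, expired or
# revoked signature/key marker.
signer_fingerprint() {
  awk '
    $1 != "[GNUPG:]" { next }
    $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
    $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
    # The last VALIDSIG field is the primary key fingerprint; the first
    # fingerprint on the line may belong to a signing subkey.
    $2 == "VALIDSIG" { n++; fpr = $NF }
    END { if (bad || n != 1) exit 1; print fpr }
  '
}

# check_signer EXPECTED_FPR: return 0 only if the status on stdin shows one
# valid signature whose primary key matches EXPECTED_FPR (spaces and case ignored).
check_signer() {
  local expected actual
  expected="$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')"
  actual="$(signer_fingerprint)" || return 1
  [ -n "${expected}" ] && [ "${actual}" = "${expected}" ]
}

# Constructed sample of `gpg --status-fd 1 --verify` output (not real keys).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Constructed Release Manager <rm@example.invalid>
[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2018-01-01 1514764800 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'
```

With `set -o pipefail`, as in the release script, the pipeline also fails when `gpg` itself exits non-zero.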
...