...
6 Check the provenance
tbd
7 Check
the dependenciestbd
8 Checkthat the source code does not include any binaries
Before building, the downloaded zip folder should contain no unexpected binary artifacts. For example, there should be no *.jar files.
There may be some "expected" binary files, such as pictures and test workflows. These should be declared in NOTICE/LICENSE if they came from third-parties, e.g., if use use a Creative Commons-licensed JPEG.
Build
9 8 Check for BUILD SUCCESS
AFTER the Build
9 Check the dependencies
Create a list of third-party dependencies using the license:aggregate-add-third-party plugin.
- In a command line interface, change to the top level directory of the distribution (e.g., apache-taverna-language-<version>-incubator).
- Run the following Maven command: mvn license:aggregate-add-third-party. (On Windows, to save the output to a file, add > filename.txt to the end of the command.)
- This command will create a THIRD-PARTY.txt files in each target folder (in the generated-sources/license subfolder).
- Review the THIRD-PARTY.txt files for unknown or disallowed licenses. Note: some unknown licenses have been determined to be allowed.)
10 Does the build produce the binaries
Quick check: browse the target folders and make sure there are not any extra folders. (For example, if we are voting on taverna-language there should not be any taverna-engine folders.)
Deeper check: ensure your target folders contains all the same *.jar files as those in the git repo? in the Maven repository? (Example link?)
At least one person should check that all staged JARs are the same as those built from the downloaded release candidate. (One approach is to do a recursive wget of the repository , and then compare the result of "find . -name '*jar'" in the wget-tree with */*/target/*.jar.)
NOTE: Binary releases are considered "convenience only" and are not crucial for the vote: The source release is what everything else should be made from. However, in practical terms most people download the binaries from the Maven repository, so it is important this is checked at least once.
...