THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
| Anchor | ||||
|---|---|---|---|---|
|
Use the command line interface to verify you have the correct versions of Maven and Java as stated in the README file. Use the following commands to check Maven (mvn) and Java versions.
mvn --version java --version...
| Anchor | ||||
|---|---|---|---|---|
|
...
| Anchor | ||||
|---|---|---|---|---|
|
1a. Check that Checksums are valid
There are three sources of checksums:
...
VERIFY. You can visually compare the checksums or use an online difference checker. The utiility also allows you to paste a checksum (e.g., either from the VOTE email or from the downloaded .md5 or .sha1 files) into the Hash input box, and the utility will compare it with the value from the .zip file.
1b. Check that the PGP signature is valid
...
| Anchor | ||||
|---|---|---|---|---|
|
2. Check the commit ID matches the VOTE email
The idea here is to check that the commit ID in the downloaded file matches that in the VOTE email. You will use a command line interface for at least some of these steps.
...
Again, if there are NO DIFFERENCES, then the commit ID in the VOTE email matches the release candidate.
3a. Check the incubator disclaimer (INCUBATOR PROJECTS ONLY)
All Podlings must include a disclaimer indicating they are in incubation. To check a Taverna release candidate, open the DISCLAIMER file (in the top level release candidate folder) and verify the text matches what is shown below. You can use a text editor (e.g., Notepad++) or an integrated development environment (IDE), such as Eclipse, to open the DISCLAIMER files.
...
While incubation status is not necessarily a reflection of the completeness
or stability of the code, it does indicate that the project has yet to be
fully endorsed by the ASF.
3b. Check that file names include "incubating"
Check the unzipped release candidate to ensure the top-level distribution folder contains the word "incubating" (Is this all that can be checked before building? See 11 below.)
4. Check the top-level LICENSE and NOTICE files
LICENSE file
Check the text of the LICENSE file in the top-level release candidate folder, and ensure the Apache License matches the text of the required Apache License. The LICENSE file may also include details of additional licenses.
...
Portions of this software were originally based on the following:
- Copyright 2010-2014 University of Manchester, UK
These have been licensed to the Apache Software Foundation under a software grant.
5. Check the source file headers
How does a reviewer know if a source file has been submitted directly to the ASF?
...
Check that each file has a license (?) and that the license is allowed. Files used by the project, but not submitted by their owners directly to the ASF, are treated differently. Copyright notices stay in the header, and associated licenses must be part of the distribution.
6. Check the provenance
TO DO What exactly is this, how does it differ from licensing, and how do you accomplish it?
7. Check that the source code does not include any binaries
Before building, the downloaded zip folder should contain no unexpected binary artifacts. For example, there should be no *.jar files.
There may be some "expected" binary files, such as pictures and test workflows. If these come from third-parties (e.g., a Creative Commons-licensed JPEG), they should be declared in NOTICE/LICENSE.
| Anchor | ||||
|---|---|---|---|---|
|
8. Build the release candidate(s) from source
Run mvn clean install
- Successfully complete the verification steps above.
- Use a command line interface and navigate to the folder containing the unzipped release candidate files.
- Execute the command below, which will build the release candidate and save the output to two text files. (The text file names can be anything.) This command will run several Maven goals, including automated tests. Do not skip the automated build tests.
mvn clean install > console.txt 2> err.txt
Review build completion status
BUILD FAILURE: At the completion of the mvn clean install process, if the message is "BUILD FAILURE," review both text files. Report the failure, along with any warning and error messages, on the release candidate's DISCUSS thread.
BUILD SUCCESS: If the completion message is "BUILD SUCCESS," review both text files. Report the success, along with any warning messages, on the release candidate's DISCUSS thread.
| Anchor | ||||
|---|---|---|---|---|
|
9. Check the dependencies
Checking dependencies:
- Make sure dependencies are used and declared properly. (Use mvn dependency:analyze and look for warnings or errors.)
- Determine if there are any mismatches between resolved dependencies and the dependencyManagement section. (Use mvn dependency:analyze-dep-mgt and look for warnings or errors.)
- Generate a list of licenses for each third-party dependency and check the licenses to make sure they meet Apache licensing requirements. (See Review Binary License below.)
- You can create a list of dependencies by module using mvn dependency:list and generate a dependency tree to troubleshoot conflicts using mvn dependency:tree.
Review Binary Licenses.
Create a list of third-party dependencies using the license:aggregate-add-third-party plugin and review the dependency licenses.)
- In a command line interface, change to the top level directory of the distribution (e.g., apache-taverna-language-<version>-incubator).
- Run the following Maven command: mvn license:aggregate-add-third-party. (On Windows, to save the output to a file, add > filename.txt to the end of the command.)
- This command will create THIRD-PARTY.txt files in each target folder (in the generated-sources/license subfolder).
- Review the THIRD-PARTY.txt files for unknown or disallowed licenses. Note: some unknown licenses have been determined to be allowed.) One method is shown below.
cat target/generated-sources/license/THIRD-PARTY.txt | sort
10. Verify the build produces the binaries
Quick check: browse the target folders and make sure there are not any extra folders. (For example, if we are voting on taverna-language there should not be any taverna-engine folders.)
Deeper check: ensure your target folders contains all the same *.jar files as those in the git repo? in the Maven repository? (Example link?)
At least one person should check that all staged JARs are the same as those built from the downloaded release candidate. (One approach is to do a recursive wget of the repository , and then compare the result of "find . -name '*jar'" in the wget-tree with */*/target/*.jar. See StackOverflow response.)
NOTE: Binary releases are considered "convenience only" and are not crucial for the vote: The source release is what everything else should be made from. However, in practical terms most people download the binaries from the Maven repository, so it is important this is checked at least once.
11. Verify all the *.jar files include the word "incubating"
Visually inspect all the *.jar files include the word "incubating" by opening all the /target folders. Is there an easier way to do this?
Are other files supposed to be labeled as well, or is it only the *.jar files?
Anchor tips tips
Tips
| tips | |
| tips |
How to check LICENSE, NOTICE, DISCLAIMER, and similar files?
- Command line: Navigate to directory containing the file and use cat command to print contents to console (Example: cat LICENSE)
- Text Editor/IDE: Use a text editor (e.g., Notepad++) or an integrated development environment (IDE), such as Eclipse, to open the LICENSE, NOTICE, DISCLAIMER, and similar files.
How to capture the output of a command line interface command?
- In a command line interface, send the console output and error messages to a text file:
- GitBash example: mvn clean install > Console.txt 2> Err.txt
- In a command line interface, send the console output and error messages to a text file: