Once a release candidate has been staged to https://dist.apache.org/repos/dist/dev/incubator/pegasus it must be validated and voted on in order to proceed.
The full checklist can be found here: Incubator Release Checklist.
Prerequisites
For macOS:
    brew install gpg
For Ubuntu:
    sudo apt install gnupg
For RHEL or CentOS:
    sudo yum install gnupg
Downloading the release files
Suppose you are going to validate version {a.b.c-RCd}.
A release consists of a source zip, a signature file (.asc) and a SHA-512 checksum file (.sha512):
- Source package: https://dist.apache.org/repos/dist/dev/incubator/pegasus/a.b.c-RCd/apache-pegasus-a.b.c-incubating-src.zip
- Signature (asc): https://dist.apache.org/repos/dist/dev/incubator/pegasus/a.b.c-RCd/apache-pegasus-a.b.c-incubating-src.zip.asc
- Checksum (sha512): https://dist.apache.org/repos/dist/dev/incubator/pegasus/a.b.c-RCd/apache-pegasus-a.b.c-incubating-src.zip.sha512
Please download all three files.
Verifying the signature (ASC)
Before checking the signature, download and import the public keys from https://dist.apache.org/repos/dist/dev/incubator/pegasus/KEYS:
    gpg --import KEYS
To check the signature (ASC) of the release, pass the signature file first and the signed archive second:
    gpg --verify apache-pegasus-a.b.c-incubating-src.zip.asc apache-pegasus-a.b.c-incubating-src.zip
This should produce something like this (output from a German-locale gpg; in an English locale the last line reads "Good signature from ..."):
    gpg: Signatur vom Fr 2 Aug 14:30:42 2019 CEST
    gpg: mittels RSA-Schlüssel ADBD428CB5BF6C9FFC77B907C336E0143A553B89
    gpg: Korrekte Signatur von "Julian Feinauer <jfeinauer@apache.org>" [ultimativ]
("Good signature" means the signature is correct.)
For a Pegasus release the output looks like this:
    gpg: using RSA key B29EB88AD60BB41EC9D82687B1DA1BBC34C617A9
    gpg: issuer "wutao@apache.org"
    gpg: Good signature from "Tao Wu <wutao@apache.org>" [ultimate]
If you get the following error, it means you don't have the public key of the person who signed the release; import the KEYS file as shown above and verify again:
    gpg: Signature made 一 10/14 13:04:42 2019 CST
    gpg: using RSA key BA45CDBB87E8B146A81F5BBE2206EF8F64C35889
    gpg: Can't check signature: No public key
Verifying the checksum (SHA512)
Unfortunately checking the hashes isn't as automatic as checking the signatures.
    shasum -a512 apache-plc4x-0.8.0-source-release.zip
This will print out the hash ... unfortunately I haven't found a tool that you could pass along the SHA512 file and it just says: OK or NOT OK, so you have to manually compare the output with the output in the SHA512 file.
Linux:
    sha512sum --check apache-pegasus-a.b.c-incubating-src.zip.sha512
macOS:
    shasum -a 512 --check apache-pegasus-a.b.c-incubating-src.zip.sha512
If it prints "apache-pegasus-a.b.c-incubating-src.zip: OK", the package matches the published checksum.
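The manual comparison above and the --check commands both depend on the layout of the .sha512 file: sha512sum and shasum only accept "<hex digest>  <file>" lines and reject the "<file>: ABCD 1234 ..." layout that gpg --print-md SHA512 writes. The following POSIX sh helper is an added example, not part of this page or of the Pegasus project: it picks whichever digest tool the machine has, parses either layout, and reports OK or FAILED. The file names and the constructed payload in the usage line are assumptions.

```shell
#!/bin/sh
# Added example (not from the Pegasus project): portable SHA-512 verification
# for a staged release archive. Works with sha512sum (Linux) or shasum (macOS)
# and understands both common .sha512 layouts:
#   "<128 hex chars>  <file>"               (sha512sum / shasum format)
#   "<file>: ABCD 1234 ... (wrapped lines)"  (gpg --print-md SHA512 format)

# compute_sha512 <file>: print the lowercase hex digest of <file>
compute_sha512() {
  [ -f "$1" ] || { echo "compute_sha512: $1: no such file" >&2; return 2; }
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 512 "$1" | awk '{print $1}'
  else
    echo "compute_sha512: neither sha512sum nor shasum found" >&2
    return 2
  fi
}

# expected_sha512 <sumfile>: print the lowercase hex digest recorded in <sumfile>
expected_sha512() {
  if grep -q ':' "$1"; then
    # gpg --print-md layout: drop the "<file>:" prefix, join wrapped lines,
    # keep only hex characters
    tr -d '\n' < "$1" | sed 's/^[^:]*://' | tr -cd '0-9A-Fa-f' | tr 'A-F' 'a-f'
  else
    # sha512sum layout: the digest is the first field of the first line
    awk 'NR == 1 {print $1}' "$1" | tr 'A-F' 'a-f'
  fi
}

# verify_sha512 <archive> [<sumfile>]: returns 0 on match, 1 on mismatch,
# 2 if the digest could not be computed or parsed (sumfile defaults to
# <archive>.sha512, the Apache dist layout)
verify_sha512() {
  archive=$1
  sumfile=${2:-$1.sha512}
  actual=$(compute_sha512 "$archive") || return 2
  expected=$(expected_sha512 "$sumfile")
  if [ "${#expected}" -ne 128 ]; then
    echo "$sumfile: could not parse a SHA-512 digest" >&2
    return 2
  fi
  if [ "$actual" = "$expected" ]; then
    echo "$archive: OK"
    return 0
  fi
  echo "$archive: FAILED (expected $expected, got $actual)" >&2
  return 1
}

# Usage (assumed file name): sh verify_sha512.sh apache-pegasus-a.b.c-incubating-src.zip
[ "$#" -eq 0 ] || verify_sha512 "$@"
```

A non-zero exit status from verify_sha512 is the signal to vote -1 on the checksum item of the checklist; the parse failure (status 2) is deliberately kept distinct from a mismatch (status 1) so that a malformed .sha512 file is not mistaken for a tampered archive.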
Running RAT
Before building it might be a good idea to run RAT on the unpacked sources. This tool finds all binaries and all files without license headers, completely ignoring any "exclusions" configured in the pom.
Download the latest version of RAT from here: https://creadur.apache.org/rat/download_rat.cgi
Unpack it somewhere, change into the directory containing the unpacked sources and run the following command (this example assumes apache-rat-0.15):
    java -jar apache-rat-0.15/apache-rat-0.15.jar -d apache-pegasus-a.b.c-incubating-src \
        -E apache-pegasus-a.b.c-incubating-src/.rat-excludes
Sample output (with 0 Unknown Licenses):
    *****************************************************
    Summary
    -------
    Generated at: 2022-09-27T23:55:44+08:00
    Notes: 3
    Binaries: 14
    Archives: 0
    Standards: 1629
    Apache Licensed: 1041
    Generated Documents: 0
    JavaDocs are generated, thus a license header is optional.
    Generated files do not require license headers.
    0 Unknown Licenses
    *****************************************************
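To see what the "Unknown Licenses" count in that summary is made of before a full RAT run, the following POSIX sh script is an added example (it is neither part of this page nor of Apache RAT or the Pegasus project): it walks a source tree, skips files matching the glob patterns in .rat-excludes and files containing NUL bytes (which RAT counts as Binaries), and lists every remaining file that lacks the ASF header. The marker string and the usage path are assumptions; RAT's real rules are richer, so this is a pre-check, not a replacement.

```shell
#!/bin/sh
# Added example (not from the Pegasus project or from Apache RAT): a quick
# pre-check that lists text files under a source tree lacking the ASF license
# header, honouring the glob patterns in the tree's .rat-excludes file. It is
# a rough approximation of what RAT reports as "Unknown Licenses".

# Assumed marker: the first line of the standard ASF source header.
ASF_HEADER_MARKER='Licensed to the Apache Software Foundation (ASF)'

# is_excluded <relative-path> <excludes-file>
# Returns 0 if any pattern in <excludes-file> matches the relative path or its
# basename. Blank lines and lines starting with '#' are ignored.
is_excluded() {
  rel=$1
  excl=$2
  [ -f "$excl" ] || return 1
  base=${rel##*/}
  while IFS= read -r pat || [ -n "$pat" ]; do
    case "$pat" in ''|'#'*) continue ;; esac
    # $pat is deliberately unquoted so the shell applies it as a glob
    case "$rel" in $pat) return 0 ;; esac
    case "$base" in $pat) return 0 ;; esac
  done < "$excl"
  return 1
}

# is_binary <file>: returns 0 if the file contains a NUL byte
is_binary() {
  [ "$(LC_ALL=C tr -cd '\000' < "$1" | wc -c | tr -d ' ')" -gt 0 ]
}

# files_missing_asf_header <source-dir>
# Prints one path per line, relative to <source-dir>, for every non-excluded
# text file that does not contain the ASF header marker.
files_missing_asf_header() {
  root=$1
  excl="$root/.rat-excludes"
  find "$root" -type f | sort | while IFS= read -r f; do
    rel=${f#"$root"/}
    [ "$rel" = ".rat-excludes" ] && continue
    is_excluded "$rel" "$excl" && continue
    is_binary "$f" && continue
    grep -qF "$ASF_HEADER_MARKER" "$f" || printf '%s\n' "$rel"
  done
}

# Usage (assumed directory name): sh header_check.sh apache-pegasus-a.b.c-incubating-src
[ "$#" -eq 0 ] || files_missing_asf_header "$1"
```

Every path this prints should either be explained by the release's RAT configuration or be raised on the vote thread under "Do all source files have ASF headers?"; an empty list is not proof of compliance, because RAT also checks the full header text and the LICENSE/NOTICE bookkeeping.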
Compile Pegasus
Please read the document compile-from-source or compile-by-docker to build Pegasus from the unpacked release sources.
Reply to the vote thread
This is a template for the reply email carrying your validation result. It is not required to follow the template exactly.
+1/0/-1 (binding) # "binding" means you are an Apache PMC/PPMC member. If not, write "not-binding" here.
I checked:
(yes/no) Do release files have the word incubating in their name?
(yes/no) Are the digital signatures and hashes correct?
(yes/no) Does a DISCLAIMER file exist?
(yes/no) Do LICENSE and NOTICE files exist?
(yes/no) Is the LICENSE and NOTICE text correct?
(yes/no) Is the NOTICE year correct?
(yes/no) Un-included software dependencies are not mentioned in LICENSE or NOTICE?
(yes/no) License information is not mentioned in NOTICE?
(yes/no) Is there any 3rd party code contained inside the release? If so:
(yes/no) Does the software have a compatible license?
(yes/no) Are all software licenses mentioned in LICENSE?
(yes/no) Is the full text of the licenses (or pointers to it) in LICENSE?
(yes/no) Is any of this code Apache-licensed?
(yes/no) Do all source files have ASF headers?
(yes/no) Do they have NOTICE files? If so:
(yes/no) Have relevant parts of those NOTICE files been added to this NOTICE file?
(yes/no) Do the contents of the release match with what's tagged in version control?
(yes/no) Are there any unexpected binary files in the release?
(yes/no) Can you compile from source? Are the instructions clear?