...
The full checklist can be found here: Incubator Release Checklist.
Prerequisites
For MacOS:
    brew install gpg
...
    sudo apt install gnupg
For RHEL or CentOS:
    sudo yum install gnupg
Downloading the release files
Suppose you are going to validate version {a.b.c-RCd}.
A release consists of a source zip, a signature file and a sha512 checksum file.
- Source package: https://dist.apache.org/repos/dist/dev/incubator/pegasus/a.b.c-RCd/apache-pegasus-a.b.c-incubating-src.zip
- Signature (asc): https://dist.apache.org/repos/dist/dev/incubator/pegasus/a.b.c-RCd/apache-pegasus-a.b.c-incubating-src.zip.asc
- Checksum (sha512): https://dist.apache.org/repos/dist/dev/incubator/pegasus/a.b.c-RCd/apache-pegasus-a.b.c-incubating-src.zip.sha512
Please download all of the files.
Verifying the signature (ASC)
Before checking the signature, you should download and import the public keys from https://dist.apache.org/repos/dist/dev/incubator/pegasus/KEYS.
...
    gpg --verify apache-pegasus-a.b.c-incubating-src.zip.asc apache-pegasus-a.b.c-incubating-src.zip
This should produce something like this ("Good signature" means the signature is correct):
    gpg: using RSA key B29EB88AD60BB41EC9D82687B1DA1BBC34C617A9
    gpg: issuer "wutao@apache.org"
    gpg: Good signature from "Tao Wu <wutao@apache.org>" [ultimate]
If you get the following error, it means you don't have the public key of the person who signed the file.
    gpg: Signature made 一 10/14 13:04:42 2019 CST
    gpg: using RSA key BA45CDBB87E8B146A81F5BBE2206EF8F64C35889
    gpg: Can't check signature: No public key
Verifying the checksum (SHA512)
Linux:
    sha512sum --check apache-pegasus-a.b.c-incubating-src.zip.sha512
MacOS:
    shasum -a 512 --check apache-pegasus-a.b.c-incubating-src.zip.sha512
If it produces "apache-pegasus-a.b.c-incubating-src.zip: OK", it means the package is good.
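An added helper (example code written for this page, not part of the Pegasus project or this wiki) that performs both checks above. It assumes the caller supplies the fingerprints from the project's KEYS file, and it reads gpg's machine-readable --status-fd output instead of grepping for "Good signature", so that a valid signature made by a key that is not in KEYS is also rejected:

```python
import hashlib
import subprocess
# Fingerprint taken from the "Good signature" output on this page; in practice
# collect these from the project's KEYS file (the "pub" fingerprint lines).
KEYS_FPRS = {"B29EB88AD60BB41EC9D82687B1DA1BBC34C617A9"}

def check_sha512(checksum_path, artifact_path):
    """True if artifact_path hashes to the digest recorded in a sha512sum /
    shasum style checksum file, whose first token is the hex digest."""
    with open(checksum_path) as f:
        expected = f.read().split()[0].lower()
    h = hashlib.sha512()
    with open(artifact_path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() == expected

def classify_gpg_status(status_text, trusted_fprs):
    """Map gpg --status-fd output to 'good', 'untrusted-key', 'no-pubkey' or
    'bad'; a valid signature by a key missing from KEYS is 'untrusted-key'."""
    tags, fprs = set(), set()
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        tags.add(parts[1])
        if parts[1] == "VALIDSIG" and len(parts) >= 3:
            fprs.add(parts[2].upper())         # key that made the signature
            if len(parts) >= 12:
                fprs.add(parts[11].upper())    # its primary key, if a subkey
    if "NO_PUBKEY" in tags:
        return "no-pubkey"   # the "Can't check signature" case shown above
    if "GOODSIG" not in tags or tags & {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"}:
        return "bad"
    trusted = {f.replace(" ", "").upper() for f in trusted_fprs}
    return "good" if fprs & trusted else "untrusted-key"

def verify_signature(artifact_path, trusted_fprs=KEYS_FPRS):
    # Runs gpg on <artifact>.asc and classifies its machine-readable output.
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify",
         artifact_path + ".asc", artifact_path], capture_output=True, text=True)
    return classify_gpg_status(proc.stdout, trusted_fprs)

# Constructed status lines for the two outcomes shown on this page.
GOOD_STATUS = ("[GNUPG:] GOODSIG B1DA1BBC34C617A9 Tao Wu <wutao@apache.org>\n"
               "[GNUPG:] VALIDSIG B29EB88AD60BB41EC9D82687B1DA1BBC34C617A9 2019-10-14 "
               "1571029482 0 4 0 1 10 00 B29EB88AD60BB41EC9D82687B1DA1BBC34C617A9\n")
NO_KEY_STATUS = ("[GNUPG:] ERRSIG 2206EF8F64C35889 1 10 00 1571029482 9 "
                 "BA45CDBB87E8B146A81F5BBE2206EF8F64C35889\n"
                 "[GNUPG:] NO_PUBKEY 2206EF8F64C35889\n")
```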
...
Before building, it is a good idea to run RAT on the unpacked sources. This tool finds all binaries and all files without license headers.
Download the latest version of RAT from here: https://creadur.apache.org/rat/download_rat.cgi
Unpack it somewhere, change into the unpacked source directory and run the following command (this example assumes apache-rat-0.15):
    java -jar apache-rat-0.15/apache-rat-0.15.jar -d apache-pegasus-a.b.c-incubating-src \
        -E apache-pegasus-a.b.c-incubating-src/.rat-excludes
Sample output (with 0 Unknown Licenses):
    *****************************************************
    Summary
    -------
    Generated at: 2022-09-27T23:55:44+08:00
    Notes: 3
    Binaries: 14
    Archives: 0
    Standards: 1629
    Apache Licensed: 1041
    Generated Documents: 0
    JavaDocs are generated, thus a license header is optional.
    Generated files do not require license headers.
    0 Unknown Licenses
    *****************************************************
Compile Pegasus
Please read the document compile-from-source or compile-by-docker to build Pegasus.
Reply to the vote thread
This is a template for the reply email with your validation result. It's not required to follow the template exactly.
+1/0/-1 (binding) # "binding" means you are a member of the Apache PMC/PPMC. If not, write "not-binding" here.
I checked:
(yes/no) Do release files have the word incubating in their name?
(yes/no) Are the digital signatures and hashes correct?
(yes/no) Does a DISCLAIMER file exist?
(yes/no) Do LICENSE and NOTICE files exist?
(yes/no) Is the LICENSE and NOTICE text correct?
(yes/no) Is the NOTICE year correct?
(yes/no) Un-included software dependencies are not mentioned in LICENSE or NOTICE?
(yes/no) License information is not mentioned in NOTICE?
(yes/no) Is there any 3rd party code contained inside the release? If so:
    (yes/no) Does the software have a compatible license?
    (yes/no) Are all software licenses mentioned in LICENSE?
    (yes/no) Is the full text of the licenses (or pointers to it) in LICENSE?
(yes/no) Is any of this code Apache-licensed?
(yes/no) Do all source files have ASF headers?
(yes/no) Do they have NOTICE files? If so:
    (yes/no) Have relevant parts of those NOTICE files been added to this NOTICE file?
(yes/no) Do the contents of the release match with what's tagged in version control?
(yes/no) Are there any unexpected binary files in the release?
(yes/no) Can you compile from source? Are the instructions clear?
...