We need to do some verification in our own environment before voting.
Check the filelist
- incubating in name if an incubating project
- CHANGES.txt
- [project]-source-release.zip
- [project].pom
- Signature file.
- Hash files.
DO NOT provide md5 or sha1 files.
Download source package and unpack
Download griffin-0.2.0-incubating-source-release.zip from the dist page.
Unpack the zip.
Verify signature files
Install gpg (GnuPG).
(I suggest you use the C3 machine with Ubuntu, which already has gpg installed.)
Download KEYS from the dist page and import it into your gpg environment, or use the KEYS file from the zip.
```
gpg --import KEYS
```
Trust the key "lionel". (If it is signed by another key, you need to trust that key as well.)
```
gpg --edit-key lionel
trust
5
y
quit
```
Download griffin-0.2.0-incubating-source-release.zip.asc from the dist page.
Verify the signature.
```
gpg --verify griffin-0.2.0-incubating-source-release.zip.asc griffin-0.2.0-incubating-source-release.zip
# do the same for the pom: download griffin-0.2.0-incubating.pom and griffin-0.2.0-incubating.pom.asc, then verify
gpg --verify griffin-0.2.0-incubating.pom.asc griffin-0.2.0-incubating.pom
```
Verify hash files
Download the .sha512 files from the dist page.
On Linux:
```
for f in *.sha512; do echo "$(cat "$f")"; done | sha512sum -c
```
On macOS:
```
for f in *.sha512; do echo "$(cat "$f")"; done | shasum -a 512 -c
```
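The filelist, hash and signature checks above, combined into one script that fails closed on the first problem. This is an added example, not a script from the Griffin project; it assumes the dist layout named on this page (the source-release zip and pom, each with a .asc and a .sha512, plus CHANGES.txt) and a KEYS file already imported and trusted.

```shell
#!/bin/sh
# Added example for this checklist, not a script from the Griffin project.
# Assumes the dist layout named on the page: <name>-source-release.zip and
# <name>.pom, each with a .asc signature and a .sha512 hash file, plus CHANGES.txt.
set -u

# Filelist check: every expected artifact present, nothing hashed with md5/sha1.
check_filelist() {  # usage: check_filelist DIR NAME   (NAME e.g. griffin-0.2.0-incubating)
    dir=$1; name=$2
    case "$name" in *incubating*) ;; *) echo "name lacks 'incubating': $name"; return 1 ;; esac
    for f in CHANGES.txt "$name-source-release.zip" "$name.pom" \
             "$name-source-release.zip.asc" "$name.pom.asc" \
             "$name-source-release.zip.sha512" "$name.pom.sha512"; do
        [ -f "$dir/$f" ] || { echo "missing: $f"; return 1; }
    done
    for bad in "$dir"/*.md5 "$dir"/*.sha1; do
        [ -e "$bad" ] && { echo "md5/sha1 files must not be published: $bad"; return 1; }
    done
    return 0
}

# Hash check: recompute every .sha512 (sha512sum on Linux, shasum -a 512 on macOS).
check_hashes() {  # usage: check_hashes DIR
    if command -v sha512sum >/dev/null 2>&1; then sum="sha512sum -c"; else sum="shasum -a 512 -c"; fi
    ( cd "$1" && for f in *.sha512; do echo "$(cat "$f")"; done | $sum ) >/dev/null
}

# Signature check: each .asc must verify against the file it signs with a key
# already imported and trusted from KEYS; a missing gpg is a failure, not a skip.
check_signatures() {  # usage: check_signatures DIR
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed"; return 1; }
    for asc in "$1"/*.asc; do
        gpg --verify "$asc" "${asc%.asc}" 2>/dev/null || { echo "bad signature: $asc"; return 1; }
    done
}

# Run all three checks; stop at the first failing step.
verify_release() {  # usage: verify_release DIR NAME
    check_filelist "$1" "$2" && check_hashes "$1" && check_signatures "$1"
}
```

Run it as `verify_release /path/to/dist griffin-0.2.0-incubating` after importing KEYS; a non-zero exit means at least one artifact should not be voted on.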
Check the filelist inside
Unzip, change into the directory, and check that these files exist:
- LICENSE
- NOTICE
- DISCLAIMER
Check the licenses
```
mvn apache-rat:check
```
It should succeed.
Source compile
```
mvn clean install
```
It should succeed. (The npm install step takes about 30 minutes on my machine; you can wait or skip it.)
Check the third-party licenses
In the LICENSE file of each module, make sure the third-party packages bundled in the JARs are all:
- under Apache-permitted licenses
- listed in the LICENSE file
Check the licenses of bundled resources.
- For a source release, "bundled" means the source code of third-party software is included.
- For a binary release, "bundled" means third-party software is included as source code or as a dependency.
Licenses in different categories have different restrictions.
- Category A: can bundle and can depend on.
- Category B: can depend on; the package can be bundled in a binary release, but its source code can NOT be bundled in a source release.
- Category X: can NOT bundle source code or package, can NOT depend on.
Category A
- Can bundle and can depend on
- Don’t add any restrictions above and beyond what the Apache License 2.0 does
- Common licenses include: Apache License 2.0, Apache License 1.1, 2 or 3 clause BSD (without advertising clause), MIT/X11, W3C, Unicode, CC copyright only, WTF public license

Category B
- Can’t include in source release
- Contain some restriction of use
- By using binary form limits chance of corruption
- Common licenses include: Common Development and Distribution License (CDDL), Eclipse Public License (EPL), Mozilla Public License (MPL), Creative Commons Attribution (CC-A)

Category X
- Can’t depend on
- Can’t bundle
- A few exceptions for build tools or optional dependencies
- Common Category X licenses include: GPL, LGPL, CC non-commercial, JSON, BSD 4 clause, Apache 1.0?
Some more references:
- https://events.static.linuxfound.org/sites/events/files/slides/Incubator_ApacheConUS2017.pdf
- https://www.apache.org/dev/release-distribution#sigs-and-sums
- http://www.apache.org/dev/licensing-howto.html#permissive-deps
- http://www.apache.org/dev/licensing-howto.html#guiding-principle