Once a release candidate has been staged to https://dist.apache.org/repos/dist/dev/incubator/pegasus it must be validated and voted on in order to proceed.
The full checklist can be found here: Incubator Release Checklist.
Prerequisites
For mac:
brew install gpg
For ubuntu:
sudo apt install gnupg
Downloading the release files
A release consists of a source zip, a signature file, a sha512 checksum file.
- Source package: https://dist.apache.org/repos/dist/dev/incubator/pegasus/a.b.c-RCd/apache-pegasus-a.b.c-incubating-src.zip
- Signature (asc): https://dist.apache.org/repos/dist/dev/incubator/pegasus/a.b.c-RCd/apache-pegasus-a.b.c-incubating-src.zip.asc
- Checksum (sha512): https://dist.apache.org/repos/dist/dev/incubator/pegasus/a.b.c-RCd/apache-pegasus-a.b.c-incubating-src.zip.sha512
Please download the files altogether.
Verifying the signature (ASC)
Before checking the signature, you should download and import the public keys from https://dist.apache.org/repos/dist/dev/incubator/pegasus/KEYS
gpg --import KEYS
In order to check the signature (ASC) of the release:
gpg --verify apache-pegasus-2.1.0-incubating-src.zip.asc apache-pegasus-2.1.0-incubating-src.zip
This should produce something like this:
gpg: using RSA key B29EB88AD60BB41EC9D82687B1DA1BBC34C617A9 gpg: issuer "wutao@apache.org" gpg: Good signature from "Tao Wu <wutao@apache.org>" [ultimate]
If you get the following error, it means you don't have the public key of the person who signed the message.
gpg: Signature made 一 10/14 13:04:42 2019 CST gpg: using RSA key BA45CDBB87E8B146A81F5BBE2206EF8F64C35889 gpg: Can't check signature: No public key
Verifying the checksum (SHA512)
sha512sum --check apache-pegasus-2.1.0-incubating-src.zip.sha512
If it produces "apache-pegasus-2.1.0-incubating-src.zip: OK", it means the package is good.
Running RAT
Before building it might be a good idea to run RAT on the unpacked sources. This will find all binaries and files without headers.
Download the latest version of RAT from here: apache-rat-0.13-bin.tar.gz
Unpack it somewhere and change into the unpacked source directory and run the following command:
java -jar apache-rat-0.13/apache-rat-0.13.jar -d apache-pegasus-a.b.c-incubating-src -E apache-pegasus-a.b.c-incubating-src/.rat-excludes
Compile Pegasus
Please read the document compile-from-source or compile-by-docker to build pegasus.
Reply to the vote thread
This is a template for the reply email of your validation result. It's not required to completely follow the template.
+1 (binding) # "binding" means you are a committer/PPMC/mentor of Pegasus. If not, "not-binding" here.
I checked:
☐ Do release files have the word incubating in their name?
☐ Are the digital signature and hashes correct?
☐ Does DISCLAIMER file exist?
☐ Do LICENSE and NOTICE files exists?
☐ Is the LICENSE and NOTICE text correct?
☐ Is the NOTICE year correct?
☐ Un-included software dependencies are not mentioned in LICENSE or NOTICE?
☐ License information is not mentioned in NOTICE?
Is there any 3rd party code contained inside the release? If so:
☐ Does the software have a compatible license?
☐ Are all software licenses mentioned in LICENSE?
☐ Is the full text of the licenses (or pointers to it) in LICENSE?
Is any of this code Apache licensed? Do they have NOTICE files? If so:
☐ Have relevant parts of those NOTICE files been added to this NOTICE file?
☐ Do all source files have ASF headers?
☐ Do the contents of the release match with what's tagged in version control?
☐ Are there any unexpected binary files in the release?
☐ Can you compile from source? Are the instruction clear?