Once a release candidate has been staged to https://dist.apache.org/repos/dist/dev/incubator/pegasus it must be validated and voted on in order to proceed.
The full checklist can be found here: Incubator Release Checklist.
Prerequisites
For macOS:
brew install gpg
For Ubuntu:
sudo apt install gpg
Downloading the release files
A release consists of a source zip, a signature file, and a sha512 checksum file.
- Source package: https://dist.apache.org/repos/dist/dev/incubator/pegasus/a.b.c-RCd/apache-pegasus-a.b.c-source-release.zip
- Signature (asc): https://dist.apache.org/repos/dist/dev/incubator/pegasus/a.b.c-RCd/apache-pegasus-a.b.c-source-release.zip.asc
- Checksum (sha512): https://dist.apache.org/repos/dist/dev/incubator/pegasus/a.b.c-RCd/apache-pegasus-a.b.c-source-release.zip.sha512
Verifying the signature (ASC)
Before checking the signature, you should import the public keys from https://dist.apache.org/repos/dist/dev/incubator/pegasus/KEYS:
gpg --import KEYS
In order to check the signature (ASC) of the release:
gpg --verify apache-pegasus-2.1.0-source-release.zip.asc apache-pegasus-2.1.0-source-release.zip
This should produce something like this:
gpg: using RSA key B29EB88AD60BB41EC9D82687B1DA1BBC34C617A9
gpg: issuer "wutao@apache.org"
gpg: Good signature from "Tao Wu <wutao@apache.org>" [ultimate]
If you get the following error, it means you don't have the public key of the person who signed the message.
Verifying the checksum (SHA512)
sha512sum --check apache-pegasus-2.1.0-source-release.zip.sha512
If it produces "apache-pegasus-2.1.0-source-release.zip: OK", the package matches its published checksum.
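The signature and checksum steps above combined into one script, added here as an example (it is not part of the Pegasus project's tooling). It imports KEYS into a throwaway keyring and compares the signer's fingerprint with a value the voter pins in advance, because "Good signature" alone only says that some key in the keyring signed the file. The function names and the EXPECTED_FPR argument are assumptions.

```shell
#!/bin/sh
# Added example; function names and the pinned fingerprint argument are assumptions.

# Read `gpg --status-fd 1` output on stdin and print the signing key's
# fingerprint only if gpg emitted GOODSIG and VALIDSIG. BADSIG, ERRSIG,
# EXPKEYSIG and REVKEYSIG results never include GOODSIG, so they fail here.
signer_fpr() {
  awk '$1 == "[GNUPG:]" && $2 == "GOODSIG"  { good = 1 }
       $1 == "[GNUPG:]" && $2 == "VALIDSIG" { fpr = $3 }
       END { if (good && fpr != "") print fpr; else exit 1 }'
}

# The checksum step from the page, run from the artifact's directory because
# the .sha512 file refers to the zip by file name.
check_sha512() (
  cd "$(dirname "$1")" && sha512sum -c "$(basename "$1").sha512" >/dev/null 2>&1
)

# verify_rc KEYS_FILE ARTIFACT EXPECTED_FPR
# Imports KEYS into a throwaway keyring so that keys already in the voter's
# own keyring cannot satisfy the check, then pins the signer's fingerprint.
verify_rc() (
  keys=$1; zip=$2; want=$3
  check_sha512 "$zip" || { echo "checksum mismatch: $zip" >&2; exit 1; }
  GNUPGHOME=$(mktemp -d) || exit 1
  export GNUPGHOME
  trap 'rm -rf "$GNUPGHOME"' EXIT
  gpg --batch --quiet --import "$keys" || exit 1
  got=$(gpg --batch --status-fd 1 --verify "$zip.asc" "$zip" 2>/dev/null | signer_fpr) \
    || { echo "no good signature on $zip" >&2; exit 1; }
  [ "$got" = "$want" ] || { echo "unexpected signer: $got" >&2; exit 1; }
  echo "OK: $zip signed by $got"
)

# Constructed status output for a good signature (fingerprint taken from the
# sample gpg output on this page; the date and remaining fields are made up).
SAMPLE_STATUS='[GNUPG:] GOODSIG B1DA1BBC34C617A9 Tao Wu <wutao@apache.org>
[GNUPG:] VALIDSIG B29EB88AD60BB41EC9D82687B1DA1BBC34C617A9 2020-01-01 1577836800 0 4 0 1 10 00 B29EB88AD60BB41EC9D82687B1DA1BBC34C617A9'

if [ "$#" -eq 3 ]; then
  verify_rc "$@" || exit 1
else
  printf '%s\n' "$SAMPLE_STATUS" | signer_fpr   # offline demo of the parser
fi
```

Run it as `sh verify_rc.sh KEYS apache-pegasus-a.b.c-source-release.zip EXPECTED_FPR` (script name hypothetical), with the .asc and .sha512 files next to the zip and EXPECTED_FPR obtained from a source you trust independently of the download directory.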
Running RAT
Before building, it might be a good idea to run RAT on the unpacked sources. This will find all binaries and files without headers, completely ignoring any "exclusions" in the pom.
Download the latest version of RAT from here: https://creadur.apache.org/rat/download_rat.cgi
Unpack it somewhere, change into the unpacked source directory, and run the following command: