
Every release will be posted onto dist.apache.org, as in the following example:

https://dist.apache.org/repos/dist/dev/incubator/griffin/0.2.0-incubating/

We need to do some verification in our own environment before voting.

Check the filelist

  • CHANGES.txt
  • [project]-source-release.zip
  • [project].pom
  • Signature file.
  • Hash files.

DO NOT provide md5 files.

Download source package and unpack

Download griffin-0.2.0-incubating-source-release.zip from the dist page.

Unpack the zip.

Download asc file and verify

Download griffin-0.2.0-incubating-source-release.zip.asc from the dist page.

Verify the signature.

gpg --verify griffin-0.2.0-incubating-source-release.zip.asc griffin-0.2.0-incubating-source-release.zip

Check the filelist inside

In the unpacked directory, check that these files exist:

  • LICENSE
  • NOTICE
  • DISCLAIMER
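The checks above (file list, no md5 files, hash, signature, LICENSE/NOTICE/DISCLAIMER inside the unpacked tree) can be scripted once the dist directory has been downloaded locally. The following POSIX shell script is an added example, not part of this page or of the Griffin project; it assumes the artifacts sit in one local directory, that the hash file is named <artifact>.sha512 in either sha512sum or gpg --print-md layout, and that the release manager's public key from the KEYS file has already been imported into the local gpg keyring.

```shell
#!/bin/sh
# Added example (not Griffin project code): offline sanity checks on a
# downloaded release directory before voting.

# Hex SHA-512 digest of a file, using whichever tool the machine has.
sha512_of() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | cut -d' ' -f1
  else
    shasum -a 512 "$1" | cut -d' ' -f1
  fi
}

# Compare the digest of file $1 with the one recorded in hash file $2.
# Whitespace is stripped first so both "hash  file" (sha512sum) and
# "file: ABCD EF01 ..." (gpg --print-md) layouts are accepted.
check_sha512() {
  actual=$(sha512_of "$1")
  expected=$(tr -d '[:space:]' < "$2" | grep -oE '[0-9a-fA-F]{128}' | head -n 1 | tr 'A-F' 'a-f')
  [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# Check the dist directory: CHANGES.txt, the source zip, a pom, signature
# and sha512 present, no md5 files, and the sha512 matches.
# $1 = directory, $2 = source-release zip name.
check_dist_dir() {
  dir=$1; artifact=$2
  for f in CHANGES.txt "$artifact" "$artifact.asc" "$artifact.sha512"; do
    [ -f "$dir/$f" ] || { echo "missing: $f" >&2; return 1; }
  done
  ls "$dir"/*.pom >/dev/null 2>&1 || { echo "missing: [project].pom" >&2; return 1; }
  if ls "$dir"/*.md5 >/dev/null 2>&1; then
    echo "md5 files must not be provided" >&2; return 1
  fi
  check_sha512 "$dir/$artifact" "$dir/$artifact.sha512" || { echo "sha512 mismatch" >&2; return 1; }
}

# Check the unpacked source tree for the mandatory top-level files.
check_source_tree() {
  for f in LICENSE NOTICE DISCLAIMER; do
    [ -f "$1/$f" ] || { echo "missing: $f" >&2; return 1; }
  done
}

# Signature check; needs the signer's key in the local keyring (import KEYS first).
verify_signature() {
  gpg --verify "$1.asc" "$1"
}

# Usage, after downloading the dist directory to ./0.2.0-incubating:
#   check_dist_dir ./0.2.0-incubating griffin-0.2.0-incubating-source-release.zip \
#     && verify_signature ./0.2.0-incubating/griffin-0.2.0-incubating-source-release.zip \
#     && unzip -q ./0.2.0-incubating/griffin-0.2.0-incubating-source-release.zip -d ./src \
#     && check_source_tree ./src/*
```

A hash match only proves the download was not corrupted in transit; the gpg signature is what ties the artifact to the release manager, so do not skip verify_signature even when the hash checks out.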

Check the licenses

mvn apache-rat:check

It should succeed. (The npm install step takes about 30 minutes on my machine; you can wait for it or skip it.)

Source compile

mvn clean install

It should succeed.

Check the third party licenses

In the LICENSE file of each module, make sure the dependent third party packages in the JARs are all:

  • under Apache permitted licenses
  • listed in LICENSE file

Licenses in Category X should not be depended on.

Category A
  • Can bundle and can depend on
  • Don’t add any restrictions above and beyond what the Apache License 2.0 does
  • Common licenses include: Apache License 2.0, Apache License 1.1, 2 or 3 clause BSD (without advertising clause), MIT/X11, W3C, Unicode, CC copyright only, WTF public license

Category B
  • Can’t include in source release
  • Contain some restriction of use
  • Using the binary form limits the chance of corruption
  • Common licenses include: Common Development and Distribution License (CDDL), Eclipse Public License (EPL), Mozilla Public License (MPL), Creative Commons Attribution (CC-A)

Category X
  • Can’t depend on
  • Can’t bundle
  • A few exceptions for build tools or optional dependencies
  • Common Category X licenses include: GPL, LGPL, CC non commercial, JSON, BSD 4 clause, Apache 1.0?

For the service and measure modules, you can also get the third party licenses conveniently by running this:

mvn license:add-third-party

It will generate two files listing the third party licenses (they might miss some information):

  • service/target/generated-sources/license/THIRD-PARTY.txt
  • measure/target/generated-sources/license/THIRD-PARTY.txt

For the ui module, you have to check them manually.
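The generated THIRD-PARTY.txt files can be screened for Category X license names before reading them line by line. The script below is an added example, not part of this page or of the Griffin project; it assumes the usual license-maven-plugin layout (one dependency per line, license names in parentheses first) and uses a constructed sample file with org.example coordinates. It only flags lines for review: a dual-licensed entry such as "CDDL + GPLv2 with classpath exception" is flagged as well and needs a human decision.

```shell
#!/bin/sh
# Added example (not Griffin project code): flag Category X licenses in a
# THIRD-PARTY.txt produced by mvn license:add-third-party.

# License names the page lists under Category X (GPL, LGPL, CC non commercial,
# JSON, BSD 4 clause). Matches are candidates for manual review, not verdicts.
CATEGORY_X_PATTERN='GPL|General Public License|Non-?[Cc]ommercial|CC[- ]BY[- ]NC|JSON License|4-?[Cc]lause|Original BSD'

# Print every dependency line whose license text matches Category X.
# Returns 0 when nothing was flagged, 1 otherwise.
scan_third_party() {
  flagged=$(grep -E "^[[:space:]]*\(.*($CATEGORY_X_PATTERN)" "$1" || true)
  if [ -n "$flagged" ]; then
    printf '%s\n' "$flagged"
    return 1
  fi
  return 0
}

# Number of flagged lines, for use in scripts (always exits 0).
count_category_x() {
  scan_third_party "$1" | grep -c . || true
}

# Constructed sample in the plugin's layout; coordinates and URLs are made up.
write_sample_third_party() {
  cat > "$1" <<'EOF'
Lists of 5 third-party dependencies.
     (The Apache Software License, Version 2.0) Sample Commons (org.example:sample-commons:1.0 - http://example.invalid/apache)
     (The MIT License) Sample Qual (org.example:sample-qual:2.0 - http://example.invalid/mit)
     (GNU Lesser General Public License) Sample LGPL Lib (org.example:lgpl-lib:1.0 - http://example.invalid/lgpl)
     (The JSON License) Sample JSON (org.example:json-lib:1.0 - http://example.invalid/json)
     (CDDL + GPLv2 with classpath exception) Sample Servlet API (org.example:servlet-api:3.1 - http://example.invalid/cddl)
EOF
}

# Usage against a real build:
#   scan_third_party service/target/generated-sources/license/THIRD-PARTY.txt
#   scan_third_party measure/target/generated-sources/license/THIRD-PARTY.txt
```

Run against the constructed sample, the LGPL, JSON and CDDL + GPLv2 lines are flagged (three hits) while the Apache and MIT lines pass; anything flagged still has to be checked against the module's LICENSE file and the category rules above.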


After all the steps above pass, you can confidently vote +1.

If there is any problem, vote -1 and give the reasons.


Some more references: https://events.static.linuxfound.org/sites/events/files/slides/Incubator_ApacheConUS2017.pdf
