Validating a staged release
On MacOS and Linux the first 4 steps can be automated. For details please read the section about tooling after this chapter. |
-
Download all staged artifacts under the url specified in the release vote email into a directory we’ll now call
download-dir
. -
Verify the signature is correct: Additional Apache tutorial on how to verify downloads can be found here.
gpg --verify apache-plc4x-{current-full-version}-source-release.zip.asc apache-plc4x-#{current-full-version}-source-release.zip
-
Check if the check is successful.
-
Check if the signature references an Apache email address.
-
Verify the SHA512 hashes:
Mac/Linux: shasum -a512 apache-plc4x-{current-full-version}-source-release.zip Windows (PowerShell): Get-FileHash -Algorithm SHA512 .\apache-plc4x-code-generation-{current-full-version}-source-release.zip | Format-List
-
Unzip the archive:
unzip apache-plc4x-{current-full-version}-source-release.zip
-
Verify the existence of
LICENSE
,NOTICE
,README
,RELEASE_NOTES
files in the extracted source bundle. -
Verify the content of
LICENSE
,NOTICE
,README
,RELEASE_NOTES
files in the extracted source bundle.
(Especially pay attention to the year in the NOTICE file if this is the first release of the year)
|
-
[RM] Verify the staged source README, RELEASE_NOTE files correspond to those in the extracted source bundle.
-
[RM] Run RAT externally to ensure there are no surprises.
java -jar apache-rat-0.13.jar apache-plc4x-{current-full-version}-source-release.zip > rat.log
-
Search for
SNAPSHOT
references:
find . -type f -name 'pom.xml' -exec grep -l "SNAPSHOT" {} \;
-
Search for
Copyright
references, and if they are in headers, make sure these files containing them are mentioned in the LICENSE file. -
Build the project according to the information in the README.md file.
-
[RM] Build the project with all
with-xyz
profiles and tests enabled and an empty maven local repo: by appending-Dmaven.repo.local=../.m2
(On windows use-D"maven.repo.local"="../.m2"
).
Using RAT
Even if we are using RAT to ensure sources have headers in place, still the project can contain exclusions that hide things from the check.
The only way to avoid missing important files is by running RAT
externally.
If you haven’t got it, yet please download it form here.
Also do I like to run RAT against the zip archive containing the source release as this way you avoid the problem of eventually scanning the binaries produced by the build (If you run RAT after building, it will complain about every jar and ever class file).
java -jar apache-rat-0.13.jar apache-plc4x-0.13.0-source-release.zip > rat.log
By piping the result into a text file gives you the chance to investigate the content more easily.
Release Tooling
In the tools
directory we have a little script that can help with downloading and checking the hashes and signatures automatically.
In order to execute this, please change directories into the projects base directory and execute the following command:
tools/download_staged_release.sh 0.13.0 1
This will download all the files into a directory: downloaded-plc4x-0.13.01
.
After that it will calculate the SHA512 hash and compare it with the staged hash.
Last not least it will validate the PGP key and print out some information on it.
Template for the email for voting
+1/-1 (binding) Name [] Download all staged artifacts under the url specified in the release vote email. [] Verify the signature is correct. [] Check if the signature references an Apache email address. [] Verify the SHA512 hashes. [] Unzip the archive. [] Verify the existence of LICENSE, NOTICE, README, RELEASE_NOTES files in the extracted source bundle. [] Verify the content of LICENSE, NOTICE, README, RELEASE_NOTES files in the extracted source bundle. [] [RM] Verify the staged source README, RELEASE_NOTE files correspond to those in the extracted source bundle. [] [RM] Run RAT externally to ensure there are no surprises. [] Search for SNAPSHOT references [] Search for Copyright references, and if they are in headers, make sure these files containing them are mentioned in the LICENSE file. [] Build the project according to the information in the README.md file. [] [RM] Build the project with all with-xyz profiles and tests enabled and an empty maven local repo.
If everything is ok, I put "OK" int the square brackets. If there are minor issues, I put "MINOR" in there and, if it’s a short reason, I put an explanation at the end of the line. If it’s longer I put a longer section after the checklist. If there are major issues, I put "FAIL" in there and comment the same way as with minor issues.