
Voting on a MyFaces Project Release

An Apache release is a set of valid and signed artifacts, voted on by the appropriate PMC and distributed on the ASF's official release infrastructure. All voters for a release must verify these items:

  • Verify checksums on released files. [1]
  • Validate signatures on released files. [1]
  • Verify that the release source code builds. [2]
  • Verify that all source files have appropriate and compatible licensing. [2]
  • Optionally verify that each archive type contains the same contents.

[1] http://www.apache.org/dev/release-publishing.html#signed
[2] http://www.apache.org/dev/release-publishing.html#valid

Here is an example of how these tasks can be accomplished under Linux.

Verify checksums on released files.

    find . -name '*.md5' -exec cat {} \; -printf ' %f\n' | sed 's|\.md5$||' | md5sum -c
    find . -name '*.sha1' -exec cat {} \; -printf ' %f\n' | sed 's|\.sha1$||' | sha1sum -c

Validate signatures on released files.

    wget http://www.apache.org/dist/myfaces/KEYS
    gpg --import KEYS
    find . -name '*.asc' -exec gpg --verify {} \;

Verify that the tar.gz and zip sources are identical.

    mkdir src
    cd src
    tar xvf ../myfaces-core-assembly-2.0.15-src.tar.gz
    ls -l
    mv myfaces-core-2.0.15-src/ myfaces-core-2.0.15-src-tar-gz
    unzip ../myfaces-core-assembly-2.0.15-src.zip
    # should be no output
    diff -rq myfaces-core-2.0.15-src*
    # should be "are identical" output
    diff -srq myfaces-core-2.0.15-src*

Verify that the release source code builds.

    cd myfaces-core-2.0.15-src/src
    find \( -name '*.jar' -o -name '*.zip' \) -exec unzip -n {} \;
    cd myfaces-core-module-2.0.15/
    mvn install

Verify that all source files have appropriate and compatible licensing.

    mvn apache-rat:check
    # To check for all errors, if more than one project is affected
    # mvn -e -X apache-rat:check -Drat.numUnapprovedLicenses=9999
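
A stricter take on the checksum step above, added here as an example and not part of the original page; the function name `verify_sidecars` and its output format are assumptions. It compares digests itself instead of piping into `md5sum -c`, so checksum files holding a bare digest, a `digest  filename` pair, uppercase hex or CRLF line endings are all handled, and any other format fails closed.

```shell
#!/bin/sh
# Added example (not from the original page).
# Usage after sourcing this file: verify_sidecars /path/to/downloaded/release
# Prints one line per .md5/.sha1 file; returns non-zero on any failure.

verify_sidecars() {
    dir=$1
    failures=0
    checked=0
    # List sidecars into a temp file so the loop runs in this shell
    # (a pipe would run it in a subshell and lose the counters).
    list=$(mktemp) || return 2
    find "$dir" -type f \( -name '*.md5' -o -name '*.sha1' \) | sort > "$list"
    while IFS= read -r sidecar; do
        case $sidecar in
            *.md5)  tool=md5sum;  artifact=${sidecar%.md5} ;;
            *.sha1) tool=sha1sum; artifact=${sidecar%.sha1} ;;
        esac
        checked=$((checked + 1))
        if [ ! -f "$artifact" ]; then
            echo "MISSING  $artifact (named by $sidecar)"
            failures=$((failures + 1))
            continue
        fi
        # Expected digest: first token of the first non-empty line, lowercased.
        expected=$(tr -d '\r' < "$sidecar" | awk 'NF { print tolower($1); exit }')
        # Actual digest: computed from the artifact's bytes.
        actual=$("$tool" < "$artifact" | awk '{ print $1 }')
        if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
            echo "OK       $artifact ($tool)"
        else
            echo "FAILED   $artifact ($tool)"
            failures=$((failures + 1))
        fi
    done < "$list"
    rm -f "$list"
    # A directory with no checksum files at all is a failure, not a pass.
    [ "$checked" -gt 0 ] || { echo "no checksum files found under $dir"; return 1; }
    [ "$failures" -eq 0 ]
}
```

A matching checksum only shows the download is intact; the `gpg --verify` step is still what ties the files to a key listed in KEYS.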