OpenWhisk, the an open source, distributed serverless platform, has already launched its journey to release under Apache as an incubator project. It consists of multiple modules dedicated to different aspects ranging from core service to client library, from deployment to runtimes, etc. Based on release policy of ASF(Apache Software Foundation), an email is sent off to the developer’s mailing list firstname.lastname@example.org, calling for votes from the OpenWhisk developers. Although the votes from the member of PPMC(Podling Project Management Committee) count for the final decision, every OpenWhisk committer is welcome to vote and comment on the vote email for the release. As you may have noticed, each vote email offers a checklist for voters to verify. This article will walk you through how to verify and vote on the vote emails for OpenWhisk modules.
Although the checklist may be changed in the future, the current one looks like this:
- Download links are valid.
- Checksums and PGP signatures are valid.
- DISCLAIMER is included.
- Source code artifacts have correct names matching the current release.
- LICENSE and NOTICE files are correct for each OpenWhisk repo.
- All files have license headers if necessary.
- No compiled archives bundled in source archive.
You can find it in the historic vote emails, like vote for OpenWhisk core module or vote for OpenWhisk Client Go and CLI modules. It is the minimum requirement to pass the verification of this checklist in order to release the OpenWhisk module(s). Let’s go through the bulletins one by one:
1.Download links are valid.
This is a manual step. There are three links for each OpenWhisk module: source code artifact, SHA-512 checksum and signature. There will be more artifacts, because we are planning to release the binaries or docker images in future. The download links are included in the vote email, click on them to download or view for the verification. If you find them valid, mark check to this bulletin. If not, reply to the vote email with your comments.
2.Checksums and PGP signatures are valid.
This is a step, which can be helped with local configuration and commands.
You need to install `gpg` on your local machine.
- For Ubuntu user, run the following command:
sudo apt-get install gnupg
- For Mac user, run the following command:
brew install gpg
Before using `gpg` to verify the OpenWhisk release integrity, you should verify `gpg`’s own integrity.
The public key used to verify the OpenWhisk checksums can be found here. Download the key and import it on your local machine.
gpg --import <key_file>
The parameter <key_file> is the file, where the public key is saved.
To generate the SHA512 checksum:
gpg --print-md SHA512 <artifact>
We take the OpenWhisk main module for example to demostrat how to use the gpg command to verify the SHA-512 checksum and the signature. The name will vary if you verify the artifact for other OpenWhisk modules.
The parameter <artifact> is the file of the artifact `”openwhisk-0.9.0-incubating-sources.tar.gz”` for OpenWhisk core module. Compare the content with the SHA512 file.
Download the signature for OpenWhisk 0.9.0, and verify it with the command:
gpg --verify openwhisk-0.9.0-incubating-sources.tar.gz.asc openwhisk-0.9.0-incubating-sources.tar.gz
As you may notice, if each OpenWhisk module is named <artifact>, the naming convention for the SHA512 checksum is <artifact>.sha512 and for the signature is <artifact>.sha512.asc.
Based on the result of the above commands, you should be able to see whether the checksum and signature match the artifact.
3.DISCLAIMER is included.
This is a manual step. Since OpenWhisk is currently at the incubator stage under ASF, we need a file of DISCLAIMER included in the source code release. You need look for a file named DISCLAIMER.txt available under the root directory of the OpenWhisk module. If you find it right, and the content is compliant with the ASF incubator requirement, you can mark check to this bulletin. If not, reply to the vote email with your comment.
4.Source code artifacts have correct names matching the current release.
This is a manual step. You need to check whether the OpenWhisk modules to be release have the correct names for the artifact, the SHA-512 checksum and the signature. For example, if the version is 0.9.0-incubating and the module name is openwhisk-cli, the artifact’s name should be openwhisk-cli-0.9.0-incubating-sources.tar.gz The SHA512 checksum and the signature should have the same name with different suffixes. When you untar and extract the artifact, you should see the root directory with the same name as well. If you find the naming convention is corrct, you can mark check to this bulletin. If not, please reply to the email with your comment.
5.LICENSE and NOTICE files are correct for each OpenWhisk repository.
This is a manual step. ASF defines a comprehensive instruction on how to assemble LICENSE and NOTICE. At least, you should make sure there is a LICENSE file and NOTICE file available under the root directory of the OpenWhisk source code artifact.
OpenWhisk is released under Apache 2.0 license, so you need to verify if the content of LICENSE matches the content of Apache 2.0 license. It is possible that it contains additional license for the source code we bundle, but their license should be compatible with Apache 2.0. For licenses that may not be included, refer to the exclude list.
You should locate in NOTICE file the copyright and the copyright of the bundled source code.
If you find the LICENSE and NOTICE available, and not doubt about the content of them, this bulletin is checked.
6.All files have license headers if necessary.
This is a step, which can be helped with an existing tool. OpenWhisk uses the tool called openwhisk-utilities to check the license header for each source code file. Please check the `scanCode` tutorial for instructions to download and run the tool and scan all code in the release.
Download the OpenWhisk utilities project with the following command:
git clone https://github.com/apache/incubator-openwhisk-utilities.git
Then,run the following command:
scancode/scanCode.py --config scancode/ASF-Release.cfg <Path of root directory for openwhisk artifact>
Based on the result of the above command, you should be able to decide whether the license header is correct for each source code file.
7.No compiled archives bundled in source archive.
This is a manual step. You can either go through all the directories or use some commands to make sure there is no compiled archives available for this OpenWhisk module. Files, ending with tar.gz, jar, zip, etc, are not what source code artifact should include. Dependencies, including but not limited to third-party libraries, should also be excluded. We only bundle the source code(intellectual assets) developed by our OpenWhisk developers, or other people’s source code with friendly license to Apache 2.0 and correct explanations in NOTICE. If you find this bulletin passed, mark check to this item. If not, reply to the vote email with something exceptional you have found in the artifact.
After you have done all the verification for the above checklist, you probably have an ideal about what vote you are about to cast. If all the above bulletins checked with no problem, you can vote +1 to the vote email. If not, you can vote -1 with your comments. You can also abstain if you really have no idea what to vote. I hope you find useful information here regarding how to verify the release checklist and cast your vote on OpenWhisk modules.