Once a release candidate has been staged to https://dist.apache.org/repos/dist/dev/incubator/pegasus it must be validated and voted on in order to proceed.

The full checklist can be found here: Incubator Release Checklist.

Prerequisites

For macOS:

brew install gpg

For ubuntu:

sudo apt install gnupg

For RHEL or CentOS:

sudo yum install gnupg2

Downloading the release files

Suppose you are going to validate version {a.b.c-RCd}.

A release candidate consists of three files: the source zip, a detached GPG signature, and a SHA-512 checksum file.

  • Source package: https://dist.apache.org/repos/dist/dev/incubator/pegasus/a.b.c-RCd/apache-pegasus-a.b.c-incubating-src.zip
  • Signature (asc): https://dist.apache.org/repos/dist/dev/incubator/pegasus/a.b.c-RCd/apache-pegasus-a.b.c-incubating-src.zip.asc
  • Checksum (sha512): https://dist.apache.org/repos/dist/dev/incubator/pegasus/a.b.c-RCd/apache-pegasus-a.b.c-incubating-src.zip.sha512

Download all three files into the same directory: both the signature check and the checksum check look for the zip next to the .asc and .sha512 files.

Verifying the signature (ASC)

Before checking the signature, download and import the project's public keys from https://dist.apache.org/repos/dist/dev/incubator/pegasus/KEYS. Importing KEYS only tells gpg which keys exist; it does not by itself establish that the signing key belongs to a Pegasus release manager, so compare the fingerprint gpg reports against the one listed in KEYS (and, ideally, against the fingerprint the release manager published elsewhere).

gpg --import KEYS

In order to check the signature (ASC) of the release:

gpg --verify apache-pegasus-a.b.c-incubating-src.zip.asc apache-pegasus-a.b.c-incubating-src.zip

This should produce something like the following. "Good signature" means the signature is valid for the zip. Unless you have personally certified the signer's key, gpg will show "[unknown]" instead of "[ultimate]" and print "WARNING: This key is not certified with a trusted signature!"; that warning is about your keyring's trust settings, not about the signature itself, and the result is still a good signature provided the fingerprint matches a key in KEYS.

gpg: using RSA key B29EB88AD60BB41EC9D82687B1DA1BBC34C617A9
gpg: issuer "wutao@apache.org"
gpg: Good signature from "Tao Wu <wutao@apache.org>" [ultimate]

If you get the following error, it means you don't have the public key of the person who signed the release; re-download KEYS and import it again, since the release manager may have added a new key since your last import.

gpg: Signature made Mon 10/14 13:04:42 2019 CST
gpg:                using RSA key BA45CDBB87E8B146A81F5BBE2206EF8F64C35889
gpg: Can't check signature: No public key

Verifying the checksum (SHA512)

Linux:

sha512sum --check apache-pegasus-a.b.c-incubating-src.zip.sha512

MacOS:

shasum -a 512 --check apache-pegasus-a.b.c-incubating-src.zip.sha512

If it produces "apache-pegasus-a.b.c-incubating-src.zip: OK", the package matches the published checksum. Note that the checksum only detects corruption or a mismatched upload; it is served from the same location as the zip, so the signature check above is what actually authenticates the release.
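The download, KEYS import, signature and checksum steps above, put together as one script. This is an added example written for this page, not a script shipped by the Pegasus project. The dist.apache.org paths, the a.b.c-RCd naming and the KEYS location come from the text above; the function names (classify_gpg_status, fingerprint_in_keys, check_sha512, verify_release) are this example's own. Instead of grepping gpg's human-readable text, it reads the machine-readable `--status-fd` lines (GOODSIG, VALIDSIG, NO_PUBKEY, BADSIG), which do not change with gpg version or locale, and it additionally checks that the fingerprint that produced the signature is actually listed in the project KEYS file rather than merely present in your local keyring.

```shell
#!/usr/bin/env sh
# Added example (not part of the Pegasus project): validate a staged
# release candidate end to end. Usage: ./validate-rc.sh a.b.c-RCd
set -eu

DIST_BASE="https://dist.apache.org/repos/dist/dev/incubator/pegasus"

# Reduce `gpg --status-fd 1 --verify` output to one verdict line:
#   "GOOD <fingerprint>" | "NO_PUBKEY <keyid>" | "BAD" | "UNKNOWN"
classify_gpg_status() {
  cgs_status="$1"
  if printf '%s\n' "$cgs_status" | grep -q '^\[GNUPG:] BADSIG '; then
    echo BAD
    return 0
  fi
  cgs_keyid=$(printf '%s\n' "$cgs_status" | awk '/^\[GNUPG:] NO_PUBKEY /{print $3; exit}')
  if [ -n "$cgs_keyid" ]; then
    echo "NO_PUBKEY $cgs_keyid"
    return 0
  fi
  if printf '%s\n' "$cgs_status" | grep -q '^\[GNUPG:] GOODSIG '; then
    # VALIDSIG carries the full 40-hex-digit fingerprint as its first field.
    cgs_fpr=$(printf '%s\n' "$cgs_status" | awk '/^\[GNUPG:] VALIDSIG /{print $3; exit}')
    if [ -n "$cgs_fpr" ]; then
      echo "GOOD $cgs_fpr"
      return 0
    fi
  fi
  echo UNKNOWN
}

# KEYS files print fingerprints either as "Key fingerprint = 1234 5678 ..."
# or as a bare spaced line; strip spaces and uppercase before comparing.
fingerprint_in_keys() {
  fik_want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
  tr -d ' ' < "$1" | tr 'a-f' 'A-F' | grep -q "$fik_want"
}

# sha512sum on Linux, shasum on macOS; both read the same .sha512 file
# as long as the zip sits in the current directory.
check_sha512() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum --check "$1"
  else
    shasum -a 512 --check "$1"
  fi
}

# Download the three release files plus KEYS, then verify them.
verify_release() {
  vr_rc="$1"                    # a.b.c-RCd
  vr_ver="${vr_rc%-RC*}"        # a.b.c
  vr_zip="apache-pegasus-${vr_ver}-incubating-src.zip"
  for vr_f in "$vr_zip" "$vr_zip.asc" "$vr_zip.sha512"; do
    curl -fsSLO "$DIST_BASE/$vr_rc/$vr_f"
  done
  curl -fsSLO "$DIST_BASE/KEYS"
  gpg --import KEYS
  # gpg exits non-zero on NO_PUBKEY/BADSIG; keep its status lines either way.
  vr_status=$(gpg --status-fd 1 --verify "$vr_zip.asc" "$vr_zip" 2>/dev/null) || true
  vr_verdict=$(classify_gpg_status "$vr_status")
  case "$vr_verdict" in
    GOOD\ *)
      vr_fpr="${vr_verdict#GOOD }"
      if fingerprint_in_keys KEYS "$vr_fpr"; then
        echo "signature OK; signing key $vr_fpr is listed in KEYS"
      else
        echo "signature verifies, but key $vr_fpr is NOT in the project KEYS file"
        return 1
      fi ;;
    NO_PUBKEY\ *)
      echo "signer ${vr_verdict#NO_PUBKEY } is not in KEYS or your keyring"
      return 1 ;;
    *)
      echo "signature check failed: $vr_verdict"
      return 1 ;;
  esac
  check_sha512 "$vr_zip.sha512"
}

if [ "$#" -gt 0 ]; then
  verify_release "$1"
fi
```

The script stops before unpacking, RAT and the build, which follow below. A "GOOD" verdict whose fingerprint is missing from KEYS is treated as a failure on purpose: a key that happens to be in your keyring from another project can produce a "Good signature" line, and that tells you nothing about whether a Pegasus release manager signed the zip.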

Running RAT

Before building, run Apache RAT on the unpacked sources. It reports every binary file and every source file that lacks a license header, which is what the LICENSE/NOTICE questions in the vote template below ask about.

Download the latest version of RAT from here: https://creadur.apache.org/rat/download_rat.cgi

Unpack it somewhere and run the following command (this example assumes apache-rat-0.15; adjust the path to the version you downloaded):

java -jar apache-rat-0.15/apache-rat-0.15.jar -d apache-pegasus-a.b.c-incubating-src \
     -E apache-pegasus-a.b.c-incubating-src/.rat-excludes

Sample output (with 0 Unknown Licenses):

*****************************************************
Summary
-------
Generated at: 2022-09-27T23:55:44+08:00

Notes: 3
Binaries: 14
Archives: 0
Standards: 1629

Apache Licensed: 1041
Generated Documents: 0

JavaDocs are generated, thus a license header is optional.
Generated files do not require license headers.

0 Unknown Licenses

*****************************************************

Compile Pegasus

Please read the document compile-from-source or compile-by-docker to build pegasus.

Reply to the vote thread

This is a template for the reply email with your validation result. It is not required to follow the template exactly.

+1/0/-1 (binding) # "binding" if you are a member of the Pegasus PPMC (or of the Incubator PMC for the general@incubator vote); otherwise write "non-binding".

I checked:

(yes/no) Do release files have the word incubating in their name?

(yes/no) Are the digital signatures and hashes correct?

(yes/no) Does a DISCLAIMER file exist?

(yes/no) Do LICENSE and NOTICE files exist?

(yes/no) Is the LICENSE and NOTICE text correct?

(yes/no) Is the NOTICE year correct?

(yes/no) Un-included software dependencies are not mentioned in LICENSE or NOTICE?

(yes/no) License information is not mentioned in NOTICE?

(yes/no) Is there any 3rd party code contained inside the release? If so:

(yes/no) Does the software have a compatible license?

(yes/no) Are all software licenses mentioned in LICENSE?

(yes/no) Is the full text of the licenses (or pointers to it) in LICENSE?

(yes/no) Is any of this code Apache-licensed?

    (yes/no) Do all source files have ASF headers?

    (yes/no) Do they have NOTICE files? If so:

        (yes/no) Have relevant parts of those NOTICE files been added to this NOTICE file?

(yes/no) Do the contents of the release match with what's tagged in version control?

(yes/no) Are there any unexpected binary files in the release?

(yes/no) Can you compile from source? Are the instructions clear?
