Once a release candidate has been staged to https://dist.apache.org/repos/dist/dev/incubator/pegasus it must be validated and voted on in order to proceed.

The full checklist can be found here: Incubator Release Checklist.

Prerequisites

For MacOS:

Code Block
brew install gpg

For ubuntu:

Code Block
sudo apt install gnupg

For RHEL or CentOS:

Code Block
sudo yum install gnupg

Downloading the release files

Suppose you are going to validate version {a.b.c-RCd}.

A release consists of a source zip, a signature file, and a sha512 checksum file.

  • Source package: https://dist.apache.org/repos/dist/dev/incubator/pegasus/a.b.c-RCd/apache-pegasus-a.b.c-incubating-src.zip
  • Signature (asc): https://dist.apache.org/repos/dist/dev/incubator/pegasus/a.b.c-RCd/apache-pegasus-a.b.c-incubating-src.zip.asc
  • Checksum (sha512): https://dist.apache.org/repos/dist/dev/incubator/pegasus/a.b.c-RCd/apache-pegasus-a.b.c-incubating-src.zip.sha512

Please download all of these files.

Verifying the signature (ASC)

Before checking the signature, you should download and import the public keys from https://dist.apache.org/repos/dist/dev/incubator/pegasus/KEYS

No Format
gpg --import KEYS

In order to check the signature (ASC) of the release:

No Format
gpg --verify apache-pegasus-a.b.c-incubating-src.zip.asc apache-pegasus-a.b.c-incubating-src.zip

This should produce something like this:

gpg: Signatur vom Fr  2 Aug 14:30:42 2019 CEST
gpg:                mittels RSA-Schlüssel ADBD428CB5BF6C9FFC77B907C336E0143A553B89
gpg: Korrekte Signatur von "Julian Feinauer <jfeinauer@apache.org>" [ultimativ]

("Good signature" means correct!)

No Format
gpg: using RSA key B29EB88AD60BB41EC9D82687B1DA1BBC34C617A9
gpg: issuer "wutao@apache.org"
gpg: Good signature from "Tao Wu <wutao@apache.org>" [ultimate]

If you get the following error, it means you don't have the public key of the person who signed the message.

No Format
gpg: Signature made 一 10/14 13:04:42 2019 CST
gpg:                using RSA key BA45CDBB87E8B146A81F5BBE2206EF8F64C35889
gpg: Can't check signature: No public key
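
The check above can be scripted so that a signature is accepted only when gpg reports it as valid and the signing key's fingerprint is one listed in KEYS. This is an added example, not part of the Pegasus release tooling: the function names are hypothetical and the sample key listing and status lines are constructed, reusing the fingerprints shown in the output above.

```shell
# Added example: accept a signature only when gpg reports VALIDSIG for a key
# whose fingerprint is listed in KEYS. Function names are hypothetical.

# Fingerprints from "gpg --with-colons" key-listing output on stdin.
keys_fingerprints() { awk -F: '$1 == "fpr" { print $10 }'; }

# Primary-key fingerprint from "gpg --status-fd" output on stdin; prints
# nothing when there is no VALIDSIG line (bad signature, no public key).
validsig_primary_fpr() {
  awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# check_signer STATUS_TEXT ALLOWED_FPRS: returns 0 only for a listed signer.
check_signer() {
  signer=$(printf '%s\n' "$1" | validsig_primary_fpr)
  [ -n "$signer" ] || { echo "no valid signature" >&2; return 1; }
  printf '%s\n' "$2" | grep -qxF "$signer" ||
    { echo "signer $signer is not in KEYS" >&2; return 1; }
  echo "valid signature from $signer"
}

# Real run (needs gpg): verify_release KEYS file.zip.asc file.zip
# A throwaway keyring means only keys imported from KEYS can verify.
verify_release() (
  home=$(mktemp -d) || exit 1
  gpg --homedir "$home" --batch --quiet --import "$1" 2>/dev/null
  allowed=$(gpg --homedir "$home" --batch --with-colons --with-fingerprint \
    --list-keys | keys_fingerprints)
  status=$(gpg --homedir "$home" --batch --status-fd 1 --verify "$2" "$3" \
    2>/dev/null) || true
  rm -rf "$home"
  check_signer "$status" "$allowed"
)

# Constructed samples (fingerprints are the ones shown in the page's output).
SAMPLE_KEYS='pub:-:4096:1:B1DA1BBC34C617A9:1660000000:::-:::scESC:
fpr:::::::::B29EB88AD60BB41EC9D82687B1DA1BBC34C617A9:'
SAMPLE_GOOD='[GNUPG:] GOODSIG B1DA1BBC34C617A9 Tao Wu <wutao@apache.org>
[GNUPG:] VALIDSIG B29EB88AD60BB41EC9D82687B1DA1BBC34C617A9 2022-09-27 1664294144 0 4 0 1 10 00 B29EB88AD60BB41EC9D82687B1DA1BBC34C617A9'
SAMPLE_NOKEY='[GNUPG:] ERRSIG 2206EF8F64C35889 1 10 00 1571029482 9 BA45CDBB87E8B146A81F5BBE2206EF8F64C35889
[GNUPG:] NO_PUBKEY 2206EF8F64C35889'
```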

Verifying the checksum (SHA512)

Unfortunately checking the hashes isn't as automatic as checking the signatures.

shasum -a512 apache-plc4x-0.8.0-source-release.zip

This will print out the hash ... unfortunately I haven't found a tool that you could pass along the SHA512 file and it just says: OK or NOT OK, so you have to manually compare the output with the output in the SHA512 file.

Linux:

No Format
sha512sum --check apache-pegasus-a.b.c-incubating-src.zip.sha512

MacOS:

Code Block
shasum -a 512 --check apache-pegasus-a.b.c-incubating-src.zip.sha512

If it produces "apache-pegasus-a.b.c-incubating-src.zip: OK", it means the package is good.
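
A checksum file is not always in the "hash  filename" layout that --check expects: some are generated with "gpg --print-md SHA512", which writes "filename:" followed by grouped uppercase hex that may wrap across lines. The added example below (not from the Pegasus project; the function names are hypothetical) goes beyond the single layout shown above and compares either one against the computed digest.

```shell
# Added example: compare a file's SHA-512 with a .sha512 file in either the
# coreutils layout ("<hash>  <name>") or the gpg --print-md layout
# ("<name>: ABCD1234 ..." in uppercase groups, possibly on several lines).

# Print the expected digest from the checksum file as 128 lowercase hex chars.
expected_sha512() {
  awk 'NR == 1 && length($1) == 128 { print tolower($1); found = 1; exit }
       { sub(/^[^:]*:/, ""); gsub(/[ \t\r]/, ""); joined = joined $0 }
       END { if (!found) print tolower(joined) }' "$1"
}

# Print the digest of the file itself (sha512sum on Linux, shasum on MacOS).
actual_sha512() {
  if command -v sha512sum >/dev/null 2>&1; then sha512sum "$1"
  else shasum -a 512 "$1"; fi | awk '{ print $1 }'
}

# sha512_matches FILE CHECKSUM_FILE: returns 0 only when the digests agree.
# An empty or malformed checksum file never matches.
sha512_matches() {
  want=$(expected_sha512 "$2")
  got=$(actual_sha512 "$1")
  [ "${#want}" -eq 128 ] && [ "$want" = "$got" ]
}

# Usage:
#   sha512_matches apache-pegasus-a.b.c-incubating-src.zip \
#       apache-pegasus-a.b.c-incubating-src.zip.sha512 && echo OK
```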

Running RAT

Before building, it might be a good idea to run RAT on the unpacked sources. This tool will find all binaries and files without license headers, completely ignoring any "exclusions" in the pom.

Download the latest version of RAT from here: https://creadur.apache.org/rat/download_rat.cgi

Unpack it somewhere, change into the unpacked source directory, and run the following command (this example uses apache-rat-0.15):

No Format
java -jar apache-rat-0.15/apache-rat-0.15.jar -d apache-pegasus-a.b.c-incubating-src \
     -E apache-pegasus-a.b.c-incubating-src/.rat-excludes

Sample output (with 0 Unknown Licenses):

Code Block
*****************************************************
Summary
-------
Generated at: 2022-09-27T23:55:44+08:00

Notes: 3
Binaries: 14
Archives: 0
Standards: 1629

Apache Licensed: 1041
Generated Documents: 0

JavaDocs are generated, thus a license header is optional.
Generated files do not require license headers.

0 Unknown Licenses

*****************************************************


Compile Pegasus

Please read the document compile-from-source or compile-by-docker to build Pegasus.

Reply to the vote thread

This is a template for the reply email of your validation result. It's not required to completely follow the template.

+1/0/-1 (binding) # "binding" means you are an Apache PMC/PPMC member. If not, write "non-binding" here.

I checked:

(yes/no) Do release files have the word incubating in their name?

(yes/no) Are the digital signatures and hashes correct?

(yes/no) Does a DISCLAIMER file exist?

(yes/no) Do LICENSE and NOTICE files exist?

(yes/no) Is the LICENSE and NOTICE text correct?

(yes/no) Is the NOTICE year correct?

(yes/no) Un-included software dependencies are not mentioned in LICENSE or NOTICE?

(yes/no) License information is not mentioned in NOTICE?

(yes/no) Is there any 3rd party code contained inside the release? If so:

(yes/no) Does the software have a compatible license?

(yes/no) Are all software licenses mentioned in LICENSE?

(yes/no) Is the full text of the licenses (or pointers to it) in LICENSE?

(yes/no) Is any of this code Apache-licensed?

    (yes/no) Do all source files have ASF headers?

    (yes/no) Do they have NOTICE files? If so:

        (yes/no) Have relevant parts of those NOTICE files been added to this NOTICE file?

(yes/no) Do the contents of the release match with what's tagged in version control?

(yes/no) Are there any unexpected binary files in the release?

(yes/no) Can you compile from source? Are the instructions clear?
