...

The full checklist can be found here: Incubator Release Checklist.

Prerequisites

For MacOS:

Code Block
brew install gpg

For Ubuntu:

Code Block
sudo apt install gnupg

For RHEL or CentOS:

Code Block
sudo yum install gnupg

Downloading the release files

Suppose you are going to validate version {a.b.c-RCd}.

A release consists of a source zip, a signature file, and a sha512 checksum file.

  • Source package: https://dist.apache.org/repos/dist/dev/incubator/pegasus/a.b.c-RCd/apache-pegasus-a.b.c-incubating-src.zip
  • Signature (asc): https://dist.apache.org/repos/dist/dev/incubator/pegasus/a.b.c-RCd/apache-pegasus-a.b.c-incubating-src.zip.asc
  • Checksum (sha512): https://dist.apache.org/repos/dist/dev/incubator/pegasus/a.b.c-RCd/apache-pegasus-a.b.c-incubating-src.zip.sha512

Please download all of the files together.

...

Before checking the signature, you should download and import the public keys from https://dist.apache.org/repos/dist/dev/incubator/pegasus/KEYS

...

No Format
gpg --verify apache-pegasus-a.b.c-incubating-src.zip.asc apache-pegasus-a.b.c-incubating-src.zip

This should produce something like this: ("Good signature" means correct!)

No Format
gpg: using RSA key B29EB88AD60BB41EC9D82687B1DA1BBC34C617A9
gpg: issuer "wutao@apache.org"
gpg: Good signature from "Tao Wu <wutao@apache.org>" [ultimate]

...

Verifying the checksum (SHA512)

Linux:

No Format
sha512sum --check apache-pegasus-a.b.c-incubating-src.zip.sha512

MacOS:

Code Block
shasum -a 512 --check apache-pegasus-a.b.c-incubating-src.zip.sha512

If it produces "apache-pegasus-a.b.c-incubating-src.zip: OK", it means the package is good.
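
The signature and checksum checks above in scripted form, as an added example that is not part of the original page or the Pegasus project. Besides the checksum, it compares the signer fingerprint reported by gpg with one you copied from the KEYS file, because "Good signature" on its own only says the signature matches some key in your keyring. The function names are hypothetical, and the KEYS file is assumed to be already imported.

```shell
#!/bin/sh
# Added example: function names and the fingerprint comparison are
# assumptions of this example, not taken from the Pegasus project.

# Print the primary-key fingerprint from `gpg --status-fd` output on stdin.
# gpg emits a VALIDSIG line only for a cryptographically valid signature;
# the last field of that line is the primary key fingerprint.
signer_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# Succeed only if the release file name contains "incubating".
name_ok() {
    case "$(basename "$1")" in
        *incubating*) return 0 ;;
        *) return 1 ;;
    esac
}

# Verify FILE against FILE.sha512 (sha512sum on Linux, shasum on MacOS).
checksum_ok() {
    (
        cd "$(dirname "$1")" || exit 1
        if command -v sha512sum >/dev/null 2>&1; then
            sha512sum --check "$(basename "$1").sha512" >/dev/null 2>&1
        else
            shasum -a 512 --check "$(basename "$1").sha512" >/dev/null 2>&1
        fi
    )
}

# Verify FILE.asc and require the signer to be EXPECTED_FPR (from KEYS).
signature_ok() {
    fpr=$(gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null | signer_fpr)
    [ -n "$fpr" ] && [ "$fpr" = "$2" ]
}

# Usage: verify_release apache-pegasus-a.b.c-incubating-src.zip <fingerprint>
verify_release() {
    name_ok "$1"           || { echo "FAIL: name lacks 'incubating'"; return 1; }
    checksum_ok "$1"       || { echo "FAIL: sha512 mismatch"; return 1; }
    signature_ok "$1" "$2" || { echo "FAIL: bad signature or unexpected signer"; return 1; }
    echo "OK: $1"
}
```

Pass the fingerprint as 40 hex characters without spaces, which is the form gpg prints on its status line.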

...

Before building it might be a good idea to run RAT on the unpacked sources. This tool will find all binaries and files without license headers.

Download the latest version of RAT from here: https://creadur.apache.org/rat/download_rat.cgi

Unpack it somewhere, change into the unpacked source directory, and run the following command (this example assumes you are using apache-rat-0.15):

No Format
java -jar apache-rat-0.15/apache-rat-0.15.jar -d apache-pegasus-a.b.c-incubating-src \
     -E apache-pegasus-a.b.c-incubating-src/.rat-excludes

Sample output (with 0 Unknown Licenses):

Code Block
*****************************************************
Summary
-------
Generated at: 2022-09-27T23:55:44+08:00

Notes: 3
Binaries: 14
Archives: 0
Standards: 1629

Apache Licensed: 1041
Generated Documents: 0

JavaDocs are generated, thus a license header is optional.
Generated files do not require license headers.

0 Unknown Licenses

*****************************************************


Compile Pegasus

Please read the document compile-from-source or compile-by-docker to build Pegasus.

Reply to the vote thread

This is a template for the reply email of your validation result. It's not required to completely follow the template.

+1/0/-1 (binding) # "binding" means you are an Apache PMC/PPMC member. If not, write "non-binding" here.

I checked:

(yes/no) Do release files have the word incubating in their name?

(yes/no) Are the digital signatures and hashes correct?

(yes/no) Does a DISCLAIMER file exist?

(yes/no) Do LICENSE and NOTICE files exist?

(yes/no) Is the LICENSE and NOTICE text correct?

(yes/no) Is the NOTICE year correct?

(yes/no) Un-included software dependencies are not mentioned in LICENSE or NOTICE?

(yes/no) License information is not mentioned in NOTICE?

(yes/no) Is there any 3rd party code contained inside the release? If so:

(yes/no) Does the software have a compatible license?

(yes/no) Are all software licenses mentioned in LICENSE?

(yes/no) Is the full text of the licenses (or pointers to it) in LICENSE?

(yes/no) Is any of this code Apache-licensed?

    (yes/no) Do all source files have ASF headers?

    (yes/no) Do they have NOTICE files? If so:

        (yes/no) Have relevant parts of those NOTICE files been added to this NOTICE file?

(yes/no) Do the contents of the release match with what's tagged in version control?

(yes/no) Are there any unexpected binary files in the release?

(yes/no) Can you compile from source? Are the instructions clear?