
This has been copied over from the IoTDB and adapted for NuttX (Validating a staged Release).


Once a release candidate has been staged to https://dist.apache.org/repos/dist/dev/incubator/nuttx it must be validated and voted on in order to proceed.

Team members must do the following.

NOTE: The 9.0.0-RC0 release is used here as an example.

Only the Release Manager needs to perform the items tagged with '[RM]', though all are encouraged to.

  1. Download the staged artifacts and check their signatures and hashes.
    1. mkdir checkrelease
    2. cd checkrelease
    3. wget -r -nH --cut-dirs=100 --no-parent https://dist.apache.org/repos/dist/dev/incubator/nuttx/9.0.0-RC0
    4. [RM] verify the reported signature ("gpg: Good signature from ...")
      1. gpg --verify apache-nuttx-9.0.0-incubating.tar.gz.asc apache-nuttx-9.0.0-incubating.tar.gz
      2. gpg --verify apache-nuttx-apps-9.0.0-incubating.tar.gz.asc apache-nuttx-apps-9.0.0-incubating.tar.gz
    5. [RM] verify the reported hashes:
      1. sha512sum -c apache-nuttx-9.0.0-incubating.tar.gz.sha512
      2. sha512sum -c apache-nuttx-apps-9.0.0-incubating.tar.gz.sha512
  2. Extract the source bundles.
    1. tar -xf apache-nuttx-9.0.0-incubating.tar.gz
    2. tar -xf apache-nuttx-apps-9.0.0-incubating.tar.gz
    3. verify the existence of the LICENSE, NOTICE, README.md and DISCLAIMER-WIP files in the extracted source bundle, in BOTH apps and nuttx
    4. [RM] verify that the staged source ReleaseNotes file in nuttx corresponds to the current release
    5. [RM] verify that the staged source .version file in nuttx corresponds to the current release
    6. WIP for future releases! Run RAT on the extracted source
  3. Build targets.
    1. cd nuttx
    2. build from the directions in README.txt for a target that you have
      1. the sim target is OK if you do not have hardware, but please try multiple OSes if possible (especially Windows and macOS)
      2. some targets are built as part of CI but have no functional testing, so these are valuable as well
  4. [RM] WIP for future releases! Review target/rat.txt (though the build should fail if RAT constraints aren't met)
    1. Find any files containing binary content with this command:
      1. find . -type f -name 'rat.txt' -exec grep -l " B " {} \;
    2. Then review the B (binary) content in those files: grep " B " target/rat.txt

Verifying the signature (ASC)

In order to check the signature (ASC) of the release:

gpg --verify apache-nuttx-9.0.0-incubating.tar.gz.asc apache-nuttx-9.0.0-incubating.tar.gz
gpg --verify apache-nuttx-apps-9.0.0-incubating.tar.gz.asc apache-nuttx-apps-9.0.0-incubating.tar.gz

This should produce something like this:

❯ gpg --verify apache-nuttx-9.0.0-incubating.tar.gz.asc apache-nuttx-9.0.0-incubating.tar.gz
gpg: Signature made Thu 23 Apr 2020 07:59:22 PM PDT
gpg:                using RSA key 66C4832A165ECC9354895A209750ED7E692B99E2
gpg: Good signature from "Brennan Ashton <bashton@brennanashton.com>" [ultimate]

The important part is that gpg reports a "Good signature". The "[ultimate]" at the end depends on your PGP trust environment; if you are not yet trusting any Apache people, this might be different.

If you get the following error, it means you don't have the public key of the person who signed the message.

gpg: Signature made Thu 23 Apr 2020 07:59:22 PM PDT
gpg:                using RSA key 66C4832A165ECC9354895A209750ED7E692B99E2
gpg: Can't check signature: No public key


Then you can use the RSA key ID shown in the output to fetch the signer's public key from a keyserver, and verify again.

gpg2 --receive-keys 66C4832A165ECC9354895A209750ED7E692B99E2


If you get an error message when running `gpg2 --receive-keys ....`, such as "gpg: keyserver receive failed: No data", it may be caused by a network problem.

In that case you can load the public key another way: download the KEYS file from https://dist.apache.org/repos/dist/dev/incubator/nuttx/KEYS and import it:

❯ gpg2 --import KEYS
gpg: key E1B6E30DB05D6280: "Brennan Ashton <bashton@brennanashton.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

Verifying the hashes (SHA512)

sha512sum -c apache-nuttx-9.0.0-incubating.tar.gz.sha512
sha512sum -c apache-nuttx-apps-9.0.0-incubating.tar.gz.sha512
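The checklist above and the signature and hash sections that follow it are the same verification steps run by hand. The script below is an added example, not part of the NuttX wiki page or the NuttX project, that chains those steps into functions a reviewer can run against a downloaded `checkrelease` directory: it checks every `.sha512` file with `sha512sum -c`, verifies each detached `.asc` signature with gpg (which needs the signer's key imported from KEYS first), extracts both tarballs, confirms LICENSE, NOTICE, README.md and DISCLAIMER-WIP exist in both trees, and checks that the `.version` file mentions the expected release. It assumes the file names from the page (`apache-nuttx-<version>-incubating.tar.gz` and `apache-nuttx-apps-<version>-incubating.tar.gz`), that the tarballs unpack into `nuttx/` and `apps/` directories, and that `.version` contains the release string somewhere; all three are assumptions.

```shell
#!/bin/sh
# Added example (not NuttX project code): automate the release-candidate
# checks from the wiki checklist. Assumes the artifact names from the page
# and that the tarballs extract into nuttx/ and apps/ (both assumptions).

# Check every .sha512 file in a directory with sha512sum -c.
# sha512sum -c must run in the directory the listed file lives in.
# Returns nonzero if any file is missing or any hash does not match.
check_hashes() {
  dir="$1"
  rc=0
  for sumfile in "$dir"/*.sha512; do
    [ -e "$sumfile" ] || { echo "no .sha512 files in $dir" >&2; return 1; }
    (cd "$dir" && sha512sum -c "$(basename "$sumfile")") || rc=1
  done
  return $rc
}

# Verify the detached signature <file>.asc against <file>.
# Requires the signer's public key to be imported (e.g. gpg --import KEYS).
check_signature() {
  gpg --verify "$1.asc" "$1"
}

# Confirm the policy files the checklist requires exist in an extracted tree.
check_required_files() {
  tree="$1"
  missing=0
  for f in LICENSE NOTICE README.md DISCLAIMER-WIP; do
    if [ ! -f "$tree/$f" ]; then
      echo "missing: $tree/$f" >&2
      missing=1
    fi
  done
  return $missing
}

# Check that the .version file in the nuttx tree mentions the expected
# release string (assumption: the page only says it must "correspond").
check_version_file() {
  tree="$1"
  expected="$2"
  [ -f "$tree/.version" ] && grep -qF -- "$expected" "$tree/.version"
}

# Run the whole sequence: hashes, signatures, extraction, required files,
# version file. Stops at the first failing step.
validate_rc() {
  dir="$1"
  ver="$2"
  check_hashes "$dir" || return 1
  for tb in "$dir/apache-nuttx-$ver-incubating.tar.gz" \
            "$dir/apache-nuttx-apps-$ver-incubating.tar.gz"; do
    check_signature "$tb" || return 1
    tar -xf "$tb" -C "$dir" || return 1
  done
  check_required_files "$dir/nuttx" || return 1
  check_required_files "$dir/apps" || return 1
  check_version_file "$dir/nuttx" "$ver"
}

# Usage: sh validate_rc.sh ./checkrelease 9.0.0
# Only runs when both arguments are given, so the functions can be sourced.
if [ "$#" -ge 2 ]; then
  validate_rc "$1" "$2" && echo "release candidate $2 passed all checks"
fi
```

The hash and signature checks are kept as separate functions on purpose: `sha512sum -c` only proves the download matches what was staged, while `gpg --verify` against a key imported from the project's KEYS file is what ties the artifact to a release manager. A tarball that passes the hash check but fails the signature check should be treated as unverified, not as "mostly fine".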

Running RAT  (WIP for Future Releases)

Before building it might be a good idea to run RAT on the unpacked sources. This will find all binaries and all files without license headers, completely ignoring any "exclusions" configured in the pom.

Download the latest version of RAT from here: https://creadur.apache.org/rat/download_rat.cgi

Unpack it somewhere and change into the unpacked source-directory and run the following command:

java -Xms1024m -Xmx1024m -jar {path-to-apache-rat-0.13.jar} .