Validating a Release

Download the GPG keys and import them:

wget https://people.apache.org/keys/group/crunch.asc
gpg --import crunch.asc

Download the release and verify checksums and signatures:

RM=mafr
VERSION=0.6.0
RELEASE=apache-crunch-$VERSION

wget http://people.apache.org/~$RM/crunch-$VERSION-RC0/$RELEASE-{src,bin}.{tar.gz,zip}{,.asc,.md5,.sha1}

md5sum -c *.md5
sha1sum -c *.sha1

for i in *.asc; do echo "verify: $i"; gpg --verify "$i"; done

Extract the distribution files and check whether the tarballs and ZIP files are identical. If they are, you only have to check two distribution artifacts.

mkdir tgz zip
tar -xzf $RELEASE-src.tar.gz -C tgz
tar -xzf $RELEASE-bin.tar.gz -C tgz
unzip -qd zip $RELEASE-src.zip
unzip -qd zip $RELEASE-bin.zip

diff -Naur {tgz,zip}/$RELEASE-src/
diff -Naur {tgz,zip}/$RELEASE-bin/

Check whether mandatory files are identical across all distribution artifacts:

for i in LICENSE NOTICE; do diff tgz/$RELEASE-{src,bin}/$i; done

Check out the tag from the source repository and make sure that it's identical to the source release:

git clone https://git-wip-us.apache.org/repos/asf/crunch.git
cd crunch
git fetch --tags
git checkout REVISION-CHECKSUM-FROM-VOTING-MAIL
cd ..

diff -Naur -x .git -x .gitignore crunch/ tgz/$RELEASE-src/

If all of the above checked out, you can proceed with validating the release artifacts against Apache regulations.
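
For the checksum step above: `md5sum -c` and `sha1sum -c` only accept files in the coreutils `digest  filename` layout, so a checksum file that holds just the bare digest is reported as improperly formatted even when the digest is right. The following is an added example, not part of the original page or the Crunch project; the function name `check_artifact` is hypothetical, and it assumes each `.md5`/`.sha1` file starts with the hex digest in one of those two layouts. It also flags artifacts whose `.asc`, `.md5` or `.sha1` companion is missing (the signature itself still has to be checked with `gpg --verify`).

```shell
#!/bin/sh
# Added example (not from the original page).
# check_artifact FILE
#   Succeeds only if FILE.asc, FILE.md5 and FILE.sha1 all exist and the
#   digests recorded in FILE.md5 / FILE.sha1 match the file's content.
#   The function body is a subshell, so its variables stay local.
check_artifact() (
    f=$1
    rc=0

    # Every artifact must ship with a signature and both checksum files.
    for ext in asc md5 sha1; do
        if [ ! -f "$f.$ext" ]; then
            echo "MISSING   $f.$ext"
            rc=1
        fi
    done

    for algo in md5 sha1; do
        [ -f "$f.$algo" ] || continue
        # First field of the first line is the digest in both layouts:
        # "<digest>" alone, or "<digest>  <filename>".
        want=$(awk 'NR==1 {print tolower($1)}' "$f.$algo")
        got=$("${algo}sum" < "$f" | awk '{print $1}')
        if [ -n "$want" ] && [ "$want" = "$got" ]; then
            echo "OK        $f ($algo)"
        else
            echo "MISMATCH  $f ($algo)"
            rc=1
        fi
    done

    [ "$rc" -eq 0 ]
)

# Check every artifact named on the command line, e.g.
#   sh check.sh apache-crunch-*.tar.gz apache-crunch-*.zip
status=0
for f in "$@"; do
    check_artifact "$f" || status=1
done
[ "$status" -eq 0 ]
```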