 March 2, 2016 - Working Draft

This document describes how to review an Apache Taverna release, not how to prepare the release.

Contents

 NOTE: In this document, (rc) items are from the [ASF release checklist](http://incubator.apache.org/guides/releasemanagement.html#check-list) and (rcw) items are from the [ReleaseChecklist wiki](http://wiki.apache.org/incubator/ReleaseChecklist)

 - I received a VOTE email, what do I do now?
 - [Before you start](#before-you-start)
 - [What to check](#what-to-check)
 - [How to check](#how-to-check)
 - [Voting and community guidelines for acceptance](#voting-and-guidelines)
 - [Possible additional items to check](#additional-items)
 - [Definitions](#definitions)
 - [FAQ](#FAQ)


I received a VOTE email, what do I do now?


Congratulations! You are about to participate in an important Apache Software Foundation activity. Reviewers must:

 - Download the source artifact and check it. (See below for **what** to check and **how** to check it.) See download instructions on website [(example)](http://taverna.incubator.apache.org/download/language/) and README.md files in each distribution [(example)](https://github.com/apache/incubator-taverna-language/blob/master/README.md).
 - Support the release manager by ... ?

###Helpful Tools
 
 - MD5 and SHA Checksum utility [(download)](http://download.cnet.com/MD5-SHA-Checksum-Utility/3000-2092_4-10911445.html) 
 - Text file difference checker: [(online)](https://www.diffchecker.com)
 -  PGP ... (add)

###Tips

 - Save the build output to a file. (Windows: **mvn clean install > file1.txt 2> file2.txt**)
 - tbd


##<a name="before-you-start">Before you start</a>

###Is there a reason *not* to do the release?
Speak up immediately if you know of a reason not to do the release. For example, if there is a critical security bugfix that has not been included, alert the community so it can be fixed before the release.

Each project community determines its release philosophy. Projects that "release early, release often," like Taverna, will likely allow certain bugfixes to wait until the next release. See the [guidelines](#voting-and-guidelines) for Taverna's release philosophy.

###Are the prerequisites installed?
The README.md file for each distribution *(source artifact?)* lists the prerequisites, such as which Java or Maven versions are required. [(example)](https://github.com/apache/incubator-taverna-language/blob/master/README.md)

###Download the release candidate(s)
Download the release candidate(s), including all hash and signature files, using the links in the VOTE email. (The release candidates are Zip files, the hash files are .md5 and .sha1 files, and the signature files are .asc files.)


##<a name="what-to-check">What to check</a>

###1. Checksums and PGP signatures are valid (rc)
See the [Release Signing](http://www.apache.org/dev/release-signing.html#basic-facts) dev documentation. (rc)

 - Check that the MD5 and SHA checksums of the downloaded release candidate match the values in the VOTE email.
 - Use the Apache Taverna [KEYS](https://www.apache.org/dist/incubator/taverna/KEYS) files to check that the [signature](http://www.apache.org/info/verification.html#CheckingSignatures) is valid.
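
One way to carry out both checks from a POSIX shell, as an added example that is not part of the original page or of the Taverna project's tooling. It assumes `md5sum`, `sha1sum` and `gpg` are installed, that the `.md5`, `.sha1` and `.asc` files sit next to the artifact, and that the KEYS file was downloaded from the link above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify a release candidate's checksum files and PGP signature.
# Function names are hypothetical; file names are supplied by the reviewer.

# Print the first hex digest of length $2 found in checksum file $1.
# Handles a bare digest as well as the "digest  filename" layout.
read_digest() {
    tr -c '0-9A-Fa-f' '\n' < "$1" |
        awk -v n="$2" 'length($0) == n { print tolower($0); exit }'
}

# Compare an artifact against its .md5 or .sha1 companion file.
# Returns 0 on match, 1 on mismatch or when no digest could be read.
check_sum() {   # usage: check_sum <artifact> <md5|sha1>
    artifact=$1
    kind=$2
    case $kind in
        md5)  tool=md5sum;  len=32 ;;
        sha1) tool=sha1sum; len=40 ;;
        *)    echo "unknown checksum type: $kind" >&2; return 2 ;;
    esac
    expected=$(read_digest "$artifact.$kind" "$len")
    actual=$("$tool" "$artifact" | awk '{ print tolower($1) }')
    if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
        echo "OK   $kind $artifact"
    else
        echo "FAIL $kind $artifact (expected '$expected', got '$actual')" >&2
        return 1
    fi
}

# Verify the detached .asc signature using only the project's KEYS file,
# imported into a throwaway keyring so that keys already present in the
# reviewer's own keyring cannot make the signature verify.
check_sig() {   # usage: check_sig <artifact> <KEYS file>
    tmp=$(mktemp -d) || return 1
    if gpg --homedir "$tmp" --batch --quiet --import "$2" 2>/dev/null &&
       gpg --homedir "$tmp" --batch --verify "$1.asc" "$1"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return "$rc"
}

# Run all three checks when called as: verify.sh <artifact.zip> <KEYS>
if [ "$#" -eq 2 ]; then
    check_sum "$1" md5 && check_sum "$1" sha1 && check_sig "$1" "$2"
fi
```

The checksums only show that the download is intact; the signature check against KEYS is what ties the artifact to a release manager's key.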

###2. Commit ID matches value in VOTE email.

Check that the git commit ID of each distribution matches the value in the VOTE email.

###3. [Disclaimer](http://incubator.apache.org/guides/branding.html#disclaimers) is correct and file names include "incubating" (rc)

 Disclaimer
 
 - Verify the incubator disclaimer is in a separate file called DISCLAIMER, residing inside the top-level distribution folder, along with the LICENSE and NOTICE files.
 - Verify the DISCLAIMER file text matches that in the [Podling Branding Guide](http://incubator.apache.org/guides/branding.html#disclaimers).
 
File names: Verify that all (??) file names include "incubating."

###4. Top-level [LICENSE](http://www.apache.org/licenses/LICENSE-2.0.txt) and [NOTICE](http://www.apache.org/legal/src-headers.html#notice) are correct for each distribution (rc)
(See the [Licensing How-To](http://www.apache.org/dev/licensing-howto.html), plus various pages under [Legal Affairs](http://www.apache.org/legal).) (rc)

Verify the top-level LICENSE and NOTICE files in the distribution match ASF guidelines, plus any Taverna-specific requirements.

*(Should the **required** Taverna license, notice, and source header text be on the website somewhere? So someone would know what they are supposed to look like? Or, at least, the basic ones.  Maybe some of LICENSE is too distribution specific.)*

###5. All source files have [license headers](http://www.apache.org/legal/src-headers.html#headers), where appropriate (rc)
(See the [ASF Source Header and Copyright Notice Policy](http://www.apache.org/legal/src-headers.html).) (rc)

Check that code (1) developed at the ASF or (2) developed elsewhere **and submitted by the copyright owner or owner's agent** has the [appropriate source file headers](http://www.apache.org/legal/src-headers.html#headers).

Check that all other source files [(third party files)](http://apache.org/legal/resolved.html#required-third-party-notices) have been [handled properly](http://www.apache.org/legal/src-headers.html#3party).

*(How does a reviewer know which code is in what category?)*

###6. The provenance of all source files is clear (ASF or software grants). (rc)
(See the [IP clearance](http://incubator.apache.org/guides/mentor.html#initial-ip-clearance) section of the Mentor's guide, as well as the [Releases](http://incubator.apache.org/incubation/Incubation_Policy.html#Releases) section of the Incubator's policy page.) (rc)

*(??? How do we demonstrate this?  How would a random reviewer know? Is this referring to CLAs and SGAs?)*

###7. Dependencies licenses are ok as per [http://apache.org/legal/](http://apache.org/legal/) (rc)

Check that all dependency licenses have been [handled correctly](http://www.apache.org/legal/resolved.html#faq) and that no [Category X](http://www.apache.org/legal/resolved.html#category-x) licenses have inadvertently been included.

*(How does this differ from number 5, source file headers?)*

*(I understand we can use the RAT plugin, but it seems like there should be some other way to double-check. For example, a master list of dependencies, or a list of exceptions? Does RAT provide an output list we could refer to?)*

###8. Release consists of source code only, no binaries. (rc)
(NOTE: CHECK BEFORE YOU BUILD.)

Each Apache release [must contain a source package](http://www.apache.org/dev/release-publishing.html#valid). This package may not contain compiled components (such as "jar" files) because compiled components are not open source, even if they were built from open source.

"The source artifact is the thing being released. Binaries and git are secondary." *(What is the implication for reviewers?)*
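
A sketch of this check for an unpacked source archive, as an added example that is not part of the original page or of the Taverna project's tooling. The function names and the list of extensions are assumptions; files are flagged by extension and by their first four bytes, so a renamed JAR or class file is still reported for the reviewer to judge.

```shell
#!/bin/sh
# Added example: list files in an unpacked source archive that look like
# compiled or packaged binaries. Run it BEFORE building, because the build
# itself creates target folders containing JARs and class files.
# Function names and the extension list are assumptions, not project policy.

# Print the first four bytes of a file as lowercase hex, e.g. "504b0304".
magic4() {
    head -c 4 "$1" | od -An -tx1 | tr -d ' \n'
}

# Print one line per candidate file: "<reason> <path>".
scan_binaries() {   # usage: scan_binaries <unpacked source dir>
    find "$1" -type f | while IFS= read -r f; do
        case $f in
            *.jar|*.war|*.ear|*.class|*.zip)
                echo "extension $f"
                continue ;;
        esac
        case $(magic4 "$f") in
            cafebabe) echo "java-class $f" ;;   # Java class file magic number
            504b0304) echo "zip-or-jar $f" ;;   # ZIP local file header (JARs too)
        esac
    done
}

# Succeed only when nothing was flagged; otherwise print the candidates.
source_only() {     # usage: source_only <unpacked source dir>
    found=$(scan_binaries "$1")
    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found" >&2
    return 1
}

# Run the scan when called as: scan.sh <unpacked source dir>
if [ "$#" -eq 1 ]; then
    source_only "$1"
fi
```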


###9. Build is successful, including automated tests (rc)
The expanded source archive is expected to [build and pass tests](http://www.apache.org/dev/release.html#what-must-every-release-contain).

 - Do not skip any automated unit tests (e.g., do not use -DskipTests=true).
 - The goal is to receive a BUILD SUCCESS message at the end of the building and testing process.


##<a name="how-to-check">How to check</a>

Detailed information about how to check a release is to be added.

##<a name="voting-and-guidelines">Voting and community guidelines for acceptance</a>

See also [Podling Releases and voting process](http://incubator.apache.org/incubation/Incubation_Policy.html#Releases) 

General review and voting requirements

 - Minimum vote: The minimum requirement is **three +1 votes** with a majority in favour.
 - Comments: The release manager decides how to handle comments.
 - Quality: Does the release quality level meet the group norms? (For example, "can we live with it?" vs "is it perfect?")

**Minimum** Taverna release review guidelines (TBR! Change at will!)
 
 - (All) Download at least one distribution (source-release-zip) and ensure it builds successfully *(Is this sufficient for a +1 vote?)* (PPMC members download all distributions?)
 - (All) Verify checksums and signatures
 - (PPMC members) each ensure accuracy of the following:
    - Top-level LICENSE and NOTICE files
    - Source file headers ("Apache" headers)
    - Dependency licenses
    - Source archive (does not include any binary files)
 - (At least one PPMC member) Verify commit ID

NOTE: Functional testing will be limited until the full Taverna suite has been released.


##<a name="additional-items">Possible additional items to check</a>
A list of possible additional items is maintained on the [ReleaseChecklist wiki](http://wiki.apache.org/incubator/ReleaseChecklist) page. Here is the list:

 - Provide build instructions, unless obvious. (rcw) *(obvious to whom?)*
 - Match each source archive *(define)* with the corresponding SCM *(define)* tag. (rcw)
 - Ensure RAT *(link? define?)* report is clean. (rcw)
 - Ensure change log is clean. (rcw) *("clean" is determined by each project? replace with "meets the community guidelines"?)* - this appears to be referring to release notes.
 - Ensure all copyright dates are current. (rcw)
 - Ensure issue tracker (e.g., JIRA) is clean. (rcw)
 - Run extended tests (if any) and ensure they pass. (rcw)
 - Test that build succeeds on all target platforms. (rcw)
 - Ensure documentation builds correctly. (rcw)
 - Ensure binary release does not contain redundant dependency archives. (rcw)

##<a name="definitions">Terms, definitions and additional information</a>

 - **source files**: Files downloaded from VOTE email. Includes *.java, *.xsd, and TBR. *(get better definition; is this what is contained in the source-release-zip file?)*
 - **binary files**: Created during **mvn clean install**. Located in target folders. Include pictures, ZIP files, and JAR files.
 - **license**: Terms and conditions for use of source code. For example, *Licensed under a Creative Commons Attribution 3.0 license.*
 - **notice**: Copyright notice. For example, *Copyright (c) 2012-2015 University of Manchester.* 
 - **source artifact**: *(same as source/ source files?)*
 - **distribution**: TBD
 - **dependency**: TBD
 - **provenance**: TBD 

##<a name="FAQ">FAQ</a> (TBR)

needed?


 - how do I...
 - where do I ...
 - ???
