You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 36 Next »

 March 2, 2016 - Working Draft

Introduction

This document is for software release reviewers and describes how to review an Apache Taverna incubator release, not how to prepare the release candidate. 

Contents

 NOTE: In this document, items from the ASF release checklist are identified by (RC) and items from the ReleaseChecklist wiki are identified by (RCw).

 - I received a VOTE email, what do I do now?
 - Before you start
 - What to check
 - How to check
 - Voting and community guidelines for acceptance
 - Possible additional items to check
 - Definitions
 

I received a VOTE email, what do I do now?

Congratulations! You are about to participate in a important Apache Software Foundation activity. This document focuses on what is required to review a Taverna release. Details: How to Review A Release will walk you through the steps in more detail, if necessary.

Reviewer's tasks

Reviewers must:

    • Download the source artifact and check it. 
      • See download instructions in the README file (example).
      • This document contains information about **what** to check and **how** to check it. 
      • For more information see Details: How to Review A Release
    • Support the release manager by ... ? commenting on the DISCUSS thread?

Tools

Some necessary and optional tools:

    • GPG (required)
    • MD5 and SHA Checksum utility (optional) [download]

    • Text file difference checker (optional) [online]

Before you start

Is there a reason not to do the release?

Speak up immediately if you know of a reason not to do the release. For example, if there is a critical security bugfix that has not been included, alert the community so it can be fixed before the release.

Each project community determines its release philosophy. Projects that "release early, release often." like Taverna, will likely allow certain bugfixes to wait until the next release. See the guidelines for Taverna's release philosophy.

Are the prerequisites installed?

The README.md file for each distribution lists the prerequisites, such as which Java or Maven versions are required. [example]

Download the release candidate(s)

Download the release candidate(s), including all hash and signature files, using the links in the VOTE email. (The release candidates are Zip files, the hash files are .md5 and .sha1 files, and the signature files are .asc files.)

What to check

1. Checksums and PGP signatures are valid (RC)

Check that the MD5 and SHA checksums of the downloaded release candidate match the values in the VOTE email.

Use the Apache Taverna KEYS files to check that the signature is valid.

(See the Release Signing dev documentation. (RC) )

2. Commit ID matches value in VOTE email.

Check that the git commit ID of each distribution matches the value in the VOTE email.

3. Disclaimer is correct and file names include "incubating" (RC)

Disclaimer

    • Verify the incubator disclaimer is in a separate file called DISCLAIMER, residing inside the top-level distribution folder, along with the LICENSE and NOTICE files.
    • Verify the DISCLAIMER file text matches that in the Podling Branding Guide.

File names: Verify that all (??) file names include "incubating."

4. Top-level LICENSE and NOTICE are correct for each distribution (RC)

Verify the top-level LICENSE and NOTICE files in the distribution match ASF guidelines, plus any Taverna-specific requirements.

See Details: How to Review A Release for more information. (Also, see the Licensing How-To, plus various pages under Legal Affairs. (RC) )

5. All source files have license headers, where appropriate (RC)

(See the ASF Source Header and Copyright Notice Policy. (RC) )

(How does a reviewer know which code is in what category?)

6. The provenance of all source files is clear (ASF or software grants). (RC)

(See the IP clearance section of the Mentor's guide, as well as the Releases section of the Incubator's policy page.} (RC)

(??? How do we demonstrate this?  How would a random reviewer know? Is this referring to CLAs and SGAs?)

7. Dependencies licenses are ok as per http://apache.org/legal/](http://apache.org/legal/ (RC)

Check that all dependency licenses have been handled correctly and that no Category X licenses have inadvertently been included.

(How does this differ from number 5, source file headers?)   (I understand we can use the RAT plugin, but it seems like there should be some other way to double-check. For example, a master list of dependencies, or a list of exceptions? Does RAT provide an output list we could refer to?)

8. Release consists of source code only, no binaries. (RC)

(NOTE: CHECK THIS BEFORE YOU BUILD.)

Each Apache release must contain a source package. This package may not contain compiled components (such as "jar" files) because compiled components are not open source, even if they were built from open source.

"The source artifact is the thing being released. Binaries and git are secondary." (What is the implication for reviewers?)

9. Build is successful, including automated tests (RC)

The expanded source archive is expected to build and pass tests.

Do not skip any automated unit tests (E.g., do not use -DskipTests=true)

The goal is to receive a BUILD SUCCESS message at the end of the building and testing process.

10.0 Verify the source produces the correct binaries

In addition to cursory checks of the jars, at least one person should check that all ataged JARs are the same as those built from the downloaded release candidate. (One approach is to do a recursive wget of the repository , and then compare the result of "find . -name '*jar'" in the wget-tree with */*/target/*.jar.)

NOTE: Binary releases are considered "convenience only" and are not crucial for the vote: The source release is what everything else should be made from. However, in practical terms most people download the binaries from the Maven repository, so it is important this is checked at least once.

How to check

Details: How to Review A Release contains detailed instructions for how to check (verify) the release.

Voting and community guidelines for acceptance

See also Podling Releases and voting process.

General review and voting requirements

    • Minimum vote: The minimum requirement is **three +1 votes** with a majority in favour.
    • Comments: The release manager decides how to handle comments.
    • Quality: Does the release quality level meet the group norms? (For example, "can we live with it?" vs "is it perfect?")

Minimum Taverna release review guidelines (TBR! Change at will!)

    • (All) Download at least one distribution (source-release-zip) and ensure it builds successfully *(Is this sufficient for a +1 vote?)* (PPMC members download all distributions?)
    • (All) Verify checksums and signatures
    • (PPMC members) each ensure accuracy of the following:
      • Top-level LICENSE and NOTICE files
      • Source file headers ("Apache" headers)
      • Dependency licenses
      • Source archive (does not include any binary files)
    • (At least one PPMC member) Verify commit ID  

NOTE: Functional testing will be limited until the full Taverna suite has  been released. 

Possible additional items to check

A list of possible additional items is maintained on the ReleaseChecklist wiki page. This is the list (as of 3/2016):

Provide build instructions, unless obvious. (RCw) *(obvious to whom?)*
Match each source archive *(define)* with the corresponding SCM *(define)* tag. (RCw)
Ensure RAT *(link? define?)* report is clean. (RCw)
Ensure change log is clean. (RCw) *("clean" is determined by each project? replace with "meets the community guidelines"?)* - this appears to be referring to release notes.
Ensure all copyright dates are current. (RCw)
Ensure issue tracker (e.g., JIRA) is clean.  (RCw)
Run extended tests (if any) and ensure they pass.(RCw)
Test that build succeeds on all target platforms.(RCw)
Ensure documentation builds correctly.(RCw)
Ensure binary release does not contain redundant dependency archives.(RCw)

Terms, definitions and additional information

Move this to "How to Check"

 - **source files**: Files downloaded from VOTE email. Includes *.java, *xsd, and TBR. *(get better definition; is this what is contained in the source-release-zip file? )*
 - **binary files**: Created during **mvn clean install**. Located in target folders. Include pictures, ZIP files, and JAR files.
 - **license**: Terms and conditions for use of source code. For example, *Licensed under a Creative Commons Attribution 3.0 license.*
 - **notice**: Copyright notice. For example, *Copyright (c) 2012-2015 University of Manchester.*
 - **source artifact***(same as source/ source files?)*
 - **distribution**: TBD
 - **dependency**: TBD
 - **provenance**: TBD 

  • No labels