Hi Suresh,

First of all, major kudos on making this release!

Here's my feedback, I don't think any of these are blockers

- INSTALL says version "0.14"
- NOTICE says "Apache Airavata Copyright 2014 The Apache Software Foundation". Should that be Copyright 2014-2019? [1]

Thanks for the signature verification notes. Regarding that, I had to install the signing key

gpg --keyserver pgpkeys.mit.edu --recv-key 617DDBAD

Then I was able to verify the signatures.

Thanks,

Marcus

[1] http://www.apache.org/legal/src-headers.html#notice

> On Mar 22, 2019, at 12:03 PM, Suresh Marru <[email protected]> wrote:
>
> Hi All,
>
> If you are looking to verify release signatures, here is a quick tip:
>
> * download all release artifacts into a folder or do a svn checkout of the release - `svn co https://dist.apache.org/repos/dist/dev/airavata/0.17/RC1/`
>
> * Verify signatures by a small script something like:
>
> for file in `find . -type f -iname '*.asc'`
> do
>     gpg --verify "${file}"
> done
>
> The output will indicate the You'll need to look at the output to ensure it contains only good signatures -
>
> gpg: Good signature from ...
> gpg: Signature made …
>
> Once you verify the signature, next step is to uncompress the source and verify it builds fine.
>
> This link provides guidance on release verifications:
>
> https://www.apache.org/info/verification
>
> Cheers,
> Suresh
>
>> On Mar 21, 2019, at 1:07 AM, Suresh Marru <[email protected]> wrote:
>>
>> Discussion thread for vote on Apache Airavata 0.17 release candidate.
>>
>> If you have any questions or feedback or to post results of validating the release, please reply to this thread. Once you verify the release, please post your vote to the VOTE thread.
>>
>> For reference, the Apache release guide - http://www.apache.org/dev/release.html
>>
>> Some tips to validate the release before you vote:
>>
>> * Download the binary version and run the 5 minute or 10 minute tutorial as described in README and website.
>> * Download the source files from compressed files and release tag and build (which includes tests).
>> * Verify the distribution for the required LICENSE and NOTICE files
>> * Verify if all the staged files are signed and the signature is verifiable.
>> * Verify if the signing key in the project's KEYS file is hosted on a public server
>>
>> Thanks for your time in validating the release and voting,
>> Suresh
>> (On Behalf of Airavata PMC)
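Added example, not part of the thread or of the Airavata project: the loop quoted above leaves the result to be read off gpg's output by eye, and the key was fetched by the short ID 617DDBAD, which does not uniquely identify a key. The script below turns the check into a pass/fail result by parsing gpg's machine-readable `--status-fd` output and pinning the signer's full fingerprint. The function names, the KEYS file path and the fingerprint argument are assumptions supplied by the caller, and the sample fingerprint is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: pass/fail check of detached signatures.
# KEYS path and the pinned fingerprint are supplied by the caller.

# sig_ok FPR: reads `gpg --status-fd` lines on stdin. Succeeds only when a
# VALIDSIG names FPR as the primary key and no failure status appears.
sig_ok() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)$/ { bad = 1 }
        # Last VALIDSIG field is the primary key fingerprint (GnuPG 2.x).
        $2 == "VALIDSIG" && toupper($NF) == toupper(want) { good = 1 }
        END { exit (good && !bad) ? 0 : 1 }
    '
}

# verify_release DIR KEYS_FILE FPR: checks every *.asc under DIR against the
# file it signs, using a throwaway keyring that holds only KEYS_FILE.
verify_release() (
    dir=$1 keys=$2 fpr=$3
    [ -n "$fpr" ] || exit 2
    GNUPGHOME=$(mktemp -d) || exit 2
    export GNUPGHOME
    trap 'rm -rf "$GNUPGHOME"' EXIT
    gpg --batch --quiet --import "$keys" || exit 2
    find "$dir" -type f -name '*.asc' > "$GNUPGHOME/asc.list"
    rc=0
    while IFS= read -r asc; do
        if gpg --batch --status-fd 1 --verify "$asc" "${asc%.asc}" 2>/dev/null |
            sig_ok "$fpr"; then
            echo "OK   $asc"
        else
            echo "FAIL $asc"
            rc=1
        fi
    done < "$GNUPGHOME/asc.list"
    exit "$rc"
)

# Constructed sample of status output (placeholder fingerprint, not a real key).
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_STATUS="[GNUPG:] GOODSIG 89ABCDEF01234567 Release Manager
[GNUPG:] VALIDSIG $SAMPLE_FPR 2019-03-21 1553144820 0 4 0 1 10 00 $SAMPLE_FPR"

if [ "$#" -eq 3 ]; then verify_release "$@"; fi
```

Run it as `sh script.sh <release-dir> <KEYS-file> <full-fingerprint>`; the exit status is non-zero if any `.asc` fails or is signed by a different key.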
