> > * There's no copyright or NOTICE file in source jar artifact.
>
> I'll double-check, but I do not remember this mentioned in the Apache guide
> I've followed, it's worth adding this information there if it's missing.

These links have a lot of info
 - http://www.apache.org/legal/release-policy.html
 - http://www.apache.org/dev/release-publishing.html
 - http://www.apache.org/dev/release-distribution

The Incubator is (overly) strict on releases, so their docs can be helpful too.
 - https://cwiki.apache.org/confluence/display/INCUBATOR/ReleaseChecklist
 - http://incubator.apache.org/guides/releasemanagement.html

What was the guide you were using?

> > * What key has been used to sign?
>
> Can you provide more specific details on that? Apache guide I've followed
> said you have to sign with your own key, which was what I've done. If this
> is not the case, it'd be great to know which key I should use. I did upload
> public key to ubuntu keystore for verification too.

You need to sign with your own key, and the public key needs to be in our KEYS file.

( Also, the gpg key needs to reside, and the release made, on hardware owned and only controlled (exclusively full administrative/superuser access) by you. https://www.apache.org/dev/release-signing.html )

> > * The scm SHA is not mentioned in the vote.
>
> True; branch is not merged since Cassandra patch that depends on it is not
> finalized. But to comply with Apache processes we can just merge the branch.

It doesn't matter on what branch the SHA is on, just so long as the SHA that the release was cut from is announced, so the release is reproducible also from scm. A git tag also helps.

cheers,
Mick
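
Added example, not part of the message above and not Apache tooling: a pre-vote check for two of the points raised in the thread, that the source jar carries LICENSE and NOTICE files and that the vote text names a full commit SHA. The `META-INF/` location, the function names and the sample jar and vote text are assumptions constructed for illustration; the signature check against the KEYS file is not covered here.

```python
import io
import re
import zipfile

# Assumption: legal files sit under META-INF/ in the jar (common Apache layout).
REQUIRED = ("LICENSE", "NOTICE")
SHA_RE = re.compile(r"\b[0-9a-f]{40}\b")  # full-length git commit id

def missing_legal_files(jar_bytes):
    """Return the required legal files absent from META-INF/ in a jar."""
    present = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            parts = name.split("/")
            if len(parts) == 2 and parts[0] == "META-INF":
                # Accept NOTICE, NOTICE.txt, NOTICE.md and so on.
                present.add(parts[1].split(".")[0].upper())
    return [f for f in REQUIRED if f not in present]

def vote_commit_shas(vote_text):
    """Return full-length commit SHAs announced in a vote e-mail."""
    return SHA_RE.findall(vote_text.lower())

def check_candidate(jar_bytes, vote_text):
    """Return findings as strings; an empty list means both checks pass."""
    findings = [f"source jar lacks META-INF/{f}"
                for f in missing_legal_files(jar_bytes)]
    if not vote_commit_shas(vote_text):
        findings.append("vote does not name the commit SHA of the release")
    return findings

def build_jar(files):
    """Build an in-memory jar from {path: text} for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for path, text in files.items():
            jar.writestr(path, text)
    return buf.getvalue()

# Constructed sample data, not taken from the thread.
BAD_JAR = build_jar({"org/example/Foo.java": "class Foo {}"})
GOOD_JAR = build_jar({"META-INF/LICENSE": "Apache License 2.0",
                      "META-INF/NOTICE.txt": "constructed sample notice",
                      "org/example/Foo.java": "class Foo {}"})
BAD_VOTE = "[VOTE] Release 1.0: artifacts are staged, please vote."
GOOD_VOTE = "[VOTE] Release 1.0, cut from commit " + "ab12" * 10

if __name__ == "__main__":
    print(check_candidate(BAD_JAR, BAD_VOTE))
    print(check_candidate(GOOD_JAR, GOOD_VOTE))
```

The 40-character pattern deliberately rejects abbreviated SHAs and longer digests, since only a full commit id pins the release to one point in scm.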