I think these are reasonable to add, we probably should also verify there
are no binaries of any kind in the release tarball. Sometimes builds
accidentally leak these.
On Tue, Aug 20, 2024 at 8:36 AM Piotr Findeisen <piotr.findei...@gmail.com>
wrote:
> Hi All,
>
> Hi
>
> The release verification [1] includes testing release source tarball
> builds and also testing the binaries with downstream projects.
>
> Does it also contain, should it contain or is it a conscious omission of:
>
> 1. verifying the source tarball is what it should be (source matches the
> git repo state)
> 2. verifying the binaries are what should be built from the source
> ("repeatable builds")
>
> Best
> Piotr
>
> [1]
> https://iceberg.apache.org/how-to-release/#validating-a-source-release-candidate
> .
>
>
