This is an automated email from the ASF dual-hosted git repository. pingsutw pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/submarine.git
The following commit(s) were added to refs/heads/master by this push:

     new f4844c1  SUBMARINE-1089. Page of How to Verify

f4844c1 is described below

commit f4844c108063ed2eadd697fc8badb62e01315b5b
Author: featherchen <garychen0975321...@gmail.com>
AuthorDate: Sat Nov 20 17:07:19 2021 +0800

    SUBMARINE-1089. Page of How to Verify

    ### What is this PR for?
    <!-- A few sentences describing the overall goals of the pull request's commits. First time? Check out the contributing guide - https://submarine.apache.org/contribution/contributions.html -->
    Refer to https://inlong.apache.org/development/how-to-verify/
    Create a new page on the website which describes the process of verification of the release candidate.

    ### What type of PR is it?
    Documentation

    ### Todos

    ### What is the Jira issue?
    <!-- * Open an issue on Jira https://issues.apache.org/jira/browse/SUBMARINE/ * Put link here, and add [SUBMARINE-*Jira number*] in PR title, eg. `SUBMARINE-23. PR title` -->
    https://issues.apache.org/jira/browse/SUBMARINE-1089

    ### How should this be tested?
    <!-- * First time? Setup Travis CI as described on https://submarine.apache.org/contribution/contributions.html#continuous-integration * Strongly recommended: add automated unit tests for any new or changed behavior * Outline any manual steps to test the PR here. -->
    Please help me double-check whether there are mistakes in the article or not.

    ### Screenshots (if appropriate)
    ![Screenshot from 2021-11-20 17-06-53](https://user-images.githubusercontent.com/57944334/142720880-89a51135-f97b-4160-90f4-00084aec3ece.png)

    ### Questions:
    * Do the license files need updating? No
    * Are there breaking changes for older versions? No
    * Does this need new documentation? No

    Author: featherchen <garychen0975321...@gmail.com>
Signed-off-by: Kevin <pings...@apache.org> Closes #808 from featherchen/SUBMARINE-1089 and squashes the following commits: 9b445e95 [featherchen] add HowToVerify page --- website/docs/devDocs/HowToVerify.md | 162 ++++++++++++++++++++++++++++++++++++ website/sidebars.js | 1 + 2 files changed, 163 insertions(+) diff --git a/website/docs/devDocs/HowToVerify.md b/website/docs/devDocs/HowToVerify.md new file mode 100644 index 0000000..2883692 --- /dev/null +++ b/website/docs/devDocs/HowToVerify.md 
@@ -0,0 +1,162 @@ +--- +title: How to Verify +--- + +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + http://www.apache.org/licenses/LICENSE-2.0 + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> + +### Verification of the release candidate + +## 1. Download the candidate version to be released to the local environment + +```shell +svn co https://dist.apache.org/repos/dist/dev/submarine/${release_version}-${rc_version}/ +``` + +## 2. Verify whether the uploaded version is compliant + +> Begin the verification process, which includes but is not limited to the following content and forms. + +### 2.1 Check if the release package is complete + +> The package uploaded to dist must include the source code package, and the binary package is optional. + +1. Whether it includes the source code package. +2. Whether it includes the signature of the source code package. +3. Whether it includes the sha512 of the source code package. +4. If the binary package is uploaded, also check the contents listed in (2)-(4). + +### 2.2 Check gpg signature + +- Import the public key + +```shell +curl https://dist.apache.org/repos/dist/dev/submarine/KEYS > KEYS # Download KEYS +gpg --import KEYS # Import KEYS to local +``` + +- Trust the public key + > Trust the KEY used in this version. 
+ +``` + gpg --edit-key xxxxxxxxxx # The KEY used in this version + gpg (GnuPG) 2.2.21; Copyright (C) 2020 Free Software Foundation, Inc. + This is free software: you are free to change and redistribute it. + There is NO WARRANTY, to the extent permitted by law. + + Secret key is available. + + sec rsa4096/5EF3A66D57EC647A + created: 2020-05-19 expires: never usage: SC + trust: ultimate validity: ultimate + ssb rsa4096/17628566FEED6AF7 + created: 2020-05-19 expires: never usage: E + [ultimate] (1). XXX YYYZZZ <youracco...@apache.org> + + gpg> trust + sec rsa4096/5EF3A66D57EC647A + created: 2020-05-19 expires: never usage: SC + trust: ultimate validity: ultimate + ssb rsa4096/17628566FEED6AF7 + created: 2020-05-19 expires: never usage: E + [ultimate] (1). XXX YYYZZZ <youracco...@apache.org> + + Please decide how far you trust this user to correctly verify other users' keys + (by looking at passports, checking fingerprints from different sources, etc.) + + 1 = I don't know or won't say + 2 = I do NOT trust + 3 = I trust marginally + 4 = I trust fully + 5 = I trust ultimately + m = back to the main menu + + Your decision? 5 #choose 5 + Do you really want to set this key to ultimate trust? (y/N) y # choose y + + sec rsa4096/5EF3A66D57EC647A + created: 2020-05-19 expires: never usage: SC + trust: ultimate validity: ultimate + ssb rsa4096/17628566FEED6AF7 + created: 2020-05-19 expires: never usage: E + [ultimate] (1). XXX YYYZZZ <youracco...@apache.org> + + gpg> + + sec rsa4096/5EF3A66D57EC647A + created: 2020-05-19 expires: never usage: SC + trust: ultimate validity: ultimate + ssb rsa4096/17628566FEED6AF7 + created: 2020-05-19 expires: never usage: E + [ultimate] (1). XXX YYYZZZ <youracco...@apache.org> +``` + +- Use the following command to check the signature. 
+ +```shell +for i in *.tar.gz; do echo $i; gpg --verify $i.asc $i ; done +#Or +gpg --verify apache-submarine-${release_version}-src.tar.gz.asc apache-submarine-${release_version}-src.tar.gz +# If you upload a binary package, you also need to check whether the signature of the binary package is correct. +gpg --verify apache-submarine-server-${release_version}-bin.tar.gz.asc apache-submarine-server-${release_version}-bin.tar.gz +gpg --verify apache-submarine-client-${release_version}-bin.tar.gz.asc apache-submarine-client-${release_version}-bin.tar.gz +``` + +- Check the result + > If something like the following appears, it means that the signature is correct. The keyword:**`Good signature`** + +```shell +apache-submarine-${release_version}-src.tar.gz +gpg: Signature made Sat May 30 11:45:01 2020 CST +gpg: using RSA key 9B12C2228BDFF4F4CFE849445EF3A66D57EC647A +gpg: Good signature from "XXX YYYZZZ <youracco...@apache.org>" [ultimate]gular2 +``` + +### 2.3 Check sha512 hash + +> After calculating the sha512 hash locally, verify whether it is consistent with the one on dist. + +```shell +for i in *.tar.gz; do echo $i; gpg --print-md SHA512 $i; done +#Or +gpg --print-md SHA512 apache-submarine-${release_version}-src.tar.gz +# If you upload a binary package, you also need to check the sha512 hash of the binary package. +gpg --print-md SHA512 apache-submarine-server-${release_version}-bin.tar.gz +gpg --print-md SHA512 apache-submarine-client-${release_version}-bin.tar.gz +# 或者 +for i in *.tar.gz.sha512; do echo $i; sha512sum -c $i; done +``` + +### 2.4. Check the file content of the source package. + +Unzip `apache-submarine-${release_version}-src.tar.gz` and check as follows: + +- Whether the DISCLAIMER file exists and whether the content is correct. +- Whether the LICENSE and NOTICE file exists and whether the content is correct. +- Whether all files have ASF License header. +- Whether the source code can be compiled normally. +- Whether the single test is passed. 
+- .... + +### 2.5 Check the binary package (if the binary package is uploaded) + +Unzip `apache-submarine-client-${release_version}-src.tar.gz` and ` apache-submarine-server-${release_version}-src.tar.gz`, then check as follows: + +- Whether the DISCLAIMER file exists and whether the content is correct. +- Whether the LICENSE and the NOTICE file exists and whether the content is correct. +- Whether the deployment is successful. +- Deploy a test environment to verify whether production and consumption can run normally. +- Verify what you think might go wrong. +- .... diff --git a/website/sidebars.js b/website/sidebars.js index 465c78a..a9a34e8 100644 --- a/website/sidebars.js +++ b/website/sidebars.js @@ -62,6 +62,7 @@ module.exports = { "devDocs/Development", "devDocs/IntegrationTestK8s", "devDocs/IntegrationTestE2E", + "devDocs/HowToVerify", ], Community: [ "community/README",
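Review bot: In section 2.2 of HowToVerify.md, the "Trust the public key" step has the verifier answer `5` (ultimate) for the release manager's key straight after importing KEYS from the same `https://dist.apache.org/repos/dist/dev/submarine/` tree that holds the artifacts under test, so the `Good signature ... [ultimate]` result only shows that the tarball matches whatever key that file supplied. Suggest adding a step that compares the full fingerprint printed on the `using RSA key ...` line against a source other than the dev dist directory before the key is relied on, and dropping the ultimate-trust instruction: as the prompt in the transcript says, ownertrust is about how far the key's owner is trusted "to correctly verify other users' keys", level 5 is meant for the verifier's own keys, and `gpg --verify` reports a good signature without it. Smaller points in the same hunk: item 4 of section 2.1 refers to "(2)-(4)" although the list above it only has items 1 to 3; the sample output in 2.2 ends with stray text (`[ultimate]gular2`); the commands in 2.3 using `gpg --print-md SHA512` only print a digest and leave the comparison to the reader, so it is worth saying that `sha512sum -c` is the form that actually compares; the last block in 2.3 still carries an untranslated `# 或者` comment ("Or"); the heading `### Verification of the release candidate` sits above `## 1.`, so the heading levels are inverted; the loops use unquoted `$i`; and section 2.5 tells the reader to unzip the client and server `-src.tar.gz` files although it covers the binary packages, which 2.2 names `-bin.tar.gz`.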