This is an automated email from the ASF dual-hosted git repository.

pingsutw pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/submarine.git


The following commit(s) were added to refs/heads/master by this push:
     new f4844c1  SUBMARINE-1089. Page of How to Verify
f4844c1 is described below

commit f4844c108063ed2eadd697fc8badb62e01315b5b
Author: featherchen <garychen0975321...@gmail.com>
AuthorDate: Sat Nov 20 17:07:19 2021 +0800

    SUBMARINE-1089. Page of How to Verify
    
    ### What is this PR for?
    <!-- A few sentences describing the overall goals of the pull request's 
commits.
    First time? Check out the contributing guide - 
https://submarine.apache.org/contribution/contributions.html
    -->
    Refer to https://inlong.apache.org/development/how-to-verify/
    Create a new page on the website which describes the process of verification of the release candidate.
    ### What type of PR is it?
    Documentation
    ### Todos
    
    ### What is the Jira issue?
    <!-- * Open an issue on Jira 
https://issues.apache.org/jira/browse/SUBMARINE/
    * Put link here, and add [SUBMARINE-*Jira number*] in PR title, eg. 
`SUBMARINE-23. PR title`
    -->
    https://issues.apache.org/jira/browse/SUBMARINE-1089
    ### How should this be tested?
    <!--
    * First time? Setup Travis CI as described on 
https://submarine.apache.org/contribution/contributions.html#continuous-integration
    * Strongly recommended: add automated unit tests for any new or changed 
behavior
    * Outline any manual steps to test the PR here.
    -->
    Please help me double-check whether there are mistakes in the article or not.
    ### Screenshots (if appropriate)
    ![Screenshot from 2021-11-20 
17-06-53](https://user-images.githubusercontent.com/57944334/142720880-89a51135-f97b-4160-90f4-00084aec3ece.png)
    
    ### Questions:
    * Do the license files need updating? No
    * Are there breaking changes for older versions? No
    * Does this need new documentation? No
    
    Author: featherchen <garychen0975321...@gmail.com>
    
    Signed-off-by: Kevin <pings...@apache.org>
    
    Closes #808 from featherchen/SUBMARINE-1089 and squashes the following 
commits:
    
    9b445e95 [featherchen] add HowToVerify page
---
 website/docs/devDocs/HowToVerify.md | 162 ++++++++++++++++++++++++++++++++++++
 website/sidebars.js                 |   1 +
 2 files changed, 163 insertions(+)

diff --git a/website/docs/devDocs/HowToVerify.md 
b/website/docs/devDocs/HowToVerify.md
new file mode 100644
index 0000000..2883692
--- /dev/null
+++ b/website/docs/devDocs/HowToVerify.md
@@ -0,0 +1,162 @@
+---
+title: How to Verify
+---
+
+<!--
+   Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+   http://www.apache.org/licenses/LICENSE-2.0
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+-->
+
+### Verification of the release candidate
+
+## 1. Download the candidate version to be released to the local environment
+
+```shell
+svn co 
https://dist.apache.org/repos/dist/dev/submarine/${release_version}-${rc_version}/
+```
+
+## 2. Verify whether the uploaded version is compliant
+
+> Begin the verification process, which includes but is not limited to the 
following content and forms.
+
+### 2.1 Check if the release package is complete
+
+> The package uploaded to dist must include the source code package, and the 
binary package is optional.
+
+1. Whether it includes the source code package.
+2. Whether it includes the signature of the source code package.
+3. Whether it includes the sha512 of the source code package.
+4. If the binary package is uploaded, also check the contents listed in 
(2)-(4).
+
+### 2.2 Check gpg signature
+
+- Import the public key
+
+```shell
+curl https://dist.apache.org/repos/dist/dev/submarine/KEYS > KEYS # Download 
KEYS
+gpg --import KEYS # Import KEYS to local
+```
+
+- Trust the public key
+  > Trust the KEY used in this version.
+
+```
+  gpg --edit-key xxxxxxxxxx # The KEY used in this version
+  gpg (GnuPG) 2.2.21; Copyright (C) 2020 Free Software Foundation, Inc.
+  This is free software: you are free to change and redistribute it.
+  There is NO WARRANTY, to the extent permitted by law.
+
+  Secret key is available.
+
+  sec  rsa4096/5EF3A66D57EC647A
+       created: 2020-05-19  expires: never       usage: SC
+       trust: ultimate      validity: ultimate
+  ssb  rsa4096/17628566FEED6AF7
+       created: 2020-05-19  expires: never       usage: E
+  [ultimate] (1). XXX YYYZZZ <youracco...@apache.org>
+
+  gpg> trust
+  sec  rsa4096/5EF3A66D57EC647A
+       created: 2020-05-19  expires: never       usage: SC
+       trust: ultimate      validity: ultimate
+  ssb  rsa4096/17628566FEED6AF7
+       created: 2020-05-19  expires: never       usage: E
+  [ultimate] (1). XXX YYYZZZ <youracco...@apache.org>
+
+  Please decide how far you trust this user to correctly verify other users' 
keys
+  (by looking at passports, checking fingerprints from different sources, etc.)
+
+    1 = I don't know or won't say
+    2 = I do NOT trust
+    3 = I trust marginally
+    4 = I trust fully
+    5 = I trust ultimately
+    m = back to the main menu
+
+  Your decision? 5 #choose 5
+  Do you really want to set this key to ultimate trust? (y/N) y # choose y
+
+  sec  rsa4096/5EF3A66D57EC647A
+       created: 2020-05-19  expires: never       usage: SC
+       trust: ultimate      validity: ultimate
+  ssb  rsa4096/17628566FEED6AF7
+       created: 2020-05-19  expires: never       usage: E
+  [ultimate] (1). XXX YYYZZZ <youracco...@apache.org>
+
+  gpg>
+
+  sec  rsa4096/5EF3A66D57EC647A
+       created: 2020-05-19  expires: never       usage: SC
+       trust: ultimate      validity: ultimate
+  ssb  rsa4096/17628566FEED6AF7
+       created: 2020-05-19  expires: never       usage: E
+  [ultimate] (1). XXX YYYZZZ <youracco...@apache.org>
+```
+
+- Use the following command to check the signature.
+
+```shell
+for i in *.tar.gz; do echo $i; gpg --verify $i.asc $i ; done
+#Or
+gpg --verify apache-submarine-${release_version}-src.tar.gz.asc 
apache-submarine-${release_version}-src.tar.gz
+# If you upload a binary package, you also need to check whether the signature 
of the binary package is correct.
+gpg --verify apache-submarine-server-${release_version}-bin.tar.gz.asc 
apache-submarine-server-${release_version}-bin.tar.gz
+gpg --verify apache-submarine-client-${release_version}-bin.tar.gz.asc 
apache-submarine-client-${release_version}-bin.tar.gz
+```
+
+- Check the result
+  > If something like the following appears, it means that the signature is 
correct. The keyword:**`Good signature`**
+
+```shell
+apache-submarine-${release_version}-src.tar.gz
+gpg: Signature made Sat May 30 11:45:01 2020 CST
+gpg:                using RSA key 9B12C2228BDFF4F4CFE849445EF3A66D57EC647A
+gpg: Good signature from "XXX YYYZZZ <youracco...@apache.org>" [ultimate]gular2
+```
+
+### 2.3 Check sha512 hash
+
+> After calculating the sha512 hash locally, verify whether it is consistent 
with the one on dist.
+
+```shell
+for i in *.tar.gz; do echo $i; gpg --print-md SHA512 $i; done
+#Or
+gpg --print-md SHA512 apache-submarine-${release_version}-src.tar.gz
+# If you upload a binary package, you also need to check the sha512 hash of 
the binary package.
+gpg --print-md SHA512 apache-submarine-server-${release_version}-bin.tar.gz
+gpg --print-md SHA512 apache-submarine-client-${release_version}-bin.tar.gz
+# 或者
+for i in *.tar.gz.sha512; do echo $i; sha512sum -c $i; done
+```
+
+### 2.4. Check the file content of the source package.
+
+Unzip `apache-submarine-${release_version}-src.tar.gz` and check as follows:
+
+- Whether the DISCLAIMER file exists and whether the content is correct.
+- Whether the LICENSE and NOTICE file exists and whether the content is 
correct.
+- Whether all files have ASF License header.
+- Whether the source code can be compiled normally.
+- Whether the single test is passed.
+- ....
+
+### 2.5 Check the binary package (if the binary package is uploaded)
+
+Unzip `apache-submarine-client-${release_version}-src.tar.gz` and ` 
apache-submarine-server-${release_version}-src.tar.gz`, then check as follows:
+
+- Whether the DISCLAIMER file exists and whether the content is correct.
+- Whether the LICENSE and the NOTICE file exists and whether the content is 
correct.
+- Whether the deployment is successful.
+- Deploy a test environment to verify whether production and consumption can 
run normally.
+- Verify what you think might go wrong.
+- ....
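Review bot: In section 2.2, the "Trust the public key" step has the verifier answer `5` ("I trust ultimately") for a key that was just imported from the KEYS file in the same dist/dev tree as the artifacts, so a `Good signature` result only shows that the tarball and that KEYS file agree with each other; the gpg prompt quoted in the same block already asks for fingerprints to be checked from different sources. I would add a step before `gpg --edit-key` that compares the key's full fingerprint (the value printed on the `using RSA key` line) with one obtained independently of the download, and either drop the ultimate-trust step or say why it is needed, since `gpg --verify` reports a good signature without it. Smaller points in the same file: item 4 of the 2.1 list refers to "(2)-(4)" although the preceding items are 1 to 3; the sample output ends with stray text in `[ultimate]gular2`; the `# 或者` comment in 2.3 is left untranslated; the `gpg --print-md SHA512` commands only print a digest and leave the comparison to the reader, unlike the `sha512sum -c` loop; section 2.5 names the binary archives with `-src.tar.gz` while 2.2 calls them `-bin.tar.gz`; and the page opens with a `###` heading above its `##` sections.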
diff --git a/website/sidebars.js b/website/sidebars.js
index 465c78a..a9a34e8 100644
--- a/website/sidebars.js
+++ b/website/sidebars.js
@@ -62,6 +62,7 @@ module.exports = {
                 "devDocs/Development",
                 "devDocs/IntegrationTestK8s",
                 "devDocs/IntegrationTestE2E",
+                "devDocs/HowToVerify",
             ],
             Community: [
                 "community/README",
