This is an automated email from the ASF dual-hosted git repository.
aw pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/yetus.git
The following commit(s) were added to refs/heads/main by this push:
new df0a152b YETUS-327. Verify hash in rc branch (#322)
df0a152b is described below
commit df0a152b8afc16aee2d479110ccc28109f124f76
Author: Allen Wittenauer <[email protected]>
AuthorDate: Tue Sep 12 07:38:53 2023 -0700
YETUS-327. Verify hash in rc branch (#322)
Signed-off-by: Nick Dimiduk <[email protected]>
---
asf-site-src/source/contribute/releases.html.md | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/asf-site-src/source/contribute/releases.html.md
b/asf-site-src/source/contribute/releases.html.md
index b89f3e06..9a242f54 100644
--- a/asf-site-src/source/contribute/releases.html.md
+++ b/asf-site-src/source/contribute/releases.html.md
@@ -299,7 +299,7 @@ ASF policies require that binding votes on releases be cast
only after verifying
- Our `LICENSE` and `NOTICE` files must correctly propagate licensing
information for bundled products. The [Foundation's Licensing HOWTO
Guide](https://www.apache.org/dev/licensing-howto.html) provides guidance on
how these files should be maintained.
- Our software must only bundle compatibly licensed products; read [the
Licensing Policy's Category A list for compatible
licenses](https://www.apache.org/legal/resolved#category-a).
- Our software may only have a runtime dependency on a product with a
prohibit license if its use is optional; read [the Licensing Policy's Category
X list for prohibited
licenses](https://www.apache.org/legal/resolved#category-x) and [the Licensing
Policy's explanation of optional runtime
dependencies](https://www.apache.org/legal/resolved#optional).
-1. You SHOULD make sure the source release artifact corresponds to the
referenced commit hash in the [VOTE] thread. (This ASF policy is currently in
DRAFT status.) The release tag is how we'll provide long-term provenance
information for our downstream users. Since the release's source code artifact
will be the canonical representation of the release we vote on, it is essential
that it matches the contents of the version control system's tag. Given our
example above, you can check this w [...]
+1. You SHOULD make sure the source release artifact corresponds to the
referenced commit hash in the [VOTE] thread. A release tag that points to this
commit hash is how we'll provide long-term provenance information for our
downstream users. Since the release's source code artifact will be the
canonical representation of the release we vote on, it is essential that it
matches the contents of the version control system's tag. Given our example
above, you can check this with recursive diff.
NOTE: The `maven` plug-in that we use does not include some git control
files like `.gitignore` and `.gitattributes`. Additionally, it adds a
`DEPENDENCIES` file.
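Review bot: The new wording in the `+1.` paragraph still only names "recursive diff" as the check ("Given our example above, you can check this with recursive diff"), while the hash comparison that the paragraph's first sentence asks for is only introduced by the command added in the next hunk. Suggest extending the last sentence so the two steps are stated here, e.g. "you can check this by confirming the checked-out commit hash matches the one in the [VOTE] thread and then running a recursive diff", so a reader of the prose alone knows both checks are expected.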
@@ -307,6 +307,8 @@ ASF policies require that binding votes on releases be cast
only after verifying
$ mkdir apache-yetus-0.7.0-src_unpack
$ tar -C apache-yetus-0.7.0-src_unpack -xzf apache-yetus-0.7.0-src.tar.gz
$ git clone --single-branch --depth=1 --branch YETUS-585
'https://github.com/apache/yetus.git' apache-yetus-0.7.0-RC1-tag
+ $ git --C apache-yetus-0.7.0-RC1-tag show -1
+ .. verify the hash ...
$ diff -r apache-yetus-0.7.0-RC1-tag
apache-yetus-0.7.0-src_unpack/apache-yetus-0.7.0
```
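Review bot: The added line `$ git --C apache-yetus-0.7.0-RC1-tag show -1` uses `--C`, which git does not accept (it fails with an unknown-option error); the option to run a command from another working tree is single-dash `-C <path>`. Suggest `$ git -C apache-yetus-0.7.0-RC1-tag show -1`, or, since the purpose is to compare against the hash quoted in the [VOTE] thread, the narrower `$ git -C apache-yetus-0.7.0-RC1-tag rev-parse HEAD`, which prints only the full commit hash. The placeholder `.. verify the hash ...` could also be written with matching `...` on both sides for consistency.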