Re: checklist for release

2016-10-18 Thread Josh Elser

Ps, I'd recommend getting this up onto the Rya website :)

David Lotts wrote:

Some additional detail:

Here's a checklist for things to consider when evaluating the release

candidate:

1. Download the sources and verify they compile cleanly.

2. Validate the hashes match.

3. Validate that the sources contain no unexpected binaries.
Run the find/grep command:  find . -type f  | grep -v
'\/test\/\|\/site\/\|\.java\|\.xml\|\.xsl\|\.groovy\|\.
properties\|\.sh\|\.bat\|\.md\|\.txt'
which looks for all files that don't have one of the approved extensions.

4. Validate the signature for the build and hashes.
Verify .asc files found at [1] using the Aaron's public key: [2]  Then
verify hashes of these files.


Here are the commands: [3]

a. Install GPG.
b. import Aaron's key from Apache [2]:
 gpg --keyserver
https://dist.apache.org/repos/dist/dev/incubator/rya/KEYS --recv-key
F50EAE1A

c. Download the files at [1] and run this in that folder:
 gpg --verify rya-project-3.2.10-incubating-source-release.zip.asc

If you see "*Good signature*" from the verify, that is good enough as long
as you feel strongly that you have Aaron's real public key.  To eliminate
the warning, either trust Aaron's key "ultimately" or let it find a trusted
path to a key that you trust ultimately.

[1] https://repository.apache.org/content/repositories/
orgapacherya-1002/org/apache/rya/rya-project/3.2.10-incubating/
[2] https://dist.apache.org/repos/dist/release/incubator/rya/KEYS
[3]  https://httpd.apache.org/dev/verification.html


5. Validate the LICENSE/NOTICE/Headers.
Verify that each project contains the ASF license and notice files.
Run the grep command:  fgrep -Ri 'copyright' rya-project-3.2.10 | fgrep -v
'The ASF licenses this file'
This should return only License and Notice files in rya-project-3.2.10.
The license files
and the notice files should be consistent with the ASF license and ASF
copyright statement.  Verify that only
the notice files contains the ASF copyright statement.











Re: checklist for release

2016-10-17 Thread David Lotts
Some additional detail:

Here's a checklist for things to consider when evaluating the release
> candidate:
>
> 1. Download the sources and verify they compile cleanly.
>
> 2. Validate the hashes match.
>
> 3. Validate that the sources contain no unexpected binaries.
> Run the find/grep command:  find . -type f  | grep -v
> '\/test\/\|\/site\/\|\.java\|\.xml\|\.xsl\|\.groovy\|\.
> properties\|\.sh\|\.bat\|\.md\|\.txt'
> which looks for all files that don't have one of the approved extensions.
>
> 4. Validate the signature for the build and hashes.
> Verify .asc files found at [1] using the Aaron's public key: [2]  Then
> verify hashes of these files.
>
Here are the commands: [3]

a. Install GPG.
b. import Aaron's key from Apache [2]:
gpg --keyserver
https://dist.apache.org/repos/dist/dev/incubator/rya/KEYS --recv-key
F50EAE1A

c. Download the files at [1] and run this in that folder:
gpg --verify rya-project-3.2.10-incubating-source-release.zip.asc

If you see "*Good signature*" from the verify, that is good enough as long
as you feel strongly that you have Aaron's real public key.  To eliminate
the warning, either trust Aaron's key "ultimately" or let it find a trusted
path to a key that you trust ultimately.

[1] https://repository.apache.org/content/repositories/
orgapacherya-1002/org/apache/rya/rya-project/3.2.10-incubating/
[2] https://dist.apache.org/repos/dist/release/incubator/rya/KEYS
[3]  https://httpd.apache.org/dev/verification.html

>
> 5. Validate the LICENSE/NOTICE/Headers.
> Verify that each project contains the ASF license and notice files.
> Run the grep command:  fgrep -Ri 'copyright' rya-project-3.2.10 | fgrep -v
> 'The ASF licenses this file'
> This should return only License and Notice files in rya-project-3.2.10.
> The license files
> and the notice files should be consistent with the ASF license and ASF
> copyright statement.  Verify that only
> the notice files contains the ASF copyright statement.
>
>
>
>
>
>
>


checklist for release

2016-10-17 Thread Meier, Caleb
Hello Everyone,

Here's a checklist for things to consider when evaluating the release candidate:

1. Download the sources and verify they compile cleanly.

2. Validate the hashes match.

3. Validate that the sources contain no unexpected binaries.
Run the find/grep command:  find . -type f  | grep -v 
'\/test\/\|\/site\/\|\.java\|\.xml\|\.xsl\|\.groovy\|\.properties\|\.sh\|\.bat\|\.md\|\.txt'
which looks for all files that don't have one of the approved extensions.

4. Validate the signature for the build and hashes.
Verify .asc files found at 
https://repository.apache.org/content/repositories/orgapacherya-1002/org/apache/rya/rya-project/3.2.10-incubating/
 using
the Aaron's public key: 
https://dist.apache.org/repos/dist/release/incubator/rya/KEYS .  Then verify 
hashes of these files.

5. Validate the LICENSE/NOTICE/Headers.
Verify that each project contains the ASF license and notice files.
Run the grep command:  fgrep -Ri 'copyright' rya-project-3.2.10 | fgrep -v 'The 
ASF licenses this file'
This should return only License and Notice files in rya-project-3.2.10. The 
license files
and the notice files should be consistent with the ASF license and ASF 
copyright statement.  Verify that only
the notice files contains the ASF copyright statement.