Re: checklist for release
Ps, I'd recommend getting this up onto the Rya website :) David Lotts wrote: Some additional detail: Here's a checklist for things to consider when evaluating the release candidate: 1. Download the sources and verify they compile cleanly. 2. Validate the hashes match. 3. Validate that the sources contain no unexpected binaries. Run the find/grep command: find . -type f | grep -v '\/test\/\|\/site\/\|\.java\|\.xml\|\.xsl\|\.groovy\|\. properties\|\.sh\|\.bat\|\.md\|\.txt' which looks for all files that don't have one of the approved extensions. 4. Validate the signature for the build and hashes. Verify .asc files found at [1] using the Aaron's public key: [2] Then verify hashes of these files. Here are the commands: [3] a. Install GPG. b. import Aaron's key from Apache [2]: gpg --keyserver https://dist.apache.org/repos/dist/dev/incubator/rya/KEYS --recv-key F50EAE1A c. Download the files at [1] and run this in that folder: gpg --verify rya-project-3.2.10-incubating-source-release.zip.asc If you see "*Good signature*" from the verify, that is good enough as long as you feel strongly that you have Aaron's real public key. To eliminate the warning, either trust Aaron's key "ultimately" or let it find a trusted path to a key that you trust ultimately. [1] https://repository.apache.org/content/repositories/ orgapacherya-1002/org/apache/rya/rya-project/3.2.10-incubating/ [2] https://dist.apache.org/repos/dist/release/incubator/rya/KEYS [3] https://httpd.apache.org/dev/verification.html 5. Validate the LICENSE/NOTICE/Headers. Verify that each project contains the ASF license and notice files. Run the grep command: fgrep -Ri 'copyright' rya-project-3.2.10 | fgrep -v 'The ASF licenses this file' This should return only License and Notice files in rya-project-3.2.10. The license files and the notice files should be consistent with the ASF license and ASF copyright statement. Verify that only the notice files contains the ASF copyright statement.
Re: checklist for release
Some additional detail: Here's a checklist for things to consider when evaluating the release > candidate: > > 1. Download the sources and verify they compile cleanly. > > 2. Validate the hashes match. > > 3. Validate that the sources contain no unexpected binaries. > Run the find/grep command: find . -type f | grep -v > '\/test\/\|\/site\/\|\.java\|\.xml\|\.xsl\|\.groovy\|\. > properties\|\.sh\|\.bat\|\.md\|\.txt' > which looks for all files that don't have one of the approved extensions. > > 4. Validate the signature for the build and hashes. > Verify .asc files found at [1] using the Aaron's public key: [2] Then > verify hashes of these files. > Here are the commands: [3] a. Install GPG. b. import Aaron's key from Apache [2]: gpg --keyserver https://dist.apache.org/repos/dist/dev/incubator/rya/KEYS --recv-key F50EAE1A c. Download the files at [1] and run this in that folder: gpg --verify rya-project-3.2.10-incubating-source-release.zip.asc If you see "*Good signature*" from the verify, that is good enough as long as you feel strongly that you have Aaron's real public key. To eliminate the warning, either trust Aaron's key "ultimately" or let it find a trusted path to a key that you trust ultimately. [1] https://repository.apache.org/content/repositories/ orgapacherya-1002/org/apache/rya/rya-project/3.2.10-incubating/ [2] https://dist.apache.org/repos/dist/release/incubator/rya/KEYS [3] https://httpd.apache.org/dev/verification.html > > 5. Validate the LICENSE/NOTICE/Headers. > Verify that each project contains the ASF license and notice files. > Run the grep command: fgrep -Ri 'copyright' rya-project-3.2.10 | fgrep -v > 'The ASF licenses this file' > This should return only License and Notice files in rya-project-3.2.10. > The license files > and the notice files should be consistent with the ASF license and ASF > copyright statement. Verify that only > the notice files contains the ASF copyright statement. > > > > > > >
checklist for release
Hello Everyone, Here's a checklist for things to consider when evaluating the release candidate: 1. Download the sources and verify they compile cleanly. 2. Validate the hashes match. 3. Validate that the sources contain no unexpected binaries. Run the find/grep command: find . -type f | grep -v '\/test\/\|\/site\/\|\.java\|\.xml\|\.xsl\|\.groovy\|\.properties\|\.sh\|\.bat\|\.md\|\.txt' which looks for all files that don't have one of the approved extensions. 4. Validate the signature for the build and hashes. Verify .asc files found at https://repository.apache.org/content/repositories/orgapacherya-1002/org/apache/rya/rya-project/3.2.10-incubating/ using the Aaron's public key: https://dist.apache.org/repos/dist/release/incubator/rya/KEYS . Then verify hashes of these files. 5. Validate the LICENSE/NOTICE/Headers. Verify that each project contains the ASF license and notice files. Run the grep command: fgrep -Ri 'copyright' rya-project-3.2.10 | fgrep -v 'The ASF licenses this file' This should return only License and Notice files in rya-project-3.2.10. The license files and the notice files should be consistent with the ASF license and ASF copyright statement. Verify that only the notice files contains the ASF copyright statement.