Checking a Release
After the release manager creates a release as described in Creating a Release the voting process starts. This guide will contain some steps you can take to validate a release candidate and base your vote on. Each member will have his own way to check some parts of a release. There is no general rule on how to check a release, there is only a list on what has to be checked this list can be found in the official release documentation.
Start by grabbing the artifacts mentioned in the vote mail. Either use the link provided in the mail or grab them here.
In these examples a folder to check everything in was created in
/tmp and the artifacts are already in place.
mkdir /tmp/release_check cd /tmp/release_check
First check would be to see if the keys and hashes are in order
# check the sha512 sha512sum -c apache-hop-X.XX-src.tar.gz.sha512 sha512sum -c apache-hop-client-X.XX.zip.sha512 # should echo the artifact name and OK # check the gpg signature gpg --verify apache-hop-X.XX-src.tar.gz.asc gpg --verify apache-hop-client-X.XX.zip.asc # if it prints out gpg: Can't check signature: No public key fetch the key from public keyserver # 1. Check if the keyid matches a known key in the KEYS file https://dist.apache.org/repos/dist/dev/hop/KEYS # 2. grab the key from the public keyserver found in the release mail gpg --keyserver <KEY SERVER> --receive-keys <KEY ID> # verify the package again gpg --verify apache-hop-X.XX-src.tar.gz.asc gpg --verify apache-hop-client-X.XX.zip.asc # output should be: # gpg: Good signature from "Owner Name <Owner@apache.org>" [ultimate]
If these steps pass we can start checking the content of the release. First step would be to download the matching source code from github.
# replace branch with the branch name mentioned in the release mail git clone --depth 1 --branch X.XX-rcX https://github.com/apache/hop.git source_version # check if the git commit matches the commit mentioned in the release mail cd source_version git rev-parse --short HEAD # remove the .git folder rm -rf .git cd ..
final step is to see if the content of the source repository matches the content of the downloaded archive.
# unpack the downloaded source code tar -xvf apache-hop-X.XX-src.tar.gz # do a diff to see if they match diff -qr source_version apache-hop-X.XX # this should show no output indicating that all files match # the folder containing the source code can now be removed rm -rf source_version
Check if the unpacked archive contains following files and if they are correct
check if mentioned licenses are available in the licenses folder
check for build instructions
Validate if all files contain the correct headers
cd apache-hop-X.XX mvn apache-rat:check -debug
Now build and test the released code
# run maven clean install (you can add -T 4 to build multi threaded) mvn clean install # switch to the finished artifact, extract and test cd assemblies/client/target unzip hop-client-*.zip cd hop ./hop-gui.sh