Validate Apache Release

Note: this doc will be updated continuously.

Verification

When the internal temporary release and packaging work is completed, other community developers (especially PMC members) need to take part in the verification step. To ensure the "correctness + completeness" of the published version, **everyone** is asked to participate as much as possible and then state which items they checked in the subsequent email reply. (The following are the core items.)

1. prepare

If there is no svn, gpg or wget environment locally, it is recommended to install them first (on Windows, use a WSL2 environment, or at least git-bash). Also make sure Java (11 recommended) and Maven are installed.

```bash
# 1. install svn
# ubuntu/debian
sudo apt install subversion -y
# MacOS
brew install subversion
# To verify that the installation was successful, execute the following command:
svn --version

# 2. install gpg
# ubuntu/debian
sudo apt-get install gnupg -y
# MacOS
brew install gnupg
# To verify that the installation was successful, execute the following command:
gpg --version

# 3. install wget (we will enhance it later, like use `curl`)
# ubuntu/debian
sudo apt-get install wget -y
# MacOS
brew install wget

# 4. Download the hugegraph-svn directory
# For the version number, fill in the version being verified
svn co https://dist.apache.org/repos/dist/dev/incubator/hugegraph/1.x.x/
# (Note) If svn downloads a file very slowly,
# you can consider wget to download a single file, as follows (or consider using a proxy)
wget https://dist.apache.org/repos/dist/dev/incubator/hugegraph/1.x.x/apache-hugegraph-toolchain-incubating-1.x.x.tar.gz
```

2. check hash value

First you need to check the file integrity of the source + binary packages: verify with shasum to ensure the digest is consistent with the hash value published on Apache/GitHub (usually sha512). This is the same as the last step of the 0x02 inspection.

Execute the following command:

```bash
for i in *.tar.gz; do echo $i; shasum -a 512 --check $i.sha512; done
```

3. check gpg signature

This is to ensure that the published package was uploaded by a trusted person. Assuming tom signs and uploads, others should download tom's public key and then confirm the signature with it.

Related commands:

```bash
# 1. Download the project's trusted public keys to local (required the first time) & import them
curl https://downloads.apache.org/incubator/hugegraph/KEYS > KEYS
gpg --import KEYS
# After importing, you will see output like the following, meaning x user public keys were imported
gpg: /home/ubuntu/.gnupg/trustdb.gpg: trustdb created
gpg: key BA7E78F8A81A885E: public key "imbajin (apache mail) <jin@apache.org>" imported
gpg: key 818108E7924549CC: public key "vaughn <vaughn@apache.org>" imported
gpg: key 28DCAED849C4180E: public key "coderzc (CODE SIGNING KEY) <zhaocong@apache.org>" imported
...
gpg: Total number processed: x
gpg: imported: x

# 2. Trust the release users (trust the username(s) mentioned in the voting mail; if there is more than one user,
# just repeat the steps in turn or use the script below)
gpg --edit-key $USER # input the username, enter the interactive mode
gpg> trust
...output options..
Your decision? 5 # select 5
Do you really want to set this key to ultimate trust? (y/N) y # select y, then q quits; continue with the next user
# (Optional) You could also use the command to trust one user in non-interactive mode:
echo -e "5\ny\n" | gpg --batch --command-fd 0 --edit-key $USER trust
# Or use the script to auto-trust all imported public gpg keys (be careful):
for key in $(gpg --no-tty --list-keys --with-colons | awk -F: '/^pub/ {print $5}'); do
    echo -e "5\ny\n" | gpg --batch --command-fd 0 --edit-key "$key" trust
done

# 3. Check the signature (make sure there is no Warning output; every source/binary file prompts "Good signature")
# Single file verification
gpg --verify xx.asc xxx-src.tar.gz
gpg --verify xx.asc xxx.tar.gz # Note: without the bin/binary suffix
# One-click shell traversal verification (recommended)
for i in *.tar.gz; do echo $i; gpg --verify $i.asc $i ; done
```
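The signature check of step 3, as an added example that is not part of the HugeGraph project's own tooling: instead of reading the human-readable "Good signature" and "WARNING" text, it asks gpg for its machine-readable status lines (`--status-fd`) and passes a file only when there is a GOODSIG/VALIDSIG from a key at FULLY or ULTIMATE trust, which is exactly what the `trust` step above establishes. It assumes gpg is installed and KEYS has been imported as in step 1; the function names `signature_status_ok`, `verify_archive` and `verify_all` are this example's own.

```bash
#!/usr/bin/env sh
# Added example, not HugeGraph project code: judge `gpg --verify` results for
# every *.tar.gz + .asc pair using gpg's machine-readable status lines instead
# of eyeballing "Good signature" / "WARNING" text.
# Assumes gpg is installed and the KEYS file was imported as in step 1 above.
# Function names (signature_status_ok, verify_archive, verify_all) are ours.

# has STATUS_TEXT REGEX: true if some "[GNUPG:] ..." status line matches REGEX
has() {
    printf '%s\n' "$1" | grep -Eq "^\[GNUPG:\] $2"
}

# signature_status_ok STATUS_TEXT: inspect the status lines gpg emitted for one
# file. Returns 0 only for a good signature from a key the verifier trusts;
# otherwise prints why it fails and returns 1.
signature_status_ok() {
    status="$1"
    # Any of these means the signature is wrong, the key is unusable, or we do
    # not have the signer's public key at all (KEYS not imported).
    if has "$status" '(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)'; then
        echo "FAIL: bad signature, or signing key missing/expired/revoked"
        return 1
    fi
    if ! has "$status" 'GOODSIG '; then
        echo "FAIL: no GOODSIG line in gpg status output"
        return 1
    fi
    if ! has "$status" 'VALIDSIG '; then
        echo "FAIL: signature not reported as valid"
        return 1
    fi
    # TRUST_UNDEFINED/TRUST_NEVER/TRUST_MARGINAL are what the human-readable
    # "WARNING: This key is not certified with a trusted signature!" maps to;
    # step 2 (gpg --edit-key ... trust) is what turns them into FULLY/ULTIMATE.
    if ! has "$status" 'TRUST_(FULLY|ULTIMATE)'; then
        echo "FAIL: signer key is not trusted; run the trust step for this signer"
        return 1
    fi
    signer=$(printf '%s\n' "$status" | sed -n 's/^\[GNUPG:\] GOODSIG [0-9A-Fa-f]* //p')
    echo "OK:   good signature from $signer"
    return 0
}

# verify_archive FILE: run gpg on FILE.asc + FILE and judge the result.
verify_archive() {
    # --status-fd 1 sends the status lines to stdout; the human text goes to stderr.
    out=$(gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null) || true
    echo "== $1"
    signature_status_ok "$out"
}

# verify_all DIR: the one-click loop from step 3, but failing the whole run if
# any single archive does not pass.
verify_all() {
    rc=0
    for f in "$1"/*.tar.gz; do
        [ -e "$f" ] || { echo "no *.tar.gz found in $1"; return 1; }
        verify_archive "$f" || rc=1
    done
    return $rc
}
```

Run `verify_all .` inside the svn checkout from step 1; a non-zero exit means at least one archive is unsigned, signed by an unknown or bad key, or signed by a key you have not yet trusted, so the result can gate a script rather than relying on a reviewer spotting a warning in scrolling output.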

First confirm the overall integrity/consistency of the packages, then confirm their specific content (the key part).

4. Check the archive contents

This is divided into two aspects: the source code package and the binary package. The source code package is checked more strictly and can be considered the core part. (Because the full list is long, refer to the official Wiki for the complete list.)

First of all, download the packages from the Apache official release-candidate URL to the local machine (the dist.apache.org dev directory checked out in step 1).

A. source package

After decompressing `*hugegraph*src.tar.gz`, do the following checks:

1. Folder names contain "incubating", and there are no empty files/folders
2. The LICENSE + NOTICE + DISCLAIMER files exist and their content is normal
3. No binaries are present (they would be unlicensed)
4. All source code files contain the standard ASF License header (this can be checked with the Maven RAT plugin)
5. Check whether the pom.xml version number of each parent/child module is consistent (and meets expectations)
6. Finally, make sure the source code works/compiles correctly

```bash
# prefer to use/switch to `java 11` for the following operations (compiling/running) (Note: `Computer` only supports `java >= 11`)
# java --version
# try to compile in the Unix env to check if it works well
mvn clean package -P stage -Dmaven.test.skip=true -Dcheckstyle.skip=true
```

B. binary package

After decompressing `xxx-hugegraph.tar.gz`, perform the following checks:

1. Folder names contain "incubating"
2. The LICENSE and NOTICE files exist and their content is normal
3. Start the server

```bash
# hugegraph-server
bin/start-hugegraph.sh
# hugegraph-loader
bin/hugegraph-loader.sh -f path -g graph -s schema
# hugegraph-hubble
bin/start-hubble.sh
```

For more, refer to the official website: https://hugegraph.apache.org/docs/quickstart

Note: If a third-party dependency is introduced in the binary package, you need to update the LICENSE and add the third-party dependency's LICENSE; if the third-party dependency's LICENSE is Apache 2.0 and the corresponding project contains a NOTICE, you also need to update our NOTICE file.

5. Check the official website and GitHub and other pages

1. Make sure that the official website at least passes the Apache website check (no circular links, etc.)
2. Update the download link and the release notes

Mail Template

After the check & test, you should reply to the mail with one of the following votes (normal devs & PMC):

- [ ] +1 approve
- [ ] +0 no opinion
- [ ] -1 disapprove with the reason

```text
+1 (non-binding)
I checked:
1. Download link/tag in mail are valid
2. Checksum and GPG signatures are OK
3. LICENSE & NOTICE & DISCLAIMER exist
4. Build successfully on XX OS & Version XX
5. No unexpected binary files
6. Date is right in the NOTICE file
7. Compile from source is fine under JavaXX
8. No empty file & directory found
9. Test running XXX service OK
10. ....
```

PMC members should reply with a binding vote; this matters when summarizing the valid votes:

```text
+1 (binding)
I checked:
1. Download link/tag in mail are valid
2. Checksum and GPG signatures are OK
3. LICENSE & NOTICE & DISCLAIMER exist
4. Build successfully on XX OS & Version XX
5. No unexpected binary files
6. Date is right in the NOTICE file
7. Compile from source is fine under JavaXX
8. No empty file & directory found
9. Test running XX process OK
10. ....
```

Last modified January 1, 2024: doc(release): java version statement (#319) (c86e602d)