Voting on a MyFaces Project Release
An Apache release is a set of valid and signed artifacts, voted on by the appropriate PMC and distributed on the ASF's official release infrastructure. All voters for a release must verify these items:
- Verify checksums on released files. [1]
- Validate signatures on released files. [1]
- Verify that the release source code builds. [2]
- Verify that all source files have appropriate and compatible licensing. [2]
- Optionally verify that each archive type contains the same contents.
[1] http://www.apache.org/dev/release-publishing.html#signed
[2] http://www.apache.org/dev/release-publishing.html#valid
Here is an example of how these tasks can be accomplished under Linux.
Verify checksums on released files.
    find . -name '*.md5' -exec cat {} \; -printf ' %f\n' | sed 's|\.md5$||' | md5sum -c
    find . -name '*.sha1' -exec cat {} \; -printf ' %f\n' | sed 's|\.sha1$||' | sha1sum -c
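As an added example (not part of the original MyFaces instructions), the function below performs the same sidecar check but returns a non-zero status on any mismatch, missing file, or empty result, and it resolves each released file next to its sidecar rather than by base name in the current directory. The name verify_sidecars and its output labels are assumptions made for this illustration.

```sh
# Added example: fail-closed check of .md5/.sha1 sidecar files under a directory.
# Usage: verify_sidecars DIR EXT   (EXT is md5 or sha1)
# The ( ... ) body runs in a subshell, so its variables do not leak to the caller.
verify_sidecars() (
    dir=$1; ext=$2
    case $ext in
        md5|sha1) tool="${ext}sum" ;;
        *) echo "unsupported checksum type: $ext" >&2; exit 2 ;;
    esac
    find "$dir" -type f -name "*.$ext" | {
        checked=0; failed=0
        while IFS= read -r sidecar; do
            target=${sidecar%.$ext}
            # A sidecar holds either a bare digest or "digest  filename";
            # the first field is the digest in both layouts.
            want=
            read -r want rest < "$sidecar" || true
            want=$(printf '%s' "$want" | tr 'A-F' 'a-f')
            checked=$((checked + 1))
            if [ ! -f "$target" ]; then
                echo "MISSING  $target" >&2; failed=$((failed + 1)); continue
            fi
            got=$("$tool" < "$target" | cut -d' ' -f1)
            if [ -n "$want" ] && [ "$want" = "$got" ]; then
                echo "OK       $target"
            else
                echo "MISMATCH $target" >&2; failed=$((failed + 1))
            fi
        done
        # Zero sidecars means nothing was verified, so that is a failure too.
        [ "$checked" -gt 0 ] && [ "$failed" -eq 0 ]
    }
)
```

Call it as `verify_sidecars . sha1 && verify_sidecars . md5` from the directory holding the release candidate files.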
Validate signatures on released files.
    wget http://www.apache.org/dist/myfaces/KEYS
    gpg --import KEYS
    find . -name '*.asc' -exec gpg --verify {} \;
Verify tar.gz and zip sources are identical
    mkdir src
    cd src
    tar xvf ../myfaces-core-assembly-2.0.15-src.tar.gz
    ls -l
    mv myfaces-core-2.0.15-src/ myfaces-core-2.0.15-src-tar-gz
    unzip ../myfaces-core-assembly-2.0.15-src.zip
    # should be no output
    diff -rq myfaces-core-2.0.15-src*
    # should be "are identical" output
    diff -srq myfaces-core-2.0.15-src*
Verify that the release source code builds.
    cd myfaces-core-2.0.15-src/src
    find \( -name '*.jar' -o -name '*.zip' \) -exec unzip -n {} \;
    cd myfaces-core-module-2.0.15/
    mvn install
Verify that all source files have appropriate and compatible licensing.
    mvn apache-rat:check
    # To check for all errors, if more than one project is affected
    # mvn -e -X apache-rat:check -Drat.numUnapprovedLicenses=9999