Validate Apache Releases
This validation step can be used for validation during release polling and also for validation of released versions.
The following steps can be followed to verify.
- Whether the download link is legitimate.
- Whether the checksum and PGP signature are legitimate. 3.
- Whether the DISCLAIMER or DISCLAIMER-WIP is included.
- Whether the code matches the current release.
- Whether the LICENSE and NOTICE files are correct.
- All files carry the necessary protocol descriptions.
- No compiled content is included in the source package.
- Whether the compilation can be executed without problems.
Here we use the verification of the Doris Core version as an example. Note that other components have their corresponding names changed.
1. download the source package, signature file, checksum file and KEYS
Download all relevant files, using a.b.c-incubating as an example:
In case of poll verification, you need to get the relevant files from the svn address provided in the email.
2. Check signature and checksum value
It is recommended to use GunPG, which can be installed by the following command.
CentOS: yum install gnupg
Ubuntu: apt-get install gnupg
gpg --import KEYS
gpg --verify apache-doris-a.b.c-incubating-src.tar.gz.asc apache-doris-a.b.c-incubating-src.tar.gz
sha512sum --check apache-doris-a.b.c-incubating-src.tar.gz.sha512
3. Verify the source protocol header
Here we use skywalking-eyes for protocol validation.
Go to the root of the source code and execute:
sudo docker run -it --rm -v $(pwd):/github/workspace apache/skywalking-eyes header check
The results of the run are as follows.
INFO GITHUB_TOKEN is not set, license-eye won't comment on the pull request
INFO Loading configuration from file: .licenserc.yaml
INFO Totally checked 5611 files, valid: 3926, invalid: 0, ignored: 1685, fixed: 0
If invalid is 0, then the validation passes.
4. Verify compilation
Please see the compilation documentation of each component to verify the compilation.