Validate Apache Releases

This validation step can be used for validation during release polling and also for validation of released versions.

The following steps can be followed to verify.

  1. Whether the download link is legitimate.
  2. Whether the checksum and PGP signature are legitimate. 3.
  3. Whether the DISCLAIMER or DISCLAIMER-WIP is included.
  4. Whether the code matches the current release.
  5. Whether the LICENSE and NOTICE files are correct.
  6. All files carry the necessary protocol descriptions.
  7. No compiled content is included in the source package.
  8. Whether the compilation can be executed without problems.

Here we use the verification of the Doris Core version as an example. Note that other components have their corresponding names changed.

1. download the source package, signature file, checksum file and KEYS

Download all relevant files, using a.b.c-incubating as an example:

  1. wget https://www.apache.org/dyn/mirrors/mirrors.cgi?action=download&filename=/incubator/doris/a.b.c-incubating/apache-doris-a.b.c-incubating-src.tar.gz
  3. wget https://www.apache.org/dist/incubator/doris/a.b.c-incubating/apache-doris-a.b.c-incubating-src.tar.gz.sha512
  5. wget https://www.apache.org/dist/incubator/doris/a.b.c-incubating/apache-doris-a.b.c-incubating-src.tar.gz.asc
  7. wget https://downloads.apache.org/incubator/doris/KEYS

In case of poll verification, you need to get the relevant files from the svn address provided in the email.

2. Check signature and checksum value

It is recommended to use GunPG, which can be installed by the following command.

  1. CentOS: yum install gnupg
  2. Ubuntu: apt-get install gnupg
  1. gpg --import KEYS
  2. gpg --verify apache-doris-a.b.c-incubating-src.tar.gz.asc apache-doris-a.b.c-incubating-src.tar.gz
  3. sha512sum --check apache-doris-a.b.c-incubating-src.tar.gz.sha512

3. Verify the source protocol header

Here we use skywalking-eyesVerify the Apache release version - 图1 (opens new window) for protocol validation.

Go to the root of the source code and execute:

  1. sudo docker run -it --rm -v $(pwd):/github/workspace apache/skywalking-eyes header check

The results of the run are as follows.

  1. INFO GITHUB_TOKEN is not set, license-eye won't comment on the pull request
  2. INFO Loading configuration from file: .licenserc.yaml
  3. INFO Totally checked 5611 files, valid: 3926, invalid: 0, ignored: 1685, fixed: 0

If invalid is 0, then the validation passes.

4. Verify compilation

Please see the compilation documentation of each component to verify the compilation.