Note: this doc will be updated continuously.
When the internal temporary release and packaging work is completed, other community developers (especially PMC) need to participate in the verification linkTo ensure the “correctness + completeness” of someone's published version, here requires everyone to participate as much as possible, and then explain which items you have checked in the subsequent email reply. (The following are the core items)
If there is no svn or gpg environment locally, it is recommended to install it first (windows recommend using WSL2 environment, or at least git-bash
)
# 1. install svn # ubuntu/debian sudo apt install subversion -y # MacOS brew install subversion # To verify that the installation was successful, execute the following command: svn --version # 2. install gpg # ubuntu/debian sudo apt-get install gnupg -y # MacOS brew install gnupg # To verify that the installation was successful, execute the following command: gpg --version # 3. Download the hugegraph-svn directory (version number, pay attention to fill in the verification version, here we take 1.0.0 as an example) svn co https://dist.apache.org/repos/dist/dev/incubator/hugegraph/1.0.0/ # (Note) If svn downloads a file very slowly, you can consider wget to download a single file, as follows (or consider using a proxy) wget https://dist.apache.org/repos/dist/dev/incubator/hugegraph/1.0.0/apache-hugegraph-toolchain-incubating-1.0.0.tar.gz
First you need to check the file integrity of the source + binary
package, Verify by shasum
to ensure that it is consistent with the hash value published on apache/github (Usually sha512), Here is the same as the last step of 0x02 inspection.
execute the following command: for i in *.tar.gz; do echo $i; shasum -a 512 --check $i.sha512; done
This is to ensure that the published package is uploaded by a reliable person. Assuming tom signs and uploads, others should download A’s public key and then perform signature confirmation. Related commands:
# 1. Download project trusted public key to local (required for the first time) & import curl https://downloads.apache.org/incubator/hugegraph/KEYS > KEYS gpg --import KEYS # After importing, you can see the following output, which means that 3 user public keys have been imported gpg: /home/ubuntu/.gnupg/trustdb.gpg: trustdb created gpg: key BA7E78F8A81A885E: public key "imbajin (apache mail) <jin@apache.org>" imported gpg: key 818108E7924549CC: public key "vaughn <vaughn@apache.org>" imported gpg: key 28DCAED849C4180E: public key "coderzc (CODE SIGNING KEY) <zhaocong@apache.org>" imported gpg: Total number processed: 3 gpg: imported: 3 # 2. Trust release users (trust n username mentioned in voting mail, if more than one user, just repeat the steps in turn or use the script below) gpg --edit-key $USER # input the username, enter the interactive mode gpg> trust ...output options.. Your decision? 5 # select 5 Do you really want to set this key to ultimate trust? (y/N) y # slect y, then q quits trusting the next user # (Optional) You could also use the command to trust one user in non-interactive mode: echo -e "5\ny\n" | gpg --batch --command-fd 0 --edit-key $USER trust # Or use the script to auto import all public gpg keys (be carefully): for key in $(gpg --no-tty --list-keys --with-colons | awk -F: '/^pub/ {print $5}'); do echo -e "5\ny\n" | gpg --batch --command-fd 0 --edit-key "$key" trust done # 3. Check the signature (make sure there is no Warning output, every source/binary file prompts Good Signature) #Single file verification gpg --verify xx.asc xxx-src.tar.gz gpg --verify xx.asc xxx.tar.gz # Note: without the bin/binary suffix # One-click shell traversal verification (recommended) for i in *.tar.gz; do echo $i; gpg --verify $i.asc $i ; done
First confirm the overall integrity/consistency, and then confirm the specific content (key)
Here it is divided into two aspects: source code package + binary package, The source code package is stricter, it can be said that the core part (Because it is longer,For a complete list refer to the official Wiki)
First of all, we need to download the package from the apache official release-candidate
URL to the local (URL: click to jump)
After decompressing *hugegraph*src.tar.gz
, Do the following checks:
incubating
, and no empty files/foldersLICENSE
+ NOTICE
+ DISCLAIM
file exists and the content is normalASF License
header (this could be done with the Maven-MAT
plugin)pom.xml
version number of each parent/child module is consistent (and meet expectations)# prefer to use/switch to java 11 for the following operations (compiling/running) # java --version # try to test in the Unix env to check if it works well mvn clean package -Dmaven.test.skip=true -Dcheckstyle.skip=true
After decompressing xxx-hugegraph.tar.gz
, perform the following checks:
incubating
LICENSE
and NOTICE
file exists and the content is normal# hugegraph-server bin/start-hugegraph.sh # hugegraph-loader bin/hugegraph-loader.sh -f path -g graph -s schema # hugegraph-hubble bin/start-hubble.sh # hugegraph-computer bin/start-computer.sh -d local -r master more reference official website: https://hugegraph.apache.org/cn/docs/quickstart
Note: If a third-party dependency is introduced in the binary package, you need to update the LICENSE and add the third-party dependent LICENSE; if the third-party dependent LICENSE is Apache 2.0, and the corresponding project contains NOTICE, you also need to update Our NOTICE file
After the check & test, you should reply the mail with the following content: (normal devs & PMC)
+1 (non-binding) I checked: 1. All download links are valid 2. Checksum and signature are OK 3. LICENSE and NOTICE are exist 4. Build successfully on macOS(Big Sur) 5. ....
and the PMC members should reply with binding
, it's important for summary the valid votes:
+1 (binding) I checked: 1. All download links are valid 2. Checksum and signature are OK 3. LICENSE and NOTICE are exist 4. Build successfully on macOS(Big Sur) 5. ....