Validate Apache Releases
These validation steps can be used both when voting on a release candidate and when checking an already released version.
Verify the following:
- The download link is valid.
- The PGP signatures are valid.
- The source code matches the current release version.
- The LICENSE and NOTICE files are correct.
- All files carry the necessary license header.
- No compiled content is included in the source package.
- The source compiles successfully.
Here we use the verification of the Doris Core version as an example. For other components, change the names accordingly.
1. Download the source package, signature file, checksum file and KEYS
Download all relevant files, using a.b.c-incubating as an example:
When verifying for a release vote, get the relevant files from the svn address provided in the email.
2. Check signature and checksum value
It is recommended to use GnuPG, which can be installed with the following command.
CentOS: yum install gnupg
Ubuntu: apt-get install gnupg
gpg --import KEYS
gpg --verify apache-doris-a.b.c-incubating-src.tar.gz.asc apache-doris-a.b.c-incubating-src.tar.gz
sha512sum --check apache-doris-a.b.c-incubating-src.tar.gz.sha512
Note: If gpg --import reports no valid user IDs, the installed gpg version may be incompatible. Upgrade gpg to 2.2.x or above.
3. Verify the source license headers
Here we use skywalking-eyes for license header validation.
Go to the root of the source code and execute:
sudo docker run -it --rm -v $(pwd):/github/workspace apache/skywalking-eyes header check
The results of the run are as follows.
INFO GITHUB_TOKEN is not set, license-eye won't comment on the pull request
INFO Loading configuration from file: .licenserc.yaml
INFO Totally checked 5611 files, valid: 3926, invalid: 0, ignored: 1685, fixed: 0
If invalid is 0, then the validation passes.
4. Verify compilation
Please see the compilation documentation of each component to verify the compilation.
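The checklist item "no compiled content is included in the source package" has no command on this page. One way to check it, as an added example that is not part of the Doris release tooling: scan the tarball for entries whose magic bytes or file suffix indicate a compiled artifact. The suffix list, the magic table and the sample archive contents are assumptions constructed for illustration.

```python
import io
import tarfile

# Magic numbers of common compiled formats (a suffix check alone misses renamed files).
MAGIC = {
    b"\x7fELF": "ELF binary",
    b"\xca\xfe\xba\xbe": "Java class / Mach-O fat binary",
    b"PK\x03\x04": "zip/jar archive",
    b"MZ": "Windows PE",
    b"!<arch>\n": "static library (ar)",
}
SUFFIXES = (".class", ".jar", ".war", ".so", ".o", ".a", ".dll", ".exe", ".pyc", ".dylib")


def find_compiled(fileobj):
    """Return sorted (member name, reason) pairs for entries that look compiled."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue  # directories and links carry no content to inspect
            head = tar.extractfile(member).read(8)
            reason = next((d for m, d in MAGIC.items() if head.startswith(m)), None)
            if reason is None and member.name.lower().endswith(SUFFIXES):
                reason = "compiled-file suffix"
            if reason:
                findings.append((member.name, reason))
    return sorted(findings)


def build_sample():
    """Constructed sample tarball: two source files and two compiled files."""
    root = "apache-doris-a.b.c-incubating-src/"
    files = {
        root + "LICENSE": b"Apache License 2.0\n",
        root + "be/src/main.cpp": b"int main() { return 0; }\n",
        root + "fe/Foo.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34",
        root + "tools/helper": b"\x7fELF\x02\x01\x01\x00",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, reason in find_compiled(build_sample()):
        print(f"{name}: {reason}")
```

For a downloaded package, pass `open("apache-doris-a.b.c-incubating-src.tar.gz", "rb")` to `find_compiled`; an empty result means nothing matched, and each finding still needs a reviewer's judgement.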