kaxil commented on a change in pull request #10493: URL: https://github.com/apache/airflow/pull/10493#discussion_r475663988
########## File path: dev/README.md ########## @@ -158,3 +136,181 @@ After that navigate to relative directory i.e., `cd dist` and sign the release f ``` Signing files will be created in the same directory. + + +# Verifying the release candidate by PMCs (legal) + +## PMC voting + +The PMCs should verify the releases in order to make sure the release is following the +[Apache Legal Release Policy](http://www.apache.org/legal/release-policy.html). + +At least 3 (+1) votes should be recorded in accordance to +[Votes on Package Releases](https://www.apache.org/foundation/voting.html#ReleaseVotes) + +The legal checks include: + +* checking if the packages are present in the right dist folder on svn +* verifying if all the sources have correct licences +* verifying if release manager signed the releases with the right key +* verifying if all the checksums are valid for the release + +## SVN check + +The files should be present in the sub-folder of +[Airflow dist](https://dist.apache.org/repos/dist/dev/airflow/) + +The following files should be present (9 files): + +* -bin-tar.gz + .asc + .sha512 +* -source.tar.gz + .asc + .sha512 +* -.whl + .asc + .sha512 + +As a PMC you should be able to clone the SVN repository: + +```bash +svn co https://dist.apache.org/repos/dist/dev/airflow +``` + +Or update it if you already checked it out: + +```bash +svn update . +``` + +## Verifying the licences + +This can be done with the Apache RAT tool. + +* Download the latest jar from https://creadur.apache.org/rat/download_rat.cgi (unpack the sources, + the jar is inside) +* Unpack the -source.tar.gz to a folder +* Enter the folder and run the check (point to the place where you extracted the .jar) + +```bash +java -jar ../../apache-rat-0.13/apache-rat-0.13.jar -E .rat-excludes -d . +``` + +## Verifying the signatures + +Make sure you have the key of person signed imported in your GPG. You can find the valid keys in +[KEYS](https://dist.apache.org/repos/dist/release/airflow/KEYS). You can import them with the GPG +command. The below one uses Kaxil's key and retrieves it from the default GPG keyserver +[OpenPGP.org](https://keys.openpgp.org): Review comment: The following should work if a PMC/contributor doesn't want to import keys from OpenPGP server ``` gpg --import KEYS ``` ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected]
