This is an automated email from the ASF dual-hosted git repository.

jin pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-hugegraph-doc.git


The following commit(s) were added to refs/heads/master by this push:
     new 26a13dee enhance validate release doc (#167)
26a13dee is described below

commit 26a13dee61a1135643772b5d9b7b59eeddb0bf5e
Author: 青年 <[email protected]>
AuthorDate: Sat Dec 31 20:07:44 2022 +0800

    enhance validate release doc (#167)
    
    Co-authored-by: imbajin <[email protected]>
---
 .../contribution-guidelines/validate-release.md    | 84 +++++++++++++++++-----
 .../contribution-guidelines/validate-release.md    | 74 +++++++++++++++----
 2 files changed, 127 insertions(+), 31 deletions(-)

diff --git a/content/cn/docs/contribution-guidelines/validate-release.md 
b/content/cn/docs/contribution-guidelines/validate-release.md
index c3fae455..0bda3ec0 100644
--- a/content/cn/docs/contribution-guidelines/validate-release.md
+++ b/content/cn/docs/contribution-guidelines/validate-release.md
@@ -8,33 +8,82 @@ weight: 3
 
 当内部的临时发布和打包工作完成后, 其他的社区开发者(尤其是 
PMC)需要参与到[验证环节](https://cwiki.apache.org/confluence/display/INCUBATOR/Incubator+Release+Checklist)确保某个人发布版本的"正确性
 + 完整性", 这里需要**每个人**都尽量参与, 然后后序**邮件回复**的时候说明自己**已检查**了哪些项. (下面是核心项)
 
-#### 1. 检查 hash 值
+#### 1. 准备工作
 
-首先需要检查 `source + binary` 包的文件完整性, 通过 `shasum` 进行校验, 确保和发布到 apache/github 上的 
hash 值一致 (一般是 sha512), 这里同0x02的最后一步检验.
+如果本地没有 svn 或 gpg 环境, 建议先安装一下 (windows 推荐使用 WSL2 环境, 或者至少是 `git-bash`)
 
-#### 2. 检查 gpg 签名
+```bash
+# 1. 安装svn
+# ubuntu/debian
+sudo apt install subversion -y
+# MacOS
+brew install subversion
+# 验证安装是否成功, 执行以下命令:
+svn --version
+
+# 2. 安装gpg
+# ubuntu/debian
+sudo apt-get install gnupg -y
+# MacOS
+brew install gnupg
+# 验证安装是否成功, 执行以下命令:
+gpg --version
+
+# 3. 下载 hugegraph-svn 目录 (版本号注意填写此次验证版本, 这里以1.0.0为例)
+svn co https://dist.apache.org/repos/dist/dev/incubator/hugegraph/1.0.0/
+# (注) 如果出现 svn 下载某个文件速度很慢的情况, 可以考虑 wget 单个文件下载, 如下 (或考虑使用代理)
+wget 
https://dist.apache.org/repos/dist/dev/incubator/hugegraph/1.0.0/apache-hugegraph-toolchain-incubating-1.0.0.tar.gz
+```
 
-这个就是为了确保发布的包是由**可信赖**的人上传的, 假设 tom 签名后上传, 其他人应该下载 A 的**公钥**然后进行**签名确认**, 相关命令:
+#### 2. 检查 hash 值
+
+首先需要检查 `source + binary` 包的文件完整性, 通过 `shasum` 进行校验, 确保和发布到 apache/github 上的 
hash 值一致 (一般是 sha512)
 
 ```bash
-# 1. 下载项目可信赖公钥到本地 (首次需要)
-curl xxx >> PK
-gpg --import PK
-# 1.2 等待响应后输入 trust 表示信任 tom 的公钥 (其他人名类似)
-gpg -edit-key tom 
+执行命令:
+for i in *.tar.gz; do echo $i; shasum -a 512 --check  $i.sha512; done
+```
+#### 3. 检查 gpg 签名
 
-# 2. 检查签名 (可用 0x03 章节的第 ⑧ 步的 for 循环脚本批量遍历)
+这个就是为了确保发布的包是由**可信赖**的人上传的, 假设 tom 签名后上传, 其他人应该下载 A 的**公钥**然后进行**签名确认**, 相关命令:
+
+```bash
+# 1. 下载项目可信赖公钥到本地 (首次需要) & 导入
+curl  https://downloads.apache.org/incubator/hugegraph/KEYS > KEYS
+gpg --import KEYS
+
+# 导入后可以看到如下输出, 这代表导入了 3 个用户公钥
+gpg: /home/ubuntu/.gnupg/trustdb.gpg: trustdb created
+gpg: key B78B058CC255F6DC: public key "Imba Jin (apache mail) 
<[email protected]>" imported
+gpg: key 818108E7924549CC: public key "vaughn <[email protected]>" imported
+gpg: key 28DCAED849C4180E: public key "coderzc (CODE SIGNING KEY) 
<[email protected]>" imported
+gpg: Total number processed: 3
+gpg:               imported: 3
+
+# 2. 信任发版用户 (这里需要信任 3 个, 对 Imba Jin, vaughn, coderzc 依次执行相同操作)
+gpg --edit-key Imba Jin # 以第一个为例, 进入交互模式
+gpg> trust
+...输出选项..
+Your decision? 5 #选择5
+Do you really want to set this key to ultimate trust? (y/N) y #选择y, 然后 q 
退出信任下一个用户
+
+
+# 3. 检查签名(确保没有 Warning 输出, 每一个 source/binary 文件都提示 Good Signature)
+#单个文件验证
 gpg --verify xx.asc xxx-source.tar.gz
 gpg --verify xx.asc xxx-binary.tar.gz # 注: 我们目前没有 binary 后缀
+#for循环遍历验证(推荐使用)
+for i in *.tar.gz; do echo $i; gpg --verify $i.asc $i ; done
+
 ```
 
-先确认了整体的完整性/一致性, 然后接下来确认具体的内容 (**关键**)
+先确认了整体的"完整性 + 一致性", 然后接下来确认具体的内容 (**关键**)
 
-#### 3. 检查压缩包内容
+#### 4. 检查压缩包内容
 
-这里分源码包 + 二进制包两个方面, 源码包更为严格, 挑核心的部分说 (完整的列表参考官方 
[Wiki](https://cwiki.apache.org/confluence/display/INCUBATOR/Incubator+Release+Checklist),
 比较长)
+这里分源码包 + 二进制包两个方面, 源码包更为严格, 挑核心的部分说 (完整的列表可参考官方 
[Wiki](https://cwiki.apache.org/confluence/display/INCUBATOR/Incubator+Release+Checklist),
 比较长)
 
-首先我们需要从 apache 官方的 `release-candidate` 地址下载包到本地 (地址: 
`dist.apache.org/repos/dist/dev/hugegraph/`)
+首先我们需要从 apache 官方的 `release-candidate` 地址下载包到本地 (地址: 
[点击跳转](https://dist.apache.org/repos/dist/dev/incubator/hugegraph/))
 
 ##### A. 源码包
 
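Review bot: step 2 of the gpg block has every verifier set ultimate trust (`Your decision? 5`) on all three keys imported from the downloaded KEYS file, which undercuts the "确保没有 Warning 输出" check in step 3. Once a key is ultimately trusted, gpg no longer warns that it is uncertified, so any key present in KEYS at download time yields Good Signature with no warning. Ultimate trust is meant for the verifier's own keys. Suggest having readers compare the fingerprint printed by `gpg --verify` with the release manager's fingerprint obtained through a channel other than this same download, or at least explaining why level 5 is used. Separately, `gpg --edit-key Imba Jin` is unquoted, so gpg treats `Jin` as an edit command rather than part of the user ID; use the key ID from the import output (`B78B058CC255F6DC`) or quote the name. The context line above the block still says "假设 tom 签名后上传, 其他人应该下载 A 的**公钥**"; tom and A should be the same name.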
@@ -51,7 +100,7 @@ gpg --verify xx.asc xxx-binary.tar.gz # 注: 我们目前没有 binary 后缀
 
 ```bash
 # 同时也可以检查一下代码风格是否符合规范, 不符合的可以放下一次调整
-mvn clean test -Dcheckstyle.skip=false
+mvn clean package -Dmaven.test.skip=true -Dcheckstyle.skip=false
 ```
 
 ##### B. 二进制包
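Review bot: the new `mvn clean package -Dmaven.test.skip=true -Dcheckstyle.skip=false` no longer runs any tests on the source package, and `maven.test.skip` also skips compiling the test sources, so a release candidate whose tests do not even build would pass this step. If the goal is only to shorten validation, say so in the comment line above the command and consider `-DskipTests`, which still compiles the tests; otherwise keep a test run as a separate, optional step.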
@@ -60,12 +109,11 @@ mvn clean test -Dcheckstyle.skip=false
 
 1. 文件夹都带有 `incubating`
 2. 存在 `LICENSE` + `NOTICE` 文件并且内容正常
-3. 通过 gpg 命令确认每个文件的签名正常
 
 **注:** 如果二进制包里面引入了第三方依赖, 则需要更新 LICENSE, 加入第三方依赖的 LICENSE; 若第三方依赖 LICENSE 是 
Apache 2.0, 且对应的项目中包含了 NOTICE, 则还需要更新我们的 NOTICE 文件
 
-#### 4. 检查官网以及 github 等页面
+#### 5. 检查官网以及 github 等页面
 
 1. 确保官网至少满足 [apache website 
check](https://whimsy.apache.org/pods/project/hugegraph), 以及没有死链等
 2. 更新**下载链接**以及版本更新说明
-3. …..
+3. ...
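Review bot: dropping `3. 通过 gpg 命令确认每个文件的签名正常` from the binary checklist leaves signature verification of binary packages resting entirely on the `for i in *.tar.gz` loop in section 3, which only covers files in the current directory that end in `.tar.gz`. A one-line pointer back to section 3 here would keep readers who jump straight to the binary checklist from skipping it. The `3. ...` placeholder under section 5 will also be published as a literal list item; either name the remaining checks or remove it.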
diff --git a/content/en/docs/contribution-guidelines/validate-release.md 
b/content/en/docs/contribution-guidelines/validate-release.md
index b8377ed2..535822ed 100644
--- a/content/en/docs/contribution-guidelines/validate-release.md
+++ b/content/en/docs/contribution-guidelines/validate-release.md
@@ -10,33 +10,81 @@ weight: 3
 
 When the internal temporary release and packaging work is completed, other 
community developers (especially PMC) need to participate in the [verification 
link](https://cwiki.apache.org/confluence/display/INCUBATOR/Incubator+Release+Checklist)To
 ensure the "correctness + completeness" of someone's published version, here 
requires **everyone** to participate as much as possible, and then explain 
which items you have **checked** in the subsequent **email reply**. (The 
following are the core items)
 
-#### 1. check hash value
+#### 1. prepare
+
+If there is no svn or gpg environment locally, it is recommended to install it 
first (windows recommend using WSL2 environment, or at least `git-bash`)
+```bash
+# 1. install svn
+# ubuntu/debian
+sudo apt install subversion -y
+# MacOS
+brew install subversion
+# To verify that the installation was successful, execute the following 
command:
+svn --version
+
+# 2. install gpg
+# ubuntu/debian
+sudo apt-get install gnupg -y
+# MacOS
+brew install gnupg
+# To verify that the installation was successful, execute the following 
command:
+gpg --version
+
+# 3. Download the hugegraph-svn directory (version number, pay attention to 
fill in the verification version, here we take 1.0.0 as an example)
+svn co https://dist.apache.org/repos/dist/dev/incubator/hugegraph/1.0.0/
+# (Note) If svn downloads a file very slowly, you can consider wget to 
download a single file, as follows (or consider using a proxy)
+wget 
https://dist.apache.org/repos/dist/dev/incubator/hugegraph/1.0.0/apache-hugegraph-toolchain-incubating-1.0.0.tar.gz
+```
+
+#### 2. check hash value
 
 First you need to check the file integrity of the `source + binary` package, 
Verify by `shasum` to ensure that it is consistent with the hash value 
published on apache/github (Usually sha512), Here is the same as the last step 
of 0x02 inspection.
+```bash
+execute the following command:
+for i in *.tar.gz; do echo $i; shasum -a 512 --check  $i.sha512; done
+```
 
-#### 2. check gpg signature
+#### 3. check gpg signature
 
 This is to ensure that the published package is uploaded by a **reliable** 
person. Assuming tom signs and uploads, others should download A’s **public 
key** and then perform **signature confirmation**. Related commands:
 
 ```bash
-# 1. Download the trusted public key of the project to the local (required for 
the first time)
-curl xxx >> PK
-gpg --import PK
-# 1.2 Enter trust after waiting for the response to trust Tom's public key 
(other names are similar)
-gpg -edit-key tom 
-
-# 2. Check the signature (you can use the for loop script in step ⑧ of Chapter 
0x03 to traverse in batches)
+# 1. Download project trusted public key to local (required for the first 
time) & import
+curl  https://downloads.apache.org/incubator/hugegraph/KEYS > KEYS
+gpg --import KEYS
+
+# After importing, you can see the following output, which means that 3 user 
public keys have been imported
+gpg: /home/ubuntu/.gnupg/trustdb.gpg: trustdb created
+gpg: key B78B058CC255F6DC: public key "Imba Jin (apache mail) 
<[email protected]>" imported
+gpg: key 818108E7924549CC: public key "vaughn <[email protected]>" imported
+gpg: key 28DCAED849C4180E: public key "coderzc (CODE SIGNING KEY) 
<[email protected]>" imported
+gpg: Total number processed: 3
+gpg:               imported: 3
+
+# 2. Trust release users (here you need to trust 3 users, perform the same 
operation for Imba Jin, vaughn, coderzc in turn)
+gpg --edit-key Imba Jin # Take the first one as an example, enter the 
interactive mode
+gpg> trust
+...output options..
+Your decision? 5 #select five
+Do you really want to set this key to ultimate trust? (y/N) y #slect y, then q 
quits trusting the next user
+
+
+# 3. Check the signature (make sure there is no Warning output, every 
source/binary file prompts Good Signature)
+#Single file verification
 gpg --verify xx.asc xxx-source.tar.gz
-gpg --verify xx.asc xxx-binary.tar.gz # Note: We currently do not have a 
binary suffix
+gpg --verify xx.asc xxx-binary.tar.gz # 注: 我们目前没有 binary 后缀
+#for loop traversal verification (recommended)
+for i in *.tar.gz; do echo $i; gpg --verify $i.asc $i ; done
+
 ```
 
 First confirm the overall integrity/consistency, and then confirm the specific 
content (**key**)
 
-#### 3. Check the archive contents
+#### 4. Check the archive contents
 
 Here it is divided into two aspects: source code package + binary package, The 
source code package is more strict, it can be said that the core part (Because 
it is longer,For a complete list refer to the official 
[Wiki](https://cwiki.apache.org/confluence/display/INCUBATOR/Incubator+Release+Checklist))
 
-First of all, we need to download the package from the apache official 
`release-candidate` URL to the local (URL: 
`dist.apache.org/repos/dist/dev/hugegraph/`)
+First of all, we need to download the package from the apache official 
`release-candidate` URL to the local (URL: [click to 
jump](https://dist.apache.org/repos/dist/dev/incubator/hugegraph/))
 
 ##### A. source package
 
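Review bot: in the en file the comment on `gpg --verify xx.asc xxx-binary.tar.gz` was changed from the English note to `# 注: 我们目前没有 binary 后缀`, which looks like a paste from the cn file; keep the removed English text ("Note: We currently do not have a binary suffix"). In the hash block, `execute the following command:` is a bare line inside the ```bash fence, so anyone pasting the block runs it as a command; make it a `#` comment or move it above the fence (the cn file has the same issue with `执行命令:`). Also `#slect y` should read "select", the unchanged paragraph still refers to "the last step of 0x02 inspection" although the cn side removed that reference, and the two new ```bash fences directly follow a paragraph without a blank line. The `trust` / `5` step and the unquoted `gpg --edit-key Imba Jin` carry over from the cn text: level 5 is ultimate trust, normally reserved for one's own keys, and the unquoted name makes gpg read `Jin` as an edit command.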
@@ -66,7 +114,7 @@ After decompressing `xxx-hugegraph.tar.gz`, perform the 
following checks:
 
 **Note:** If a third-party dependency is introduced in the binary package, you 
need to update the LICENSE and add the third-party dependent LICENSE; if the 
third-party dependent LICENSE is Apache 2.0, and the corresponding project 
contains NOTICE, you also need to update Our NOTICE file
 
-#### 4. Check the official website and github and other pages
+#### 5. Check the official website and github and other pages
 
 1. Make sure that the official website at least meets [apache website 
check](https://whimsy.apache.org/pods/project/hugegraph), and no circular links 
etc.
 2. Update **download link** and version update instructions
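Review bot: this hunk only renumbers the heading, so two cn-side changes in this commit have no English counterpart in the diff: the switch to `mvn clean package -Dmaven.test.skip=true -Dcheckstyle.skip=false` and the removal of the gpg item from the binary-package checklist. Please confirm the en page is meant to stay different, or bring it in line. The unchanged item 1 says "no circular links" where the cn text says 没有死链 (no dead links); worth correcting while this section is being touched.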
