This is an automated email from the ASF dual-hosted git repository.
dockerzhang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/inlong-website.git
The following commit(s) were added to refs/heads/master by this push:
new ab420f0c8e [INLONG-628][Doc] Update the How to verify release
candidate guide (#629)
ab420f0c8e is described below
commit ab420f0c8e3b46321765fb17ec0d48070cbf5fe0
Author: Charles Zhang <[email protected]>
AuthorDate: Tue Nov 29 18:47:33 2022 +0800
[INLONG-628][Doc] Update the How to verify release candidate guide (#629)
---
community/how-to-release.md | 2 +-
community/how-to-verify.md | 180 +++++++--------------
.../current/how-to-verify.md | 166 ++++++-------------
3 files changed, 107 insertions(+), 241 deletions(-)
diff --git a/community/how-to-release.md b/community/how-to-release.md
index 0889c36bf3..725052f81d 100644
--- a/community/how-to-release.md
+++ b/community/how-to-release.md
@@ -170,7 +170,7 @@ Adding `<servers>/<profiles>` configurations in your maven
`settings.xml` with c
```
## Build
-The following `release_version` is the upcoming release number, such as 1.0.0;
`rc_version` is Release Candidate, such as RC0, RC1...; `KEY_ID` is your GPG
Key ID.
+The following `release_version` is the upcoming release number, such as 1.4.0;
`rc_version` is Release Candidate, such as RC0, RC1...; `KEY_ID` is your GPG
Key ID.
### Prepare branch
- Create the release branch from the main version branch and modify the POM
version number and CHANGES.md. For example, create `release-1.4.0` from
`branch-1.4`
diff --git a/community/how-to-verify.md b/community/how-to-verify.md
index 0064bf257d..5e23bb926c 100644
--- a/community/how-to-verify.md
+++ b/community/how-to-verify.md
@@ -1,146 +1,74 @@
---
-title: How to Verify release
+title: How to verify release candidate
sidebar_position: 7
---
-To verify the release, the following checklist can be used to reference:
-- [ ] Download links are valid.
-- [ ] Checksums and PGP signatures are valid.
-- [ ] Source code artifacts have correct names matching the current release.
-- [ ] LICENSE and NOTICE files are correct for the repository.
-- [ ] All files have license headers if necessary.
-- [ ] No compiled archives bundled in source archive.
-- [ ] Building is OK.
-
-
-## Download the release package to be verified to the local environment
-> Use the following command to download all artifacts, replace
"${release_version}-${rc_version}" with the version ID of the version to be
released:
+## Download the release candidate
+`release_version` is the upcoming version number, such as 1.4.0; `rc_version`
is the Release Candidate, such as RC0, RC1...; KEY_ID is the GPG Key ID you
created.
```shell
svn co
https://dist.apache.org/repos/dist/dev/inlong/${release_version}-${rc_version}/
```
-## Verify signature and hash
-> Start the verification process, which includes but is not limited to the
following content and verification methods.
-> GnuPG is recommended, which can install by yum install gnupg or apt-get
install gnupg.
-
-### Check if the release package is complete
-The package to release must check:
-- Whether to include the source code package
-- Whether to include the signature of the source code package
-- Whether to include the sha512 of the source code package
-- (if include) Check the binary package, also check the contents listed in
(2)-(4)
+## verify the version
+### Check whether the release package is complete
+- Whether to include the source package
+- Whether to include the signature and sha512 of the source package
+- If a binary package is uploaded, the signature and sha512 are also checked
-### Verify signature and hash
-GnuPG is recommended, which can install by yum install GnuPG or apt-get
install GnuPG.
- - Import public key
- ```shell
- curl https://downloads.apache.org/inlong/KEYS > KEYS # Download KEYS
- gpg --import KEYS # Import KEYS to local
- ```
- - Trust the public key
- > Trust the KEY used in this version
- ```shell
- gpg --edit-key xxxxxxxxxx # KEY used in this
version
- gpg (GnuPG) 2.2.21; Copyright (C) 2020 Free Software Foundation, Inc.
- This is free software: you are free to change and redistribute it.
- There is NO WARRANTY, to the extent permitted by law.
-
- Secret key is available.
-
- sec rsa4096/5EF3A66D57EC647A
- created: 2020-05-19 expires: never usage: SC
- trust: ultimate validity: ultimate
- ssb rsa4096/17628566FEED6AF7
- created: 2020-05-19 expires: never usage: E
- [ultimate] (1). Guangxu Cheng <[email protected]>
-
- gpg> trust # Trust the KEY
- sec rsa4096/5EF3A66D57EC647A
- created: 2020-05-19 expires: never usage: SC
- trust: ultimate validity: ultimate
- ssb rsa4096/17628566FEED6AF7
- created: 2020-05-19 expires: never usage: E
- [ultimate] (1). Guangxu Cheng <[email protected]>
-
- Please decide how far you trust this user to correctly verify other users'
keys
- (by looking at passports, checking fingerprints from different sources,
etc.)
-
- 1 = I don't know or won't say
- 2 = I do NOT trust
- 3 = I trust marginally
- 4 = I trust fully
- 5 = I trust ultimately
- m = back to the main menu
-
- Your decision? 5 #
select 5
- Do you really want to set this key to ultimate trust? (y/N) y #
select y
-
- sec rsa4096/5EF3A66D57EC647A
- created: 2020-05-19 expires: never usage: SC
- trust: ultimate validity: ultimate
- ssb rsa4096/17628566FEED6AF7
- created: 2020-05-19 expires: never usage: E
- [ultimate] (1). Guangxu Cheng <[email protected]>
-
- gpg>
-
- sec rsa4096/5EF3A66D57EC647A
- created: 2020-05-19 expires: never usage: SC
- trust: ultimate validity: ultimate
- ssb rsa4096/17628566FEED6AF7
- created: 2020-05-19 expires: never usage: E
- [ultimate] (1). Guangxu Cheng <[email protected]>
- ```
- - Check signature and hash
- ```shell
- for i in *.tar.gz; do echo $i; gpg --verify $i.asc $i ; done
- # or
- gpg --verify apache-inlong-${release_version}-src.tar.gz.asc
apache-inlong-${release_version}-src.tar.gz
- # Attention: if you upload a binary package, you also need to check whether
the signature of the binary package is correct
- gpg --verify apache-inlong-server-${release_version}-bin.tar.gz.asc
apache-inlong-server-${release_version}-bin.tar.gz
- gpg --verify apache-inlong-client-${release_version}-bin.tar.gz.asc
apache-inlong-client-${release_version}-bin.tar.gz
+### Check the GPG signature
+- Import public key
+```shell
+# Download KEYS
+curl https://downloads.apache.org/inlong/KEYS > KEYS
+# Import KEYS to local
+gpg --import KEYS
```
- - Confirm result
- > If something similar to the following appears, it means that the signature
is correct, and the keywords: **`Good signature`**
+
+- trust the public key
+ Replace `THE_KEY_USED` with the KEY used for this version.
```shell
-apache-inlong-1.3.0-src.tar.gz
-gpg: Signature made Sat May 30 11:45:01 2020 CST
-gpg: using RSA key 9B12C2228BDFF4F4CFE849445EF3A66D57EC647A
-gpg: Good signature from "Guangxu Cheng <[email protected]>" [ultimate]gular2
+# After execution, enter trust -> 5(I trust ultimately) -> Y(Yes) -> quit
+gpg --edit-key THE_KEY_USED
```
-### Verify sha512 hash
-> Calculate the sha512 hash locally, and verify that it is consistent with the
one on dist
+- Check the signature using the following command
```shell
-for i in *.tar.gz; do echo $i; gpg --print-md SHA512 $i; done
-# or
-gpg --print-md SHA512 apache-inlong-${release_version}-src.tar.gz
-# If include a binary package, you also need to check the sha512 hash of the
binary package
-gpg --print-md SHA512 apache-inlong-server-${release_version}-bin.tar.gz
-gpg --print-md SHA512 apache-inlong-client-${release_version}-bin.tar.gz
-# or
-for i in *.tar.gz.sha512; do echo $i; sha512sum -c $i; done
+cd ${release_version}-${rc_version}
+for i in *.tar.gz; do echo $i; gpg --verify $i.asc $i; done
```
+:::note
+If the keyword **`Good signature`** appears, the signature is correct.
+:::
+
### Check the file content of the source package
-Unzip `apache-inlong-${release_version}-src.tar.gz` and check as follows:
-- [ ] LICENSE and NOTICE files are correct for the repository.
-- [ ] All files have ASF license headers if necessary.
-- [ ] The source code can be compiled normally.
-- [ ] The single test can run through.
-- [ ] Building is OK.
+Unzip `apache-inlong-${release_version}-src.tar.gz` and check the following:
+- Whether the LICENSE and NOTICE file exists and whether the content is correct
+- Whether all files have an ASF License header
+- Whether the source code can be compiled normally
+- Whether the single test can run through
+
+:::note
+You can check the compilation and unit test through `mvn clean package
install`. If the compilation fails, clean up the local warehouse first.
+:::
-Attentions:
- In the process of practice, it is found that many troublesome problems
affect our version verification. The following processing is for reference:
- - Clean up the local repository before verifying the version;
- - The compilation commands are not limited, but since the modules in the
project are dockerized, "mvn clean package install" is recommended for the
first compilation, other recommended operations include "mvn clean compile",
"mvn clean package";
- - When executing unit tests, you should run them separately with "mvn clean
test" to ensure that there are no hidden problems.
+### Check binary packages
+Unzip `apache-inlong-${release_version}-bin.tar.gz` and
`apache-inlong-${release_version}-sort-connectors.tar.gz` and check the
following:
+- Whether the LICENSE and NOTICE file exists and whether the content is correct
+- Whether the normal deployment is successful
+- Deploy the test environment and verify whether the production and
consumption can run normally
+- Verify what you think might be going wrong
-### Check the binary package (if the binary package is included)
- Unzip `apache-inlong-client-${release_version}-src.tar.gz` and `
- apache-inlong-server-${release_version}-src.tar.gz`, check as follows:
-- [ ] LICENSE and NOTICE files are correct for the repository.
-- [ ] The deployment can be successful
-- [ ] Deploy a test environment to verify whether production and consumption
can run normally.
-- [ ] Verify what you think might go wrong.
+## Reply the email
+If the verification is passed, you can refer to the following template for
email replies.
+```shell
++1 from me, and I checked the following items:
+- [X] Download links are valid.
+- [X] Checksums and PGP signatures are valid.
+- [X] Source code artifacts have correct names matching the current release.
+- [X] LICENSE and NOTICE files are correct for the repository.
+- [X] All files have license headers if necessary.
+- [X] No compiled archives bundled in the source archive.
+- [X] Building is OK.
+```
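Review bot: The rewritten "verify the version" section drops the whole `### Verify sha512 hash` step (the `gpg --print-md SHA512` and `sha512sum -c` commands), yet the new completeness list still asks whether the sha512 is included and the reply template has the voter assert `- [X] Checksums and PGP signatures are valid.` With only `gpg --verify` left, the guide no longer tells a voter how to compare the checksum. Keep a one-line checksum step next to the signature loop, for example the removed `for i in *.tar.gz.sha512; do echo $i; sha512sum -c $i; done`. Two smaller points in the same hunk: the download paragraph introduces `KEY_ID` while the trust step uses `THE_KEY_USED`, so pick one placeholder; and the trust step now sets ultimate trust on a key imported from `curl ... > KEYS` without the removed sample output that showed the `using RSA key ...` line, so consider telling voters to compare the key reported by `gpg --verify` with the KEYS entry before trusting it. The heading `## verify the version` should be capitalized like the other headings.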
diff --git
a/i18n/zh-CN/docusaurus-plugin-content-docs-community/current/how-to-verify.md
b/i18n/zh-CN/docusaurus-plugin-content-docs-community/current/how-to-verify.md
index b786776af7..5b7f426cdb 100644
---
a/i18n/zh-CN/docusaurus-plugin-content-docs-community/current/how-to-verify.md
+++
b/i18n/zh-CN/docusaurus-plugin-content-docs-community/current/how-to-verify.md
@@ -1,135 +1,73 @@
---
-title: 如何验证版本
+title: 如何验证发布版本
sidebar_position: 7
---
-## 下载要发布的候选版本到本地环境
+## 下载候选版本
+`release_version` 为即将发布的版本号,比如 1.4.0;`rc_version` 为 Releae Candidate,比如
RC0,RC1...;KEY_ID 是你创建的 GPG Key ID.
```shell
svn co
https://dist.apache.org/repos/dist/dev/inlong/${release_version}-${rc_version}/
```
-## 验证上传的版本是否合规
-> 开始验证环节,验证包含但不局限于以下内容和形式
+## 验证版本
### 查看发布包是否完整
-> 上传到 dist 的包必须包含源码包,二进制包可选
+- 是否包含源码包
+- 是否包含源码包的签名和 sha512
+- 如果上传了二进制包,则同样检查的签名和 sha512
-1. 是否包含源码包
-2. 是否包含源码包的签名
-3. 是否包含源码包的 sha512
-4. 如果上传了二进制包,则同样检查(2)-(4)所列的内容
-
-### 检查 gpg 签名
- - 导入公钥
- ```shell
- curl https://downloads.apache.org/inlong/KEYS > KEYS # 下载KEYS
- gpg --import KEYS # 导入KEYS到本地
- ```
- - 信任公钥
- > 信任此次版本所使用的KEY
- ```shell
- gpg --edit-key xxxxxxxxxx #此次版本所使用的KEY
- gpg (GnuPG) 2.2.21; Copyright (C) 2020 Free Software Foundation, Inc.
- This is free software: you are free to change and redistribute it.
- There is NO WARRANTY, to the extent permitted by law.
-
- Secret key is available.
-
- sec rsa4096/5EF3A66D57EC647A
- created: 2020-05-19 expires: never usage: SC
- trust: ultimate validity: ultimate
- ssb rsa4096/17628566FEED6AF7
- created: 2020-05-19 expires: never usage: E
- [ultimate] (1). Guangxu Cheng <[email protected]>
-
- gpg> trust #信任
- sec rsa4096/5EF3A66D57EC647A
- created: 2020-05-19 expires: never usage: SC
- trust: ultimate validity: ultimate
- ssb rsa4096/17628566FEED6AF7
- created: 2020-05-19 expires: never usage: E
- [ultimate] (1). Guangxu Cheng <[email protected]>
-
- Please decide how far you trust this user to correctly verify other users'
keys
- (by looking at passports, checking fingerprints from different sources,
etc.)
-
- 1 = I don't know or won't say
- 2 = I do NOT trust
- 3 = I trust marginally
- 4 = I trust fully
- 5 = I trust ultimately
- m = back to the main menu
-
- Your decision? 5 #选择5
- Do you really want to set this key to ultimate trust? (y/N) y #选择y
-
- sec rsa4096/5EF3A66D57EC647A
- created: 2020-05-19 expires: never usage: SC
- trust: ultimate validity: ultimate
- ssb rsa4096/17628566FEED6AF7
- created: 2020-05-19 expires: never usage: E
- [ultimate] (1). Guangxu Cheng <[email protected]>
-
- gpg>
-
- sec rsa4096/5EF3A66D57EC647A
- created: 2020-05-19 expires: never usage: SC
- trust: ultimate validity: ultimate
- ssb rsa4096/17628566FEED6AF7
- created: 2020-05-19 expires: never usage: E
- [ultimate] (1). Guangxu Cheng <[email protected]>
- ```
- - 使用如下命令检查签名
- ```shell
- for i in *.tar.gz; do echo $i; gpg --verify $i.asc $i ; done
- #或者
- gpg --verify apache-inlong-${release_version}-src.tar.gz.asc
apache-inlong-${release_version}-src.tar.gz
- # 如果上传二进制包,则同样需要检查二进制包的签名是否正确
- gpg --verify apache-inlong-server-${release_version}-bin.tar.gz.asc
apache-inlong-server-${release_version}-bin.tar.gz
- gpg --verify apache-inlong-client-${release_version}-bin.tar.gz.asc
apache-inlong-client-${release_version}-bin.tar.gz
+### 检查 GPG 签名
+- 导入公钥
+```shell
+# 下载KEYS
+curl https://downloads.apache.org/inlong/KEYS > KEYS
+# 导入KEYS到本地
+gpg --import KEYS
```
- - 检查结果
- > 出现类似以下内容则说明签名正确,关键字:**`Good signature`**
+
+- 信任公钥
+替换 `THE_KEY_USED` 为此次版本所使用的 KEY。
```shell
-apache-inlong-1.3.0-src.tar.gz
-gpg: Signature made Sat May 30 11:45:01 2020 CST
-gpg: using RSA key 9B12C2228BDFF4F4CFE849445EF3A66D57EC647A
-gpg: Good signature from "Guangxu Cheng <[email protected]>" [ultimate]gular2
+# 执行后依次输入 trust -> 5(I trust ultimately) -> Y(Yes) -> quit
+gpg --edit-key THE_KEY_USED
```
-### 检查 sha512 哈希
-> 本地计算 sha512 哈希后,验证是否与 dist 上的一致
+- 使用如下命令检查签名
```shell
-for i in *.tar.gz; do echo $i; gpg --print-md SHA512 $i; done
-#或者
-gpg --print-md SHA512 apache-inlong-${release_version}-src.tar.gz
-# 如果上传二进制包,则同样需要检查二进制包的sha512哈希
-gpg --print-md SHA512 apache-inlong-server-${release_version}-bin.tar.gz
-gpg --print-md SHA512 apache-inlong-client-${release_version}-bin.tar.gz
-# 或者
-for i in *.tar.gz.sha512; do echo $i; sha512sum -c $i; done
+cd ${release_version}-${rc_version}
+for i in *.tar.gz; do echo $i; gpg --verify $i.asc $i ; done
```
-### 检查源码包的文件内容
+:::note
+如果出现 **`Good signature`** 关键字,则说明签名正确。
+:::
- 解压缩 `apache-inlong-${release_version}-src.tar.gz`,进行如下检查:
+### 检查源码包的文件内容
+解压缩 `apache-inlong-${release_version}-src.tar.gz`,进行如下检查:
+- LICENSE and NOTICE 文件是否存在及内容是否正确
+- 所有文件是否带有 ASF License 头
+- 源码是否能够正常编译
+- 单测是否能够跑通
- - LICENSE and NOTICE 文件是否存在及内容是否正确
- - 所有文件是否带有 ASF License 头
- - 源码是否能够正常编译
- - 单测是否能够跑通
- - ....
-
- 注意事项:
- 在实践过程中,发现比较多的困扰问题影响到我们的版本验证,如下处理供参考:
- - 校验版本前先清理掉本地仓库;
- - 编译方法不限制,但由于项目里的模块做了 docker 化处理,首次编译建议先 “mvn clean package
install”,其他推荐的操作还有 “mvn compile”,“mvn clean package”;
- - 执行单元测试时,大家要用 “mvn clean test” 单独运行,确保没有隐藏问题。
+:::note
+可以通过 `mvn clean package install` 检查编译和单测,如果编译失败,先清理掉本地仓库。
+:::
### 检查二进制包
- 解压缩 `apache-inlong-client-${release_version}-src.tar.gz` 和 `
- apache-inlong-server-${release_version}-src.tar.gz`,进行如下检查:
- - LICENSE and NOTICE 文件是否存在及内容是否正确
- - 能否正常部署成功
- - 部署测试环境、验证生产消费能否正常运行
- - 验证你认为可能会出问题的地方
- - ....
\ No newline at end of file
+解压缩 `apache-inlong-${release_version}-bin.tar.gz` 和
`apache-inlong-${release_version}-sort-connectors.tar.gz`,进行如下检查:
+- LICENSE and NOTICE 文件是否存在及内容是否正确
+- 能否正常部署成功
+- 部署测试环境、验证生产消费能否正常运行
+- 验证你认为可能会出问题的地方
+
+## 回复邮件
+如果验证通过,可参考以下模板进行邮件回复。
+```shell
++1 from me, and I checked the following items:
+- [X] Download links are valid.
+- [X] Checksums and PGP signatures are valid.
+- [X] Source code artifacts have correct names matching the current release.
+- [X] LICENSE and NOTICE files are correct for the repository.
+- [X] All files have license headers if necessary.
+- [X] No compiled archives bundled in the source archive.
+- [X] Building is OK.
+```
\ No newline at end of file
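Review bot: The added introduction line misspells "Release" as `Releae Candidate`, and the added bullet `如果上传了二进制包,则同样检查的签名和 sha512` is missing its object before `的` (for example `同样检查其签名和 sha512`). As in the English file, this hunk removes the `### 检查 sha512 哈希` commands while the reply template still states `Checksums and PGP signatures are valid`, so a checksum step such as the removed `sha512sum -c` loop should stay here too. The placeholder mismatch between `KEY_ID` in the introduction and `THE_KEY_USED` in the trust step also applies, and the new file still ends without a trailing newline.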