This is an automated email from the ASF dual-hosted git repository.

guanmingchiu pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/mahout.git


The following commit(s) were added to refs/heads/main by this push:
     new 493fc2dfe Fix license format for ATR (#988)
493fc2dfe is described below

commit 493fc2dfee0a4a4e785131e7a435f7661d1982ff
Author: Guan-Ming (Wesley) Chiu <[email protected]>
AuthorDate: Fri Jan 30 12:13:33 2026 +0800

    Fix license format for ATR (#988)
    
    * Fix license format for ATR
    
    * Add GM pub key
    
    * Update keys and release.md
    
    * Update keys and release.md
---
 KEYS           | 59 +++++++++++++++++++++++++++++++++++++
 NOTICE         | 10 +++----
 dev/release.md | 91 +++++++++++++++++++++++++++++++++++++++++++++++-----------
 pyproject.toml | 15 ++++++++++
 4 files changed, 152 insertions(+), 23 deletions(-)

diff --git a/KEYS b/KEYS
index 42df2fc51..081ef250a 100644
--- a/KEYS
+++ b/KEYS
@@ -1057,3 +1057,62 @@ 
PHraaqAHSrNEqbU9ltQnqpWEkEsRrmfRBW7qGQE8mnH/ZYaReBiEZBF8MlmWYy2L
 AiZZrGqxvdbcWRTb4qNR0N2fIbeiY5M=
 =0+dF
 -----END PGP PUBLIC KEY BLOCK-----
+pub   rsa4096 2026-01-30 [SC]
+      E73859CA7D4F3A59DC897E70D85FCCC629285CCC
+uid           [ultimate] Guan-Ming Chiu <[email protected]>
+sig 3        D85FCCC629285CCC 2026-01-30  Guan-Ming Chiu 
<[email protected]>
+sub   rsa4096 2026-01-30 [E]
+sig          D85FCCC629285CCC 2026-01-30  Guan-Ming Chiu 
<[email protected]>
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+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+=6SCE
+-----END PGP PUBLIC KEY BLOCK-----
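Review bot: the new key entry `pub   rsa4096 2026-01-30 [SC]` carries no `[expires: ...]` annotation and its only signature is the self-signature `sig 3        D85FCCC629285CCC`, so anyone verifying a Mahout artifact has no trust path to this key beyond the KEYS file itself. Consider setting an expiration on the key (it can be extended later without changing the fingerprint) and having one or more existing Mahout release managers sign it, then re-run the `gpg --list-sigs` / `gpg --armor --export` pair so the cross-signatures land in KEYS as well.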
diff --git a/NOTICE b/NOTICE
index a44bb3a8c..7018a3bab 100644
--- a/NOTICE
+++ b/NOTICE
@@ -1,7 +1,5 @@
-==============================================================
- Apache Mahout
- Copyright 2009-2026 The Apache Software Foundation
-==============================================================
+Apache Mahout
+Copyright 2009-2026 The Apache Software Foundation
 
-This product includes software developed by
-The Apache Software Foundation (http://www.apache.org/).
+This product includes software developed at
+The Apache Software Foundation (https://www.apache.org/).
diff --git a/dev/release.md b/dev/release.md
index 2ecdf9bff..825c91612 100644
--- a/dev/release.md
+++ b/dev/release.md
@@ -9,6 +9,46 @@ This document describes the process for releasing `qumat` and 
`qumat-qdp`. The p
 
 -   **ASF Account**: Required for PMC members to log in to the ATR platform.
 -   **PyPI Account**: Required for uploading RCs for community testing.
+-   **GPG Key**: Required for signing release artifacts. See [GPG Key 
Setup](#gpg-key-setup) below.
+
+### GPG Key Setup
+
+If you don't have a GPG key yet, generate one:
+
+```bash
+# Generate a 4096-bit RSA key (use your Apache email)
+gpg --full-generate-key
+# Select: RSA and RSA, 4096 bits, your_name <[email protected]>
+
+# Find your key ID
+gpg --list-secret-keys --keyid-format SHORT
+# Example output: rsa4096/8EEFC01F
+
+# Upload your public key to a key server
+gpg --keyserver keys.openpgp.org --send-keys <YOUR_KEY_ID>
+
+# Append your public key to the project KEYS file
+(gpg --list-sigs <YOUR_KEY_ID> && gpg --armor --export <YOUR_KEY_ID>) >> KEYS
+```
+
+### PyPI Token Setup
+
+**Important:** Store your `.pypirc` in your **home directory** (`~/.pypirc`), 
**never** in the project directory — it can accidentally be included in source 
distributions.
+
+```bash
+# Create ~/.pypirc (not in the project directory!)
+cat > ~/.pypirc << 'EOF'
+[testpypi]
+username = __token__
+password = pypi-xxxxx
+
+[pypi]
+username = __token__
+password = pypi-xxxxx
+EOF
+
+chmod 600 ~/.pypirc
+```
 
 ---
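Review bot: `gpg --list-secret-keys --keyid-format SHORT` (and the `rsa4096/8EEFC01F` example) hands the release manager an 8-hex short key ID, which is cheap to collide; use `--keyid-format LONG` or, better, the full 40-hex fingerprint for `--send-keys` and `--export`, as the KEYS entry added in this same commit already does. Two further points in this hunk: the key generation step says nothing about choosing an expiration date, and keys.openpgp.org does not publish the user ID of an uploaded key until the address has been verified by email, so the release manager should expect that extra step. In the `.pypirc` block, the two `password = pypi-xxxxx` placeholders should be distinct project-scoped tokens (TestPyPI and PyPI are separate accounts with separate tokens), and twine's documented `.pypirc` format lists the repositories in a `[distutils]` `index-servers` entry; without it, check that `twine upload --repository testpypi` actually picks up the `[testpypi]` section rather than prompting for credentials.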
 
@@ -102,27 +142,44 @@ uv tool run maturin build --release --interpreter 
python3.12
 -   `dist/qumat-0.5.0rc1.tar.gz`
 -   `qdp/target/wheels/qumat_qdp-0.1.0rc1-cp3XX-*.whl`
 
-### 1.3 Upload to PyPI (RC Version)
+### 1.3 Sign and Hash Artifacts
 
-**Configure `.pypirc`:**
-Create a `.pypirc` file with your API token (from 
https://pypi.org/manage/account/token/):
-```ini
-[testpypi]
-username = __token__
-password = pypi-xxxxx
+Sign each artifact with your GPG key and generate SHA-512 checksums:
 
-[pypi]
-username = __token__
-password = pypi-xxxxx
+```bash
+# Sign and hash Qumat artifacts
+cd dist
+for f in qumat-0.5.0rc1*; do
+  gpg --armor --detach-sign "$f"
+  sha512sum "$f" > "$f.sha512"
+done
+
+# Sign and hash Qumat-QDP wheels
+cd ../qdp/target/wheels
+for f in qumat_qdp-0.1.0rc1-*.whl; do
+  gpg --armor --detach-sign "$f"
+  sha512sum "$f" > "$f.sha512"
+done
+```
+
+This produces `.asc` (GPG signature) and `.sha512` (checksum) files for each 
artifact. These are required by ATR for release validation.
+
+**Verify signatures locally:**
+```bash
+gpg --verify qumat-0.5.0rc1.tar.gz.asc qumat-0.5.0rc1.tar.gz
 ```
 
+### 1.4 Upload to PyPI (RC Version)
+
+Ensure `~/.pypirc` is configured (see [PyPI Token Setup](#pypi-token-setup)).
+
 **Upload to TestPyPI first (recommended):**
 ```bash
 # Upload Qumat
-uv tool run twine upload --repository testpypi --config-file .pypirc dist/*
+uv tool run twine upload --repository testpypi --config-file ~/.pypirc dist/*
 
 # Upload Qumat-QDP
-uv tool run twine upload --repository testpypi --config-file .pypirc 
qdp/target/wheels/qumat_qdp-<version>-cp31{0,1,2}-*.whl
+uv tool run twine upload --repository testpypi --config-file ~/.pypirc 
qdp/target/wheels/qumat_qdp-<version>-cp31{0,1,2}-*.whl
 ```
 
 **Test install from TestPyPI:**
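Review bot: the signing loops write `.asc` and `.sha512` files into `dist/` and `qdp/target/wheels/`, but the upload commands in 1.4 still push `dist/*`, which now sweeps those files up too; twine does not accept a `.sha512` file as a distribution, so narrow the glob to `dist/*.tar.gz dist/*.whl` (the `cp31{0,1,2}-*.whl` pattern used for qdp already excludes them). The loop glob `qumat-0.5.0rc1*` has the same problem on a second run of 1.3: it then matches the `.asc` and `.sha512` files produced the first time, yielding `.asc.asc` and `.sha512.sha512` plus an overwrite prompt from gpg; match `qumat-0.5.0rc1*.tar.gz` and `qumat-0.5.0rc1*.whl` instead. Finally, the local verification step only runs `gpg --verify`; add `sha512sum -c qumat-0.5.0rc1.tar.gz.sha512` so the checksum file ATR consumes is exercised as well.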
@@ -139,15 +196,15 @@ pytest testing/
 **Upload to PyPI:**
 ```bash
 # Upload Qumat
-uv tool run twine upload --repository pypi --config-file .pypirc dist/*
+uv tool run twine upload --repository pypi --config-file ~/.pypirc dist/*
 
 # Upload Qumat-QDP (exclude Python versions outside requires-python)
-uv tool run twine upload --repository pypi --config-file .pypirc 
qdp/target/wheels/qumat_qdp-<version>-cp31{0,1,2}-*.whl
+uv tool run twine upload --repository pypi --config-file ~/.pypirc 
qdp/target/wheels/qumat_qdp-<version>-cp31{0,1,2}-*.whl
 ```
 
 *Note: This makes the RC available on PyPI for testing with `pip install --pre 
qumat==0.5.0rc1`.*
 
-### 1.4 Open Testing Issue
+### 1.5 Open Testing Issue
 Use the script to generate the RC testing issue:
 
 ```bash
@@ -166,7 +223,7 @@ The script generates an issue with:
 -   All PRs from the milestone with checkboxes
 -   Contributor mentions for testing
 
-### 1.5 Community Testing & Closure
+### 1.6 Community Testing & Closure
 -   Allow a testing interval (e.g., 3-5 days).
 -   If critical bugs are found: Fix them, increment the RC number (e.g., RC2), 
and repeat from Step 1.2.
 -   Once the community is satisfied and the issue shows positive feedback, 
close the issue and proceed to Phase 2.
@@ -184,7 +241,7 @@ This phase is executed by a PMC member or Release Manager 
using the ATR platform
 4.  Upload the **source tarballs** from Phase 1.2:
     -   `qumat/dist/qumat-1.0.0.tar.gz`
     -   `qdp/qdp-python/target/wheels/qumat_qdp-1.0.0.tar.gz`
-    -   ATR will handle GPG signing and generate checksums (SHA256/SHA512).
+    -   You must sign artifacts and generate checksums yourself before 
uploading (see [Step 1.3](#13-sign-and-hash-artifacts)).
 
 ### 2.2 Verify Release
 Check the "Release Candidates" section in ATR to ensure:
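Review bot: the new bullet sends the reader to Step 1.3 to sign the artifacts listed in 2.1, but 1.3 only signs `dist/qumat-0.5.0rc1*` and the `qumat_qdp-*.whl` wheels, never a `qumat_qdp-*.tar.gz`, and it works in `qdp/target/wheels/` while this list points at `qdp/qdp-python/target/wheels/`. Either add the qdp source tarball to the signing loop in 1.3 with the path reconciled, or state here that it must be signed and hashed separately before upload; the `1.0.0` versions in this list against `0.5.0rc1`/`0.1.0rc1` in 1.3 also want aligning so the two steps describe the same files.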
diff --git a/pyproject.toml b/pyproject.toml
index 51d9a89b7..d7c04897f 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,3 +1,18 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 [project]
 name = "qumat"
 version = "0.5.0.dev0"
