Hi all,

I used (a modified version of) Andrea's RC verifier script, which he shared for 0.9.0 RC testing - see attached.

This passed, except for two things worth noting below:

_*gpg: WARNING: This key is not certified with a trusted signature*_

    + gpg --verify apache-brooklyn-0.10.0-rc1-src.tar.gz.asc apache-brooklyn-0.10.0-rc1-src.tar.gz
    gpg: Signature made Mon 5 Dec 08:28:23 2016 GMT using RSA key ID 59D0A896
    gpg: Good signature from "Svetoslav Neykov <[email protected]>"
    gpg: aka "Svetoslav Neykov <[email protected]>"
    gpg: aka "Svetoslav Neykov <[email protected]>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 9F9C CBDA 89B3 0F81 162C 673C 0FE9 0F00 C0DE F000
    Subkey fingerprint: BA79 6AAA 77D1 2C96 4B3A 27E1 9790 90BE 59D0 A896

Do we need to worry about that? Do I need to import more keys into my chain of trust? (Note that the script had previously executed `curl https://dist.apache.org/repos/dist/release/brooklyn/KEYS | gpg --import`).

_*`vagrant up` fails (expected!)*_

The download url in the vagrant installer file will only become valid when 0.10.0 is released. To test vagrant, we'll need to tweak the file apache-brooklyn-0.10.0-vagrant/files/install_brooklyn.sh to use the rc download url.

    ==> brooklyn: Installing Apache Brooklyn version 0.10.0 from [https://www.apache.org/dyn/closer.lua?action=download&filename=brooklyn/apache-brooklyn-0.10.0/apache-brooklyn-0.10.0-bin.tar.gz]
    ==> brooklyn: Downloading Brooklyn release archive

On 05/12/2016 12:11, Svetoslav Neykov wrote:
This thread is for discussions related to the release vote.

I should clarify what we are looking for in a release vote. Particularly, we are looking for people to download, validate, and test the release. Only if you are satisfied that the artifacts are correct and the quality is high enough, should you make a "+1" vote. Alongside your vote you should list the checks that you made. Here is a good example: http://markmail.org/message/gevsz2pdciraw6jw

The vote is not simply about "the master branch contains the features I wanted" - it is about making sure that *these* artifacts are *correct* (e.g. they are not corrupted, hashes and signatures pass) and are of *sufficiently high quality* to be stamped as an official release of The Apache Software Foundation.

Why test the artifacts when master is looking good? Here are some reasons:

- somebody could have made a commit that broke it, since you last git pulled
- the release branch could have been made at the wrong point, or inconsistently between all of the submodules
- something in the release process could have broken it
- I could have made a mistake and corrupted the files
- a problem with the Apache infrastructure could mean that the release files are unobtainable or corrupted

This is why the release manager needs you to download the actual release artifacts and try them out.

The way Apache works can be a bit arcane sometimes, but it's all done with a reason. If the vote passes then the contents of the email and its links become "endorsed" by The Apache Software Foundation, and the Foundation will take on legal liability for them, forever.

And of course we want the best possible experience for our users - so we need the actual release files to be tested manually to make sure that a mistake does not ruin the experience for users.

So if you can spare an hour or more to download some of the artifacts and try them out, then it will be *very* useful!
The vote lasts for three days so there's no need to rush to get a vote in.

Thanks!
Svet.

On 5.12.2016, at 13:52, Svetoslav Neykov <[email protected]> wrote:

This is to call for a vote for the release of Apache Brooklyn 0.10.0.

This release comprises a source code distribution, a corresponding binary distribution, and Maven artifacts.

The source and binary distributions, including signatures, digests, etc. can be found at:
https://dist.apache.org/repos/dist/dev/brooklyn/apache-brooklyn-0.10.0-rc1

The artifact SHA-256 checksums are as follows:

The Nexus staging repository for the Maven artifacts is located at:
https://repository.apache.org/content/repositories/orgapachebrooklyn-1030

All release artifacts are signed with the key with the following fingerprint:
9F9C CBDA 89B3 0F81 162C 673C 0FE9 0F00 C0DE F000

KEYS file available here:
https://dist.apache.org/repos/dist/release/brooklyn/KEYS

The artifacts were built from git commit IDs:

brooklyn: c496c5e9167f9320d08c21d5bce50f16a2325268
brooklyn-client: 0594d27aa68ac1c86e2b4672a447336042d92496
brooklyn-dist: 09a1ca89cd7d5a468438025d7f2121ec7c52ffc6
brooklyn-docs: f75d094f51c49cd5aa51e213bafc51da3d4ff01c
brooklyn-library: 1a1962382413b0e5adbfb52bb33968df265b35c5
brooklyn-server: 635068a6985edf2e5dfbb9598d8dde2890c32ad3
brooklyn-ui: a6e2e8bccfdd98b4f7155b5be86f5b85149e0f33

All of the above have been tagged as "apache-brooklyn-0.10.0-rc1"

Please vote on releasing this package as Apache Brooklyn 0.10.0.

The vote will be open for at least 72 hours.

[ ] +1 Release this package as Apache Brooklyn 0.10.0
[ ] +0 no opinion
[ ] -1 Do not release this package because ...

Thanks!
Svet.

CHECKLIST for reference

[ ] Download links work.
[ ] Binaries work.
[ ] Checksums and PGP signatures are valid.
[ ] Expanded source archive matches contents of RC tag.
[ ] Expanded source archive builds and passes tests.
[ ] LICENSE is present and correct.
[ ] NOTICE is present and correct, including copyright date.
[ ] All files have license headers where appropriate.
[ ] All dependencies have compatible licenses.
[ ] No compiled archives bundled in source archive.
[ ] I follow this project’s commits list.
verify_brooklyn_rc.sh
Description: Bourne shell script
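
Added example (not the attached verify_brooklyn_rc.sh, and not part of any message in this thread): one way an RC check can evaluate the gpg result is to require a good signature whose primary-key fingerprint equals the one announced in the vote e-mail, and to report the trust level separately. The status lines are a constructed sample modelled on the gpg output quoted in the thread; all function names, including the `verify_file` wrapper, are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: accept an RC signature only if it is cryptographically good
# AND made by the key whose primary fingerprint was announced for the vote.
# The local trust level (source of the "not certified" warning) is reported,
# not used as the pass/fail criterion.

# Fingerprint announced in the vote e-mail (spaces are stripped before comparing).
EXPECTED_FPR="9F9C CBDA 89B3 0F81 162C 673C 0FE9 0F00 C0DE F000"

# Constructed sample of `gpg --status-fd 1 --verify <sig> <file>` output,
# modelled on the human-readable output quoted in the thread.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 979090BE59D0A896 Svetoslav Neykov
[GNUPG:] VALIDSIG BA796AAA77D12C964B3A27E1979090BE59D0A896 2016-12-05 1480926503 0 4 0 1 8 00 9F9CCBDA89B30F81162C673C0FE90F00C0DEF000
[GNUPG:] TRUST_UNDEFINED 0 pgp'

normalize_fpr() { printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F'; }

# On a VALIDSIG line, field 3 is the signing (sub)key fingerprint and
# field 12 is the primary-key fingerprint. A shorter line yields "" (fails closed).
primary_fpr() { printf '%s\n' "$1" | awk '$2 == "VALIDSIG" { print $12; exit }'; }

# Trust keyword gpg reported (TRUST_UNDEFINED, TRUST_FULLY, ...); informational.
trust_level() { printf '%s\n' "$1" | awk '$2 ~ /^TRUST_/ { print $2; exit }'; }

# Returns 0 only for GOODSIG plus a matching primary-key fingerprint.
# BADSIG, EXPKEYSIG, REVKEYSIG and missing VALIDSIG all return non-zero.
signature_acceptable() {
  local status="$1" expected got
  expected="$(normalize_fpr "$2")"
  printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
  got="$(primary_fpr "$status")"
  [ -n "$got" ] && [ "$(normalize_fpr "$got")" = "$expected" ]
}

# Hypothetical wrapper for real use: check <file> against <file>.asc.
verify_file() {
  local status
  status="$(gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null)"
  signature_acceptable "$status" "$EXPECTED_FPR"
}

if signature_acceptable "$SAMPLE_STATUS" "$EXPECTED_FPR"; then
  echo "good signature from announced key (trust: $(trust_level "$SAMPLE_STATUS"))"
fi
```

The pinned fingerprint is only as good as the channel it arrived over, so it should be taken from the vote e-mail or the KEYS file fetched over HTTPS rather than from the same place as the artifact.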
