- signatures and checksums match - source builds - apache rat passes +1
Below are the linux commands I used to verify the release of the cayenne-4.0.M4 files: ============================================= wget https://dist.apache.org/repos/dist/dev/cayenne/4.0.M4/cayenne-4.0.M4-macosx.dmg wget https://dist.apache.org/repos/dist/dev/cayenne/4.0.M4/cayenne-4.0.M4-macosx.dmg.asc wget https://dist.apache.org/repos/dist/dev/cayenne/4.0.M4/cayenne-4.0.M4-macosx.dmg.md5 wget https://dist.apache.org/repos/dist/dev/cayenne/4.0.M4/cayenne-4.0.M4-src.tar.gz wget https://dist.apache.org/repos/dist/dev/cayenne/4.0.M4/cayenne-4.0.M4-src.tar.gz.asc wget https://dist.apache.org/repos/dist/dev/cayenne/4.0.M4/cayenne-4.0.M4-src.tar.gz.md5 wget https://dist.apache.org/repos/dist/dev/cayenne/4.0.M4/cayenne-4.0.M4-win.zip wget https://dist.apache.org/repos/dist/dev/cayenne/4.0.M4/cayenne-4.0.M4-win.zip.asc wget https://dist.apache.org/repos/dist/dev/cayenne/4.0.M4/cayenne-4.0.M4-win.zip.md5 wget https://dist.apache.org/repos/dist/dev/cayenne/4.0.M4/cayenne-4.0.M4.tar.gz wget https://dist.apache.org/repos/dist/dev/cayenne/4.0.M4/cayenne-4.0.M4.tar.gz.asc wget https://dist.apache.org/repos/dist/dev/cayenne/4.0.M4/cayenne-4.0.M4.tar.gz.md5 # check checksums ## made with gpg --print-md MD5 cayenne-X.X.tar.gz cat *.md5 | tr -d ' ' | awk 'BEGIN{OFS=" "; FS=":"} {tmp=$1;$1=$2;$2=tmp;print}' | md5sum -c # check signatures wget http://www.apache.org/dist/cayenne/KEYS gpg --import KEYS find . -name '*.asc' -exec gpg --verify {} \; # verify .tar.gz and -win.zip files are identical -- flawed process due to platform building differences mkdir src cd src tar xvf ../cayenne-4.0.M4.tar.gz mv cayenne-4.0.M4/ cayenne-4.0.M4-tar-gz unzip ../cayenne-4.0.M4-win.zip # should be no output # but windows and tar package are built with different java versions. ## differences in jars, pdfs, html resources, css, html, package-info between tar.gz and zip(win) diff -rq cayenne-4.0.M4* | grep -v "jar differ" | grep -v "html differ" | grep -v "pdf differ" | grep -v ".css differ" # should be "are identical" output diff -srq cayenne-4.0.M4* | grep -v "jar differ" | grep -v "html differ" | grep -v "pdf differ" | grep -v ".css differ" | grep -v "are identical" # unpack source tar xvzf ../cayenne-4.0.M4-src.tar.gz # build source cd cayenne-4.0.M4-src mvn install ## mvn apache-rat currently unused for cayenne # manually verify that there are no unknown or unapproved licensed files ./rat.sh ../../../../java/apache-rat-0.11/apache-rat-0.11.jar ##mvn apache-rat:check # To check for all errors, if more than one project is affected # mvn apache-rat:check -Drat.numUnapprovedLicenses=9999 # To see details of rat failure # mvn -e -X apache-rat:check On Tue, Dec 6, 2016 at 10:26 AM, Savva Kolbachev <[email protected]> wrote: > Hi All, > I'm glad to tell you that I've prepared 4.0.M4 artifacts for voting. > > Maven artifacts: > https://repository.apache.org/content/repositories/orgapachecayenne-1011/ > Assemblies: https://dist.apache.org/repos/dist/dev/cayenne/4.0.M4/ > > Please evaluate and cast your votes. > > -- > Best Regards, > Savva Kolbachev
