The artifacts to review are an integral part of the voting thread. Therefore I suggest you follow this small how-to:

1. build the release artifact (JAR for Java, other archive type for other languages) that has the exact same structure as the release's SCM tag; you can use the script from [0] to check this
2. sign them with your PGP key
3. provide checksums for the artifact (md5 and sha1 should be enough)
4. make sure that the binary can be built using the source code contained by the artifact from 1; if the binary relies on 3rd party dependencies provide instructions (probably in a README) on how to get them and describe their licensing; *never ever* include them directly in our artifacts if they are not provided under an Apache license, or any other compatible one [1]
5. use the check release script [2] to verify that you've properly signed the artifact
6. stage the artifact
7. start the voting thread

What I wrote here is probably just the gist of [3], which everybody at ASF should understand and obey.

Cheers,
Radu

[0] - https://svn.apache.org/repos/asf/devicemap/trunk/check_release_matches_tag.sh
[1] - http://apache.org/legal/resolved.html#category-a
[2] - https://svn.apache.org/repos/asf/devicemap/trunk/check_staged_release.sh
[3] - http://www.apache.org/dev/release.html

On Tue, 1 Sep 2015 at 14:34 Werner Keil <werner.k...@gmail.com> wrote:

> I'll probably give you a heads-up and put stuff to review before the
> actual vote.
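
Added example, not part of the original message and not the DeviceMap scripts it links to: a reviewer-side check that the md5 and sha1 checksums from step 3 match the staged artifact, whichever common sidecar format the release manager used. The sidecar names (`<artifact>.md5`, `<artifact>.sha1`) and the demo file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not the DeviceMap check_staged_release.sh script).
# Assumption: sidecars are named <artifact>.md5 and <artifact>.sha1.

# Print the digest stored in sidecar $1, expected to be $2 hex characters.
# Accepts "<hex>", "<hex>  <file>" (md5sum style) and
# "<file>: AB CD ..." (gpg --print-md style: upper case, space separated).
read_digest() {
    sed 's/^[^:]*: *//' "$1" | tr -d ' \t\r\n' | tr 'A-F' 'a-f' |
        cut -c1-"$2" | grep -E "^[0-9a-f]{$2}\$"
}

# Recompute both checksums of artifact $1 and compare them with its sidecars.
# Returns 0 only if both sidecars exist, parse and match.
verify_artifact() {
    rc=0
    for spec in md5:32:md5sum sha1:40:sha1sum; do
        ext=${spec%%:*}; tool=${spec##*:}
        len=${spec#*:}; len=${len%%:*}
        if [ ! -f "$1.$ext" ]; then
            echo "MISSING     $1.$ext"; rc=1; continue
        fi
        if ! expected=$(read_digest "$1.$ext" "$len"); then
            echo "UNPARSEABLE $1.$ext"; rc=1; continue
        fi
        actual=$("$tool" < "$1" | cut -d' ' -f1)
        if [ "$expected" = "$actual" ]; then
            echo "OK          $1.$ext"
        else
            echo "MISMATCH    $1.$ext"; rc=1
        fi
    done
    return "$rc"
}

# Constructed demo: throwaway artifact, one sidecar in each format.
demo=$(mktemp -d)
printf 'constructed release payload\n' > "$demo/demo-1.0.zip"
md5sum "$demo/demo-1.0.zip" > "$demo/demo-1.0.zip.md5"
printf 'demo-1.0.zip: %s\n' "$(sha1sum < "$demo/demo-1.0.zip" | cut -d' ' -f1 |
    tr 'a-f' 'A-F' | sed 's/..../& /g')" > "$demo/demo-1.0.zip.sha1"
verify_artifact "$demo/demo-1.0.zip"
rm -rf "$demo"
```

This covers the checksums only; the PGP signature from step 2 is verified separately with `gpg --verify` against the signer's published key.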