- signatures and checksums match
- source builds
- apache rat passes (after I excluded module/DEPENDENCIES)
+1
Below are the linux commands I used to verify the release of the
myfaces-core-assembly-2.1.9-src files:
=============================================
# check checksums
find . -name '*.md5' -exec cat {} \; -printf ' %f\n' | sed 's|\.md5$||' |
md5sum -c
find . -name '*.sha1' -exec cat {} \; -printf ' %f\n' | sed 's|\.sha1$||'
| sha1sum -c
# check signatures
wget http://www.apache.org/dist/myfaces/KEYS
gpg --import KEYS
find . -name '*.asc' -exec gpg --verify {} \;
# verify tar.gz and zip sources are identical
mkdir src
cd src
tar xvf ../myfaces-core-assembly-2.1.9-src.tar.gz
ls -l
mv myfaces-core-2.1.9-src/ myfaces-core-2.1.9-src-tar-gz
unzip ../myfaces-core-assembly-2.1.9-src.zip
# should be no output
diff -rq myfaces-core-2.1.9-src*
# should be "are identical" output
diff -srq myfaces-core-2.1.9-src*
# build source
cd myfaces-core-2.1.9-src/src
find \( -name '*.jar' -o -name '*.zip' \) -exec unzip -n {} \;
cd myfaces-core-module-2.1.9/
mvn install
mvn apache-rat:check
# To check for all errors, if more than one project is affected
# mvn -e -X apache-rat:check -Drat.numUnapprovedLicenses=9999
