On Fri, Apr 29, 2016 at 6:33 PM, Eduardo Garcia <[email protected]> wrote: > I want to vote!!!!!!! > Ok, let me know the procedure to put a Yes!!!
Eduardo, sorry for taking so long to get back to you on this. The procedure for a successful release vote is to download the build artifacts, verify that they are properly signed and and have the right checksums, make sure that the release can build from source, and then check the licenses on all of the files to insure that they either are Apache licensed or legally acknowledged properly. Below are the steps I use to check all this for MyFaces core. I wasn't able to work through these steps for the first attempt to release Trinidad 2.1.1, and I didn't have time to try to work through them for last week's release. if you were able to document what needs to be done differently from MyFaces Core for Trinidad, that would make it much easier for us to approve releases in the future (at least for me). It also doesn't hurt to make sure that Trinidad works (the demos run, your own applications run) but that's not a legal requirement for us to have a release. Thanks for offering to help! Below are the linux commands I used to verify the release of the myfaces-core-assembly-2.2.9-src files. The idea is to be able to do all of this without much more work than copying & pasting and verifying that the output is correct through the process. -Mike ============================================= wget https://repository.apache.org/content/repositories/orgapachemyfaces-1057/org/apache/myfaces/core/myfaces-core-assembly/2.2.9/myfaces-core-assembly-2.2.9-src.tar.gz wget https://repository.apache.org/content/repositories/orgapachemyfaces-1057/org/apache/myfaces/core/myfaces-core-assembly/2.2.9/myfaces-core-assembly-2.2.9-src.tar.gz.asc wget https://repository.apache.org/content/repositories/orgapachemyfaces-1057/org/apache/myfaces/core/myfaces-core-assembly/2.2.9/myfaces-core-assembly-2.2.9-src.tar.gz.md5 wget https://repository.apache.org/content/repositories/orgapachemyfaces-1057/org/apache/myfaces/core/myfaces-core-assembly/2.2.9/myfaces-core-assembly-2.2.9-src.tar.gz.sha1 wget https://repository.apache.org/content/repositories/orgapachemyfaces-1057/org/apache/myfaces/core/myfaces-core-assembly/2.2.9/myfaces-core-assembly-2.2.9-src.zip wget https://repository.apache.org/content/repositories/orgapachemyfaces-1057/org/apache/myfaces/core/myfaces-core-assembly/2.2.9/myfaces-core-assembly-2.2.9-src.zip.asc wget https://repository.apache.org/content/repositories/orgapachemyfaces-1057/org/apache/myfaces/core/myfaces-core-assembly/2.2.9/myfaces-core-assembly-2.2.9-src.zip.md5 wget https://repository.apache.org/content/repositories/orgapachemyfaces-1057/org/apache/myfaces/core/myfaces-core-assembly/2.2.9/myfaces-core-assembly-2.2.9-src.zip.sha1 # check checksums find . -name '*.md5' -exec cat {} \; -printf ' %f\n' | sed 's|\.md5$||' | md5sum -c find . -name '*.sha1' -exec cat {} \; -printf ' %f\n' | sed 's|\.sha1$||' | sha1sum -c # check signatures wget http://www.apache.org/dist/myfaces/KEYS gpg --import KEYS find . -name '*.asc' -exec gpg --verify {} \; # verify tar.gz and zip sources are identical mkdir src cd src tar xvf ../myfaces-core-assembly-2.2.9-src.tar.gz mv myfaces-core-2.2.9-src/ myfaces-core-2.2.9-src-tar-gz unzip ../myfaces-core-assembly-2.2.9-src.zip # should be no output diff -rq myfaces-core-2.2.9-src* # should be "are identical" output diff -srq myfaces-core-2.2.9-src* # build source cd myfaces-core-2.2.9-src/src find \( -name '*.jar' -o -name '*.zip' \) -exec unzip -n {} \; cd myfaces-core-module-2.2.9/ mvn install mvn apache-rat:check # To check for all errors, if more than one project is affected # mvn apache-rat:check -Drat.numUnapprovedLicenses=9999 # To see details of rat failure, including location of rat report # mvn -e -X apache-rat:check
