dev, When voting on a release I attempt to verify the source packages signed by the release manager and the commit ID listed as part of the VOTE announcement.
For a long time I found the process a painful step - albeit important - that required all sorts of weird bash-fu. Anyhow, I suspect that I found a way - which some of you may already know - to do that using GIT and decided to share it here so it can be validated by others:

ASSUMPTIONS:

NiFi repo (linked to git) => /home/username/nifi
unzipped release files => /home/username/temp/nifi-release-version

PROCEDURE:

1. ensure the main repo is set to the correct commit:

   $ cd /home/username/nifi
   $ git checkout commit_id

2. change to the unzipped source directory

   $ cd /home/username/temp/nifi-release-version

3. validate the sources:

   $ git --git-dir=/home/username/nifi/.git status --short | grep -v ".gitignore$"
   ?? DEPENDENCIES

4. If you are feeling paranoid, you can further validate the command by introducing changes to a file

   $ echo AAA >> nifi-assembly/pom.xml

   and re-running the command:

   $ git --git-dir=/home/username/nifi/.git status --short | grep -v ".gitignore$"
    M nifi-assembly/pom.xml
   ?? DEPENDENCIES

5. Continue review of the release with the peace of mind offered by knowing the Release Manager has not introduced adware to the source packages. 8-D

For more information: https://git-scm.com/blog/2010/04/11/environment.html

Cheers
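As an added, runnable version of the procedure above (my own script, not code from the post or from the NiFi project): it keeps the post's GIT_DIR/GIT_WORK_TREE trick, but points git at a throwaway index (GIT_INDEX_FILE) so the main repo never has to be checked out at the release commit, filters the two differences a NiFi source package is expected to show (no .gitignore files, an added DEPENDENCIES file) and fails on anything else. It assumes a non-bare clone with a .git directory and git, mktemp and tar in PATH; the repository and files built by make_sample_release are constructed for the demo and stand in for /home/username/nifi and the unzipped package.

```shell
#!/bin/sh
# Added example, not code from the original post: verify an unpacked release
# source tree against a commit of the git repository. Same GIT_DIR/GIT_WORK_TREE
# idea as the post, plus a throwaway index (GIT_INDEX_FILE) so the repository's
# own checkout and index are never touched. Assumes a non-bare clone (a .git
# directory) and git, mktemp and tar in PATH.

# Differences a NiFi source package is expected to show (from the post):
# .gitignore files are not shipped (reported as D) and a generated DEPENDENCIES
# file is added (reported as ??). Adjust the pattern for other projects.
EXPECTED_DIFFS='^(D (.*/)?\.gitignore|\?\? DEPENDENCIES)$'

# verify_release_tree REPO COMMIT SRCDIR
# Prints every unexpected difference between SRCDIR and COMMIT in
# `git status --short` style. Returns 0 if the trees match (apart from
# EXPECTED_DIFFS), 1 if they differ, 2 on a usage error (bad repo or commit).
verify_release_tree() {
    repo=$1; commit=$2; srcdir=$3
    gitdir=$(cd "$repo" && pwd -P)/.git || return 2
    [ -d "$gitdir" ] && [ -d "$srcdir" ] || return 2
    # Resolve to a full commit id: a mistyped id must fail, not silently pass.
    full=$(git --git-dir="$gitdir" rev-parse --verify --quiet "$commit^{commit}") || return 2
    # A not-yet-existing index file in a private directory: git treats it as an
    # empty index (an existing zero-byte file would be rejected).
    tmpdir=$(mktemp -d) || return 2
    diffs=$(
        cd "$srcdir" || exit 2
        GIT_DIR=$gitdir GIT_WORK_TREE=$(pwd -P) GIT_INDEX_FILE=$tmpdir/index
        export GIT_DIR GIT_WORK_TREE GIT_INDEX_FILE
        git read-tree "$full" || exit 2   # index := the release commit's tree
        # Tracked files modified (M) or missing (D) in the unpacked tree.
        git diff --name-status "$full" -- | tr '\t' ' '
        # Files in the unpacked tree that the commit does not contain
        # (honours the same ignore rules as `git status`).
        git ls-files --others --exclude-standard | sed 's/^/?? /'
    )
    status=$?
    rm -rf "$tmpdir"
    [ "$status" -eq 0 ] || return 2
    unexpected=$(printf '%s\n' "$diffs" | grep -E -v -e '^$' -e "$EXPECTED_DIFFS" || true)
    [ -z "$unexpected" ] && return 0
    printf '%s\n' "$unexpected"
    return 1
}

# make_sample_release WORKDIR
# Builds, under WORKDIR, a throwaway repository standing in for the NiFi clone
# and an unpacked "release" of its first commit standing in for the unzipped
# source package (constructed data). Prints "REPO COMMIT SRCDIR".
make_sample_release() {
    repo=$1/repo; src=$1/release-src
    mkdir -p "$repo/nifi-assembly" "$src" || return 1
    git -C "$repo" init -q &&
    git -C "$repo" config user.email rm@example.invalid &&
    git -C "$repo" config user.name "Release Manager" || return 1
    printf 'target/\n' > "$repo/.gitignore"
    printf '<project><version>1.0.0</version></project>\n' > "$repo/nifi-assembly/pom.xml"
    printf 'Apache NiFi\n' > "$repo/README.md"
    git -C "$repo" add -A && git -C "$repo" commit -q -m "release candidate" || return 1
    release=$(git -C "$repo" rev-parse HEAD)
    # Ship the commit the way the source package does: tracked files without
    # .gitignore, plus a generated DEPENDENCIES file.
    git -C "$repo" archive "$release" | (cd "$src" && tar xf -) || return 1
    rm -f "$src/.gitignore"
    printf 'third-party notices\n' > "$src/DEPENDENCIES"
    # Move the repository on so that HEAD is no longer the release commit.
    printf 'Apache NiFi (next)\n' > "$repo/README.md"
    git -C "$repo" commit -q -am "post-release change" || return 1
    printf '%s %s %s\n' "$repo" "$release" "$src"
}

# demo: verify the pristine sample unpack, then repeat the post's paranoid
# step (append to a pom.xml) and show that the check catches it.
demo() {
    work=$(mktemp -d) || return 1
    set -- $(make_sample_release "$work")
    echo "pristine unpack against the release commit:"
    verify_release_tree "$1" "$2" "$3" && echo "  OK, trees match"
    echo "same unpack against the repo's HEAD (a later commit):"
    verify_release_tree "$1" HEAD "$3" || echo "  differences found, as expected"
    echo AAA >> "$3/nifi-assembly/pom.xml"
    echo "after tampering with nifi-assembly/pom.xml:"
    verify_release_tree "$1" "$2" "$3" || echo "  tampering detected"
    rm -rf "$work"
}

if [ $# -eq 3 ]; then
    verify_release_tree "$1" "$2" "$3"   # sh verify_release.sh REPO COMMIT SRCDIR
elif [ "$1" = --demo ]; then
    demo
fi
```

Running it as `sh verify_release.sh /home/username/nifi commit_id /home/username/temp/nifi-release-version` exits 0 only when the unpacked tree is identical to that commit, and `sh verify_release.sh --demo` builds the sample and walks through item 4. Two details matter for the check to mean something: the commit id is resolved with `rev-parse --verify` first, so a bad id is an error rather than a comparison against the wrong tree, and the index file must be one that does not exist yet, since git rejects an existing empty index file.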
