Dear all,

Just a reminder, please cast your vote at your earliest convenience.

To make it easier for you, I just wrote a script to verify the GPG
signature and SHA1 checksum for all 12 release jars. This script has been
tested on Mac OS Catalina and Ubuntu 18.04.

All you need to do is three steps:

1. gpg --import the-key-file   You can get my public key here:
https://gist.githubusercontent.com/jiayuasu/8b6cc263c538148490f7a090ee1dbeab/raw/09d3821e2794ddf22542f74c0db5195cf5c1ff49/gpg-public-key.gpg
2. chmod 777 verify-sedona-release.sh  to make the script runnable
3. Run the script

You will find three variables in the script if you open it. It will create
a "TMP" folder to store "1.0.0-incubator" jars from Sedona staging repo
"1006".

Please let me know if you have any questions.

Thanks,
Jia

On Thu, Jan 7, 2021 at 2:16 AM Jia Yu <ji...@apache.org> wrote:

> Hi All,
>
> After a fruitful discussion about our first Apache Sedona release
> 1.0.0-incubator, the release has been created. This is a call for vote to
> release Apache Sedona (incubating) 1.0.0.
>
> Note that: the current sha1 and checksum verification of Sedona will
> require us to manually download artifact jars, sha1, asc from
> repository.apache.org 12 times each. It is very annoying. Please let me
> know if you have any suggestions to speed up the process.
>
> Release note:
>
> https://sedona.staged.apache.org/download/GeoSpark-All-Modules-Release-notes/#sedona-100
>
> Build instructions:
> https://sedona.staged.apache.org/download/compile/
>
> Git tag:
>
> https://github.com/apache/incubator-sedona/releases/tag/sedona-1.0.0-incubator
>
> Maven staging repository (search for "sedona", 12 artifacts in total):
> https://repository.apache.org/#stagingRepositories
>
> Release Commit ID:
>
> https://github.com/apache/incubator-sedona/commit/29f897bbcaf65aa5b5b28ea4e93c6b7e783d83a6
>
> GPG public key to verify the Release:
>
> https://gist.githubusercontent.com/jiayuasu/8b6cc263c538148490f7a090ee1dbeab/raw/09d3821e2794ddf22542f74c0db5195cf5c1ff49/gpg-public-key.gpg
>
> The vote will be open for at least 72 hours or until a majority of at
> least 3 +1 PMC votes are cast
>
> Please vote accordingly:
>
> [ ] +1 approve
>
> [ ] +0 no opinion
>
> [ ] -1 disapprove with the reason
>
> Checklist for reference (because of DISCLAIMER-WIP, other checklist items
> are not blockers):
>
> [ ] Download links are valid.
>
> [ ] Checksums and PGP signatures are valid.
>
> [ ] DISCLAIMER is included.
>
> [ ] Source code artifacts have correct names matching the current release.
>
> For a detailed checklist  please refer to:
>
> https://cwiki.apache.org/confluence/display/INCUBATOR/Incubator+Release+Checklist
>
> To verify the checksum,
> 1. open https://repository.apache.org
> 2. (1) click each release jar (12 in total) to see its current SHA1 (under
> Artifact tab) (2) download .jar.sha1 to see the content of the uploaded
> sha1. These two should match.
>
> To verify the GPG key (12 in total),
> gpg --import the-key-file
> gpg --verify xxx.jar.asc xxx.jar
>
> You should see something like "gpg: Good signature from "Jia Yu (Arizona
> State University Data Systems Lab) <jia...@asu.edu>"  gpg: WARNING: This
> key is not certified with a trusted signature!"
>
> Thanks,
> Jia
>
>
#!/bin/bash
# Verify the GPG signature and SHA1 checksum of all staged Sedona release jars.
# Import the release manager's public key with "gpg --import" before running.
VERSION=1.0.0-incubator
STAGED_REPO_ID=1006
PATH_TMP=tmp
BASE_URL="https://repository.apache.org/service/local/repositories/orgapachesedona-${STAGED_REPO_ID}/content/org/apache/sedona"
FAILED=0

# -p: do not fail when the folder is left over from an earlier run
mkdir -p "${PATH_TMP}"

# Download every jar with its detached signature (.asc) and checksum (.sha1)
for MODULE in core sql viz python-adapter; do
	for COMPAT in 3.0_2.12 2.4_2.12 2.4_2.11; do
		NAME="sedona-${MODULE}-${COMPAT}"
		echo "downloading files for ${NAME}-${VERSION}"
		for EXT in jar jar.asc jar.sha1; do
			# -f: fail on an HTTP error instead of saving the error page as the artifact
			curl -f "${BASE_URL}/${NAME}/${VERSION}/${NAME}-${VERSION}.${EXT}" -o "${PATH_TMP}/${NAME}-${VERSION}.${EXT}" || FAILED=1
		done
	done
done

# Check each detached signature against its jar
for MODULE in core sql viz python-adapter; do
	for COMPAT in 3.0_2.12 2.4_2.12 2.4_2.11; do
		JAR="${PATH_TMP}/sedona-${MODULE}-${COMPAT}-${VERSION}.jar"
		echo "gpg signature verifying sedona-${MODULE}-${COMPAT}-${VERSION}.jar"
		gpg --verify "${JAR}.asc" "${JAR}" || FAILED=1
	done
done

# Compare the locally computed SHA1 with the uploaded .sha1 file
for MODULE in core sql viz python-adapter; do
	for COMPAT in 3.0_2.12 2.4_2.12 2.4_2.11; do
		JAR="${PATH_TMP}/sedona-${MODULE}-${COMPAT}-${VERSION}.jar"
		echo "sha1 checksum verifying sedona-${MODULE}-${COMPAT}-${VERSION}.jar"
		sha1_generated=$(shasum "${JAR}" | awk '{print $1}')
		sha1_downloaded=$(cat "${JAR}.sha1")
		# An empty hash means a file is missing; never report that as a match
		if [ -n "$sha1_generated" ] && [ "$sha1_generated" = "$sha1_downloaded" ]; then
			echo "Sha1 checksum match"
		else
			echo "Sha1 checksum not match"
			FAILED=1
		fi
	done
done

# Exit non-zero so a failed check cannot be overlooked in the output
if [ "$FAILED" -ne 0 ]; then
	echo "At least one download or verification step failed"
	exit 1
fi
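
Added example, not part of the original e-mail or its attached script: "Good signature" from gpg only says that some key in the local keyring signed the file, so this helper reads gpg's `--status-fd` output and accepts a jar only when the signature comes from one pinned fingerprint. The fingerprint value, the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Placeholder (assumption): replace with the release manager's fingerprint,
# obtained from a source other than the one the key file was downloaded from.
EXPECTED_FPR="0000000000000000000000000000000000000000"

# Reads "gpg --status-fd 1 --verify" output on stdin.
# Returns 0 only if a VALIDSIG line names the pinned fingerprint and no line
# reports a bad, unverifiable, expired-key or revoked-key signature.
check_gpg_status() {
	# Normalise the pin: drop spaces, upper-case the hex digits
	_want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
	awk -v want="$_want" '
		$1 != "[GNUPG:]" { next }
		$2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
		# $3 is the signing (sub)key fingerprint; the last field is the
		# primary key fingerprint when gpg reports one.
		$2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
		END { exit ((ok && !bad) ? 0 : 1) }
	'
}

# Verify one jar against its detached signature and the pinned key.
verify_pinned() {
	gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null | check_gpg_status "$EXPECTED_FPR"
}

# Constructed status output for a signature made by key $1 (not a real capture).
sample_status() {
	printf '%s\n' \
		"[GNUPG:] NEWSIG" \
		"[GNUPG:] GOODSIG 1111111111111111 Constructed Signer <signer@example.invalid>" \
		"[GNUPG:] VALIDSIG $1 2021-01-07 1610000000 0 4 0 1 8 00 $1"
}

# Self-check on the constructed sample: the pinned key passes, another key does not.
if sample_status "$EXPECTED_FPR" | check_gpg_status "$EXPECTED_FPR"; then
	echo "pinned key: accepted"
fi
if ! sample_status "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" | check_gpg_status "$EXPECTED_FPR"; then
	echo "other key: rejected"
fi
```

In the verification loop, `verify_pinned "${PATH_TMP}/sedona-core-3.0_2.12-${VERSION}.jar"` would take the place of the bare `gpg --verify` call.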
