[ https://issues.apache.org/jira/browse/TAVERNA-936?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15191492#comment-15191492 ]

Gale Naylor commented on TAVERNA-936:
-------------------------------------

In the wiki are two release review documents. The documents are fairly complete 
and ready for review and comments.  (See links at end)

In particular, I need feedback on the minimum review requirements we are 
comfortable with. My guess based on discussions during the last release is:

        All:
          - Download at least one distribution (source-release-zip) and ensure
            it builds successfully
          - Verify checksums and signatures

        PPMC members (and others, if they want):
          - Ensure accuracy of the following:
                - Top-level LICENSE and NOTICE files
                - Source file headers ("Apache" headers)
                - Dependency licenses
                - Source archive (does not include any binary files)
                - Verify commit ID (at least one PPMC member)

One question: When we have multiple distributions, is it sufficient to download 
only one distribution for a +1 vote? Maybe PPMC members should download and 
build all, but other reviewers can download one?


Here are some other major areas needing work:

A) Check commit ID. I did not understand the notes about using the git 
repository to check the commit ID. There are lots of questions in this section 
(Details, #2)

B) I don't have a good understanding of what is meant by "Clear provenance of 
source files." How do you check it and how does it differ from checking 
licenses? (See Main, #6, and Details, #6)


And finally, other miscellaneous questions:

1) Supporting the release manager means ...? (Other than communicating that you 
are reviewing and bringing up any issues?)

2) Regarding verifying checksums: Is it the intent to make sure that all 3 
sources match? (vote email, zip file, md5 and sha1 files)

3) What files must have "incubating" in the title? Is it top-level folders and 
*.jar files only? Is there an easy way to check?

4) Regarding review of source file headers: How does a reviewer know if a file 
is really Apache-developed code, or if the header has been applied by mistake? 

5) How does "check dependency licenses" differ from "check source file 
headers?" Should we have a master list that a reviewer can refer to?

6) Checking the build produces the binaries: Compare *.jar files in target 
folders to ... what? The git repo? Example link?

LINKS:
        2016-03 Apache Taverna: How to Review a Release and Vote [AKA, Main]
        (https://cwiki.apache.org/confluence/display/TAVERNADEV/2016-03+Apache+Taverna%3A+How+to+Review+a+Release+and+Vote)

        2016-03 Apache Taverna: Detailed Instructions for Reviewing a Release [AKA, Details]
        (https://cwiki.apache.org/confluence/display/TAVERNADEV/2016-03+Apache+Taverna%3A+Detailed+Instructions+for+Reviewing+a+Release)

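The per-artifact checks from the minimum-review list and from questions 2 and 3 above, as an added example script; it is not the Taverna project's or the wiki's own tooling. It assumes each artifact ships with sibling .sha1 and .md5 files whose first field is the hex digest, that the hashes quoted in the [VOTE] email were pasted into a vote-hashes.txt file as "<sha1>  <file name>" lines, and that coreutils sha1sum/md5sum are installed.

```shell
#!/bin/sh
# Added example, not the Taverna project's own tooling: the per-artifact
# checks from the review list above. Assumes coreutils sha1sum/md5sum.
# Compare the digest in a .sha1/.md5 sidecar (first field) with a fresh one.
check_hash_file() {      # args: artifact sidecar algorithm(sha1|md5)
  expected=$(awk 'NR==1 {print tolower($1)}' "$2")
  case $3 in
    sha1) actual=$(sha1sum "$1" | awk '{print $1}') ;;
    md5)  actual=$(md5sum "$1" | awk '{print $1}') ;;
    *)    return 2 ;;
  esac
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Third source from question 2: the SHA-1 quoted in the [VOTE] email,
# assumed pasted into a file as "<sha1-hex>  <file name>" lines.
check_vote_hash() {      # args: artifact vote-hash-file
  quoted=$(awk -v n="$(basename "$1")" '$2 == n {print tolower($1)}' "$2")
  actual=$(sha1sum "$1" | awk '{print $1}')
  [ -n "$quoted" ] && [ "$quoted" = "$actual" ]
}

# Question 3: the artifact file name must carry "incubating".
check_incubating_name() {   # arg: artifact
  case $(basename "$1") in *incubating*) return 0 ;; *) return 1 ;; esac
}

# Run all checks, print PASS/FAIL per check, return 0 only if all pass.
review_artifact() {      # args: artifact vote-hash-file
  rc=0
  for chk in "check_hash_file $1 $1.sha1 sha1" \
             "check_hash_file $1 $1.md5 md5" \
             "check_vote_hash $1 $2" \
             "check_incubating_name $1"; do
    if $chk; then echo "PASS: $chk"; else echo "FAIL: $chk"; rc=1; fi
  done
  return $rc
}

# Constructed fixture so the script runs offline: a fake artifact with
# consistent sidecars and "vote email" line (prints the fixture directory).
make_fixture() {
  d=$(mktemp -d)
  f=$d/taverna-example-0.1.0-incubating-source-release.zip
  printf 'constructed sample, not a real release\n' > "$f"
  sha1sum "$f" | awk '{print $1}' > "$f.sha1"
  md5sum  "$f" | awk '{print $1}' > "$f.md5"
  printf '%s  %s\n' "$(cat "$f.sha1")" "$(basename "$f")" > "$d/vote-hashes.txt"
  echo "$d"
}
```

For a real candidate, run `review_artifact <path-to-artifact> <vote-hashes.txt>` once per distribution; a FAIL on any sidecar or vote-email digest means the three sources from question 2 do not agree. Signature checking (`gpg --verify`) against the project KEYS file is a separate step not covered here.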

> Document review process for software releases
> ---------------------------------------------
>
>                 Key: TAVERNA-936
>                 URL: https://issues.apache.org/jira/browse/TAVERNA-936
>             Project: Apache Taverna
>          Issue Type: Task
>            Reporter: Gale Naylor
>            Assignee: Gale Naylor
>            Priority: Minor
>
> Collect information from recent emails, as well as online sources, and create 
> comprehensive documentation of what to verify as well as how to verify it.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)