snazy commented on code in PR #2824:
URL: https://github.com/apache/polaris/pull/2824#discussion_r2549205465


##########
site/content/release-verify.md:
##########
@@ -0,0 +1,252 @@
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied.  See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+
+# Release Verification Guide
+
+**Audience**: Committers and interested contributors.
+
+This guide walks you through the process of **verifying** a staged Apache 
Polaris release candidate.
+
+Verifying a (staged) release of an Apache project has to follow a bunch of 
tasks, which can be
+grouped into tasks that can be automated and those that need human 
intervention.
+Polaris provides a tool to automate the tasks that can be automated.
+
+Tasks that are automated:
+* Checksums and PGP signatures are valid.
+* All expected artifacts are present.
+* Source code artifacts have correct names matching the current release.
+* Built artifacts are [reproducible](#reproducible-builds).
+* Build passes.
+* `DISCLAIMER`, `LICENSE` and `NOTICE` files are included.
+* main and sources jar artifacts contain `META-INF/LICENSE` and 
`META-INF/NOTICE` files.
+* main distribution artifacts contain `DISCLAIMER`, `LICENSE` and `NOTICE` 
files in the top-level directory.
+
+Tasks that need human intervention:
+* Download links are valid. Check all links in the `[VOTE]` email for the 
release:
+    * Tag on the GitHub website
+    * Commit on the GitHub website
+    * SVN repository with the source tarball and binary release artifacts
+    * SVN repository with the Helm chart
+    * Link to the KEYS file (_MUST_ be equal to 
`https://downloads.apache.org/incubator/polaris/KEYS`)
+    * Maven staging repository
+* `DISCLAIMER`, `LICENSE` and `NOTICE` files are correct for the repository.
+* Contents of jar artifacts `META-INF/LICENSE` and `META-INF/NOTICE` files are 
correct.
+* All files have license headers if necessary.
+  This is (mostly) verified using the "rat" tool during builds/CI.
+* No disallowed binary artifacts are bundled in the source archive.
+  This is a (soft) requirement to be held true by committers.   
+
+**Imply good intent!**
+Although the release manager is responsible for producing a "proper" release, 
mistakes can and will happen.
+The Polaris project is committed to providing reproducible builds as an 
essential building block of
+_Apache trusted releases_.
+The project depends on frameworks which also strive to provide reproducible 
builds, but not all
+these frameworks can provide fully reproducible builds yet.
+The Polaris project's release verification tool will therefore report some 
issues that are currently expected.
+See [below](#reproducible-builds) for details.
+
+# Verifying a release candidate
+
+Instead of performing all mentioned steps manually, you can leverage the script
+`tools/verify-release/verify-release.sh` available in the main repository to 
perform the
+automatable tasks.
+
+Always run the most recent version of the script using the following command:
+```bash
+bash <(curl \
+  -s 
https://raw.githubusercontent.com/apache/polaris/refs/heads/main/tools/verify-release/verify-release.sh)
 \
+  --help
+```
+
+The tool is intended for Polaris versions 1.3 and newer.
+The tool may report issues, see [below](#reproducible-builds) for details.
+
+That script requires a couple of tools installed and will check that those are 
available
+and report those that need to be installed.
+
+To run the script, you need the following pieces of information:
+* The *full* Git SHA of the corresponding source commit.
+* The version number of the release, something like `1.3.0`
+* The RC number of the release, for example `1` or `2`
+* The Maven staging repository ID, for example `1033` (the full number at the 
end of the Maven repository URL 
`https://repository.apache.org/content/repositories/orgapachepolaris-1033/`).
+
+Example (values taken from the 1.2.0-rc2 release)
+```bash
+bash <(curl \
+  -s 
https://raw.githubusercontent.com/apache/polaris/refs/heads/main/tools/verify-release/verify-release.sh)
 \
+  --git-sha 354a5ef6b337bf690b7a12fefe2c984e2139b029 \
+  --version 1.2.0 \
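
Review bot: Both command blocks (the `--help` call and the 1.2.0-rc2 example) feed `refs/heads/main/tools/verify-release/verify-release.sh` straight into `bash <(curl -s ...)`, so the tool that checks the checksums and PGP signatures is itself fetched unverified from a mutable branch and run without being inspected. With `-s` and no `-f`, a failed download also hands whatever body the server returned to bash. Consider documenting a two-step form instead: download with `curl -fsSL -o verify-release.sh <url>`, let the verifier read it (or run it from a local checkout of the repository), then `bash verify-release.sh ...`. Separately, the example uses values from 1.2.0-rc2 while the text above says the tool is intended for Polaris 1.3 and newer; a sentence saying whether the example is expected to pass as written would avoid confusion.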

Review Comment:
   Agree. Updated the script to accept `9.8.7-incubating-rc42`.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
