Verify the candidate version
For detailed check list, please refer to the official check list
1. Download the candidate version
Download the candidate version to be released to the local environment Need to rely on gpg tool, if not, it is recommended to install gpg2.
If the network is poor, downloading may be time-consuming. The download is completed normally in about 20 minutes, please wait patiently.
#If there is svn locally, you can clone to the local
$ svn co https://dist.apache.org/repos/dist/dev/incubator/streampark/${release_version}-${rc_version}/
#or download the material file directly
$ wget https://dist.apache.org/repos/dist/dev/incubator/streampark/${release_version}-${rc_version}/xxx.xxx
2. Verify that the uploaded version is compliant
Start the verification process, which includes but is not limited to the following content and forms.
2.1 Check whether the release package is complete
The package uploaded to dist must include the source code package, and the binary package is optional.
- Whether to include the source code package
- Whether to include the signature of the source code package
- Whether to include the sha512 of the source code package
- If the binary package is uploaded, also check the contents listed in (2)-(4)
2.2 Check gpg signature
First import the publisher's public key. Import KEYS from the svn repository to the local environment. (The person who releases the version does not need to import it again, the person who helps to do the verification needs to import it, and the user name is enough for the person who issued the version)
2.2.1 Import public key
$ curl https://downloads.apache.org/incubator/streampark/KEYS > KEYS # Download KEYS
$ gpg --import KEYS # Import KEYS to local
2.2.2 Trust the public key
Trust the KEY used in this version:
$ gpg --edit-key xxxxxxxxxx #KEY user used in this version
gpg (GnuPG) 2.2.21; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
gpg> trust #trust
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5 #choose 5
Do you really want to set this key to ultimate trust? (y/N) y #choose y
gpg>
2.2.3 Check the gpg signature
$ for i in *.tar.gz; do echo $i; gpg --verify $i.asc $i; done
check result
If something like the following appears, it means the signature is correct. Keyword:
Good signature
apache-streampark-xxx-incubating-src.tar.gz
gpg: Signature made XXXX
gpg: using RSA key XXXXX
gpg: Good signature from "xxx @apache.org>"
2.3 Check sha512 hash
$ for i in *.tar.gz; do echo $i; sha512sum --check $i.sha512; done
2.4 Check the binary package
unzip apache-streampark_${scala.version}-${release.version}-incubating-bin.tar.gz
# scala 2.11
tar -xzvf apache-streampark_2.11-${release.version}-incubating-bin.tar.gz
# scala 2.12
tar -xzvf apache-streampark_2.12-${release.version}-incubating-bin.tar.gz
check as follows:
- Check whether the source package contains unnecessary files, which makes the tar package too large
- Folder contains the word
incubating - There are
LICENSEandNOTICEfiles - There is a
DISCLAIMERorDISCLAIMER-WIPfile - The year in the
NOTICEfile is correct - Only text files exist, not binary files
- All files have ASF license at the beginning
- Able to compile correctly
- Check for extra files or folders, such as empty folders, etc.
- .....
2.5 Check the source package
If the binary/web-binary package is uploaded, check the binary package.
Unzip apache-streampark-${release_version}-incubating-src.tar.gz
cd apache-streampark-${release_version}-incubating-src
# execute build.sh
./build.sh
***package mode, just select mixed mode ***
[StreamPark] StreamPark supports front-end and server-side mixed / detached packaging mode, Which mode do you need ?
mixed mode
detached mode
select 1
[StreamPark] StreamPark supports Scala 2.11 and 2.12. Which version do you need ?
- 2.11
- 2.12
It takes about 8 minutes to compile once. After the compilation is completed, the dist directory will be generated under the project root path, and the final compiled project binary will be placed here, and the following checks will be made:
and check as follows:
- There are
LICENSEandNOTICEfiles - There is a
DISCLAIMERorDISCLAIMER-WIPfile - The year in the
NOTICEfile is correct - All text files have ASF license at the beginning
- Check the third-party dependent license:
- Compatible with third-party dependent licenses
- All third-party dependent licenses are named in the
LICENSEfile - If you are relying on the Apache license and there is a
NOTICEfile, then theseNOTICEfiles also need to be added to the version of theNOTICEfile - .....
You can refer to this article: ASF Third Party License Policy
3. Email reply
If you initiate a posting vote, you can refer to this response example to reply to the email after verification
When replying to the email, you must bring the information that you have checked by yourself. Simply replying to +1 approve is invalid.
When PMC votes in the dev@streampark.apache.org streampark community, Please bring the binding suffix to indicate that it has a binding vote for the vote in the streampark community, and it is convenient to count the voting results.
When IPMC votes in the general@incubator.apache.org incubator community. Please bring the binding suffix to indicate that the voting in the incubator community has a binding vote, which is convenient for counting the voting results.
If you have already voted on dev@streampark.apache.org, you can take it directly to the incubator community when you reply to the vote, such as:
//Incubator community voting, only IPMC members have binding binding,PMC needs to be aware of binding changes
Forward my +1 from dev@listreamparknkis (non-binding)
Copy my +1 from streampark DEV ML (non-binding)
Non-PMC/Non-IPMC member:
+1 (non-binding)
I checked:
1. All download links are valid
2. Checksum and signature are OK
3. LICENSE and NOTICE are exist
4. Build successfully on macOS(Big Sur)
5.
PMC/IPMC member:
//Incubator community voting, only IPMC members have binding binding
+1 (binding)
I checked:
1. All download links are valid
2. Checksum and signature are OK
3. LICENSE and NOTICE are exist
4. Build successfully on macOS(Big Sur)
5.
4. Precautions
If you have maven tools installed, you can replace ./mvnw or mvnw.cmd with your own mvn command
mvnw is short for Maven Wrapper. It can support running Maven projects without installing Maven and configuring environment variables. If it can't find it, it will download the corresponding Maven version according to the configuration file