Skip to content

Commit

Permalink
Update validate-release.md with non-interactive mode (#189)
Browse files Browse the repository at this point in the history
  • Loading branch information
imbajin authored Feb 10, 2023
1 parent 97b7948 commit 348d2aa
Show file tree
Hide file tree
Showing 2 changed files with 28 additions and 15 deletions.
21 changes: 14 additions & 7 deletions content/cn/docs/contribution-guidelines/validate-release.md
Original file line number Diff line number Diff line change
Expand Up @@ -56,19 +56,25 @@ gpg --import KEYS

# 导入后可以看到如下输出, 这代表导入了 3 个用户公钥
gpg: /home/ubuntu/.gnupg/trustdb.gpg: trustdb created
gpg: key B78B058CC255F6DC: public key "Imba Jin (apache mail) <jin@apache.org>" imported
gpg: key BA7E78F8A81A885E: public key "imbajin (apache mail) <jin@apache.org>" imported
gpg: key 818108E7924549CC: public key "vaughn <vaughn@apache.org>" imported
gpg: key 28DCAED849C4180E: public key "coderzc (CODE SIGNING KEY) <zhaocong@apache.org>" imported
gpg: Total number processed: 3
gpg: imported: 3

# 2. 信任发版用户 (这里需要信任 3 个, 对 Imba Jin, vaughn, coderzc 依次执行相同操作)
gpg --edit-key Imba Jin # 以第一个为例, 进入交互模式
# 2. 信任发版用户 (你需要信任 n 个邮件里提到的 gpg 用户名, >1则依次执行相同操作)
gpg --edit-key $USER # 这里填写具体用户名或者公钥串, 回车进入交互模式
gpg> trust
...输出选项..
Your decision? 5 #选择5
Do you really want to set this key to ultimate trust? (y/N) y #选择y, 然后 q 退出信任下一个用户
Your decision? 5 # 选择5
Do you really want to set this key to ultimate trust? (y/N) y # 选择y, 然后 q 退出信任下一个用户

# (可选) 你也可以直接使用非交互模式的如下命令:
echo -e "5\ny\n" | gpg --batch --command-fd 0 --edit-key $USER trust
# 或者是信任所有当前导入过的 gpg 公钥 (请小心检查)
for key in $(gpg --no-tty --list-keys --with-colons | awk -F: '/^pub/ {print $5}'); do
echo -e "5\ny\n" | gpg --batch --command-fd 0 --edit-key "$key" trust
done

# 3. 检查签名(确保没有 Warning 输出, 每一个 source/binary 文件都提示 Good Signature)
#单个文件验证
Expand Down Expand Up @@ -96,8 +102,9 @@ for i in *.tar.gz; do echo $i; gpg --verify $i.asc $i ; done
3. **不存在** 缺乏 License 的二进制文件
4. 源码文件都包含标准 `ASF License` 头 (这个用插件跑一下为主)
5. 检查每个父 / 子模块的 `pom.xml` 版本号是否一致 (且符合期望)
6. 检查前 3 ~ 5 个 commit 提交,点进去看看是否修改处和源码文件一致
7. 最后,确保源码可以正常 / 正确编译 (然后看看测试和规范)
6. 最后,确保源码可以正常 / 正确编译 (然后看看测试和规范)

PMC 同学请特别注意认真检查 `LICENSE` + `NOTICE` 文件, 确保文件严格遵循了 ASF 的发版要求, 大部分的发版问题都与之相关

```bash
# 请优先使用/切换到 java 11 版本进行后序的编译和运行操作
Expand Down
22 changes: 14 additions & 8 deletions content/en/docs/contribution-guidelines/validate-release.md
Original file line number Diff line number Diff line change
Expand Up @@ -55,18 +55,25 @@ gpg --import KEYS

# After importing, you can see the following output, which means that 3 user public keys have been imported
gpg: /home/ubuntu/.gnupg/trustdb.gpg: trustdb created
gpg: key B78B058CC255F6DC: public key "Imba Jin (apache mail) <jin@apache.org>" imported
gpg: key BA7E78F8A81A885E: public key "imbajin (apache mail) <jin@apache.org>" imported
gpg: key 818108E7924549CC: public key "vaughn <vaughn@apache.org>" imported
gpg: key 28DCAED849C4180E: public key "coderzc (CODE SIGNING KEY) <zhaocong@apache.org>" imported
gpg: Total number processed: 3
gpg: imported: 3

# 2. Trust release users (here you need to trust 3 users, perform the same operation for Imba Jin, vaughn, coderzc in turn)
gpg --edit-key Imba Jin # Take the first one as an example, enter the interactive mode
# 2. Trust release users (trust n username mentioned in voting mail, if more than one user, just repeat the steps in turn or use the script below)
gpg --edit-key $USER # input the username, enter the interactive mode
gpg> trust
...output options..
Your decision? 5 #select five
Do you really want to set this key to ultimate trust? (y/N) y #slect y, then q quits trusting the next user
Your decision? 5 # select 5
Do you really want to set this key to ultimate trust? (y/N) y # slect y, then q quits trusting the next user

# (Optional) You could also use the command to trust one user in non-interactive mode:
echo -e "5\ny\n" | gpg --batch --command-fd 0 --edit-key $USER trust
# Or use the script to auto import all public gpg keys (be carefully):
for key in $(gpg --no-tty --list-keys --with-colons | awk -F: '/^pub/ {print $5}'); do
echo -e "5\ny\n" | gpg --batch --command-fd 0 --edit-key "$key" trust
done


# 3. Check the signature (make sure there is no Warning output, every source/binary file prompts Good Signature)
Expand Down Expand Up @@ -94,10 +101,9 @@ After decompressing `*hugegraph*src.tar.gz`, Do the following checks:
1. folders with `incubating`, and no **empty** files/folders
2. `LICENSE` + `NOTICE` + `DISCLAIM` file exists and the content is normal
3. **does not exist** binaries (without LICENSE)
4. The source code files all contain the standard `ASF License` header (this could be done with the Maven-MAT plugin)
4. The source code files all contain the standard `ASF License` header (this could be done with the `Maven-MAT` plugin)
5. Check whether the `pom.xml` version number of each parent/child module is consistent (and meet expectations)
6. Check the first 3 to 5 commits, click to see if the modification is consistent with the source file
7. Finally, make sure the source code works/compiles correctly
6. Finally, make sure the source code works/compiles correctly

```bash
# prefer to use/switch to java 11 for the following operations (compiling/running)
Expand Down

0 comments on commit 348d2aa

Please sign in to comment.