Posted to commits@nifi.apache.org by jo...@apache.org on 2019/10/29 18:06:56 UTC

[nifi-site] branch master updated: NIFI-6377 updating release guidance to ensure the source artifact we put in dist matches the staging repo source and sig

This is an automated email from the ASF dual-hosted git repository.

joewitt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/nifi-site.git


The following commit(s) were added to refs/heads/master by this push:
     new 4fb34b6  NIFI-6377 updating release guidance to ensure the source artifact we put in dist matches the staging repo source and sig
4fb34b6 is described below

commit 4fb34b6f843d0e5e26536d564a395c491bcbfc90
Author: Joe Witt <jo...@apache.org>
AuthorDate: Tue Oct 29 11:06:42 2019 -0700

    NIFI-6377 updating release guidance to ensure the source artifact we put in dist matches the staging repo source and sig
---
 src/pages/markdown/release-guide.md | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/src/pages/markdown/release-guide.md b/src/pages/markdown/release-guide.md
index 236e771..a2ad07c 100644
--- a/src/pages/markdown/release-guide.md
+++ b/src/pages/markdown/release-guide.md
@@ -97,15 +97,15 @@ when evaluating a release for a vote.
     - Does the overall LICENSE and NOTICE appear correct?
     - Do all licenses fit within the ASF approved licenses?
     - Here is an example path to a sources artifact that has been prepared but not released:  
-      `https://repository.apache.org/content/repositories/${STAGING_REPO_ID}/org/apache/nifi/nifi/${NIFI_VERSION}/nifi-${NIFI_VERSION}-source-release.zip`
+      `https://dist.apache.org/repos/dist/dev/nifi/nifi-${NIFI_VERSION}/nifi-${NIFI_VERSION}-source-release.zip`
   - Is there a README available that explains how to build the application and to execute it?
     - Look in the *-sources.zip artifact root for the readme.
   - Are the signatures and hashes correct for the source release?
     - Validate the hashes of the sources artifact do in fact match:
-      `https://repository.apache.org/content/repositories/${STAGING_REPO_ID}/org/apache/nifi/nifi/${NIFI_VERSION}/nifi-${NIFI_VERSION}-source-release.zip.sha256`
-      `https://repository.apache.org/content/repositories/${STAGING_REPO_ID}/org/apache/nifi/nifi/${NIFI_VERSION}/nifi-${NIFI_VERSION}-source-release.zip.sha512`
+      `https://dist.apache.org/repos/dist/dev/nifi/nifi-${NIFI_VERSION}/nifi-${NIFI_VERSION}-source-release.zip.sha256`
+      `https://dist.apache.org/repos/dist/dev/nifi/nifi-${NIFI_VERSION}/nifi-${NIFI_VERSION}-source-release.zip.sha512`
     - Validate the signature of the source artifact.  Here is an example path:
-      `https://repository.apache.org/content/repositories/${STAGING_REPO_ID}/org/apache/nifi/nifi/${NIFI_VERSION}/nifi-${NIFI_VERSION}-source-release.zip.asc`
+      `https://dist.apache.org/repos/dist/dev/nifi/nifi-${NIFI_VERSION}/nifi-${NIFI_VERSION}-source-release.zip.asc`
     - Need a quick reminder on how to [verify a signature][apache-signature-verify]?
   - Do all sources have necessary headers?
     - Unzip the sources file into a directory and execute `mvn install -Pcontrib-check,include-grpc`
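Review bot: In the "Are the signatures and hashes correct" bullets, the `.sha256`, `.sha512` and `.asc` links now sit in the same dist/dev directory as the zip, and nothing in the checklist still points reviewers at the staging repository copy. Since this commit's stated goal is that the dist source matches the staging repo source and signature, consider adding a bullet that asks reviewers to confirm the dist zip hashes to the same value as the staged one. It would also help to say that the digest is computed locally and compared with the published file, and that the `.asc` check against the KEYS file is what establishes who produced the artifact. Minor: the context line refers to `*-sources.zip` while every URL uses `source-release.zip`.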
@@ -242,7 +242,9 @@ login with your Apache committer credentials and you should see the newly create
 click on that you can inspect the various staged artifacts.
 
 1. Validate that all the various aspects of the staged artifacts appear correct
-    - Download the sources.  Do they compile cleanly?  If the result is a build does it execute?
+    - Download the sources and signature at the following URL. Do they compile cleanly?  If the result is a build does it execute?  We download the sources and signature from the nexus artifacts so that these sources and signature match what we put in dist and thus all signatures and such match.  If you pull the sources from your local build it will differ and can create confusion during RC validation.  These are the first two primary artifacts you need for the voting (the sources and th [...]
+       `wget https://repository.apache.org/service/local/repositories/orgapachenifi-nnnn/content/org/apache/nifi/nifi/${NIFI_VERSION}/nifi-${NIFI_VERSION}-source-release.zip`
+       `wget https://repository.apache.org/service/local/repositories/orgapachenifi-nnnn/content/org/apache/nifi/nifi/${NIFI_VERSION}/nifi-${NIFI_VERSION}-source-release.zip.asc`
     - Validate the hashes match.
     - Validate that the sources contain no unexpected binaries.
     - Validate the signature for the build and hashes. [Verifying a release signature](https://nifi.apache.org/gpg.html#verifying-a-release-signature).
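Review bot: The new download bullet fetches only the zip and its `.asc`, yet the next bullet says "Validate the hashes match" without naming what to compare against. Either add the matching `.sha256`/`.sha512` downloads or state which reference value the RM should use. The two `wget` lines also hard-code `orgapachenifi-nnnn`, whereas the reviewer checklist previously used `${STAGING_REPO_ID}`; using the variable here avoids a copy-paste that fetches nothing. The bullet packs the instruction, its rationale and the artifact list into a single line, so splitting the rationale into its own sentence or sub-bullet would make the step easier to follow.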
@@ -259,10 +261,9 @@ click on that you can inspect the various staged artifacts.
     ```
     git push asf nifi-${NIFI_VERSION}-RC${RC}
     ```
-1. Create the signature and hashes for the source release and convenience binary files.
+1. Create the signature and hashes for the source release and convenience binary files.  You take the source release and signature from steps above.  You grab the other conveniece binaries from your local build directories.
     1. ASCII armored GPG signatures (`--digest-algo=SHA512` select the SHA512 hash algorithm). [Configure GPG to always prefer stronger hashes](https://www.apache.org/dev/openpgp.html#key-gen-avoid-sha1).
         ```
-        $ gpg -a -b --digest-algo=SHA512 nifi-${NIFI_VERSION}-source-release.zip  # produces nifi-${NIFI_VERSION}-source-release.zip.asc
         $ gpg -a -b --digest-algo=SHA512 nifi-${NIFI_VERSION}-bin.tar.gz          # produces nifi-${NIFI_VERSION}-bin.tar.gz.asc
         $ gpg -a -b --digest-algo=SHA512 nifi-${NIFI_VERSION}-bin.zip             # produces nifi-${NIFI_VERSION}-bin.zip.asc
         $ gpg -a -b --digest-algo=SHA512 nifi-toolkit-${NIFI_VERSION}-bin.zip     # produces nifi-toolkit-${NIFI_VERSION}-bin.zip.asc
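Review bot: The step heading still begins "Create the signature and hashes for the source release", but the `gpg` line for `source-release.zip` is removed and the added text says the source signature is taken from earlier steps, so the heading now contradicts the procedure. Suggest rewording to make clear that signatures are created only for the convenience binaries and that the source zip and its `.asc` are reused unchanged, and replace "steps above" with the specific step that downloads them. Also "conveniece" should be "convenience".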
@@ -286,7 +287,7 @@ click on that you can inspect the various staged artifacts.
         ```
 
 1. For reviewing of the release candidate, commit the source release and convenience binaries files along with their
-hashes and signatures to `https://dist.apache.org/repos/dist/dev/nifi/nifi-${NIFI_VERSION}`.
+hashes and signatures to `https://dist.apache.org/repos/dist/dev/nifi/nifi-${NIFI_VERSION}`. There should be in total 20 files (5 primary artifacts, 5 signatures, 5 sha256, 5 sha512).
 
 ### Step 4. Error recovery (RM)
 
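Review bot: The added sentence gives a total of 20 files and "5 primary artifacts" but never names the five, so an RM can satisfy the count with the wrong file in place. Listing the expected file names (or pointing at the list in the signing step) makes this a check of contents rather than of quantity, and keeps the number from going stale if an artifact is added later.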
@@ -322,6 +323,9 @@ and more positive than negative binding votes._
     The source zip, including signatures, digests, etc. can be found at:
     https://repository.apache.org/content/repositories/orgapachenifi-nnnn
 
+    The source being voted upon and the convenience binaries can be found at:
+    https://dist.apache.org/repos/dist/dev/nifi/nifi-${NIFI_VERSION}/
+
     The Git tag is nifi-${NIFI_VERSION}-RC${RC}
     The Git commit ID is ${RC_TAG_COMMIT_ID}
     https://gitbox.apache.org/repos/asf?p=nifi.git;a=commit;h=${RC_TAG_COMMIT_ID}
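Review bot: The vote template now lists two locations for the source, the existing "source zip, including signatures, digests, etc." line pointing at the Nexus staging repo and the new "source being voted upon" line pointing at dist/dev, without saying how they relate. Voters may verify one copy and assume the other. Suggest rewording the first line to describe the Nexus URL as the staged Maven artifacts and stating explicitly that the dist/dev copy is the one under vote and is identical to the staged source and signature.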