Posted to dev@taverna.apache.org by "Gale Naylor (JIRA)" <ji...@apache.org> on 2016/03/11 21:50:16 UTC
[jira] [Commented] (TAVERNA-936) Document review process for software releases
[ https://issues.apache.org/jira/browse/TAVERNA-936?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15191492#comment-15191492 ]
Gale Naylor commented on TAVERNA-936:
-------------------------------------
In the wiki are two release review documents. The documents are fairly complete and ready for review and comments. (See links at end)
In particular, I need feedback on the minimum review requirements we are comfortable with. My guess based on discussions during the last release is:
All:
- Download at least one distribution (source-release-zip) and ensure it builds successfully
- Verify checksums and signatures
PPMC members (and others, if they want):
- Ensure accuracy of the following:
  - Top-level LICENSE and NOTICE files
  - Source file headers ("Apache" headers)
  - Dependency licenses
  - Source archive (does not include any binary files)
- Verify commit ID (At least one PPMC member)
One question: When we have multiple distributions, is it sufficient to download only one distribution for a +1 vote? Maybe PPMC members should download and build all, but other reviewers can download one?
Here are some other major areas needing work:
A) Check commit ID. I did not understand the notes about using the git repository to check the commit ID. There are lots of questions in this section (Details, #2)
B) I don't have a good understanding of what is meant by "Clear provenance of source files." How do you check it and how does it differ from checking licenses? (See Main, #6, and Details, #6)
And finally, other miscellaneous questions:
1) Supporting the release manager means ...? (Other than communicating that you are reviewing and bringing up any issues?)
2) Regarding verifying checksums: Is it the intent to make sure that all 3 sources match? (vote email, zip file, md5 and sha1 files)
3) What files must have "incubating" in the title? Is it top-level folders and *.jar files only? Is there an easy way to check?
4) Regarding review of source file headers: How does a reviewer know if a file is really Apache-developed code, or if the header has been applied by mistake?
5) How does "check dependency licenses" differ from "check source file headers?" Should we have a master list that a reviewer can refer to?
5) Checking the build produces the binaries: Compare *.jar files in target folders to ... what? The git repo? Example link?
LINKS:
2016-03 Apache Taverna: How to Review a Release and Vote [AKA, Main] (https://cwiki.apache.org/confluence/display/TAVERNADEV/2016-03+Apache+Taverna%3A+How+to+Review+a+Release+and+Vote)
2016-03 Apache Taverna: Detailed Instructions for Reviewing a Release [AKA, Details] (https://cwiki.apache.org/confluence/display/TAVERNADEV/2016-03+Apache+Taverna%3A+Detailed+Instructions+for+Reviewing+a+Release)
> Document review process for software releases
> ---------------------------------------------
>
> Key: TAVERNA-936
> URL: https://issues.apache.org/jira/browse/TAVERNA-936
> Project: Apache Taverna
> Issue Type: Task
> Reporter: Gale Naylor
> Assignee: Gale Naylor
> Priority: Minor
>
> Collect information from recent emails, as well as online sources, and create comprehensive documentation of what to verify as well as how to verify it.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
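
Added example, not part of the original message and not Apache Taverna project code: one way a reviewer could do the three-way checksum comparison raised in question 2 (vote email, zip file, md5 and sha1 files) together with the "no binary files in the source archive" check. The function names, the extension list and the sample archive are assumptions constructed for illustration.

```python
import hashlib
import io
import zipfile

# Assumption: extensions treated as compiled/binary artifacts in a source archive.
BINARY_EXTS = (".jar", ".class", ".war", ".ear", ".so", ".dll", ".exe")


def parse_sidecar(text):
    """Return the hex digest from a bare-digest or 'digest  filename' line."""
    tokens = text.split()
    return tokens[0].lower() if tokens else ""


def review_archive(zip_bytes, sidecars, vote_email):
    """Compare computed digests with the sidecar files and the vote email.

    sidecars / vote_email: dicts mapping 'md5' / 'sha1' to the published text.
    Returns a list of problems; an empty list means every check passed.
    """
    problems = []
    for algo in ("md5", "sha1"):
        computed = hashlib.new(algo, zip_bytes).hexdigest()
        for source, values in (("sidecar file", sidecars),
                               ("vote email", vote_email)):
            if parse_sidecar(values.get(algo, "")) != computed:
                problems.append(f"{algo} mismatch against {source}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(BINARY_EXTS):
                problems.append(f"binary file in source archive: {name}")
    return problems


def build_sample(with_jar=False):
    """Constructed sample archive (not a real Taverna release)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("example-incubating-0.0.0/LICENSE", "Apache License 2.0\n")
        zf.writestr("example-incubating-0.0.0/src/Main.java", "class Main {}\n")
        if with_jar:
            zf.writestr("example-incubating-0.0.0/lib/dep.jar", b"PK\x03\x04")
    return buf.getvalue()


if __name__ == "__main__":
    data = build_sample()
    good = {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1")}
    print(review_archive(data, good, good))  # no problems expected
```

A digest match only shows that the download is intact and consistent across the three places; authenticity of the release still rests on the signature check.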