> On Apr 19, 2025, at 12:48 PM, Henrik Ingo <hen...@nyrkio.com> wrote:
>
> This is a question mainly to mentors I guess:
>
> https://www.apache.org/legal/release-policy.html
>
> ...emphasises that:
>
>> Before casting +1 binding votes, individuals are REQUIRED to download all
> signed source code packages onto their own hardware, verify that they meet
> all requirements of ASF policy on releases as described below, validate all
> cryptographic signatures, compile as provided, and test the result on their
> own platform.
>
> Question: Is it frowned upon if project committers distribute to each other
> bash scripts to automate the individually performed review?
You can certainly share bash scripts.
Here’s one I often use:
#!/bin/bash
# Fetch a release candidate from dist/dev and check its signature and checksums.
# Usage: ./check-release.sh <project> <artifact-file-name>
set -u
if [ "$#" -ne 2 ]; then
  echo "usage: $0 <project> <artifact>" >&2
  exit 1
fi
DISTURL='https://dist.apache.org/repos/dist/dev'
PROJECT=$1
ARTIFACT=$2
DISTRO="${DISTURL}/${PROJECT}/${ARTIFACT}"
echo "${DISTRO}"
# Per-project scratch directory (not exported as TMPDIR, which other tools such as mktemp honour)
WORKDIR="/tmp/${PROJECT}"
mkdir -p "${WORKDIR}"
cd "${WORKDIR}" || exit 1
pwd
# -f fails on HTTP errors so an error page is never saved as the artifact;
# the artifact and its signature are mandatory, the checksum files may be absent.
curl -f -L "${DISTRO}" --output "${ARTIFACT}" || exit 1
curl -f -L "${DISTRO}.asc" --output "${ARTIFACT}.asc" || exit 1
curl -f -L "${DISTRO}.sha256" --output "${ARTIFACT}.sha256" || echo 'no .sha256 published'
curl -f -L "${DISTRO}.sha512" --output "${ARTIFACT}.sha512" || echo 'no .sha512 published'
echo 'Check signature'
# Name the signed file explicitly rather than relying on gpg to strip the .asc suffix.
gpg --verify "${ARTIFACT}.asc" "${ARTIFACT}"
echo 'Compare checksum to sha256'
cat "${ARTIFACT}.sha256"
shasum -a 256 "${ARTIFACT}"
echo 'Compare checksum to sha512'
cat "${ARTIFACT}.sha512"
shasum -a 512 "${ARTIFACT}"
echo
———
I also do a RAT_CHECK, but I think that poetry can do license checks as well.
#!/bin/bash
# Apache RAT license-header audit of the unpacked source tree, run from its root;
# .rat-excludes lists files that legitimately carry no header.
# Adjust the jar path to wherever RAT is installed locally.
java -jar ~/Development/apache-rat-0.12.jar -E .rat-excludes .
Best,
Dave
> I mean do we
> expect each individual to contribute some randomness and diversity, beyond
> just another hw and os platform?
>
> henrik
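The script above prints the published digest and the locally computed one and leaves the comparison to the reviewer's eye. As an added example (not from this thread or from any Apache project's tooling), the following bash functions do that comparison mechanically and accept both layouts commonly used for Apache checksum files: the `sha512sum`-style "hex  filename" line and the `gpg --print-md SHA512`-style "filename: ABCD EF01 ..." block that is uppercase, grouped in fours and wrapped over several lines. The function names and the constructed sample payload are assumptions for the example; they exist nowhere on dist.apache.org.

```bash
#!/bin/bash
# Added example, not code from the thread: compare an artifact's SHA-512 against
# its .sha512 file mechanically instead of printing two digests for eyeballing.
# Accepts both layouts commonly used for Apache checksum files:
#   (1) "<128 hex>  <filename>"        as written by sha512sum / shasum -a 512
#   (2) "<filename>: ABCD EF01 ..."    as written by gpg --print-md SHA512,
#       uppercase, grouped in fours and wrapped over several lines
set -u

# SHA-512 of a file as lowercase hex, using whichever tool the host provides.
sha512_of() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | awk '{print $1}'
  else
    shasum -a 512 "$1" | awk '{print $1}'
  fi
}

# Normalise a .sha512 file to one lowercase 128-character hex string.
expected_sha512() {
  local first
  first=$(awk 'NR==1 {print $1}' "$1")
  if printf '%s' "$first" | grep -Eq '^[0-9A-Fa-f]{128}$'; then
    # Layout (1): the digest is the first token; the trailing filename is ignored.
    printf '%s\n' "$first" | tr 'A-F' 'a-f'
  else
    # Layout (2): drop the "filename:" prefix, join the wrapped groups, lowercase.
    sed 's/^[^:]*://' "$1" | tr -d ' \t\r\n' | tr 'A-F' 'a-f'
    echo
  fi
}

# Returns 0 on match, 1 on mismatch, 2 when the checksum file holds no usable digest.
verify_sha512() {
  local artifact=$1 sumfile=$2 want got
  want=$(expected_sha512 "$sumfile")
  if [ "${#want}" -ne 128 ]; then
    echo "FAIL: ${sumfile} does not contain a SHA-512 digest" >&2
    return 2
  fi
  got=$(sha512_of "$artifact")
  if [ "$want" = "$got" ]; then
    echo "OK: ${artifact} matches ${sumfile}"
    return 0
  fi
  echo "FAIL: ${artifact} does not match ${sumfile}" >&2
  echo "  expected ${want}" >&2
  echo "  actual   ${got}" >&2
  return 1
}

# Stand-alone use: ./verify-sha512.sh <artifact> <artifact>.sha512
if [ "$#" -eq 2 ]; then
  verify_sha512 "$1" "$2"
fi
```

A matching checksum only shows the download was not corrupted in transit; it is published next to the artifact and would be replaced along with it. The `gpg --verify` step in the script above is what ties the artifact to a release manager, and its signing key should be checked against the project's KEYS file rather than fetched from a keyserver on trust.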