This is an automated email from the ASF dual-hosted git repository. wave pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tooling-docs.git
The following commit(s) were added to refs/heads/main by this push: new 4005521 Write Evaluate Claims Phase 4005521 is described below commit 400552168145fcaa338cf8dec992b1faa2864640 Author: Dave Fisher <dave2w...@comcast.net> AuthorDate: Wed Feb 5 15:28:59 2025 -0800 Write Evaluate Claims Phase --- apache-trusted-release/evaluate.md | 29 +++++++++++++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) diff --git a/apache-trusted-release/evaluate.md b/apache-trusted-release/evaluate.md index 73d343d..c610eaf 100644 --- a/apache-trusted-release/evaluate.md +++ b/apache-trusted-release/evaluate.md 
@@ -1,3 +1,28 @@ -# Evaluate Phase +# Evaluate Claims Phase -The ATR will do a number of checks on release packages to enforce policy and assure the richest possible SBOM. +In this phase the ATR will check claims about the release artifacts to enforce policy. + +## Policies + +- [Proper application of license](https://www.apache.org/legal/apply-license.html) +- [Release Policy](https://www.apache.org/legal/release-policy.html) +- [Source Header and Copyright Notice Policy](https://apache.org/legal/src-headers.html) +- [3rd Party License Policy](https://apache.org/legal/resolved.html) + +## Claims + +1. Source files have the correct license headers. +2. LICENSE and NOTICE are provided in the correct location in every artifact. +3. Dependencies are acceptably licensed. +4. Release artifacts have correct GPG detached signatures and checksums. +5. Reproducible build claims are validated. +6. SBOMs are well formed and have proper claims. + +## Tasks + +1. Validate Packaging. +2. Validate License Headers including double checking "RAT excludes" to check for valid excludes. +3. Validate LICENSE and NOTICE. +4. Validate Dependency Licensing. +5. Validate Reprodicible Build Packaging. +6. Validate SBOMs (generate?).
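Review bot: The Tasks list has no step that matches claim 4 ("Release artifacts have correct GPG detached signatures and checksums"); unless "Validate Packaging" is meant to cover it, add an explicit task such as "Validate Signatures and Checksums" so that every claim maps to a check. In task 5, "Reprodicible" should be "Reproducible". Task 6 ends with an open "(generate?)" while claim 6 only speaks of SBOMs being well formed, so decide whether the ATR generates SBOMs or only validates them and state that in the text rather than leaving the question in the page. The policy links also mix the www.apache.org and apache.org hosts; use one form for all four.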