taverna-dev mailing list archives

From "Gale Naylor (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (TAVERNA-936) Document review process for software releases
Date Fri, 11 Mar 2016 20:50:16 GMT

    [ https://issues.apache.org/jira/browse/TAVERNA-936?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15191492#comment-15191492 ]

Gale Naylor commented on TAVERNA-936:

In the wiki are two release review documents. The documents are fairly complete and ready
for review and comments.  (See links at end)

In particular, I need feedback on the minimum review requirements we are comfortable with.
My guess based on discussions during the last release is:

	  - Download at least one distribution (source-release-zip) and ensure it builds successfully
	  - Verify checksums and signatures

	PPMC members (and others, if they want):
	  - Ensure accuracy of the following:
		- Top-level LICENSE and NOTICE files
		- Source file headers ("Apache" headers)
		- Dependency licenses
		- Source archive (does not include any binary files)
		- Verify commit ID (at least one PPMC member)

One question: When we have multiple distributions, is it sufficient to download only one distribution
for a +1 vote? Maybe PPMC members should download and build all, but other reviewers can download

Here are some other major areas needing work:

A) Check commit ID. I did not understand the notes about using the git repository to check
the commit ID. There are lots of questions in this section (Details, #2)

B) I don't have a good understanding of what is meant by "Clear provenance of source files."
How do you check it and how does it differ from checking licenses? (See Main, #6, and Details,

And finally, other miscellaneous questions:

1) Supporting the release manager means ...? (Other than communicating that you are reviewing
and bringing up any issues?)

2) Regarding verifying checksums: Is it the intent to make sure that all 3 sources match?
(vote email, zip file, md5 and sha1 files)

3) What files must have "incubating" in the title? Is it top-level folders and *.jar files
only? Is there an easy way to check?

4) Regarding review of source file headers: How does a reviewer know if a file is really Apache-developed
code, or if the header has been applied by mistake? 

5) How does "check dependency licenses" differ from "check source file headers?" Should we
have a master list that a reviewer can refer to?

6) Checking the build produces the binaries: Compare *.jar files in target folders to ...
what? The git repo? Example link?

	2016-03 Apache Taverna: How to Review a Release and Vote [AKA, Main] (https://cwiki.apache.org/confluence/display/TAVERNADEV/2016-03+Apache+Taverna%3A+How+to+Review+a+Release+and+Vote)

	2016-03 Apache Taverna: Detailed Instructions for Reviewing a Release [AKA, Details] (https://cwiki.apache.org/confluence/display/TAVERNADEV/2016-03+Apache+Taverna%3A+Detailed+Instructions+for+Reviewing+a+Release)

> Document review process for software releases
> ---------------------------------------------
>                 Key: TAVERNA-936
>                 URL: https://issues.apache.org/jira/browse/TAVERNA-936
>             Project: Apache Taverna
>          Issue Type: Task
>            Reporter: Gale Naylor
>            Assignee: Gale Naylor
>            Priority: Minor
> Collect information from recent emails, as well as online sources, and create comprehensive
> documentation of what to verify as well as how to verify it.

This message was sent by Atlassian JIRA
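
One way a reviewer could compare the three checksum sources named in question 2 of the message (vote email, zip file, md5 and sha1 files), as an added example that is not part of the original message or of the Taverna wiki pages. The archive name, the sidecar naming (`<archive>.md5`, `<archive>.sha1`) and the email layout are assumptions, and all sample data is constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

HEX_LEN = {"md5": 32, "sha1": 40}  # the two digest types named in question 2

def extract_digest(text, algo):
    """First standalone hex run of algo's length, lowercased, else None (handles 'digest  file' and 'ALGO (file) = digest')."""
    m = re.search(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{%d}(?![0-9A-Fa-f])" % HEX_LEN[algo], text)
    return m.group(0).lower() if m else None

def file_digest(path, algo):
    """Hash the downloaded archive itself, streaming so large zips are fine."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def three_way_check(archive, email_text):
    """Compare computed digest, sidecar file (assumed <archive>.md5/.sha1) and vote email."""
    report = {}
    for algo in HEX_LEN:
        side = Path(f"{archive}.{algo}")
        values = {
            "computed": file_digest(archive, algo),
            "sidecar": extract_digest(side.read_text(), algo) if side.exists() else None,
            "email": extract_digest(email_text, algo),
        }
        # A missing source counts as a failure: None never equals a digest.
        values["match"] = values["computed"] == values["sidecar"] == values["email"]
        report[algo] = values
    return report

def demo():
    """Constructed archive, sidecars and vote email; returns (clean, tampered) reports."""
    with tempfile.TemporaryDirectory() as d:
        zip_path = Path(d) / "example-incubating-source-release.zip"  # hypothetical name
        zip_path.write_bytes(b"constructed archive bytes")
        md5, sha1 = (file_digest(zip_path, a) for a in ("md5", "sha1"))
        Path(f"{zip_path}.md5").write_text(md5 + "\n")
        Path(f"{zip_path}.sha1").write_text(f"SHA1 ({zip_path.name}) = {sha1.upper()}\n")
        email = f"[VOTE] constructed\nMD5: {md5}\nSHA1: {sha1}\n"
        clean = three_way_check(zip_path, email)
        zip_path.write_bytes(b"constructed archive bytes, modified")  # simulate a changed download
        return clean, three_way_check(zip_path, email)

if __name__ == "__main__":
    print([{a: v["match"] for a, v in r.items()} for r in demo()])
```

Agreement between the three values only shows that they are consistent with each other; the signature check listed next to "checksums" in the message is a separate step.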