taverna-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Gale Naylor (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (TAVERNA-936) Document review process for software releases
Date Fri, 11 Mar 2016 20:50:16 GMT

    [ https://issues.apache.org/jira/browse/TAVERNA-936?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15191492#comment-15191492
] 

Gale Naylor commented on TAVERNA-936:
-------------------------------------

In the wiki are two release review documents. The documents are fairly complete and ready
for review and comments.  (See links at end)

In particular, I need feedback on the minimum review requirements we are comfortable with.
My guess based on discussions during the last release is:

	All:
	  -  Download at least one distribution (source-release-zip) and ensure it builds successfully
	  - Verify checksums and signatures

	PPMC members (and others, if they want):
	  - Ensure accuracy of the following:
		- Top-level LICENSE and NOTICE files
		- Source file headers ("Apache" headers)
		- Dependency licenses
		- Source archive (does not include any binary files)
		- Verify commit ID (At least one PPMC member)   

One question: When we have multiple distributions, is it sufficient to download only one distribution
for a +1 vote? Maybe PPMC members should download and build all, but other reviewers can download
one?


Here are some other major areas needing work:

A) Check commit ID. I did not understand the notes about using the git repository to check
the commit ID. There are lots of questions in this section (Details, #2)

B) I don't have a good understanding of what is meant by "Clear provenance of source files."
How do you check it and how does it differ from checking licenses? (See Main, #6, and Details,
#6)


And finally, other miscellaneous questions:

1) Supporting the release manager means ...? (Other than communicating that you are reviewing
and bringing up any issues?)

2) Regarding verifying checksums: Is it the intent to make sure that all 3 sources match?
(vote email, zip file, md5 and sha1 files)

3) What files must have "incubating" in the title? Is it top-level folders and *.jar files
only? Is there an easy way to check?

4) Regarding review of source file headers: How does a reviewer know if a file is really Apache-developed
code, or if the header has been applied by mistake? 

5) How does "check dependency licenses" differ from "check source file headers?" Should we
have a master list that a reviewer can refer to?

5) Checking the build produces the binaries: Compare *.jar files in target folders to ...
what? The git repo? Example link?

LINKS:
	2016-03 Apache Taverna: How to Review a Release and Vote [AKA, Main] (https://cwiki.apache.org/confluence/display/TAVERNADEV/2016-03+Apache+Taverna%3A+How+to+Review+a+Release+and+Vote)

	2016-03 Apache Taverna: Detailed Instructions for Reviewing a Release [AKA, Details] (https://cwiki.apache.org/confluence/display/TAVERNADEV/2016-03+Apache+Taverna%3A+Detailed+Instructions+for+Reviewing+a+Release)


> Document review process for software releases
> ---------------------------------------------
>
>                 Key: TAVERNA-936
>                 URL: https://issues.apache.org/jira/browse/TAVERNA-936
>             Project: Apache Taverna
>          Issue Type: Task
>            Reporter: Gale Naylor
>            Assignee: Gale Naylor
>            Priority: Minor
>
> Collect information from recent emails, as well as online sources, and create comprehensive
documentation of what to verify as well as how to verify it.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message