apache · Xuanwo · Jun 26, 2023 · Jun 25, 2023 · Jun 25, 2023 · Jun 25, 2023
@@ -2,7 +2,7 @@
 title: Generate Release Note
 ---
 
-This document describes how to generate release notes using Github:
+This document describes how to generate release notes using GitHub:
 
 1. Go to https://github.com/apache/incubator-opendal/releases/new to start a new release.
 2. Fill the tag with `draft`.

@@ -4,15 +4,15 @@ title: Setup GPG Key
 
 > This section is a brief from the [Cryptography with OpenPGP](https://infra.apache.org/openpgp.html) guideline.
 
-## Install gpg
+## Install GPG
 
 For more details, please refer to [GPG official website](https://www.gnupg.org/download/index.html). Here shows one approach to install GPG with `apt`:
 
 ```shell
 sudo apt install gnupg2
 ```
 
-## Generate gpg Key
+## Generate GPG Key
 
 Attentions:
 
@@ -73,7 +73,7 @@ generator a better chance to gain enough entropy.
 │ │
 │ <OK> <Cancel> │
 └──────────────────────────────────────────────────────┘
-# key generatio[n will be done after your inputting the key with the following output
+# key generation will be done after your inputting the key with the following output
 gpg: key E49B00F626B marked as ultimately trusted
 gpg: revocation certificate stored as '/Users/hulk/.gnupg/openpgp-revocs.d/F77B887A4F25A9468C513E9AA3008E49B00F626B.rev'
 public and secret key created and signed.
@@ -84,7 +84,7 @@ uid [ultimate] hulk <hulk@apache.org>
 sub rsa4096 2022-07-12 [E]
 ```
 
-## Upload your key to public gpg keyserver
+## Upload your key to public GPG keyserver
 
 Firstly, list your key:
 
@@ -112,15 +112,15 @@ Among them, `keys.openpgp.org` is a randomly selected keyserver, you can use `ke
 
 ## Check whether the key is created successfully
 
-Uploading takes about one minute, after that, you can check by your email at the corresponding keyserver.
+Uploading takes about one minute; after that, you can check by your email at the corresponding keyserver.
 
 Uploading keys to the keyserver is mainly for joining a [Web of Trust](https://infra.apache.org/release-signing.html#web-of-trust).
 
-## Add your gpg public key to the KEYS document
+## Add your GPG public key to the KEYS document
 
 :::info
 
-SVN is required for this step.
+`SVN` is required for this step.
 
 :::
 
@@ -139,5 +139,5 @@ svn ci -m "add gpg key for YOUR_NAME" # Later on, if you are asked to enter a us
 
 ## Upload the GPG public key to your GitHub account
 
-- Enter https://github.com/settings/keys to add GPG KEYS.
+- Enter https://github.com/settings/keys to add your GPG key.
 - Please remember to bind the email address used in the GPG key to your GitHub account (https://github.com/settings/emails) if you find "unverified" after adding it.
@@ -0,0 +1,130 @@
+---
+title: Verify a release candidate
+---
+
+To verify a release candidate, the following checklist could be used:
+
+- [ ] Download links are valid.
+- [ ] Checksums and signatures.
+- [ ] LICENSE/NOTICE files exist.
+- [ ] No unexpected binary files.
+- [ ] All source files have ASF headers.
+- [ ] Can compile from source.
+
+:::note
+
+It is NOT necessary to run all checks to cast a vote for a release candidate.
+
+However, you should clearly state which checks you did. The release manager needs to ensure that each check was done.
+
+:::
+
+## Download links are valid
+
+To verify the release candidate, you need to download the release candidate from the [dist](https://dist.apache.org/repos/dist/dev/incubator/opendal/) directory.
+
+Use the following command to download all artifacts, replace "${release_version}-${rc_version}" with the version ID of the version to be released:
+
+```shell
+svn co https://dist.apache.org/repos/dist/dev/opendal/${release_version}-${rc_version}/
+```
+
+## Checksums and signatures
+
+The release candidate should have a checksum and signature file. 
+
+For example, if the release candidate is `0.36.0-rc1`, the checksum and signature file should be:
+
+```
+https://dist.apache.org/repos/dist/dev/incubator/opendal/0.36.0-rc1/apache-opendal-0.36.0-rc1-src.tar.gz.sha512
+https://dist.apache.org/repos/dist/dev/incubator/opendal/0.36.0-rc1/apache-opendal-0.36.0-rc1-src.tar.gz.asc
+```
+
+### Verify checksums and signatures
+
+GnuPG is recommended here. It can be installed with the following command:
+
+```shell
+apt-get install gnupg
+# or
+yum install gnupg
+# or
+brew install gnupg
+```
+
+Firstly, import the OpenDAL release manager's public key:
+
+```shell
+curl https://downloads.apache.org/opendal/KEYS > KEYS # Download KEYS
+gpg --import KEYS # Import KEYS to local
+```
+
+Then, trust the public key:
+
+```shell
+gpg --edit-key <KEY-used-in-this-version> # Edit the key
+```
+
+It will enter the interactive mode, use the following command to trust the key:
+
+```shell
+gpg> trust
+```
+
+And then, select the level of trust, for example:
+
+```
+Please decide how far you trust this user to correctly verify other users' keys
+(by looking at passports, checking fingerprints from different sources, etc.)
+
+ 1 = I don't know or won't say
+ 2 = I do NOT trust
+ 3 = I trust marginally
+ 4 = I trust fully
+ 5 = I trust ultimately
+ m = back to the main menu
+```
+
+Select `5` to trust the key ultimately.
+
+Now, we could start the verification. 
+
+We've provided a script to verify the checksum and signature of the release candidate. 
+
+The script is in the `scripts` directory of our repository.
+You can download it directly from [here](https://raw.githubusercontent.com/apache/incubator-opendal/main/scripts/check.sh)
+or check it out from the repository:
+
+```shell
+git clone git@github.com:apache/incubator-opendal.git
+```
+
+Run the script on a specific release candidate:
+
+```shell
+./scripts/check.sh apache-opendal-${release_version}-${rc_version}-src.tar.gz
+```
+
+You will see the following output if the verification is successful:
+
+```
+gpg: Signature made Wed 21 Jul 2021 10:00:00 AM CST
+gpg: using RSA key 0x1234567890ABCDEF
+gpg: Good signature from "Xuanwo<xuanwo@apache.org" [ultimate]
+gpg: WARNING: This key is not certified with a trusted signature!
+gpg: There is no indication that the signature belongs to the owner.
+Primary key fingerprint: 1234 5678 90AB CDEF 1234 5678 90AB CDEF 1234 5678
+Success to verify the gpg sign
+apache-opendal-0.36.0-rc1-src.tar.gz: OK
+Success to verify the checksum
+```
+
+## Check the file content of the source package
+
+Unzip `apache-opendal-${release_version}-${rc_version}-src.tar.gz` and check the follows:
+
+- LICENSE and NOTICE files are correct for the repository.
+- All files have ASF license headers if necessary.
+- Building is OK.
+
+
@@ -3,13 +3,16 @@ title: Release
 sidebar_position: 1
 ---
 
-This document mainly introduces how the Release Manager releases a new version in accordance with the Apache requirements.
+This document mainly introduces
+how the release manager releases a new version in accordance with the Apache requirements.
 
 ## Introduction
 
-Source Release is the key point which Apache values, also, is necessary for a release. And OpenDAL will only have source release.
+`Source Release` is the key point which Apache values, also, is necessary for a release. And OpenDAL will only have source release.
 
-Please remember that publishing software has legal consequences. This guide complements the foundation-wide policies and guides:
+Please remember that publishing software has legal consequences. 
+
+This guide complements the foundation-wide policies and guides:
 
 - [Release Policy](https://www.apache.org/legal/release-policy.html)
 - [Release Distribution Policy](https://infra.apache.org/release-distribution)
@@ -19,47 +22,49 @@ Please remember that publishing software has legal consequences. This guide comp
 
 :::caution
 
-This section is the requirements for release manager who is the first time to be a release manager
+This section is the requirements for the release manager who is the first time to be a release manager
 
 :::
 
-Refer to [Setup GPG Key](reference/setup_gpg.md) to make sure GPG key has been setup.
+Refer to [Setup GPG Key](reference/setup_gpg.md) to make sure the GPG key has been set up.
 
-## Github Release
+## GitHub Release
 
 ### Bump Version
 
-OpenDAL will release all package in the same version.
+OpenDAL will release all packages in the same version.
 
-- Bump version in `Cargo.toml`
-- For nodejs binding, bump version in `bindings/nodejs/npm/*/package.json`
-- For java binding, bump version in `bindings/java/pom.xml`
+- Bump version in `Cargo.toml`.
+- For the nodejs binding, bump version in `bindings/nodejs/package.json` and `bindings/nodejs/npm/*/package.json`.
+- For the java binding, bump version in `bindings/java/pom.xml`.
 - Update `CHANGELOG.md`, refer to [Generate Release Note](reference/generate_release_note.md) for more information.
-- If there are breaking changes in `core`, please also update `core/src/docs/upgrade.md`
-- After all those changes, submit a PR with name `Bump to version x.y.z`
+- If there are breaking changes in `core`, please also update `core/src/docs/upgrade.md`.
+- After all those changes, submit a PR with name `Bump to version x.y.z`.
 
-Take [Bump to version 0.36.1](https://github.com/apache/incubator-opendal/pull/2401) as an example.
+Take [Bump to version 0.36.0](https://github.com/apache/incubator-opendal/pull/2366) as an example.
 
-### Create Github Release
+### Create a GitHub Release
 
-After bump version PR get merged, we can create a github release:
+After bump version PR gets merged, we can create a GitHub release:
 
-- Create a tag at `main` branch on the `Bump Version` commit: `git tag -s "v0.36.1"`
-- Push tags to Github: `git push --tags`.
+- Create a tag at `main` branch on the `Bump Version` commit: `git tag -s "v0.36.0"`
+- Push tags to GitHub: `git push --tags`.
 - Create Release on the newly created tag
  - If there are breaking changes, please add the content from `upgrade.md` before.
 
 ## ASF Release
 
-If any step in the ASF Release process fails and requires code changes, we will abandon that version and prepare for the next one. Our release page will only display ASF releases instead of Github Releases.
+If any step in the ASF Release process fails and requires code changes,
+we will abandon that version and prepare for the next one.
+Our release page will only display ASF releases instead of GitHub Releases.
 
-### Create ASF Release
+### Create an ASF Release
 
-After Github Release has been created, we can start to create ASF Release.
+After GitHub Release has been created, we can start to create ASF Release.
 
 - Checkout to released tag.
-- Use release script to create a new release: `OPENDAL_VERSION=<version> OPENDAL_VERSION_RC=<rc_version> ./scripts/release.sh`
-- Push the newly created branch to github
+- Use the release script to create a new release: `OPENDAL_VERSION=<version> OPENDAL_VERSION_RC=<rc_version> ./scripts/release.sh`
+- Push the newly created branch to GitHub
 
 This script will create a new release under `dist`.
 
@@ -73,7 +78,7 @@ dist
 └── apache-opendal-incubating-0.36.0-src.tar.gz.sha512
 ```
 
-### Upload artifacts to SVN dist repo
+### Upload artifacts to the SVN dist repo
 
 :::info
 
@@ -110,7 +115,7 @@ svn status
 svn commit -m "Prepare for ${release_version}"
 ```
 
-Visit <https://dist.apache.org/repos/dist/dev/incubator/opendal/> to make sure the artifacts is uploaded correctly.
+Visit <https://dist.apache.org/repos/dist/dev/incubator/opendal/> to make sure the artifacts are uploaded correctly.
 
 ## Voting