| 1 | +<!-- |
| 2 | + Licensed to the Apache Software Foundation (ASF) under one |
| 3 | + or more contributor license agreements. See the NOTICE file |
| 4 | + distributed with this work for additional information |
| 5 | + regarding copyright ownership. The ASF licenses this file |
| 6 | + to you under the Apache License, Version 2.0 (the |
| 7 | + "License"); you may not use this file except in compliance |
| 8 | + with the License. You may obtain a copy of the License at |
| 9 | +
| 10 | + http://www.apache.org/licenses/LICENSE-2.0 |
| 11 | +
| 12 | + Unless required by applicable law or agreed to in writing, |
| 13 | + software distributed under the License is distributed on an |
| 14 | + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| 15 | + KIND, either express or implied. See the License for the |
| 16 | + specific language governing permissions and limitations |
| 17 | + under the License. |
| 18 | +--> |
| 19 | + |
| 20 | +# Release Verification |
| 21 | + |
| 22 | +This guide walks you through the process of verifying a staged Apache Polaris release candidate. |
| 23 | + |
| 24 | +Verifying a (staged) release of an Apache project has to follow a bunch of tasks, which can be |
| 25 | +grouped into tasks that can be automated and those that need human intervention. |
| 26 | + |
| 27 | +Tasks that are automated: |
| 28 | +* Checksums and PGP signatures are valid. |
| 29 | +* All expected artifacts are present. |
| 30 | +* Built artifacts are [reproducible](#reproducible-builds). |
| 31 | +* Build passes. |
| 32 | +* `DISCLAIMER`, `LICENSE` and `NOTICE` files are included. |
| 33 | +* main and sources jar artifacts contain `META-INF/LICENSE` and `META-INF/NOTICE` files. |
| 34 | +* main distribution artifacts contain `DISCLAIMER`, `LICENSE` and `NOTICE` files in the top-level directory. |
| 35 | + |
| 36 | +Tasks that need human intervention: |
| 37 | +* Download links are valid. |
| 38 | +* Source code artifacts have correct names matching the current release. |
| 39 | +* `DISCLAIMER`, `LICENSE` and `NOTICE` files are correct for the repository. |
| 40 | +* Contents of jar artifacts `META-INF/LICENSE` and `META-INF/NOTICE` files are correct. |
| 41 | +* All files have license headers if necessary. |
| 42 | + This is (mostly) verified using the "rat" tool during builds/CI. |
| 43 | +* No compiled archives bundled in source archive. |
| 44 | + This is a (soft) requirement to be held true by committers. |
| 45 | + |
| 46 | +# Verifying a release candidate |
| 47 | + |
| 48 | +Instead of performing all mentioned steps manually, you can leverage the script |
| 49 | +`tools/verify-release/verify-release.sh` available in the main repository to perform the |
| 50 | +automatable tasks. |
| 51 | + |
| 52 | +That script requires a couple of tools installed. |
| 53 | +The script will check for the presence of these tools. |
| 54 | + |
| 55 | +To run the script, you need the following pieces of information: |
| 56 | +* The version number of the release. |
| 57 | +* The RC number of the release. |
| 58 | +* The Git SHA of the corresponding source commit. |
| 59 | +* The Maven staging repository ID. |
| 60 | + |
| 61 | +Example (from the 1.2.0-rc2 release) |
| 62 | +```bash |
| 63 | +tools/verify-release/verify-release.sh -s 354a5ef6b337bf690b7a12fefe2c984e2139b029 -v 1.2.0 -r 2 -m 1033 |
| 64 | +``` |
| 65 | + |
| 66 | +# Reproducible builds |
| 67 | + |
| 68 | +A build is reproducible if the built artifacts are identical on every build from the same source. |
| 69 | + |
| 70 | +The Apache Polaris build is currently mostly reproducible, with some release version specific exceptions. |
| 71 | + |
| 72 | +## Exceptions for all Apache Polaris versions |
| 73 | + |
| 74 | +Pending on full support for reproducible builds in Quarkus: |
| 75 | +* Jars containing generated code are not guaranteed to be reproducible. Affects the following jars: |
| 76 | + * */quarkus/generated-bytecode.jar |
| 77 | + * */quarkus/transformed-bytecode.jar |
| 78 | + * */quarkus/quarkus-application.jar |
| 79 | +* Re-assembled jars are not guaranteed to be reproducible: Affects the following jars: |
| 80 | + * admin/app/polaris-admin-*.jar |
| 81 | + * server/app/polaris-server-*.jar |
| 82 | +* Zips and tarballs containing any of the above are not guaranteed to be reproducible. |
| 83 | + |
| 84 | +Helm chart package tarball is not binary reproducible because there is no option to influence the |
| 85 | +mtime and POSIX attributes of the archive entries. |
| 86 | +The actual content of the archive entries is reproducible. |
| 87 | + |
| 88 | +## Exceptions for Apache Polaris up to 1.2 (including) |
| 89 | + |
| 90 | +* Depending on the operating system being used by the release manager and the "verifier", jar and zip files |
| 91 | + might be reported as different, even if the content of the jar and zip files is identical. |
| 92 | + This also leads to reported differences of the Gradle *.module files, because the checksums are different. |
| 93 | + Fixed via https://github.com/apache/polaris/pull/2819 |
| 94 | +* Source tarball is not binary reproducible because of non-constant mtime for tar entries. |
| 95 | + Fixed via https://github.com/apache/polaris/pull/2823 |
| 96 | +* The content of the parent pom contains dynamically generated content for the lists of developers and |
| 97 | + contributors. |
| 98 | + Fixed via https://github.com/apache/polaris/pull/2826 |
| 99 | + |
| 100 | +## Exceptions for Apache Polaris up to 1.1 (including) |
| 101 | + |
| 102 | +Apache Polaris builds up to 1.1 are not reproducible. |
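Review bot: the prerequisites paragraph ("That script requires a couple of tools installed. The script will check for the presence of these tools.") names none of the tools, so a verifier cannot prepare before running it; list them here, or say explicitly that the script prints the missing ones and aborts. In the same region, the automated checks include PGP signature validation, but the guide does not say where the verifier obtains the public keys the signatures are checked against; add that, because a signature that verifies against a key of unknown provenance does not show that a release manager signed the artifacts. Minor wording in the reproducible-builds section: "Pending on full support" should read "Pending full support", the re-assembled jars bullet should end its lead sentence with a period rather than a colon to match the bullet above it ("Re-assembled jars are not guaranteed to be reproducible. Affects the following jars:"), and "up to 1.2 (including)" / "up to 1.1 (including)" read more naturally as "up to and including 1.2" / "up to and including 1.1".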