You can help validate a release. A [VOTE] thread (e.g. [VOTE] Release Apache jclouds-1.6.3-rc1) will begin on the dev list containing all of the relevant info.
* If you're running this on a Mac, you'll need brew and to do a brew install gpg first.
Wait for a BUILD SUCCESS message at the end. If something goes wrong, please notify the dev@ list by replying to the [DISCUSS] thread for the release candidate.
1. On your local machine create a directory and a pom.xml file to download the release candidate JARs from the staging repo. In the [VOTE] thread look for the "Maven staging repos" section and replace the xxxx below with the value from the "Maven staging repos" section.
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> <modelVersion>4.0.0</modelVersion> <properties> <jclouds.version>1.6.3</jclouds.version> </properties> <groupId>org.apache.jclouds.examples</groupId> <artifactId>jclouds-examples</artifactId> <version>1.0</version> <dependencies> <dependency> <groupId>org.apache.jclouds</groupId> <artifactId>jclouds-all</artifactId> <version>${jclouds.version}</version> </dependency> </dependencies> <profiles> <profile> <id>jclouds-staging</id> <repositories> <repository> <id>jclouds-staging</id> <url>https://repository.apache.org/content/repositories/orgapachejclouds-xxxx/</url> </repository> </repositories> </profile> </profiles> </project> |
2. Run the command mvn clean -Pjclouds-staging dependency:copy-dependencies "-DoutputDirectory=./lib" -U to download the JARs to a lib directory.
At the end of it you should have a simple directory structure like so.
jclouds-1.6.3$ ls lib pom.xml |
With the lib directory full of jclouds JARs. You can now use these JARs to do things like run the jclouds-examples. If something goes wrong, notify the dev list.
1. Validate the signature
See the Apache release signing guide - you'll need to import the KEYS file for jclouds, or the signer's key from people.apache.org before doing this. Check each tar.gz and .asc file in the release.
2. Verify the checksums
For each of the tar.gz files, check that the md5/sha1 checksum in .md5 and .sha1 match up to what you get if you run md5sum (or md5, depending on your system) and sha1sum (or sha1, depending on your system) against the tarball.