This page details how Windows binaries are validated and voted on. Any Apache CouchDB committer is free to make a binary package, but they are usually made by the committers. There is an important distinction between regular packages and snapshot packages, namely:
- Packages to be distributed via the official Apache mirrors must be built from an official source release or signed tag equivalent
- Snapshots may be provided at any time, from any tree-ish, but should be restricted to personal Apache space or elsewhere
Regular packages may be linked to from the CouchDB website, and promoted alongside the source releases. Snapshot packages are for developers only, and will not be promoted. This distinction ensures that the user community can rely on binary packages corresponding to source releases, and that the developer community can test binary packages while not being obligated to maintain or support them.
Following an official source vote, a Windows binary is created. The procedure for this is documented in INSTALL.Windows and a scripted approach is available in the appropriate branch of glazier, branched and tagged per source release.
Overall, we want to confirm that the binary is malware-free and correctly signed, that the digests match, and that functionality matches that of the original source tarball.
- Validate the MD5 and SHA digests using md5 and sha for Windows or similar.
- Run the installer directly, into a separate directory, or use the Inno setup unpacker. There is no requirement to uninstall your existing CouchDB.
- Confirm using antivirus software that there are no viruses or malware present. Microsoft provides the free Security Essentials.
- Start CouchDB via the provided couchdb.bat script.
- Use Futon to run the basic user verification tests. There is no need to run the full dev test suite, as these are being removed in coming releases anyway, in favour of a more robust command-line test suite during build time.
- FIX LATER: Double-check that the README, INSTALL.Windows, NEWS, LICENSE, and CHANGES files are present in %COUCHDIR%/share/doc/couchdb/ and that their contents are appropriate. At present these are gzipped but this should be fixed, and added as shortcuts.
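The digest check in the first step can be scripted so that every voter compares the same way. The following is an added example, not part of the CouchDB release tooling; it assumes the sidecar files use one of three common layouts (bare hex, `<hex> *<name>`, or the line-wrapped `<name>: AB CD ...` style), and the file names are constructed placeholders. It does not replace the gpg signature check.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Hex digest length -> hashlib algorithm name.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

def parse_digest_file(text, artefact_name):
    """Return (algorithm, lowercase hex digest) from a sidecar file.

    Anything left over after removing the artefact name, whitespace,
    ':' and '*' must be pure hex of a known length, else ValueError.
    """
    candidate = re.sub(r"[\s:*]", "", text.replace(artefact_name, "")).lower()
    if not re.fullmatch(r"[0-9a-f]+", candidate) or len(candidate) not in ALGO_BY_HEX_LEN:
        raise ValueError("unrecognised digest file layout")
    return ALGO_BY_HEX_LEN[len(candidate)], candidate

def file_digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(artefact, sidecars):
    """Map each sidecar name to True/False; a malformed sidecar is a failure."""
    results = {}
    for sidecar in map(Path, sidecars):
        try:
            algo, expected = parse_digest_file(sidecar.read_text(), Path(artefact).name)
            results[sidecar.name] = hmac.compare_digest(file_digest(artefact, algo), expected)
        except ValueError:
            results[sidecar.name] = False
    return results

def demo():
    """Constructed sample: a fake installer plus sidecars in each layout."""
    with tempfile.TemporaryDirectory() as d:
        exe = Path(d) / "setup-couchdb-x.y.z.exe"  # placeholder name
        exe.write_bytes(b"constructed installer bytes")
        sha = file_digest(exe, "sha1").upper()
        spaced = " ".join(sha[i:i + 4] for i in range(0, 40, 4))
        (Path(d) / "a.md5").write_text(f"{file_digest(exe, 'md5')} *{exe.name}\n")
        (Path(d) / "b.sha").write_text(f"{exe.name}: {spaced[:24]}\n  {spaced[24:]}\n")
        (Path(d) / "c.md5").write_text("0" * 32 + "\n")  # deliberately wrong digest
        return verify(exe, [Path(d) / n for n in ("a.md5", "b.sha", "c.md5")])

if __name__ == "__main__":
    print(demo())
```

A `False` for any sidecar, including one that cannot be parsed, should be treated as a failed validation rather than skipped.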
Giving Feedback on the Binaries
- Reply to the original binary package proposal, for example:
+1 Windows 7 x64 SP1 Firefox 10.12 gpg sig OK md5 & sha OK No malware detected End-user verification OK
- If the original source artefact vote is aborted, please ensure you remove any copies of the binary to avoid these escaping into the wild.
Full details are on the main CouchDB Release procedure.
After the source artefact vote is successful, three things must be updated:
- Approved binaries and sha/md5/asc keys to be moved into the official Apache CouchDB /www/www.apache.org/dist/couchdb/binary/win32/x.y.z/ environment.
- Subsequent update of CouchDB downloads page.
- Once these are available on mirrors, the confirmation announcement can be sent.
- currently working with HTTPD team to see if the new fancypants code signing is usable
- still need way of referencing the detailed build process, and labelling artefacts.
If you'd like to help out, let us know on the couchdb-dev mailing list.