DEV Community

Mohamed Mokhtar

AGE community VOTE guide

Hey there and welcome all :)

This article walks through the checks the AGE community requires for new releases. I hope it helps anyone who is struggling to understand any of them.

Let's get started:

We will follow the release of AGE 1.3.0 for PG 12 as our example:

https://dist.apache.org/repos/dist/dev/age/PG12/1.3.0.rc1/
https://github.com/apache/age/releases/tag/PG12%2Fv1.3.0-rc1

We can see 3 files there:

  • apache-age-1.3.0-src.tar.gz
  • apache-age-1.3.0-src.tar.gz.asc
  • apache-age-1.3.0-src.tar.gz.sha512

All of them are needed for the verification.

Definitions

  • apache-age-1.3.0-src.tar.gz.sha512: The SHA-512 hash file for the release apache-age-1.3.0-src.tar.gz.
  • apache-age-1.3.0-src.tar.gz.asc: The detached signature file used to verify the release.
  • apache-age-1.3.0-src.tar.gz: The source code of the project.

Let's check our todo list

TODO:

  • Signature and Hash
  • Tags and links
  • No unexpected binary files
  • Validity of release notes
  • Regression tests

Let's try to solve them :)

1- HASH

We need to reproduce the SHA-512 hash of apache-age-1.3.0-src.tar.gz and compare it with the content of apache-age-1.3.0-src.tar.gz.sha512:

sha512sum apache-age-1.3.0-src.tar.gz
# Output
71e8fb7eed7de3460d6bac7cc37a7ac8bea2164a59043250d7278f4ca17181eb4459db239c19a9b87cc3e4f00e0c0618aff751549a346a3c87f8806ba6b64f11  apache-age-1.3.0-src.tar.gz

Compare that with the content of apache-age-1.3.0-src.tar.gz.sha512; the two digests must be identical.

2- Signature

First, we need to download the KEYS file of the AGE maintainers:

https://downloads.apache.org/age/KEYS

# download that
wget https://downloads.apache.org/age/KEYS
# import that
gpg --import KEYS

Then we verify the signature against the tarball:

gpg --verify apache-age-1.3.0-src.tar.gz.asc apache-age-1.3.0-src.tar.gz
# output
gpg: Signature made 22 أبر, 2023 EET 12:55:43 ص
gpg:                using RSA key 26B6CD9DCD5B0045
gpg: Good signature from "John Gemignani (Apache GPG key) <jgemignani@apache.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4293 0603 8E35 AC05 4DBB  4B58 26B6 CD9D CD5B 0045
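
The hash and signature checks from steps 1 and 2 as a script (an added example, not from the original post or the AGE project; the function names are hypothetical). It compares the digest regardless of how the .sha512 file is laid out and, because gpg reports "Good signature" for any key you have imported, it accepts the signature only when gpg's machine-readable status names the fingerprint you expect.

```shell
#!/bin/sh
# Added example, not AGE project code. Function names are hypothetical.

# Print the bare lowercase digest from a .sha512 file. Accepts "digest  file"
# (sha512sum) and "file: AAAA BBBB ..." over several lines (gpg --print-md).
expected_sha512() {
    d=$(sed 's/^[^:]*: *//' "$1" | tr -d ' \t\r\n' | cut -c1-128 | tr 'A-F' 'a-f')
    case $d in ''|*[!0-9a-f]*) return 1 ;; esac
    [ "${#d}" -eq 128 ] && printf '%s\n' "$d"
}

# Step 1: recompute the tarball's SHA-512 and compare it with the published one.
verify_sha512() {  # $1 = tarball, $2 = .sha512 file
    want=$(expected_sha512 "$2") || return 1
    got=$(sha512sum "$1" | cut -d' ' -f1)
    [ "$got" = "$want" ]
}

# Step 2: read `gpg --status-fd 1 --verify` output on stdin; succeed only when
# gpg reported GOODSIG and a VALIDSIG line carries the expected fingerprint
# (field 3 is the signing key, the last field is the primary key).
signed_by() {  # $1 = expected fingerprint, spaces allowed
    fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ "${#fpr}" -eq 40 ] || return 1
    awk -v fpr="$fpr" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
            (($3 "") == fpr || ($NF "") == fpr) { pinned = 1 }  # "" forces string compare
        END { exit !(good && pinned) }'
}

# Constructed status lines for an offline dry run; the fingerprint is the one
# shown in the gpg output above, the other field values are made up.
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 26B6CD9DCD5B0045 John Gemignani (Apache GPG key) <jgemignani@apache.org>
[GNUPG:] VALIDSIG 429306038E35AC054DBB4B5826B6CD9DCD5B0045 2023-04-21 1682117743 0 4 0 1 10 00 429306038E35AC054DBB4B5826B6CD9DCD5B0045
EOF
}

# Both checks against a downloaded release; $2 must come from a source you trust.
verify_release() {  # $1 = tarball, $2 = expected fingerprint
    verify_sha512 "$1" "$1.sha512" || { echo "FAIL: sha512 mismatch" >&2; return 1; }
    gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null | signed_by "$2" ||
        { echo "FAIL: no good signature from $2" >&2; return 1; }
    echo "OK: $1"
}
```

Try `sample_status | signed_by "4293 0603 8E35 AC05 4DBB  4B58 26B6 CD9D CD5B 0045" && echo pinned` to see the fingerprint check without gpg or network access.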

3- Binary files

This can be done in two ways:

  • Manually
  • Script

find . -type f -executable
# output
./drivers/jdbc/gradlew
./tools/gen_keywordlist.pl
./tools/git/commit-msg

4- Regression tests

This can be done from inside the AGE source code with the following command:

make installcheck PG_CONFIG=pg_config

5- Tags and links (manual check)

6- Validity of release notes (manual check)

Conclusion:

  • ✅ Signature and Hash [DONE]
  • ✅ Tags and links [DONE]
  • ✅ No unexpected binary files [DONE]
  • ✅ Validity of release notes [DONE]
  • ✅ Regression tests [DONE]
