AGE community VOTE guide

Hey there and welcome all :)

This article walks you through the checks required by the AGE community for new releases. I hope it helps anyone who is struggling to understand any of them.

Let's get started:

We will use the release of AGE 1.3.0 for PG 12 as our example:

https://dist.apache.org/repos/dist/dev/age/PG12/1.3.0.rc1/

https://github.com/apache/age/releases/tag/PG12%2Fv1.3.0-rc1

We can see 3 files there:

  • apache-age-1.3.0-src.tar.gz

  • apache-age-1.3.0-src.tar.gz.asc

  • apache-age-1.3.0-src.tar.gz.sha512

All of them are needed for the verification.

Definitions

  • apache-age-1.3.0-src.tar.gz.sha512: The SHA-512 hash file for the release tarball apache-age-1.3.0-src.tar.gz.

  • apache-age-1.3.0-src.tar.gz.asc: The detached GPG signature used to verify the release tarball.

  • apache-age-1.3.0-src.tar.gz: Source code of the project.

Let's check our todo list


TODO:

  • Signature and Hash

  • Tags and links

  • No unexpected binary files

  • Validity of release notes

  • Regression tests

Let's try to solve them :)


1- HASH

We need to recompute the SHA-512 hash of apache-age-1.3.0-src.tar.gz and compare it with the content of apache-age-1.3.0-src.tar.gz.sha512:

sha512sum apache-age-1.3.0-src.tar.gz
# Output
71e8fb7eed7de3460d6bac7cc37a7ac8bea2164a59043250d7278f4ca17181eb4459db239c19a9b87cc3e4f00e0c0618aff751549a346a3c87f8806ba6b64f11  apache-age-1.3.0-src.tar.gz

Compare that output with the content of apache-age-1.3.0-src.tar.gz.sha512; the two hashes must be identical.

2- Signature

First, we need to download the KEYS file of the AGE maintainers:

https://downloads.apache.org/age/KEYS

# download the KEYS file
wget https://downloads.apache.org/age/KEYS
# import the keys into the local GPG keyring
gpg --import KEYS

Then we verify the signature file against the release tarball:

gpg --verify apache-age-1.3.0-src.tar.gz.asc apache-age-1.3.0-src.tar.gz
# output
gpg: Signature made 22 أبر, 2023 EET 12:55:43 ص
gpg:                using RSA key 26B6CD9DCD5B0045
gpg: Good signature from "John Gemignani (Apache GPG key) <jgemignani@apache.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4293 0603 8E35 AC05 4DBB  4B58 26B6 CD9D CD5B 0045
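
Steps 1 and 2 combined into one repeatable check, as an added example that is not part of the original article or the AGE project's tooling. Because gpg's WARNING above means a good signature alone does not tie the key to its owner, the script pins the primary key fingerprint shown in the output. The function names and the single-token layout of the .sha512 file are assumptions.

```shell
#!/bin/sh
# Added example (not from the AGE project): steps 1 and 2 as one repeatable check.

# Primary key fingerprint as printed by gpg in this article. Assumption: you have
# compared it with the KEYS file or another trusted channel before pinning it.
EXPECTED_FPR="429306038E35AC054DBB4B5826B6CD9DCD5B0045"

# Step 1: recompute SHA-512 and compare with the digest stored in the .sha512 file.
# Assumption: the file holds the digest as one contiguous 128-character hex token.
check_sha512() {   # $1 = tarball, $2 = .sha512 file
    actual=$(sha512sum < "$1" | awk '{print $1}')
    expected=$(grep -Eio '[0-9a-f]{128}' "$2" | head -n 1 | tr 'A-F' 'a-f')
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# Step 2: read `gpg --status-fd` lines on stdin. GOODSIG is required because gpg
# also emits VALIDSIG for signatures from expired or revoked keys; the last field
# of VALIDSIG is the primary key fingerprint, which must equal the pinned one.
status_has_pinned_key() {   # $1 = expected fingerprint
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG"                 { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $NF == want { pinned = 1 }
        END { exit !(good && pinned) }'
}

verify_release() {   # $1 = tarball; expects $1.sha512 and $1.asc beside it
    check_sha512 "$1" "$1.sha512" || { echo "FAIL: SHA-512 mismatch" >&2; return 1; }
    gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null |
        status_has_pinned_key "$EXPECTED_FPR" ||
        { echo "FAIL: no good signature from pinned key" >&2; return 1; }
    echo "OK: $1"
}

# Usage: sh verify.sh apache-age-1.3.0-src.tar.gz
if [ $# -gt 0 ]; then verify_release "$1"; fi
```
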

3- Binary files

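This check can be done in two ways:

  • Manually

  • Script

The following command lists every file that has the executable permission set, so each result can be reviewed to confirm it is not an unexpected binary: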

find . -type f -executable
# output
./drivers/jdbc/gradlew
./tools/gen_keywordlist.pl
./tools/git/commit-msg

4- Regression tests

They can be run from inside the AGE source tree with the following command:

make installcheck PG_CONFIG=pg_config

6- Validity of release notes (manual check)


Conclusion:

  • ✅ Signature and Hash [DONE]

  • ✅ Tags and links [DONE]

  • ✅ No unexpected binary files [DONE]

  • ✅ Validity of release notes [DONE]

  • ✅ Regression tests [DONE]
