Update validate-release.md with non-interactive mode (#189)

apache · Feb 10, 2023 · 348d2aa · 348d2aa
1 parent 97b7948
commit 348d2aa
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 15 deletions.
diff --git a/content/cn/docs/contribution-guidelines/validate-release.md b/content/cn/docs/contribution-guidelines/validate-release.md
@@ -56,19 +56,25 @@ gpg --import KEYS
 
 # 导入后可以看到如下输出, 这代表导入了 3 个用户公钥
 gpg: /home/ubuntu/.gnupg/trustdb.gpg: trustdb created
-gpg: key B78B058CC255F6DC: public key "Imba Jin (apache mail) <[email protected]>" imported
+gpg: key BA7E78F8A81A885E: public key "imbajin (apache mail) <[email protected]>" imported
 gpg: key 818108E7924549CC: public key "vaughn <[email protected]>" imported
 gpg: key 28DCAED849C4180E: public key "coderzc (CODE SIGNING KEY) <[email protected]>" imported
 gpg: Total number processed: 3
 gpg:               imported: 3
 
-# 2. 信任发版用户 (这里需要信任 3 个, 对 Imba Jin, vaughn, coderzc 依次执行相同操作)
-gpg --edit-key Imba Jin # 以第一个为例, 进入交互模式
+# 2. 信任发版用户 (你需要信任 n 个邮件里提到的 gpg 用户名, ＞1则依次执行相同操作)
+gpg --edit-key $USER # 这里填写具体用户名或者公钥串, 回车进入交互模式
 gpg> trust
 ...输出选项..
-Your decision? 5 #选择5
-Do you really want to set this key to ultimate trust? (y/N) y #选择y, 然后 q 退出信任下一个用户
+Your decision? 5 # 选择5
+Do you really want to set this key to ultimate trust? (y/N) y # 选择y, 然后 q 退出信任下一个用户
 
+# (可选) 你也可以直接使用非交互模式的如下命令:
+echo -e "5\ny\n" | gpg --batch --command-fd 0 --edit-key $USER trust
+# 或者是信任所有当前导入过的 gpg 公钥 (请小心检查)
+for key in $(gpg --no-tty --list-keys --with-colons | awk -F: '/^pub/ {print $5}'); do
+  echo -e "5\ny\n" | gpg --batch --command-fd 0 --edit-key "$key" trust
+done
 
 # 3. 检查签名(确保没有 Warning 输出, 每一个 source/binary 文件都提示 Good Signature)
 #单个文件验证
@@ -96,8 +102,9 @@ for i in *.tar.gz; do echo $i; gpg --verify $i.asc $i ; done
 3. **不存在** 缺乏 License 的二进制文件
 4. 源码文件都包含标准 `ASF License` 头 (这个用插件跑一下为主)
 5. 检查每个父 / 子模块的 `pom.xml` 版本号是否一致 (且符合期望)
-6. 检查前 3 ~ 5 个 commit 提交，点进去看看是否修改处和源码文件一致
-7. 最后，确保源码可以正常 / 正确编译 (然后看看测试和规范)
+6. 最后，确保源码可以正常 / 正确编译 (然后看看测试和规范)
+
+PMC 同学请特别注意认真检查 `LICENSE` + `NOTICE` 文件, 确保文件严格遵循了 ASF 的发版要求, 大部分的发版问题都与之相关
 
 ```bash
 # 请优先使用/切换到 java 11 版本进行后序的编译和运行操作

diff --git a/content/en/docs/contribution-guidelines/validate-release.md b/content/en/docs/contribution-guidelines/validate-release.md
@@ -55,18 +55,25 @@ gpg --import KEYS
 
 # After importing, you can see the following output, which means that 3 user public keys have been imported
 gpg: /home/ubuntu/.gnupg/trustdb.gpg: trustdb created
-gpg: key B78B058CC255F6DC: public key "Imba Jin (apache mail) <[email protected]>" imported
+gpg: key BA7E78F8A81A885E: public key "imbajin (apache mail) <[email protected]>" imported
 gpg: key 818108E7924549CC: public key "vaughn <[email protected]>" imported
 gpg: key 28DCAED849C4180E: public key "coderzc (CODE SIGNING KEY) <[email protected]>" imported
 gpg: Total number processed: 3
 gpg:               imported: 3
 
-# 2. Trust release users (here you need to trust 3 users, perform the same operation for Imba Jin, vaughn, coderzc in turn)
-gpg --edit-key Imba Jin # Take the first one as an example, enter the interactive mode
+# 2. Trust release users (trust n username mentioned in voting mail, if more than one user, just repeat the steps in turn or use the script below)
+gpg --edit-key $USER # input the username, enter the interactive mode
 gpg> trust
 ...output options..
-Your decision? 5 #select five
-Do you really want to set this key to ultimate trust? (y/N) y #slect y, then q quits trusting the next user
+Your decision? 5 # select 5
+Do you really want to set this key to ultimate trust? (y/N) y # slect y, then q quits trusting the next user
+
+# (Optional) You could also use the command to trust one user in non-interactive mode:
+echo -e "5\ny\n" | gpg --batch --command-fd 0 --edit-key $USER trust
+# Or use the script to auto import all public gpg keys (be carefully):
+for key in $(gpg --no-tty --list-keys --with-colons | awk -F: '/^pub/ {print $5}'); do
+  echo -e "5\ny\n" | gpg --batch --command-fd 0 --edit-key "$key" trust
+done
 
 
 # 3. Check the signature (make sure there is no Warning output, every source/binary file prompts Good Signature)
@@ -94,10 +101,9 @@ After decompressing `*hugegraph*src.tar.gz`, Do the following checks:
 1. folders with `incubating`, and no **empty** files/folders
 2. `LICENSE` + `NOTICE` + `DISCLAIM` file exists and the content is normal
 3. **does not exist** binaries (without LICENSE)
-4. The source code files all contain the standard `ASF License` header (this could be done with the Maven-MAT plugin)
+4. The source code files all contain the standard `ASF License` header (this could be done with the `Maven-MAT` plugin)
 5. Check whether the `pom.xml` version number of each parent/child module is consistent (and meet expectations)
-6. Check the first 3 to 5 commits, click to see if the modification is consistent with the source file
-7. Finally, make sure the source code works/compiles correctly
+6. Finally, make sure the source code works/compiles correctly
 
 ```bash
 # prefer to use/switch to java 11 for the following operations (compiling/running)