Add more tools?

[kinow]

This looks interesting!!! I only have a small one that I use to verify signatures: https://github.com/kinow/dork-scripts/blob/master/gpg/asf-sigs/asf-sigs.sh

But if you create a better one, I'd be happy to adopt it too and send enhancement/feature requests!

Things that sometimes I try to remember doing for a release:

• [ ] check NOTICE.txt to see if current year is there
• [ ] grep for >>> and === (those git merge markers...)
• [ ] check a few commit messages to see if there's anything that was accidentally not included in changes.xml or jira report
• [ ] compare number of issues in PMD/Checkstyle/CPD/SpotBugs/etc and make a quick table like PMD +2, Checkstyle 0, CPD -1, etc (oh, automating that would save me a lot of time, though SonarQube I think can do that?)

Thanks! B

[britter]

Yes, we can work on this an improve it! But I think it is important that everybody has their own checklist. asf-sigs.sh looks useful, so we could add it here or implement something new. I also need a way to check the SHA hashes.

Furthermore I do these steps, when verifying releases:

• compare source distribution with the release tag
• build the release from the source distribution
• check RELEASE-NOTES.txt date, version, java requirement, etc.

[britter]

@kinow another approach I was thinking about is to create a gradle project with several custom plugins, which automate the steps of verifying a release. This way the build script would be quite declarative, only describing what to check but now how.

[kinow]

That'd work for me as well. Sometimes I have little time, and wish I had a bit of automation on my side to help me with the review. Having a tool that tells me what to check, then later I can either have other tools/scripts that help me with the how.