Open kinow opened 6 years ago
Yes, we can work on this an improve it! But I think it is important that everybody has their own checklist. asf-sigs.sh looks useful, so we could add it here or implement something new. I also need a way to check the SHA hashes.
Furthermore I do these steps, when verifying releases:
@kinow another approach I was thinking about is to create a gradle project with several custom plugins, which automate the steps of verifying a release. This way the build script would be quite declarative, only describing what to check but now how.
That'd work for me as well. Sometimes I have little time, and wish I had a bit of automation on my side to help me with the review. Having a tool that tells me what to check, then later I can either have other tools/scripts that help me with the how.
This looks interesting!!! I only have a small one that I use to verify signatures: https://github.com/kinow/dork-scripts/blob/master/gpg/asf-sigs/asf-sigs.sh
But if you create a better one, I'd be happy to adopt it too and send enhancement/feature requests!
Things that sometimes I try to remember doing for a release:
Thanks! B