From 09a4a8d7e2c866b2a2845149b1285c66020dd2b4 Mon Sep 17 00:00:00 2001 From: Shahar Epstein <60007259+shahar1@users.noreply.github.com> Date: Wed, 21 Jan 2026 09:27:21 +0200 Subject: [PATCH] [v3-1-test] Add checksum verification to Apache RAT downloading in release instructions (#60841) (cherry picked from commit db9368bb75b625afae60e6bc5bba456795039b4c) Co-authored-by: Shahar Epstein <60007259+shahar1@users.noreply.github.com> --- dev/README_RELEASE_AIRFLOW.md | 7 +++++-- dev/README_RELEASE_AIRFLOWCTL.md | 7 +++++-- dev/README_RELEASE_HELM_CHART.md | 11 ++++++++--- dev/README_RELEASE_PROVIDERS.md | 7 +++++-- dev/README_RELEASE_PYTHON_CLIENT.md | 7 +++++-- 5 files changed, 28 insertions(+), 11 deletions(-) diff --git a/dev/README_RELEASE_AIRFLOW.md b/dev/README_RELEASE_AIRFLOW.md index d1fecd192c9de..3f3bf2849c186 100644 --- a/dev/README_RELEASE_AIRFLOW.md +++ b/dev/README_RELEASE_AIRFLOW.md @@ -744,10 +744,13 @@ This can be done with the Apache RAT tool. Download the latest jar from https://creadur.apache.org/rat/download_rat.cgi (unpack the binary, the jar is inside) -You can run this command to do it for you: +You can run this command to do it for you (including checksum verification for your own security): ```shell script -wget -qO- https://dlcdn.apache.org//creadur/apache-rat-0.17/apache-rat-0.17-bin.tar.gz | gunzip | tar -C /tmp -xvf - +# Checksum value is taken from https://downloads.apache.org/creadur/apache-rat-0.17/apache-rat-0.17-bin.tar.gz.sha512 +wget -q https://dlcdn.apache.org//creadur/apache-rat-0.17/apache-rat-0.17-bin.tar.gz -O /tmp/apache-rat-0.17-bin.tar.gz +echo "32848673dc4fb639c33ad85172dfa9d7a4441a0144e407771c9f7eb6a9a0b7a9b557b9722af968500fae84a6e60775449d538e36e342f786f20945b1645294a0 /tmp/apache-rat-0.17-bin.tar.gz" | sha512sum -c - +tar -xzf /tmp/apache-rat-0.17-bin.tar.gz -C /tmp ``` Unpack the release source archive (the `-source.tar.gz` file) to a folder diff --git a/dev/README_RELEASE_AIRFLOWCTL.md b/dev/README_RELEASE_AIRFLOWCTL.md index 330ec3119306c..51592a6d398cd 100644 --- a/dev/README_RELEASE_AIRFLOWCTL.md +++ b/dev/README_RELEASE_AIRFLOWCTL.md @@ -545,10 +545,13 @@ This can be done with the Apache RAT tool. Download the latest jar from https://creadur.apache.org/rat/download_rat.cgi (unpack the binary, the jar is inside) -You can run this command to do it for you: +You can run this command to do it for you (including checksum verification for your own security): ```shell script -wget -qO- https://dlcdn.apache.org//creadur/apache-rat-0.17/apache-rat-0.17-bin.tar.gz | gunzip | tar -C /tmp -xvf - +# Checksum value is taken from https://downloads.apache.org/creadur/apache-rat-0.17/apache-rat-0.17-bin.tar.gz.sha512 +wget -q https://dlcdn.apache.org//creadur/apache-rat-0.17/apache-rat-0.17-bin.tar.gz -O /tmp/apache-rat-0.17-bin.tar.gz +echo "32848673dc4fb639c33ad85172dfa9d7a4441a0144e407771c9f7eb6a9a0b7a9b557b9722af968500fae84a6e60775449d538e36e342f786f20945b1645294a0 /tmp/apache-rat-0.17-bin.tar.gz" | sha512sum -c - +tar -xzf /tmp/apache-rat-0.17-bin.tar.gz -C /tmp ``` Unpack the release source archive (the `-source.tar.gz` file) to a folder diff --git a/dev/README_RELEASE_HELM_CHART.md b/dev/README_RELEASE_HELM_CHART.md index 081e0a0cae4b5..1933236005daa 100644 --- a/dev/README_RELEASE_HELM_CHART.md +++ b/dev/README_RELEASE_HELM_CHART.md @@ -524,10 +524,15 @@ cd ${SVN_REPO_ROOT}/dev/airflow/helm-chart/${VERSION}${VERSION_SUFFIX} ## Licence check -This can be done with the Apache RAT tool. +You can run this command to do it for you (including checksum verification for your own security): + +```shell script +# Checksum value is taken from https://downloads.apache.org/creadur/apache-rat-0.17/apache-rat-0.17-bin.tar.gz.sha512 +wget -q https://dlcdn.apache.org//creadur/apache-rat-0.17/apache-rat-0.17-bin.tar.gz -O /tmp/apache-rat-0.17-bin.tar.gz +echo "32848673dc4fb639c33ad85172dfa9d7a4441a0144e407771c9f7eb6a9a0b7a9b557b9722af968500fae84a6e60775449d538e36e342f786f20945b1645294a0 /tmp/apache-rat-0.17-bin.tar.gz" | sha512sum -c - +tar -xzf /tmp/apache-rat-0.17-bin.tar.gz -C /tmp +``` -* Download the latest jar from https://creadur.apache.org/rat/download_rat.cgi (unpack the binary, - the jar is inside) * Unpack the release source archive (the `-source.tar.gz` file) to a folder * Enter the sources folder run the check diff --git a/dev/README_RELEASE_PROVIDERS.md b/dev/README_RELEASE_PROVIDERS.md index 938812707197e..3ed579fd4d9d0 100644 --- a/dev/README_RELEASE_PROVIDERS.md +++ b/dev/README_RELEASE_PROVIDERS.md @@ -948,10 +948,13 @@ This can be done with the Apache RAT tool. Download the latest jar from https://creadur.apache.org/rat/download_rat.cgi (unpack the binary, the jar is inside) -You can run this command to do it for you: +You can run this command to do it for you (including checksum verification for your own security): ```shell script -wget -qO- https://dlcdn.apache.org//creadur/apache-rat-0.17/apache-rat-0.17-bin.tar.gz | gunzip | tar -C /tmp -xvf - +# Checksum value is taken from https://downloads.apache.org/creadur/apache-rat-0.17/apache-rat-0.17-bin.tar.gz.sha512 +wget -q https://dlcdn.apache.org//creadur/apache-rat-0.17/apache-rat-0.17-bin.tar.gz -O /tmp/apache-rat-0.17-bin.tar.gz +echo "32848673dc4fb639c33ad85172dfa9d7a4441a0144e407771c9f7eb6a9a0b7a9b557b9722af968500fae84a6e60775449d538e36e342f786f20945b1645294a0 /tmp/apache-rat-0.17-bin.tar.gz" | sha512sum -c - +tar -xzf /tmp/apache-rat-0.17-bin.tar.gz -C /tmp ``` Unpack the release source archive (the `-source.tar.gz` file) to a folder diff --git a/dev/README_RELEASE_PYTHON_CLIENT.md b/dev/README_RELEASE_PYTHON_CLIENT.md index 016fabfab44a8..70a0bc00ae9c1 100644 --- a/dev/README_RELEASE_PYTHON_CLIENT.md +++ b/dev/README_RELEASE_PYTHON_CLIENT.md @@ -443,10 +443,13 @@ This can be done with the Apache RAT tool. Download the latest jar from https://creadur.apache.org/rat/download_rat.cgi (unpack the binary, the jar is inside) -You can run this command to do it for you: +You can run this command to do it for you (including checksum verification for your own security): ```shell script -wget -qO- https://dlcdn.apache.org//creadur/apache-rat-0.17/apache-rat-0.17-bin.tar.gz | gunzip | tar -C /tmp -xvf - +# Checksum value is taken from https://downloads.apache.org/creadur/apache-rat-0.17/apache-rat-0.17-bin.tar.gz.sha512 +wget -q https://dlcdn.apache.org//creadur/apache-rat-0.17/apache-rat-0.17-bin.tar.gz -O /tmp/apache-rat-0.17-bin.tar.gz +echo "32848673dc4fb639c33ad85172dfa9d7a4441a0144e407771c9f7eb6a9a0b7a9b557b9722af968500fae84a6e60775449d538e36e342f786f20945b1645294a0 /tmp/apache-rat-0.17-bin.tar.gz" | sha512sum -c - +tar -xzf /tmp/apache-rat-0.17-bin.tar.gz -C /tmp ``` Unpack the release source archive (the `-source.tar.gz` file) to a folder