Do we verify the artifacts after they are released? #8

Open
houshengbo opened this issue Apr 3, 2019 · 1 comment
houshengbo commented Apr 3, 2019

Before the artifacts are moved into the release folder, they are still in staging status available under this link: https://dist.apache.org/repos/dist/dev/incubator/openwhisk/. We should definitely verify them before the release. I THINK this is something the release-verification tool has already covered.

However, after we release them by copying the artifacts into the release directory, do we also need the verification? The release links are different. Although they are available under https://dist.apache.org/repos/dist/release/incubator/openwhisk/, we are only allowed to publish the mirror links, like https://www.apache.org/dyn/closer.lua?filename=incubator/openwhisk/apache-openwhisk-0.9.0-incubating/openwhisk-catalog-0.9.0-incubating-sources.tar.gz for the catalog.

Shall we make it possible to verify the artifacts after the release, like the ones at the mirror links?

We trust all the artifacts when they are under dev with the release-verification. Do we take it for granted that they are trustworthy after they are copied to release? :-)

@jthomas jthomas self-assigned this Apr 3, 2019

jthomas (Owner) commented Apr 10, 2019

@houshengbo It is possible to modify the tool to also validate releases from the release as well as staging directories. Does anyone do this at the moment? I think we just trust it works... :)
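
A post-release check of the kind asked about in this thread, as an added example that is not part of the issue or of the release-verification tool: the artifact bytes would come from the mirror link and the `.sha512` text from the release directory on dist.apache.org, so a mirror cannot supply its own matching checksum. The sample bytes and file name are constructed, and supporting both checksum layouts is an assumption about what the release directory holds; checking the `.asc` signature against the project KEYS file is a separate step not shown.

```python
import hashlib
import hmac
import re

HEX128 = re.compile(r"^[0-9a-f]{128}$")


def parse_sha512_file(text: str) -> str:
    """Return the lowercase hex digest from a .sha512 file.

    Two layouts are handled (assumed, not taken from the thread):
      sha512sum:       "<128 hex>  <filename>"
      gpg --print-md:  "<filename>: ABCD1234 ABCD1234 ..." wrapped over lines
    """
    text = text.strip()
    first = text.split()[0].lower() if text else ""
    if HEX128.match(first):
        return first
    if ":" in text:
        # Everything after the first colon is grouped hex, possibly wrapped.
        _, _, rest = text.partition(":")
        digest = re.sub(r"\s+", "", rest).lower()
        if HEX128.match(digest):
            return digest
    raise ValueError("unrecognised .sha512 layout")


def verify_artifact(artifact: bytes, checksum_text: str) -> bool:
    """Compare the mirror copy's SHA-512 with the canonical checksum."""
    expected = parse_sha512_file(checksum_text)
    actual = hashlib.sha512(artifact).hexdigest()
    return hmac.compare_digest(actual, expected)


def gpg_layout(digest: str, name: str) -> str:
    """Render a digest the way `gpg --print-md SHA512` wraps it."""
    groups = [digest[i:i + 8].upper() for i in range(0, 128, 8)]
    lines = [" ".join(groups[i:i + 4]) for i in range(0, 16, 4)]
    return f"{name}: " + "\n    ".join(lines) + "\n"


# Constructed sample data standing in for a downloaded tarball.
SAMPLE_ARTIFACT = b"constructed stand-in for a source tarball\n"
_DIGEST = hashlib.sha512(SAMPLE_ARTIFACT).hexdigest()
SAMPLE_SHA512SUM = f"{_DIGEST}  sample-sources.tar.gz\n"
SAMPLE_GPG = gpg_layout(_DIGEST, "sample-sources.tar.gz")

if __name__ == "__main__":
    print("sha512sum layout:", verify_artifact(SAMPLE_ARTIFACT, SAMPLE_SHA512SUM))
    print("gpg layout:      ", verify_artifact(SAMPLE_ARTIFACT, SAMPLE_GPG))
    print("tampered copy:   ", verify_artifact(SAMPLE_ARTIFACT + b"x", SAMPLE_GPG))
```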
