From bf511ec0c6d1561ef093e12793d88f32aeef762a Mon Sep 17 00:00:00 2001 From: Jussi Kukkonen Date: Thu, 3 Mar 2022 16:04:08 +0200 Subject: [PATCH] docs: Update release docs * version number is single sourced now * Mention that using pip against test.pypi.org is unsafe * Fix some filenames in the examples Signed-off-by: Jussi Kukkonen --- docs/RELEASE.md | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/docs/RELEASE.md b/docs/RELEASE.md index c964407a..8ed9ce6a 100644 --- a/docs/RELEASE.md +++ b/docs/RELEASE.md @@ -5,14 +5,18 @@ tracked by git * Ensure `docs/CHANGELOG.md` contains a one-line summary of each [notable change](https://keepachangelog.com/) since the prior release -* Update `setup.cfg` and `tuf/__init__.py` to the new version number vA.B.C +* Update `tuf/__init__.py` to the new version number "A.B.C" * Test packaging, uploading to Test PyPI and installing from a virtual environment (ensure commands invoking `python` below are using Python 3) * Remove existing dist build dirs * Create source dist and wheel `python3 -m build` - * Sign the dists `gpg --detach-sign -a dist/tuf-vA.B.C.tar.gz` + * Sign source dist `gpg --detach-sign -a dist/tuf-A.B.C.tar.gz` + * Sign wheel `gpg --detach-sign -a dist/tuf-A.B.C-py3-none-any.whl` * Upload to test PyPI `twine upload --repository testpypi dist/*` - * Verify the uploaded package https://testpypi.python.org/pypi/tuf/ + * Verify the uploaded package at https://test.pypi.org/project/tuf/: + Note that installing packages with pip using test.pypi.org is potentially + dangerous (as dependencies may be squatted): download the file and install + the local file instead. * Create a PR with updated `CHANGELOG.md` and version bumps * Once the PR is merged, pull the updated `develop` branch locally * Create a signed tag matching the updated version number on the merge commit 
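Review bot: the new Test PyPI verification text tells the reader to "download the file and install the local file instead" but does not say how to confirm that the downloaded artifact is the one that was just built and signed, which is the whole point of the check. Suggest adding a verification step before the install, e.g. `gpg --verify dist/tuf-A.B.C-py3-none-any.whl.asc <downloaded wheel>` or a sha256 comparison against the file in `dist/`, and spelling out the install as `python3 -m pip install ./tuf-A.B.C-py3-none-any.whl` in a fresh virtual environment. It would also help to state why the local install is safe: pip then resolves the package's dependencies from the default index (pypi.org) rather than from test.pypi.org, so the dependency-squatting risk the note warns about does not apply. Minor: the two signing lines now produce `dist/tuf-A.B.C.tar.gz.asc` and `dist/tuf-A.B.C-py3-none-any.whl.asc`, and the following `twine upload --repository testpypi dist/*` picks those up as well; a short remark that the signatures are uploaded alongside the dists would make the later "Attach both signed dists and their detached signatures" step easier to follow.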
@@ -24,11 +28,10 @@ (ensure commands invoking `python` below are using Python 3) * Remove existing dist build dirs * Create source dist and wheel `python3 -m build` - * Sign source dist `gpg --detach-sign -a dist/tuf-vA.B.C.tar.gz` - * Sign wheel `gpg --detach-sign -a dist/tuf-vA.B.C-py3-none-any.whl` - * Upload to test PyPI `twine upload --repository testpypi dist/*` - * Verify the uploaded package https://testpypi.python.org/pypi/tuf/ + * Sign source dist `gpg --detach-sign -a dist/tuf-A.B.C.tar.gz` + * Sign wheel `gpg --detach-sign -a dist/tuf-A.B.C-py3-none-any.whl` * Upload to PyPI `twine upload dist/*` + * Verify the package at https://pypi.org/project/tuf/ and by installing with pip * Attach both signed dists and their detached signatures to the release on GitHub * Announce the release on [#tuf on CNCF Slack](https://cloud-native.slack.com/archives/C8NMD3QJ3) * Ensure [POUF 1](https://github.com/theupdateframework/taps/blob/master/POUFs/reference-POUF/pouf1.md), for the reference implementation, is up-to-date
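Review bot: the added line "Verify the package at https://pypi.org/project/tuf/ and by installing with pip" should pin the version and use a clean environment, otherwise the check can silently pass against a cached or previously installed build; suggest `python3 -m pip install tuf==A.B.C` in a fresh virtual environment, mirroring the Python 3 note in the context line above. Removing the Test PyPI upload/verify lines from this second list is the right call since those steps are now only in the first list, but the signing commands are now duplicated verbatim between the two lists with only the upload target differing; consider a one-line pointer ("repeat the build and signing steps above") so the two copies cannot drift apart again, which is exactly the kind of filename mismatch this patch is fixing.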