In this phase the ATR checks the claims made about the release artifacts and enforces policy on them.
- Proper application of license
- Release Policy
- Signing Releases
- Source Header and Copyright Notice Policy
- 3rd Party License Policy
- Source files have the correct license headers.
- LICENSE and NOTICE are provided in the correct location in every artifact.
- Dependencies are acceptably licensed.
- Release artifacts have correct GPG detached signatures and checksums.
- Reproducible build claims are validated.
- SBOMs are well formed and have proper claims.
- Validate Packaging.
- Validate license headers, including double-checking the "RAT excludes" list so that every exclusion is legitimate and not a way of hiding files that lack a header.
- Validate LICENSE and NOTICE.
- Validate Dependency Licensing.
- Validate Reproducible Build Packaging.
- Validate SBOMs (generate?).
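As an added example (not ATR's own code), the script below implements three of the checks listed above against a constructed artifact: the `.sha512` checksum sidecar, the presence of LICENSE and NOTICE in the top-level directory, and ASF license headers on source files subject to a RAT-style exclude list. The detached-signature check shells out to `gpg --verify` and is not exercised by the demo, since it needs the project's KEYS imported first. The tarball layout (one top-level directory), the coreutils-style sidecar format and the glob-based exclude matching are assumptions of this example, not ATR conventions.

```python
"""Added example: minimal release-policy checks (checksum, LICENSE/NOTICE,
license headers with RAT-style excludes). Assumptions: one top-level
directory per tarball, sidecar format "<hex>  <filename>", excludes are
globs relative to the top-level directory. Not ATR code."""
import fnmatch
import hashlib
import io
import os
import subprocess
import tarfile
import tempfile

ASF_HEADER = "Licensed to the Apache Software Foundation (ASF) under one"
SOURCE_SUFFIXES = (".py", ".java", ".go", ".sh")


def sha512_of(path: str) -> str:
    digest = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_sha512(artifact_path: str, sidecar_path: str) -> bool:
    """Both the digest and the recorded file name must match, so a sidecar
    copied from a different artifact is rejected."""
    with open(sidecar_path, encoding="utf-8") as f:
        recorded, _, name = f.readline().strip().partition(" ")
    name = name.strip().lstrip("*")  # "*" marks binary mode in some tools
    return recorded.lower() == sha512_of(artifact_path) and name == os.path.basename(artifact_path)


def verify_detached_signature(artifact_path: str, sig_path: str) -> bool:
    """Exit status 0 from gpg means the signature verified against a key in the
    local keyring; the signing key from KEYS must be imported beforehand."""
    try:
        res = subprocess.run(["gpg", "--batch", "--verify", sig_path, artifact_path],
                             capture_output=True, check=False)
    except FileNotFoundError:  # gpg not installed
        return False
    return res.returncode == 0


def check_tarball(artifact_path: str, rat_excludes=()) -> list:
    """Return the list of policy problems; an empty list means the artifact passed."""
    problems = []
    with tarfile.open(artifact_path, "r:gz") as tar:
        members = [m for m in tar.getmembers() if m.isfile()]
        names = {m.name for m in members}
        top = {n.split("/", 1)[0] for n in names}
        if len(top) != 1:
            problems.append(f"expected one top-level directory, found {sorted(top)}")
        root = next(iter(top)) if top else ""
        for required in ("LICENSE", "NOTICE"):
            if f"{root}/{required}" not in names:
                problems.append(f"missing {root}/{required}")
        for m in members:
            rel = m.name.partition("/")[2]  # path relative to the top-level directory
            if not rel.endswith(SOURCE_SUFFIXES):
                continue
            if any(fnmatch.fnmatch(rel, pattern) for pattern in rat_excludes):
                continue  # excluded from the header check (the exclude itself still needs review)
            head = tar.extractfile(m).read(4096).decode("utf-8", "replace")
            if ASF_HEADER not in head:
                problems.append(f"no ASF license header: {rel}")
    return problems


def build_sample_artifact(directory: str, root: str, with_header: bool, omit=()) -> str:
    """Constructed demo input: a small tarball plus its .sha512 sidecar."""
    files = {
        "LICENSE": "Apache License\nVersion 2.0, January 2004\n",
        "NOTICE": f"{root}\nCopyright notice for the constructed sample\n",
        "src/main.py": (ASF_HEADER + "\n" if with_header else "") + "print('hello')\n",
        "src/vendor/third.py": "# vendored dependency under its own license\n",
    }
    path = os.path.join(directory, f"{root}.tar.gz")
    with tarfile.open(path, "w:gz") as tar:
        for rel, text in files.items():
            if rel in omit:
                continue
            data = text.encode("utf-8")
            info = tarfile.TarInfo(f"{root}/{rel}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    with open(path + ".sha512", "w", encoding="utf-8") as f:
        f.write(f"{sha512_of(path)}  {os.path.basename(path)}\n")
    return path


def run_demo() -> dict:
    """Build a compliant and a non-compliant artifact and run the checks on both."""
    excludes = ("src/vendor/*",)
    with tempfile.TemporaryDirectory() as d:
        good = build_sample_artifact(d, "example-1.0.0", with_header=True)
        bad = build_sample_artifact(d, "example-1.0.1", with_header=False, omit=("NOTICE",))
        return {
            "good_checksum": verify_sha512(good, good + ".sha512"),
            "good_problems": check_tarball(good, excludes),
            "good_without_excludes": check_tarball(good),
            "bad_problems": check_tarball(bad, excludes),
            "swapped_sidecar": verify_sha512(good, bad + ".sha512"),
        }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

Running the demo shows the two sides of the RAT-excludes point: with `src/vendor/*` excluded the compliant artifact passes cleanly, and without the exclude the vendored file is reported, which is exactly why the exclude list itself has to be reviewed rather than trusted.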