HowTo Release Apache Onami
This short guide is for volunteers that intend to cover the role of Release Manager. It also
contains a sections for voters with recommended
steps before casting a vote.
Prerequisites
- Install/Configure GPG - The artifacts that are deployed to the ASF central repository need to
be signed. To do this you will need to have a public and private keypair. There is a very good
guide that will
walk you though this.
- Install Apache Maven 2.2.1 or higher. 2.2.0 has a bug that will
produce invalid checksums; we strongly encourage our committers to install latest Apache Maven version.
- Configure Apache Maven settings.
Release steps
Prepare the source for release
- Clean up JIRA so the Fix Version in issues resolved since the last release includes this release
version correctly. Also, transition any Resolved issues to the Closed state.
- Update the text files in a working copy of the project root:
- Update the CHANGES based on the Text release reports from JIRA.
- Commit any changes back to svn:
svn commit -m "updating files for release"
- Perform a full build and deploy the SNAPSHOT artifacts:
Get source tree
- Only for new major releases (like 1.0.0 to 1.1.0):
Create a sub-branch from which to make the release.
Releasing from a branch will allow any cosmetic changes that need to be made for the release to be
approved to be done without preventing other more disruptive advances in the trunk from potentially
causing problems with the release. It also provides a future maintenance branch (like 1.0.x.)
A branch can be made by running:
mvn release:branch -DbranchName=1.0.x
- Checkout a clean copy of the branch to release using command line svn:
svn checkout https://svn.apache.org/repos/asf/onami/branches/${module}-${version}
Prepare the release
- Do a dry run of the release:prepare step.
mvn release:prepare -DdryRun=true
The dry run will not commit any changes back to SVN and gives you the opportunity to verify that the
release process will complete as expected.
If you cancel a release:prepare before it updates the pom.xml versions, then use the
release:clean goal to just remove the extra files that were created.
- Verify that the release process completed as expected:
- The release plugin will create pom.xml.tag files which contain the changes that would
have been committed to SVN. The only differences between pom.xml.tag and its corresponding
pom.xml file should be the version
number.
- If other formatting changes have been made you should review the changes and then commit them:
svn commit -m "fixing formatting for release"
- Assuming the .tag files look OK you may proceed and do any other validation you feel
necessary. The following list may be helpful:
- Check release.properties and make sure that the scm properties have the right version.
Sometimes the scm location can be the previous version not the next version.
- Verify signatures: On Un*x platforms the following command can be executed:
for file in `find . -type f -iname '*.asc'`
do
gpg --verify ${file}
done
You'll need to look at the output to ensure it contains only good signatures:
gpg: Good signature from ...
gpg: Signature made ...
- Once any failures or required updates have been committed to svn, rollback the release prepare files:
- Run the release:prepare step for real this time. You'll be prompted for the same version
information and optionally your GPG passphrase again.
Perform the release
-
From the directory where you have launched release:prepare execute (this step will create a maven staging repository):
mvn release:perform [-Duser.name=<your_apache_uid>]
If your local OS userid doesn't match your Apache userid, then you'll have to also override the value
provided by the OS to Maven for the site-deploy step to work. This is known to work for Linux,
but not for Mac and unknown for Windows.
- Verify the staged artifacts in the Nexus repository:
- https://repository.apache.org/
- Enterprise --> Staging
- Staging tab --> Name column --> org.apache.onami
- Navigate through the artifact tree and make sure that all binary,
javadoc,
sources, and
tests jars, as well as
poms, ... have
.asc (GPG signature) and checksum files (see
Repository FAQ and
Detached Signatures).
- Close the Nexus staging repo:
- https://repository.apache.org/
- Enterprise --> Staging
- Staging tab --> Name column --> org.apache.onami
- Right click on the open org.apache.onami-XXX staging repo and select
Close.
Vote the Release
- Create a VOTE email thread on dev@
to record votes as replies, e.g.:
To: "Apache Onami Developers List" <dev@onami.apache.org>
Subject: [VOTE] Release Apache Onami XXXX major.minor.patch
Hi,
We solved N issues:
http://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311100&styleName=Html&version=X.Y
There are still a couple of issues left in JIRA:
http://issues.apache.org/jira/secure/IssueNavigator.jspa?reset=true&pid=12311100&status=1
SVN source tag
https://svn.apache.org/repos/asf/onami/tags/org.apache.onami.xxxx-major.minor.patch/
Staging repo:
https://repository.apache.org/content/repositories/orgapacheonami-[YOUR REPOSITORY ID]/
Release artifact:
https://repository.apache.org/content/repositories/orgapacheonami-[YOUR REPOSITORY ID]/org/apache/onami/org.apache.onami.xxxx/major.minor.patch/org.apache.onami.xxx-major.minor.patch-source-release.zip
PGP release keys (signed using ABCDEFG):
http://www.apache.org/dist/onami/KEYS
Vote will be open for 72 hours.
[ ] +1, let's get it ruuuumbleeeeee!!!
[ ] +/-0, fine, but consider to fix few issues before...
[ ] -1, nope, because... (and please explain why)
- Create a DISCUSS email thread on dev@ for any vote questions, e.g.:
To: "Apache Onami Developers List" <dev@onami.apache.org>
Subject: [DISCUSS] Apache Onami XXXX major.minor.patch
Discussion thread for vote on <version> release candidate, with SVN source tag.
For more information on the release process, check out http://www.apache.org/dev/release.html
Some of the things to check before voting are:
- does "mvn rat:check" pass on the source
- can you build the contents of source-release.zip and svn tag
- do all of the staged jars/zips contain the required LICENSE and NOTICE files
- are all of the staged jars signed and the signature verifiable
- is the signing key in the project's KEYS file and on a public server (i.e. http://www.apache.org/dist/onami/)
- Perform a review of the release and cast your vote. For more details on Apache releases see
http://www.apache.org/dev/release.html.
- A -1 vote does not necessarily mean that the vote must be redone, however it is usually a
good idea to rollback the release if a -1 vote is received
(see "Recovering from a vetoed release" below).
- After the vote has been open for at least 72 hours, has at least three +1 PMC votes and no -1 votes, then
post the results to the vote thread, replying to the initial email prepending [RESULT] to the
original subject and include a list of every binding +1, 0 and -1 vote.
To: "Apache Onami Developers List" <dev@onami.apache.org>
Subject: [RESULT] [VOTE] Release Onami XXXX major.minor.patch
Hi,
The vote has passed with the following result :
+1 (binding):
Christian Grobmeier
Mohammad Nour El-Din
Olivier Lamy
Jordi Gerona
Marco Speranza
Simone Tripodi
+1 (non binding):
Mario Rossi
John Doe
I will promote the artifacts to the central repo.
Finalize the Release
- Add the distribution artifacts to the distribution area
svn co https://dist.apache.org/repos/dist/release/onami onami-dist
cd onami-dist
# if the component dir doesn't exist
svn mkdir org.apache.onami.xxxx
cd org.apache.onami.xxxx
wget -e robots=off -nH --cut-dirs=7 -np --no-check-certificate -m -A *.zip* -R .asc.sha1,.asc.md5 \
https://repository.apache.org/content/repositories/orgapacheonami-[YOUR REPOSITORY ID]/org/apache/onami/org.apache.onami.xxxx/major.minor.patch/
svn add major.minor.patch
svn commit -m "Promoting the voted release artifacts" major.minor.patch
Please keep the distribution area clean. Remove any "old" release soon after it is superseded by a "new" release in the same development branch.
- Promote the staged nexus artifacts:
- https://repository.apache.org/
- Enterprise --> Staging
- Staging tab --> Name column --> org.apache.onami
- Right click on the closed org.apache.onami-XXX staging repo and select Release.
- Deploy the component site:
- in the component dir, go under target/checkout directory (or checkout the tag);
- if the component is a single-module project, then run mvn site-deploy -Dusername=${committer.id} -Dpassword=${committer.password}
- if the component is a multi-module project, then run sh ./deploySite.sh -Dusername=${committer.id} -Dpassword=${committer.password}
- Update the
JIRA versions
page to mark the version as Released, and set the date to the date that
the release was approved. You may also need to make a new release entry for the next release.
Announce the Release
Make an announcement about the release on the
user@,
dev@, and
announce@ lists as per
the Apache Announcement Mailing Lists page
From: YOUR_APACHE_USERNAME@apache.org
To: "ASF Announcements" <announce@apache.org>, "Apache Onami Users List" <user@onami.apache.org>
CC: "Apache Onami Developers List" <dev@onami.apache.org>, "Google Guice Users List" <google-guice@googlegroups.com>
Subject: [ANNOUNCE] Apache Onami XXXX major.minor.patch
The Apache Onami Team is pleased to announce the release of Apache Onami XXXX major.minor.patch.
(put XXXX extension description here)
Release Notes:
(put JIRA release notes here)
Have Fun,
(committer name), on behalf of the Apache Onami PMC
Recovering from a vetoed release
- Reply to the initial vote email prepending [CANCELED] to the original subject.
- Rollback the version upgrades in trunk by either:
- Restore the 0.1-rc1.tar.gz and run or
manually revert the versions in trunk to the prior version and commit
- Delete the svn tag created by the release:perform step:
svn rm https://svn.apache.org/repos/asf/onami/tags/org.apache.onami.xxxx-major.minor.patch -m "deleting tag from rolled back release"
- Drop the Nexus staging repo:
- https://repository.apache.org/
- Enterprise --> Staging
- Staging tab --> Name column --> org.apache.onami
- Right click on the closed org.apache.onami-XXX staging repo and select Drop.
- Make the required updates that caused the vote to be canceled.
- Spin another release attempt!
Recommended steps before casting a vote
Making releases is a serious job at the ASF. And a time-eater.
The following gives you some ideas to check a release and cast your vote (as written by Christian Grobmeier on the Onami dev mailing list).
- Check out the source tag and test/package it.
- Then take a look at the site to check the branding requirements (read more on http://www.apache.org/foundation/marks/pmcs).
- The RAT plugin outputs license header issues (read more on http://creadur.apache.org/rat/apache-rat-plugin/index.html).
- This command helps to download artifacts from nexus to check them: wget -e robots=off --cut-dirs=3 -r -p -np --no-check-certificate https://repository.apache.org/content/repositories/orgapacheonami-149/org/apache/onami/org.apache.onami.test/
- Then we need to take care our code signing keys are in the KEYS file. MD5 checking i do with a scripts such as [1] or [2]
- Also try to open artifacts (avoid zip problems and such).
[1] https://gist.github.com/3504123 from our mate Ivan (over from logging land)
from os.path import join, splitext, basename
import os
import sys
import hashlib
def file_get_contents(path):
with open(path, 'rb') as file:
return file.read()
for root, dirs, files in os.walk('.'):
for file in files:
file = join(root, file)
name, ext = splitext(file)
if ext == '.md5':
file_contents = file_get_contents(name)
md5_given = file_get_contents(file)
md5_actual = hashlib.md5(file_contents).hexdigest()
if (md5_given == md5_actual):
print "%s md5 OK" % basename(name)
else:
print "\nERROR: md5 mismatch\nfile : %s\ncalculated: %s\ngiven : %s\n" % (name, md5_actual, md5_given)
if ext == '.sha1':
file_contents = file_get_contents(name)
sha1_given = file_get_contents(file)
sha1_actual = hashlib.sha1(file_contents).hexdigest()
if (sha1_given == sha1_actual):
print "%s sha1 OK" % basename(name)
else:
print "\nERROR: sha1 mismatch\nfile : %s\ncalculated: %s\ngiven : %s\n" % (name, sha1_actual, sha1_given)
[2] http://www.grobmeier.de/checking-md5-and-signatures-with-a-shell-script-29062011.html
#!/bin/bash
file1=`md5 -q $1`
file2=`cut -d* -f1 $1.md5`
echo "Checking file: $1"
echo "Using MD5 file: $1.md5"
echo $file1
echo $file2
if [ $file1 != $file2 ]
then
echo "md5 sums mismatch"
else
echo "checksums OK"
fi
echo "GPG verification output"
gpg --verify $1.asc $1