Title: Release Process
Notice: Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
.
http://www.apache.org/licenses/LICENSE-2.0
.
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
Releases are crucial aspects for an apache project and following the guidelines is very important. The [Release FAQ][release-faq] describes the foundation wide policies. The following instructions walkthrough Airavata specific release steps.
###One time release management setup
This section describes release management configuration steps, if you have previously configured these steps, jump directly to [Release Process](#release-process).
Performing a release will require:
* Generate, sign and upload gpg key, you can follow these [gpg instructions](#gpg-key).
* Configure Maven and get access to Nexus Repo, more [maven & nexus instructions](#maven-nexus-setup).
#### Generate GPG key
The releases have to be signed by public key cryptography signatures. Detailed instructions on why releases have to be signed are provided on [Release Signing][release-signing] page.
The popular software used Open Pretty Good Privacy (OpenPGP) is the GPG. The [GPG instructions][gpg-keys] list out detailed steps on managing your keps.
The steps can be summerized as:
* Generate 4096 bits RSA key pair using gpg: `gpg --gen-key`.
* Export the public key: `gpg --list-sigs && gpg --armor -- export `
* Upload the public key to [SURFNET PGP][surfnet-pgp] or [MIT PGP][mit-pgp] servers.
* Have your key signed by atleast three apache commiters, [key signing][key-sign] and [Henk Penning][henk-trust] websites provide instructions.
* Add the signed public key to the KEYS file on [Airavata Dist SVN][airavata-dist-svn].
For reference, the steps to sign a key:
* The person whom you know in person provides you his key, usually this happens at key signing party where you can verify each others ID's.
* Fetch the key `gpg --keyserver --recv-keys ` an example key server is pgp.mit.edu
* Sign the key `gpg --sign-key `
* Upload the key back to the server `gpg --keyserver --send-key `
#### Maven Configuration & Nexus Setup
* Airavata requires Maven 3 or later to build and release
* It is encouraged to use maven's password encryption capabilities and set the gpg password in
~/.m2/settings.xml. Detailed instructions are at [Publishing Maven Artifacts][maven-artificats]
* Make sure both the apache.snapshots.https and apache.releases.https are configured coreectly.
* Performing release will require maven to run series of commands, the heapsize has to be increased to avoid out of memory exceptions.
* Bash Shell: `export MAVEN_OPTS="-Xmx1024m -XX:MaxPermSize=256m"`.
* C Shell: `setenv MAVEN_OPTS "-Xmx1024m -XX:MaxPermSize=256m"`.
#### Release Process
1. Before performing the following release steps, ensure the [Release Setup](#release-setup) steps have been performed.
2. Ensure the source is ready for release. Verify:
* Cleanup JIRA so the Fix Version in issues resolved since the last release includes this release version correctly.
* Ensure all open issues are resolved before proceeding further, close all resolved issues.
* Test and make sure the release passes all regression tests.
* Update RELEASE_NOTES with all the features added.
* The release notes can be obtained from JIRA, by clicking the RoadMap, version, and then configuring the release notes to display text format and copying it.
* A suggested approach would be to reorganize the release notes as New Features, then Improvements then Tasks and Sub Tasks and finally Bug Fixes.
* Review and update README, INSTALL files.
* Commit any changes back to svn.
* Update website/wiki with Roadmap or Release landing pages.
3. Checkout a clean copy of the trunk to release using command line svn.
*Do not use Eclipse/Idea to do the checkout. The extra dot (.) and other metada files created by IDE's throws off the rat:check processing.*
`git clone https://git-wip-us.apache.org/repos/asf/airavata.git`
4. Verify the source has the required license headers before trying to release:
`mvn -P pedantic verify -DskipTests=true`
5. Do a dry run of the release:prepare step:
`mvn -P apache-release release:prepare -DautoVersionSubmodules=true -DdryRun=true`
The dry run will not commit any changes back to SVN and gives you the opportunity to verify that the release process will complete as expected. You will be prompted for the following information :
* Release version
* SCM release tag
* New development version
* GPG Passprhase - On a Mac if the passphrase is stored in keychain, the passphrase is not prompted.
*If you cancel a release:prepare before it updates the pom.xml versions, then use the release:clean goal to just remove the extra files that were created.*
The Maven release plugin checks for SNAPSHOT dependencies in pom's. It will not complete the prepare goal until all SNAPSHOT dependencies are resolved.
6. Verify that the release process completed as expected
* The release plugin will create pom.xml.tag files which contain the changes that would have been committed to SVN. The only differences between pom.xml.tag and it's corresponding pom.xml file should be the version number.
* If other formatting changes have been made you should review the changes and then commit them `svn commit -m "fixing formatting for release"`
* Check release.properties and make sure that the scm properties have the right version. Sometimes the scm location can be the previous version not the next version.
* Verify signatures ([Verifying release signatures](#verify_signatures))
7. Once any failures or required updates have been committed to svn, rollback the release prepare files:
`mvn -P apache-release release:rollback`
8. Prepare the release: Run the "release:prepare" step for real this time. You'll be prompted for the same version information.
`mvn -P apache-release release:prepare -DautoVersionSubmodules=true`
Backup (zip or tar) your local release candidate directory in case you need to rollback the release after the next step is performed.
9. Perform the release
* This step will create a maven staging repository and site for use in testing and voting.
`mvn release:perform -Papache-release`
* If your local OS userid doesn't match your Apache userid, then you'll have to also override the value provided by the OS to Maven for the site-deploy step to work: -Duser.name=[your_apache_uid] --This is known to work for Linux, but not for Mac and unknown for Windows--.
10. Verify the Nexus release artifacts
* Verify the HTML links in site are correct
* Verify the staged artifacts in the nexus repo
* https://repository.apache.org/index.html
* Staging repositories (under Build Promotion) --> Name column --> org.apache.airavata
* Navigate through the artifact tree and make sure that all javadoc, sources, tests, jars, ... have .asc (GPG signature) and .md5 files. See http://people.apache.org/~henkp/repo/faq.html and http://www.apache.org/dev/release-signing.html#openpgp-ascii-detach-sig
* Close the nexus staging repo
* https://repository.apache.org/index.html
* Staging repositories (under Build Promotion) --> Name column --> org.apache.airavata
* Click checkbox for the open staging repo (org.apache.airavata-XXX) and press Close in the menu bar.
11. Sign the binary artifacts
* $ `cd modules/distribution/target`
* $ `gpg -ab apache-airavata-*${project.version}*-bin.tar.gz`
* $ `gpg -ab apache-airavata-*${project.version}*-bin.zip`
* $ `gpg --print-md SHA512 apache-airavata-*${project.version}*-bin.tar.gz > apache-airavata-*${project.version}*-bin.tar.gz.sha`
* $ `gpg --print-md SHA512 apache-airavata-*${project.version}*-bin.zip > apache-airavata-*${project.version}*-bin.zip.sha`
* $ `gpg --print-md MD5 apache-airavata-*${project.version}*-bin.tar.gz > apache-airavata-*${project.version}*-bin.tar.gz.md5`
* $ `gpg --print-md MD5 apache-airavata-*${project.version}*-bin.zip > apache-airavata-*${project.version}*-bin.zip.md5`
12. Stage the source and binary artifacts to the dist development repository
* Checkout Airavata development dist area:
`svn co https://dist.apache.org/repos/dist/dev/airavata airavata-dev-dist`
* Create the directory for ${project.version} and RC{number} within it. The RC number corresponds to the current release attempt.
* Copy the source and binaries into dist area.
* Copy the source and binaries into the development dist RC area created above.
* Sources and signed artificats can be downloaded from staging repo https://repository.apache.org/content/groups/staging/org/apache/airavata/airavata/${project.version}.
* Source artifacts should include airavata-{project.version}-source-release.zip, airavata-{project.version}-source-release.zip.asc, airavata-{project.version}-source-release.zip.sha, airavata-{project.version}-source-release.zip.md5
* Binaries and gpg signed artificats from step 11.
* Verify they are downloadable from https://dist.apache.org/repos/dist/dev/airavata/${project.version}/RC{number}.
13. Put the release candidate up for a vote
1. Create a VOTE email thread on dev@ to record votes as replies, like [this](release-vote.txt)
2. Create a DISCUSS email thread on dev@ for any vote questions, [this](release-discuss.txt)
3. Perform a review of the release and cast your vote. For elaborate instructions, please consult [Apache Release FAQ][release-faq].
4. A -1 vote does not necessarily mean that the vote must be redone, however it is usually a good idea to rollback the release if a -1 vote is received. See - Recovering from a vetoed release
5. After the vote has been open for at least 72 hours, has at least three +1 PMC votes and no -1 votes, then post the results to the vote thread by -
* reply to the initial email and prepend to the original subject "[RESULT]"
* Include a list of everyone who voted +1, 0 or -1.
14. Finalizing a release
1. The artificats in the repository are not yet mirrored and available for maven to download. Promote the staged nexus artifacts, but releasing them.
* https://repository.apache.org/index.html
* Staging repositories (under Build Promotion) --> Name column --> org.apache.airavata
* Click checkbox of the closed staging repo (org.apache.airavata-XXX) and select Release.
2. Checkin the source and binary artifcats into distribution svn which will be pulled by all mirrors within 24 hours. The dist/dev svn is not mirrored, but the dist/release is.
* `svn copy https://dist.apache.org/repos/dist/dev/airavata/${project.version}/RC{number} https://dist.apache.org/repos/dist/release/airavata/${project.version} -m "Committing Airavata Source and Binary Release for ${project.name}-${project.version}`
3. Update the staged website
* Update the downloads page to add new version using the mirrored URLs
* Modify the URL for the prior release to the archived URL for the release
4. Publish the website
* WAIT 24hrs after committing releases for mirrors to replicate
* Publish updates to the download page
5. Delete the prior versions
* Navigate to the release directories checked out in the prior steps
* Delete the prior release artifacts using the svn delete command
* Commit the deletion
15. Update the JIRA versions page to close all issues, mark the version as "released", and set the date to the date that the release was approved. You may also need to make a new release entry for the next release.
16. Announcing the release
* Make a news announcement on the Airavata homepage.
* Make an announcement about the release on the dev@airavata.apache.org, users@airavata.apache.org, and announce@apache.org.
* Sample announce [email](release-announce.txt).
####Recovering from a vetoed release
1. Reply to the initial vote email and prepend to the original subject -
[CANCELED]
3. Delete the svn tag created by the release:perform step -
$ svn del https://svn.apache.org/repos/asf/airavata/tags/${project.version} -m "deleting tag from rolled back release"
4. Revert the svn to old version `mvn -P apache-release release:rollback`
5.
5. Delete the build artifacts on people & www
* $ rm -rfv /www/people.apache.org/builds/airavata/${project.version}
6. Drop the nexus staging repo
1. https://repository.apache.org/index.html
2. Enterprise --> Staging
3. Staging tab --> Name column --> org.apache.airavata
4. Right click on the closed staging repo (org.apache.airavata-XXX) and select Drop.
7. Remove the staged site
8. Make the required updates that caused the vote to be canceled during the next release cycle
####Verifying release signatures
On unix platforms and mac's download all source and binary artifacts into a new directory and cd to the download directory.
for file in `find . -type f -iname '*.asc'`
do
gpg --verify ${file}
done
The output will indicate the You'll need to look at the output to ensure it contains only good signatures -
gpg: Good signature from ...
gpg: Signature made ...
[release-faq]: http://www.apache.org/dev/release.html
[gpg-keys]: http://www.apache.org/dev/openpgp.html
[release-signing]: http://www.apache.org/dev/release-signing.html
[surfnet-pgp]: http://pgp.surfnet.nl:11371/
[mit-pgp]: http://pgp.mit.edu/
[key-sign]: http://www.apache.org/dev/release-signing.html#key-signing-party
[henk-trust]: http://people.apache.org/~henkp/trust/
[maven-artificats]: http://www.apache.org/dev/publishing-maven-artifacts.html#dev-env
[airavata-dist-svn]: https://dist.apache.org/repos/dist/release/airavata/