Title: Release Process
Notice: Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
.
http://www.apache.org/licenses/LICENSE-2.0
.
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
Releases are crucial aspects for an apache project and following the guidelines is very important.
The [Release FAQ][release-faq] describes the foundation wide policies. The [Incubator Release Management][inc-release-mgmt]
describes incubator project specific release process. The following instructions walkthrough Airavata specific release steps.
###One time release management setup
This section describes release management configuration steps, if you have previously configured these steps,
jump directly to [Release Process](#release-process).
Performing a release will require:
* Access to people.apache.org to stage builds, verify access by following these [instructions](#access-people).
* Generate, sign and upload gpg key, you can follow these [gpg instructions](#gpg-key).
* Configure Maven and get access to Nexus Repo, more [maven & nexus instructions](#maven-nexus-setup).
####Access to people.apache.org
Ensure you can access the apache gateway server by `ssh @people.apache.org`. If you have any trouble with your ASF LDAP, you can change or reset your password at [Apache Account Utility Page][asf-profile].
#### Generate GPG key
The releases have to be signed by public key cryptography signatures. Detailed instructions on why releases have to be signed are provided on [Release Signing][release-signing] page.
The popular software used Open Pretty Good Privacy (OpenPGP) is the GPG. The [GPG instructions][gpg-keys] list out detailed steps on managing your keps.
The steps can be summerized as:
* Generate 4096 bits RSA key pair using gpg: `gpg --gen-key`.
* Export the public key: `gpg --list-sigs && gpg --armor -- export `
* Upload the public key to [SURFNET PGP][surfnet-pgp] or [MIT PGP][mit-pgp] servers.
* Have your key signed by atleast three apache commiters, [key signing][key-sign] and [Henk Penning][henk-trust] websites provide instructions.
* Add the signed public key to the KEYS file on [Airavata Dist SVN][airavata-dist-svn].
#### Maven Configuration & Nexus Setup
* Airavata requires Maven 3 or later to build and release
* It is encouraged to use maven's password encryption capabilities and set the gpg password in
~/.m2/settings.xml. Detailed instructions are at [Publishing Maven Artifacts][maven-artificats]
* Performing release will require maven to run series of commands, the heapsize has to be increased
to avoid out of memory exceptions. For bash shell: `export MAVEN_OPTS="-Xmx1024m -XX:MaxPermSize=256m"`.
For c shell: `setenv MAVEN_OPTS "-Xmx1024m -XX:MaxPermSize=256m"`.
#### Release Process
1. Before performing the following release steps, ensure the [Release Setup](#release-setup) steps have been performed.
2. Ensure the source is ready for release. Verify:
* Cleanup JIRA so the Fix Version in issues resolved since the last release includes this release version correctly.
* Ensure all open issues are resolved before proceeding further, close all resolved issues.
* Test and make sure the release passes all regression tests.
* Update RELEASE_NOTES with all the features added.
* Review and update README, INSTALL files.
* Commit any changes back to svn.
* Update website/wiki with Roadmap or Release landing pages.
3. Checkout a clean copy of the trunk to release using command line svn.
*Do not use Eclipse to do the checkout. The extra dot (.) files created by Eclipse throws off the rat:check processing.*
4. Verify the source has the required license headers before trying to release: `mvn -P pedantic verify -DskipTests`
5. Do a dry run of the release:prepare step:
`mvn -P apache-release release:prepare -DautoVersionSubmodules=true -DdryRun=true`
The dry run will not commit any changes back to SVN and gives you the opportunity to verify that the release process will complete as expected. You will be prompted for the following information :
* Release version
* SCM release tag
* New development version
* GPG Passprhase - On a Mac if the passphrase is stored in keychain, the passphrase is not prompted.
*If you cancel a release:prepare before it updates the pom.xml versions, then use the release:clean goal to just remove the extra files that were created.*
The Maven release plugin checks for SNAPSHOT dependencies in pom's. It will not complete the prepare goal until all SNAPSHOT dependencies are resolved.
6. Verify that the release process completed as expected
* The release plugin will create pom.xml.tag files which contain the changes that would have been committed to SVN. The only differences between pom.xml.tag and it's corresponding pom.xml file should be the version number.
* If other formatting changes have been made you should review the changes and then commit them `svn commit -m "fixing formatting for release"`
* Check release.properties and make sure that the scm properties have the right version. Sometimes the scm location can be the previous version not the next version.
* Verify signatures ([Verifying release signatures](#verify_signatures))
7. Once any failures or required updates have been committed to svn, rollback the release prepare files: `mvn -P apache-release release:rollback`
8. Prepare the release
* Run the "release:prepare" step for real this time. You'll be prompted for the same version information.
`mvn -P apache-release release:prepare -DautoVersionSubmodules=true`
* Backup (zip or tar) your local release candidate directory in case you need to rollback the release after the next step is performed.
9. Perform the release
* This step will create a maven staging repository and site for use in testing and voting.
`mvn release:perform -Papache-release`
* If your local OS userid doesn't match your Apache userid, then you'll have to also override the value provided by the OS to Maven for the site-deploy step to work. This is known to work for Linux, but not for Mac and unknown for Windows.*
-Duser.name=[your_apache_uid]
10. Verify the Nexus release artifacts
* Verify the HTML links in site are correct
* Verify the staged artifacts in the nexus repo
* https://repository.apache.org/index.html
* Staging repositories (under Build Promotion) --> Name column --> org.apache.airavata
* Navigate through the artifact tree and make sure that all javadoc, sources, tests, jars, ... have .asc (GPG signature) and .md5 files. See http://people.apache.org/~henkp/repo/faq.html and http://www.apache.org/dev/release-signing.html#openpgp-ascii-detach-sig
* Close the nexus staging repo
* https://repository.apache.org/index.html
* Staging repositories (under Build Promotion) --> Name column --> org.apache.airavata
* Click checkbox for the open staging repo (org.apache.airavata-XXX) and press Close in the menu bar.
11. Sign the binary artifacts
* $ `cd modules/distribution/target`
* $ `gpg -ab apache-airavata-*${project.version}*-incubating-bin.tar.gz`
* $ `gpg -ab apache-airavata-*${project.version}*-incubating-bin.zip`
* $ `gpg --print-md SHA512 apache-airavata-*${project.version}*-incubating-bin.tar.gz > apache-airavata-*${project.version}*-incubating-bin.tar.gz.sha`
* $ `gpg --print-md SHA512 apache-airavata-*${project.version}*-incubating-bin.zip > apache-airavata-*${project.version}*-incubating-bin.zip.sha`
* $ `gpg --print-md MD5 apache-airavata-*${project.version}*-incubating-bin.tar.gz > apache-airavata-*${project.version}*-incubating-bin.tar.gz.md5`
* $ `gpg --print-md MD5 apache-airavata-*${project.version}*-incubating-bin.zip > apache-airavata-*${project.version}*-incubating-bin.zip.md5`
12. Stage the source and binary artifacts to a web staging area
* $ `ssh people.apache.org mkdir /www/people.apache.org/builds/airavata/${project.version}`
* $ `scp .apache-airavata-*${project.version}*-incubating-bin.zip* ${user.name}@people.apache.org:/www/people.apache.org/builds/airavata/${project.version}/`
* $ `ssh people.apache.org cd /www/people.apache.org/builds/airavata/${project.version}`
* $ `wget https://repository.apache.org/content/repositories/releases/org/apache/airavata/${project.name}/${project.version}/${project.name}-${project.version}-source-release.zip`
* $ `wget https://repository.apache.org/content/repositories/releases/org/apache/airavata/${project.name}/${project.version}/${project.name}-${project.version}-source-release.zip.asc`
* $ `wget https://repository.apache.org/content/repositories/releases/org/apache/airavata/${project.name}/${project.version}/${project.name}-${project.version}-source-release.zip.md5 `
* $ `wget https://repository.apache.org/content/repositories/releases/org/apache/airavata/${project.name}/${project.version}/${project.name}-${project.version}-source-release.zip.sha1`
* Verify they are downloadable from http://people.apache.org/builds/airavata/${project.version}/
13. Put the release candidate up for a vote
1. Create a VOTE email thread on dev@ to record votes as replies, like [this](release-vote.txt)
2. Create a DISCUSS email thread on dev@ for any vote questions, [this](release-discuss.txt)
3. Perform a review of the release and cast your vote. For elaborate instructions, please consult [Apache Release FAQ][release-faq] and [Incubator Release Management][inc-release-mgmt] Guides.
4. A -1 vote does not necessarily mean that the vote must be redone, however it is usually a good idea to rollback the release if a -1 vote is received. See - Recovering from a vetoed release
5. After the vote has been open for at least 72 hours, has at least three +1 PMC votes and no -1 votes, then post the results to the vote thread by -
* reply to the initial email and prepend to the original subject "[RESULT]"
* Include a list of everyone who voted +1, 0 or -1.
14. Finalizing a release
1. The artificats in the repository are not yet mirrored and available for maven to download. Promote the staged nexus artifacts, but releasing them.
* https://repository.apache.org/index.html
* Staging repositories (under Build Promotion) --> Name column --> org.apache.airavata
* Click checkbox of the closed staging repo (org.apache.airavata-XXX) and select Release.
2. Checkin the source and binary artifcats into distribution svn which will be pulled by all mirrors within 24 hours.
* $ `svn co https://dist.apache.org/repos/dist/release/incubator/airavata ./airavata-releases` (KEEP this directory until after the release process has been completed)
* $ `cd ./airavata-releases`
* $ `scp people.apache.org:/www/people.apache.org/builds/airavata/${project.version}/* ./`
* $ `svn add ${project.name}-*`
* $ `svn commit -m "Committing Airavata Source and Binary Release for ${project.name}-${project.version}`
3. Update the staged website
* Update the downloads page to add new version using the mirrored URLs
* Modify the URL for the prior release to the archived URL for the release
4. Publish the website
* WAIT 24hrs after committing releases for mirrors to replicate
* Publish updates to the download page
5. Delete the prior versions
* Navigate to the release directories checked out in the prior steps
* Delete the prior release artifacts using the svn delete command
* Commit the deletion
15. Update the JIRA versions page to close all issues, mark the version as "released", and set the date to the date that the release was approved. You may also need to make a new release entry for the next release.
16. Announcing the release
* Make a news announcement on the Airavata homepage.
* Make an announcement about the release on the airavata-dev@incubator.apache.org, and announce@apache.org.
####Recovering from a vetoed release
1. Reply to the initial vote email and prepend to the original subject -
[CANCELED]
3. Delete the svn tag created by the release:perform step -
$ svn del https://svn.apache.org/repos/asf/airavata/tags/${project.version} -m "deleting tag from rolled back release"
4. Delete the build artifacts on people & www
* $ rm -rfv /www/people.apache.org/builds/airavata/${project.version}
4. Drop the nexus staging repo
1. https://repository.apache.org/index.html
2. Enterprise --> Staging
3. Staging tab --> Name column --> org.apache.airavata
4. Right click on the closed staging repo (org.apache.airavata-XXX) and select Drop.
5. Remove the staged site
6. Make the required updates that caused the vote to be canceled during the next release cycle
####Verifying release signatures
On unix platforms and mac's download all source and binary artifacts into a new directory and cd to the download directory.
for file in `find . -type f -iname '*.asc'`
do
gpg --verify ${file}
done
The output will indicate the You'll need to look at the output to ensure it contains only good signatures -
gpg: Good signature from ...
gpg: Signature made ...
[release-faq]: http://www.apache.org/dev/release.html
[inc-release-mgmt]: http://incubator.apache.org/guides/releasemanagement.html
[asf-profile]: https://id.apache.org/
[gpg-keys]: http://www.apache.org/dev/openpgp.html
[release-signing]: http://www.apache.org/dev/release-signing.html
[surfnet-pgp]: http://pgp.surfnet.nl:11371/
[mit-pgp]: http://pgp.mit.edu/
[key-sign]: http://www.apache.org/dev/release-signing.html#key-signing-party
[henk-trust]: http://people.apache.org/~henkp/trust/
[maven-artificats]: http://www.apache.org/dev/publishing-maven-artifacts.html#dev-env
[airavata-dist-svn]: https://dist.apache.org/repos/dist/release/incubator/airavata/