...
Please remember to store your private key in a secure place.
Code Block | ||||
---|---|---|---|---|
| ||||
gpg --gen-key (verify that sha1 is avoided (last on list - see above web site) gpg -k (shows public key) gpg -K (shows private key) |
Upload Public Key
Upload your public key to a public key server. We recommend using https://pgp.mit.edu/.
Code Block | ||||
---|---|---|---|---|
| ||||
gpg --send-keys <keyID> --keyserver pgp.mit.edu |
Generate Revocation Certificate
Create a revocation certification using the instructions at: http://www.apache.org/dev/openpgp.html==revocation-certs.
Please remember to store it in a secure place separate from your PGP keys.
Code Block | ||||
---|---|---|---|---|
| ||||
gpg --output revoke-<keyD>.asc --armor --gen-revoke <keyID> |
Add PGP to KEYS File
Do the following:
Code Block | ||||
---|---|---|---|---|
| ||||
svn co https://dist.apache.org/repos/dist/release/incubator/trafodion traf_release cd traf_release gpg --list-sigs <keyID> >> KEYS gpg -armor -export <keyID> svn commit -m "added new public key to KEYS file" |
Get Your Key Signed
Link into the "Web of Trust" by having someone else sign your key.
You can sign other people's keys, but you must verify their identity in person and make sure the key fingerprint matches. See ASF guide for more info.
Prepare For Release
Prepare New Release
- Send a message out to the community indicating that a new release is being planned. In this message, indicate what is planned for the release and when the release is scheduled.
- Give contributors enough time to assimilate this information so they can make plans to deliver their changes. Recommend giving the community several weeks notice.
- Review open issues and planned features; determine what Jiras should be included in the release.
Verify Release Requirements
You need to ensure that:
- A DISCLAIMER file exists in the top level directory containing correct information. Please refer to:http://incubator.apache.org/guides/branding.html==disclaimers.
- NOTICE and LICENSE files exist in the top level directory which includes all third party licenses used in the product. Please refer to: http://www.apache.org/dev/licensing-howto.html.
- A README file exists and is up to date in the top level directory describing the release.
- The source release contains source code only, no binaries.
- The provenance of all source files is clear.
- All source files have Apache license headers, where possible. Where not possible, then the exceptions are written up in the RAT_README file located in the top level directory.
- RAT report is clean.
- Copyright dates are current.
- Build instructions are provided and can be run successfully.
- Test instructions are provided and can be run successfully.
Create Release Branch
Prior to releasing, send a message to the community indicating that a new release is imminent and that a new branch will be created to build the artifacts.
Code Block | ||
---|---|---|
| ||
git branch release2.0 apache/master git push apache release2.0:release2.0 |
Make sure that check-in automated testing is set up for new release.
After the new release branch is created, send another message to the community indicating that the branch is available and the deliveries will be monitored. Allow deliveries on the main branch to continue.
It is now time to change the release number on the master branch to the next release number, to avoid confusion with the release branch.
Create a Release Candidate
Verify that all required changes have been delivered.
Create Artifacts
Trafodion uses git as its repository. When a new version is created, mark the repository with the tag to make sure it source tar can be recreated.
Create Tag
Code Block | ||||
---|---|---|---|---|
| ||||
git tag -a x.x.xrc1 apache/<releaseX.X> git show x.x.xrc1 git push apache tag x.x.xrc1 git checkout x.x.xrc1 source env.sh make package-src |
Once completed, a new source tar file exist in the distribution directory.
Create Artifact Checksums and Signatures
Assumption
You’ve already created the signing key and registered it at the https://pgp.mit.edu/ repository.
Code Block | ||||
---|---|---|---|---|
| ||||
gpg --armor --output apache-trafodion-x.x.x-incubating-src.tar.gz.asc --detach-sig apache-trafodion-x.x.x-incubating-src.tar.gz gpg --verify apache-trafodion-x.x.x-incubating-src.tar.gz.asc md5sum apache-trafodion-x.x.x-incubating-src.tar.gz > apache-trafodion-x.x.x-incubating-src.tar.gz.md5 sha1sum apache-trafodion-x.x.x-incubating-src.tar.gz > apache-trafodion-x.x.x-incubating-src.tar.gz.sha |
Binary Artifacts
The convenience binary artifacts should be built from the source tar file, not from a git workspace. Best to create the build in a nice clean environment per the build instructions.
However, when creating these official binaries, we do want some version information built into the binaries.In the git workspace checked out to the tag, run this describe command:
- git describe --long --tags --dirty --always
The output should be a one-line string. Set the "PV_BUILDID" environment variable to that value and "PV_BRANCH" to the release branch name.
Code Block | ||||
---|---|---|---|---|
| ||||
tar xvf apache-trafodion-x.x.x-incubating-src.tar.gz
cd apache-trafodion-x.x.x-incubating
cd core/sqf ; source sqenvr.sh ; cd ../..
export PV_BUILDID=x.x.xrc2-0-g12345ab
export PV_BRANCH=releaseX.X
make package
sqvers # check version info |
Checksums and Signatures
For each of the tarfiles in the distribution directory, create checksums and signature files using same methods as above.
Test Artifacts
Build and Test Source tar File
Build and test the source tar file using the Build Source instructions. You should perform this test on the following environments:
Test build on a fresh VM.
Test build using the src tar file created above
Compare Tagged Version with Source tar File
Compare the code from the source tar file with the tagged version to make sure they match.
Code Block | ||||
---|---|---|---|---|
| ||||
mkdir artifacts mv incubator-trafodion/distribution/* artifacts/ # save artifacts cd incubator-trafodion ; git clean -xdf # clean any built files git checkout x.x.xrc1 # be sure we are on tagged version cd .. tar zxf artifacts/apache-trafodion-x.x.x-incubating-src.tar.gz diff -r incubator-trafodion apache-trafodion-x.x.x-incubating |
Compare the two versions; for example, by using diff, or a GUI tool such as BCompare and the "Folder Compare Report" feature.
Info |
---|
The source package may have a generated LICENSE file and exclude git folders, etc per the .gitattributes file. |
Verify Apache Requirements
Verify checksums and signatures using the Verify Signature instructions below. Ensure that the high-level directory contains valid version of:
DISCLAIMER
LICENSE
NOTICE
RAT_README
README
Stage Artifacts
Once all the artifacts have been created and tested, then it’s time to stage them. Upload the artifacts to the https://dist.apache.org/repos/dist/dev/incubator/trafodion directory.
Make sure
svn
exists. (It can be downloaded usingyum
.)Code Block language bash which svn svn --version # (version 1.6.11 works)
- Create a directory to store the
svn
repository. Checkout source code. This creates a directory called incubator.
Code Block language bash svn co https://dist.apache.org/repos/dist/dev/incubator
cd trafodion
- Create a new directory for the release:
mkdir apache-trafodion-x.x.x-incubating
cd <apache-trafodion-x.x.x-incubating>
- Copy the four files to the incubating directory.
- Ensure that you do an svn add for the new directory and all four files.
- Ask for a review of the changes.
Commit your changes.
Code Block language bash svn status svn commit -m "message..."
Go to https://dist.apache.org/repos/dist/dev/incubator to see if your changes were committed.
Also stage JDBC jar file in maven repo. http://www.apache.org/dev/publishing-maven-artifacts.html
Verification
All artifacts have been uploaded to the staging area.
Anchor release-verify-signature release-verify-signature
Verify Signature
Download all the artifacts from the staging area including:
Code Block | ||
---|---|---|
| ||
apache-trafodion-x.x.x-incubating-src.tar.gz apache-trafodion-x.x.x-incubating-src.tar.gz.asc apache-trafodion-x.x.x-incubating-src.tar.gz.md5 apache-trafodion-x.x.x-incubating-src.tar.gz.sha |
apache-trafodion-x.x.x-incubating-src.tar.gz.asc
Code Block language bash # View public key gpg apache-trafodion-x.x.x-incubating-src.tar.gz.asc # Expect gpg: Signature made Tue 03 Nov 2015 12:59:10 AM UTC using RSA key ID A44C5A05 gpg: Can't check signature: No public key # Extract public key from key ID returned above gpg --keyserver pgpkeys.mit.edu --recv-key A44C5A05 # Expect: gpg: requesting key A44C5A05 from hkp server pgpkeys.mit.edu gpg: /home/centos/.gnupg/trustdb.gpg: trustdb created gpg: key A44C5A05: public key "Jane Doe (CODE SIGNING KEY) <jdoe@apache.org>" imported # Verify signature gpg --verify apache-trafodion-x.x.x-incubating-src.tar.gz.asc # Expect: gpg: Signature made <date> using RSA key ID A44C5A05 gpg: Good signature from "Roberta Marton (CODE SIGNING KEY) <rmarton@apache.org>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner.
apache-trafodion-x.x.x-incugating-src.tar.gz.md5
Code Block language bash md5sum -c apache-trafodion-x.x.x-incubating-src.tar.gz.md5 # Expect: apache-trafodion-x.x.x-incubating-src.tar.gz: OK
apache-trafodion-x.x.x-incubating-x.x.x-incubating-src.tar.gz.sha
Code Block language bash sha1sum -c apache-trafodion-x.x.x-incubating-src.tar.gz.sha # Expect: apache-trafodion-x.x.x-incubating-src.tar.gz: OK
Verify Apache Requirements
Ensure that the high-level directory contains valid version of:
DISCLAIMER.txt
LICENSE.txt
NOTICE.txt
RAT_README.txt
README.txt
Next, run rat
to make sure all files have Apache copyrights.
Complete Release
To be written.
For Future release:
Also publish JDBC jar file in maven repo. http://www.apache.org/dev/publishing-maven-artifacts.html