Content

Building Steps (Struts)

Getting ready

1. Prepare new Security Bulletin - use just brief description about the security vulnerability, no examples, no proof-of-concept, anything that could be used against users, secure the page to allow access only member of struts-committers group in Confluence
2. Create a new Version Notes page in Confluence, link from Migration Guide, and link to prior release page and JIRA DONE filters of the version to release, secure the page to allow access only member of struts-committers group in Confluence

3. When a serious security issue arises, we should try to create a STRUTS_#_#_#_X branch from the last GA release (from tag - check it out and use mvn release:branch as below).

   No Format
   svn co https://svn.apache.org/repos/asf/struts/struts2/tags/STRUTS_#_#_# cd STRUTS_#_#_# mvn release:branch -DbranchName=STRUTS_#_#_#_X -DupdateBranchVersions=true -DupdateWorkingCopyVersions=false -DautoVersionSubmodules=true

   Read the maven release:branch docs for further details or alternatively

4. Apply ), and apply to that branch only the security patch
5. Commit the security patchfix. No reference should be make to the commit being related to a security vulnerability.
6. If the patch first applies to some other dependency, implore the other group to do the same, to avoid side-effects from other changes.
7. Release the upcoming version in JIRA (under Administration/Manage Releases) and tag the release date
8. Create DONE and TODO filters for the new version, share with all, and remove obsolete TODO filter
9. Create a new Version Notes page in Confluence, link from Migration Guide, and link to prior release page and JIRA DONE filters of the version to release, secure the page to allow access only member of struts-committers group in Confluence

Obtain a fresh checkout.

svn co https://svn.apache.org/repos/asf/struts/struts2/branches/STRUTS_#_#_#_X STRUTS_#_#_#_X

Change site target

Edit the top pom.xml file and replace 2.x the url below with version number that's going to be released

...

    <distributionManagement>
        <site>
            <id>apache-site</id>
            <url>scp://people.apache.org/www/struts.apache.org/2.x/</url>
        </site>
    </distributionManagement>

mvn versions:set -DnewVersion=2.3.16.1-SNAPSHOT -DgenerateBackupPoms=false

Update version of archetypes

Edit src/site/resources/archetype-catalog.xml and change version of archetypes to current $VERSION, save and commit.

Apply security patch

Apply and commit security patch.

commit the change

Revert to -SNAPSHOT

Maven the release plugin can create a release only from -SNAPSHOT version, replace the current version in all poms with the planned release version plus -SNASPHOT suffix, eg.

2.3.1 -> 2.3.1.1-SNAPSHOT

build locally and commit

Prepare release

Tag the release by using the "{{release:prepare" goal }} goal of Maven:

mvn release:prepare -Dusername=yourSvnUsername -Dpassword=yourSvnPassword -DautoVersionSubmodules=true

For a dry run, add '-DdryRun=true'. If you do a dry run, use 'mvn release:clean' to clean up after you have looked at the output.

Wiki MarkupWhen prompted for the SCM tag name, follow this pattern: STRUTS_2_3_\[PATCH_VERSION\]

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-release-plugin:2.0-beta-7:prepare (default-cli) on project struts2-parent: Unable to tag SCM
[ERROR] Provider message:
[ERROR] The svn tag command failed.
[ERROR] Command output:
[ERROR] svn: Commit failed (details follow):
[ERROR] svn: No such revision 1223030

...

Perform the release

mvn release:perform -Dusername=yourSvnUsername

...

• Checkout from an SCM URL with optional tag
• Run the predefined Maven goals to release the project (by default, deploy site-deploy)

After this step the artifacts will be hosted by Nexus

If you need to run perform again, (or in a different box), do:

svngit coclone httphttps://svngit-wip-us.apache.org/repos/asf/struts/struts2/tags/.git
git checkout $VERSION
cd $VERSION
mvn deploy site-deploy --no-plugin-updates -DperformRelease=true 

...

After closing repository in Nexus, check if the version is available from staging repository as below:

https://repository.apache.org/content/groups/staging/org/apache/struts/struts2-assembly/$VERSION/

In order to move the assemblies login to people.apache.org and execute the following code:

#!/bin/sh
# create the destination directory
mkdir $VERSION
cd $VERSION

# get the distro
wget -erobots=off -nv  -l 1 --accept=zip,md5,sha1,asc -r --no-check-certificate -nd -nH https://repository.apache.org/content/groups/staging/org/apache/struts/struts2-assembly/$VERSION

# rename files
for f in *2-assembly*.zip*
do
 mv $f `echo $f | sed s/2-assembly//g`
done

# remove unneeded files
for f in struts2-assembly-*.pom*
do
 rm $f
done

# remove unneeded hashes
rm *.asc.md5
rm *.asc.sha1

After that move the assemblies directory to the builds destination with

mv $VERSION /www/people.apache.org/builds/struts/

...

• Update JIRA roadmap with tag/release date - release the version in JIRA
• Add next milestone to the JIRA roadmap
• Create DONE and TODO filters, share with all, and remove obsolete TODO filter
• Create new release page, link from Migration Guide, and link to prior release page and JIRA filters

Vote on it

...

Post a release/quality vote to the dev list (and *only* the dev list). The example mail is on [Sample Announcements] Sample announcements page. Include the term "fast-track" in the subject, as: \ [VOTE\] Struts 2.0.9.1 quality (fast track).

Copy files

After the vote, if the distribution is being mirrored (there was a favourable release vote) copy the Sources and Binaries:

ssh people.apache.org
cd /www/people.apache.org/builds/struts/$VERSION
cp struts-$VERSION-src.*  /www/www.apache.org/dist/struts/source
cp struts-$VERSION-docs.*  /www/www.apache.org/dist/struts/documentation
cp struts-$VERSION-lib.* /www/www.apache.org/dist/struts/library
cp struts-$VERSION-apps.* /www/www.apache.org/dist/struts/examples
cp struts-$VERSION-all.* /www/www.apache.org/dist/struts/binaries   

...

Remove the old files from under /www/www.apache.org/dist/struts/ to synchronize only the latest version with peers. All the files from /www/www.apache.org/dist/ are always mirrored to http://archive.apache.org/dist/struts/^{Image Removed}

Wait for rsync

...

If the release will fix a - hopefully yet undisclosed - security issue, it's now time to update the Security Bulletins page and add a new announcement. For a template, just check former announcements

Update site (Struts

...

ssh people.apache.org
export VERSION=2.#.#

unzip /www/people.apache.org/builds/struts/$VERSION/struts-$VERSION-docs.zip -d ~/docs
#now the docs are under ~/docs/struts-$VERSION/docs
mkdir -p /www/struts.apache.org/$VERSION
mv ~/docs/struts-$VERSION/docs/* /www/struts.apache.org/$VERSION
chmod -R g+w /www/struts.apache.org/$VERSION
chown -R :struts /www/struts.apache.org/$VERSION

Edit /www/struts.apache.org/$VERSION/archetype-catalog.xml and update the version of artifacts

Update site (Struts top level site)

• Check out site src code

  Code Block
  svn co https://svn.apache.org/repos/asf/struts/site/ struts-site

• Update xml files
  • struts-site/src/site/xdoc/announce.xml (if applicable, refer also to corresponding security bulletin)
  • struts-site/src/site/xdoc/downloads.xml (remove previous version)
  • struts-site/src/site/xdoc/download.xml (remove previous version)
  • struts-site/src/site/xdoc/index.xml
  • struts-site/src/site/site.xml
• Commit the changes
• Generate the site Open
  Code Block

  
  mvn site:site
  

  • struts-site/
  target
  • src/site/resources/
  index.html and verify the urls and versions are right
• Deploy site

  Code Block
  mvn site-deploy

  It takes a few hours for the site changes to go live

Rollback site target

Revert back the site target to 2.x and commit the change

Permissions

After updating the site, be sure that the permissions are set to group writeable ($ chmod -R g+w .)

Post announcements

We leave this as the last step, once the artifacts have had time to sync up on the mirrors. Target it to: user@struts.a.o and announcements@struts.a.o, samples are available at Sample announcements page

Fast-Tracking an Important Security Release

• • In the vote message, specify voting terms like:

• • archetype-catalog.xml
• Commit the changes
• Got to Struts Staging and review the changes
• If everything is ok, push changes to Production via Apache CMS web interface

Update site (Struts 2 site)

Use below script to perform update

#!/bin/sh
# script used to update struts2-subsite after release

VERSION=2.3.15
BRANCH=2.3.x
TAG=STRUTS_2_3_15

svn co https://svn.apache.org/repos/infra/websites/production/struts/content/ struts-site
svn co https://svn.apache.org/repos/asf/struts/struts2/tags/$TAG/ $TAG

wget -erobots=off 

The Struts #.#.#.# test build is now available.

Release notes:
* [http://struts.apache.org/2.x/docs/release-notes-####.html]

Distribution:
* [http://people.apache.org/builds/struts/#.#.#.#/]

Maven 2 staging repository:
* [http://people.apache.org/builds/struts/#.#.#.#/m2-staging-repository/]

Once you have had a chance to review the test build, please respond with a vote on its quality:

[ ] Leave at test build
[ ] Alpha
[ ] Beta
[ ] General Availability (GA)

Everyone who has tested the build is invited to vote. Votes by PMC members are considered binding. A vote passes if there are at least three binding +1s and more +1s than -1s.

This is a "fast-track" release vote. If we have a positive vote after 24 hours (at least three binding +1s and more +1s than -1s),  the release may be submitted for mirroring and announced to the usual channels.

The website download link will include the mirroring timestamp parameter [1], which limits the selection of mirrors to those that have been refreshed since the indicated time and date. (After 24 hours, we \*must\* remove the timestamp parameter from the website link, to avoid unnecessary server load.) In the case of a fast-track release, the email announcement will not link directly to <download.cgi>, but to <downloads.html>, so that we can control use of the timestamp parameter.

[1] <[http://apache.org/dev/mirrors.html#use|http://apache.org/dev/mirrors.html#use]>
$VERSION/struts-$VERSION-docs.zip

unzip struts-$VERSION-docs.zip -d docs
rm -r struts-site/release/$BRANCH/docs
rm -r struts-site/release/$BRANCH/struts2-core
rm -r struts-site/release/$BRANCH/struts2-plugins
rm -r struts-site/release/$BRANCH/xwork-core

mv -f docs/struts-$VERSION/docs/* struts-site/release/$BRANCH

cd $TAG
mvn site:site site:stage -DstagingDirectory=../struts-site/release/$BRANCH

cd ../struts-site

svn add --force ./
# Delete removed files
svn st | grep '^!' | awk '{print $2}' | xargs svn delete --force
svn commit -m "Updates Struts2 subsite after release process"

cd ..
rm -r struts-site
rm -r $TAG
rm -r docs
rm struts-$VERSION-docs.zip

Post announcements

We leave this as the last step, once the artifacts have had time to sync up on the mirrors.
Announce the release and the vulnerability. Typically this will be sent to the reporter, the project's users list (user@struts.a.o), the project's dev list (dev@struts.a.o), the project's announce list (announcements@struts.a.o), security@apache.org, full-disclosure@lists.grok.org.uk and bugtraq@securityfocus.com.
Samples are available at Sample announcements pagePlease be sure to update Security Bulletins accordingly as described above.