Versions Compared

Old Version 6

changes.mady.by.user Scott Wilson

Saved on

compared with

New Version Current

changes.mady.by.user Ross Gardler

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 5.3

NOTE: This file is now managed in the wookie site svn. Please make edits there.

Introduction

This document is an overview of the release process for the first release of Apache Wookie. It is a live document at the moment in that it will be updated as the release process takes place. The intention is that it will become a record which can be referred to for future releases.

Release Phases

  • Analyze Open Issues
  • Issue Fixing - ongoing - all issues should be resolved or moved
  • Developers create signatures - who should be included in this list?
  • Licence Audit and Legal Audit - including headers, dependencies, LICENCE and NOTICE files
  • Documentation – Check installation and build documentation for accuracy, create status document, create release notes
  • Create Release branch on SVN – sign binaries, permissions 22nd Oct
  • Test, test, test!
  • Vote on release
  • Request approval from Incubator PCM
  • Upload to incubator dist
  • Check permissions
  • When mirroring has taken place update website and announce the release.

...

The committers for the project need to provide public keys for the release, each person who submits a key needs to keep the private key safe.  These will be included with the release in a KEYS file. The process of creating a key pair should be consistent across the committers.  Apache recommend using GNU Privacy Guard to generate keys and sign the artifacts.

Committers without a code signing key should generate one - RSA 4096 bits

If committers have a DSA or RSA key of less than 2048 bits then a new one should be generated for signing releases, again using RSA 4096 bit.

For committers who already have an RSA key of 2048 bits or more some configuration of their client to avoid weaknesses are required.  Instructions on how to do this can be found here.

Web of Trust (Post Release and ongoing)

Once individuals have generated keys, opportunities should be taken (where possible) to join the Apache Web of Trust. First the keys should be uploaded to a public key server (is there a recommended one we should use?). Next key signing: if conferences are attended or events where there are other Apache developers and there are key signing parties.

License Audit and Legal Audit

There is a need to check all licenses manually, including headers in source files etc... The licenses for all libraries should be in place.  LICENSE and NOTICE files need to be created. The Release Audit Tool (RAT) report is helpful in this regard.

In licenses/all_licenses.txt record the details of all dependencies; this should include not only any libraries referenced directly in ivy.xml, but also any dependencies of features, connectors and widgets. It is not, however, necessary to document licenses of secondary dependencies.

...