Preliminaries
Apache Release Documentation
- Apache Release Guide
- Apache Release Policy
- Apache Incubator Release Guidelines
- Apache Incubator Release Policy
Code Signing Key
Create a code signing gpg key for release signing; use <your Apache ID>@apache.org for your primary ID for the code signing key. See the Apache Release Signing documentation for further information.
- Add your code signing key to your Apache ID here
- Add it to the MADlib KEYS files in the dev and release subversion repositories:
Ensure JIRA Issues are Appropriately Tagged for the Release
Ensure that all HAWQ JIRA issues that are addressed in this release are marked with the release version in the ‘FixVersion’ field of the issue.
Creating and Validating the Release Candidate
- Build is successful (Refer to Build and Install for build instructions)
- DISCLAIMER is correct, filenames include “incubating”
- LICENSE and NOTICE files are correct and dependency licenses are acceptable
- LICENSE and NOTICE files at the root of the artifact directory must only reflect the contents of the artifact in which they are contained.
- See:
- LICENSE file requirements
- LICENSE requirements for distribution artifacts with multiple licenses
- NOTICE file requirements (Check Copyright year)
- Apache Legal
- Acceptable and Unacceptable Dependency Licenses
- All source files have license headers where appropriate, RAT checks pass
- Additional check: pom.xml (for artifactId "hawq", verify that the version is consistent with the version specified in the getversion file in the root directory).
- The provenance of all source files is clear (ASF or software grants)
- Create the Release Candidate
- Sign the Release Candidate
- Verify the Release Candidate signatures
- Commit artifacts to the Apache dist site
Create the Release Candidate
Prepare Tarballs
Send email to dev@madlib.incubator.apache.org for instructions on how to do this.
Prepare rpm and dmg binaries
Send email to dev@madlib.incubator.apache.org for instructions on how to do this.
Sign the Release Candidate
Check that md5, shasum, and gpg (or gpg2) are installed on your machine:
$ which gpg shasum md5
/usr/local/bin/gpg
/usr/bin/shasum
/sbin/md5
Install using Homebrew (on Mac OS) if needed, e.g.:
$ brew install gnupg
==> Downloading ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.19.tar.bz2
######################################################################## 100.0%
==> ./configure --disable-silent-rules --prefix=/usr/local/Cellar/gnupg/1.4.19 --disable-asm
==> make
==> make check
==> make install
/usr/local/Cellar/gnupg/1.4.19: 53 files, 5.4M, built in 87 seconds
office-4-125:release_manager_stuff rraghu$ which gpg
/usr/local/bin/gpg
Prepare MD5, SHA512 and ASC files from the source tarball and binaries:
md5 <your release tarball or binary> > <your release tarball or binary>.md5
shasum -a 512 <your release tarball or binary> > <your release tarball or binary>.sha512
gpg --detach-sign -a <your release tarball or binary>
Example:
$ md5 apache-madlib-1.11-incubating-src.tar.gz > apache-madlib-1.11-incubating-src.tar.gz.md5
$ shasum -a 512 apache-madlib-1.11-incubating-src.tar.gz > apache-madlib-1.11-incubating-src.tar.gz.sha512
$ gpg --detach-sign -a apache-madlib-1.11-incubating-src.tar.gz
You need a passphrase to unlock the secret key for
user: "Rashmi Raghu (CODE SIGNING KEY) <rashmiraghu@apache.org>"
4096-bit RSA key, ID 28D2C789, created 2017-05-01
$ ls -la
-rw-r--r--@ 1 rraghu staff 9961787 May 1 13:55 apache-madlib-1.11-incubating-bin-Darwin.dmg
-rw-r--r-- 1 rraghu staff 819 May 1 14:29 apache-madlib-1.11-incubating-bin-Darwin.dmg.asc
-rw-r--r-- 1 rraghu staff 86 May 1 14:27 apache-madlib-1.11-incubating-bin-Darwin.dmg.md5
-rw-r--r-- 1 rraghu staff 175 May 1 14:28 apache-madlib-1.11-incubating-bin-Darwin.dmg.sha512
-rw-r--r--@ 1 rraghu staff 3868116 May 1 13:55 apache-madlib-1.11-incubating-bin-Linux-GPDB5alpha1.rpm
-rw-r--r-- 1 rraghu staff 819 May 1 14:48 apache-madlib-1.11-incubating-bin-Linux-GPDB5alpha1.rpm.asc
-rw-r--r-- 1 rraghu staff 97 May 1 14:46 apache-madlib-1.11-incubating-bin-Linux-GPDB5alpha1.rpm.md5
-rw-r--r-- 1 rraghu staff 186 May 1 14:47 apache-madlib-1.11-incubating-bin-Linux-GPDB5alpha1.rpm.sha512
-rw-r--r--@ 1 rraghu staff 18527053 May 1 13:55 apache-madlib-1.11-incubating-bin-Linux.rpm
-rw-r--r-- 1 rraghu staff 819 May 1 14:43 apache-madlib-1.11-incubating-bin-Linux.rpm.asc
-rw-r--r-- 1 rraghu staff 85 May 1 14:41 apache-madlib-1.11-incubating-bin-Linux.rpm.md5
-rw-r--r-- 1 rraghu staff 174 May 1 14:41 apache-madlib-1.11-incubating-bin-Linux.rpm.sha512
-rw-r--r--@ 1 rraghu staff 2474217 May 1 13:56 apache-madlib-1.11-incubating-src.tar.gz
-rw-r--r-- 1 rraghu staff 819 May 1 14:45 apache-madlib-1.11-incubating-src.tar.gz.asc
-rw-r--r-- 1 rraghu staff 82 May 1 14:44 apache-madlib-1.11-incubating-src.tar.gz.md5
-rw-r--r-- 1 rraghu staff 171 May 1 14:45 apache-madlib-1.11-incubating-src.tar.gz.sha512
Validate the Release Candidate
As per the Apache documentation, verify that the release candidate artifacts satisfy the following:
- PGP signatures and SHA512/MD5 checksum verification
Example (performed on Mac OS):
$ brew install gpg coreutils
$ which gpg gsha512sum gmd5sum
/usr/local/bin/gpg
/usr/local/bin/gsha512sum
/usr/local/bin/gmd5sum
$ gpg --verify apache-madlib-1.11-incubating-bin-Linux.rpm.asc
gpg: assuming signed data in `apache-madlib-1.11-incubating-bin-Linux.rpm'
gpg: Signature made Mon May 1 14:42:16 2017 PDT using RSA key ID 28D2C789
gpg: Good signature from "Rashmi Raghu (CODE SIGNING KEY) <rashmiraghu@apache.org>"
office-4-125:madlib-v1dot11-artifacts rraghu$
office-4-125:madlib-v1dot11-artifacts rraghu$ gsha512sum --check apache-madlib-1.11-incubating-bin-Linux.rpm.sha512
apache-madlib-1.11-incubating-bin-Linux.rpm: OK
office-4-125:madlib-v1dot11-artifacts rraghu$ gmd5sum --check apache-madlib-1.11-incubating-bin-Linux.rpm.md5
apache-madlib-1.11-incubating-bin-Linux.rpm: OK
- Build is successful (Refer to Build and Install for build instructions)
- DISCLAIMER is correct, filenames include “incubating”
- LICENSE and NOTICE files are correct and dependency licenses are acceptable
- LICENSE and NOTICE files at the root of the artifact directory must only reflect the contents of the artifact in which they are contained.
- See:
- LICENSE file requirements
- LICENSE requirements for distribution artifacts with multiple licenses
- NOTICE file requirements (Check Copyright year)
- Apache Legal
- Acceptable and Unacceptable Dependency Licenses
- All source files have license headers where appropriate, RAT checks pass
- Additional check: pom.xml (for artifactId "hawq", verify that the version is consistent with the version specified in the getversion file in the root directory).
- The provenance of all source files is clear (ASF or software grants)
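The signature and SHA-512 checks from the example above, extended to every artifact in a release-candidate directory. This is an added example, not part of the original page or the project's tooling. It assumes a local copy of the project's KEYS file, the function names are illustrative, and the MD5 file is not checked.

```bash
#!/usr/bin/env bash
# Added example (not project code): fail-closed check of a release-candidate directory.
# Assumption: the second argument is a local copy of the project's KEYS file.

sha512_of() {  # hex SHA-512 of a file, using whichever tool is installed
  if command -v sha512sum >/dev/null 2>&1; then sha512sum "$1" | awk '{print $1}'
  else shasum -a 512 "$1" | awk '{print $1}'; fi
}

# Recompute the digest and compare it with the first field of <file>.sha512.
check_sha512() {
  local f=$1 want got
  [ -f "$f.sha512" ] || { echo "MISSING $f.sha512"; return 1; }
  want=$(awk 'NR==1 {print tolower($1)}' "$f.sha512")
  got=$(sha512_of "$f")
  [ -n "$want" ] && [ "$want" = "$got" ] || { echo "BAD sha512: $f"; return 1; }
}

# Verify <file>.asc against a throwaway keyring that holds only the KEYS file,
# so keys already present in the personal keyring cannot satisfy the check.
check_sig() {
  local f=$1 keys=$2 home rc
  [ -f "$f.asc" ] || { echo "MISSING $f.asc"; return 1; }
  home=$(mktemp -d) || return 1
  chmod 700 "$home"
  gpg --homedir "$home" --batch --quiet --import "$keys" &&
    gpg --homedir "$home" --batch --verify "$f.asc" "$f"
  rc=$?
  rm -rf "$home"
  return $rc
}

# Every file that is not itself a sidecar must pass both checks.
verify_rc() {
  local dir=$1 keys=$2 f status=0
  for f in "$dir"/*; do
    case $f in *.asc|*.md5|*.sha512) continue ;; esac
    [ -f "$f" ] || continue
    check_sha512 "$f" || status=1
    check_sig "$f" "$keys" || status=1
  done
  return $status
}

# Run only when called as: script <rc-directory> <KEYS-file>
if [ $# -eq 2 ]; then verify_rc "$1" "$2"; exit $?; fi
```

A missing `.asc` or `.sha512` file counts as a failure, so an artifact uploaded without its sidecars cannot pass. Keep the KEYS file outside the directory being checked.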
Commit artifacts to Apache dist site:
Vote on the Release
General information regarding the Apache voting process can be found here.
Apache HAWQ Community Vote
Incubator PMC Vote
Publishing and Distributing Release
Announce the Release
General Apache information regarding announcing a release may be found here.
Miscellaneous
- Much of the content and organization of this page came from the Apache HAWQ project: https://cwiki.apache.org/confluence/display/HAWQ/Release+Process%3A+Step+by+step+guide