Obsolete

This page is obsolete. It has been replaced with: http://trafodion.apache.org/release.html

Redirection Notice

This page will redirect to http://trafodion.apache.org/release.html.

This document describes how to release the source version of Trafodion.

Prerequisites

Create keys needed to sign the release

If you do not have a key set up for Apache, do it now.

Create your key

Create your key that can be used to sign releases: http://www.apache.org/dev/openpgp.html#generate-key.
Remember to store your private key in a secure place.
For example:

   gpg --gen-key   # verify that SHA-1 is avoided (it should be last on the list; see the web site above)
   gpg -k          # shows public key
   gpg -K          # shows private key

Upload your public key to a public key server

The recommended keyserver is http://pgp.mit.edu/
For example:

   gpg --keyserver pgp.mit.edu --send-keys <keyID>

Create a revocation certificate

It is recommended that you create a revocation certificate: http://www.apache.org/dev/openpgp.html#revocation-certs
Remember to store it in a secure place, separate from your key.
For example:

   gpg --output revoke-<keyID>.asc --armor --gen-revoke <keyID>

Add your key to the KEYS file

You need to be a committer to perform this step:

   svn co https://dist.apache.org/repos/dist/release/incubator/trafodion traf_release
   cd traf_release
   gpg --list-sigs <keyID> >> KEYS
   gpg --armor --export <keyID> >> KEYS
   svn commit -m "added new public key to KEYS file"

Preparing the artifacts

Prepare for a new release

Send a message out to the community indicating that a new release is being planned.  In this message, indicate what is planned for the release and when the release is scheduled.
Give contributors enough time to assimilate this information so they can make plans to deliver their changes.  It is recommended to give the community several weeks' notice.

Review open issues and planned features; determine which JIRAs should be included in the release.

Verify release requirements are met

Verify the following:

  • A DISCLAIMER file exists in the top level directory containing correct information, see http://incubator.apache.org/guides/branding.html#disclaimers
  • NOTICE and LICENSE files exist in the top level directory and include all third party licenses used in the product, see http://www.apache.org/dev/licensing-howto.html for details
  • A README file exists and is up to date in the top level directory describing the release
  • The source release contains source code only, no binaries
  • The provenance of all source files is clear
  • All source files have Apache license headers where possible.  Where not possible, then the exceptions are written up in the RAT_README file located in the top level directory
  • RAT report is clean
  • Copyright dates are current
  • Build instructions are provided and can be run successfully
  • Test instructions are provided and can be run successfully

Create a release branch and notify community when branch is available

Prior to releasing, send a message to the community indicating that a new release is imminent and that a new branch will be created to build the artifacts.

After the new release branch is created, send another message to the community indicating that the branch is available and the deliveries will be monitored.  Allow deliveries on the main branch to continue.

Verify that all required changes have been delivered.

Create artifacts

Trafodion uses git as its repository.  When a new version is created, mark the repository with a tag to make sure the source tar can be recreated.

Create a tag

Here is an example based on release x.x.x and release candidate 1 (rc1)

  git checkout -b tagx.x.x <release branch name>
  git tag -a x.x.xrc1
  git show x.x.xrc1
  git push apache x.x.xrc1
  git tag 

At this time, a new tag for the current release has been created.  It may take a few days to get the tag updated to all the mirrored repositories.

Create source tar file

  # start with a clean git clone and a fresh ssh session
  git checkout -b artifacts x.x.xrc1
  cd ../incubator-trafodion
  source ./env.sh
  make package-src
  cd distribution; ls 

At this time, a new source tar file exists in the distribution directory.

Create checksums and signatures for the artifacts

It is assumed that the signer has already created their signing key and registered their public key in the http://pgp.mit.edu/ public repository.

  gpg --armor --output apache-trafodion-x.x.x-incubating-src.tar.gz.asc --detach-sig apache-trafodion-x.x.x-incubating-src.tar.gz
  gpg --verify apache-trafodion-x.x.x-incubating-src.tar.gz.asc
  md5sum apache-trafodion-x.x.x-incubating-src.tar.gz > apache-trafodion-x.x.x-incubating-src.tar.gz.md5
  sha1sum apache-trafodion-x.x.x-incubating-src.tar.gz > apache-trafodion-x.x.x-incubating-src.tar.gz.sha 

Test artifacts

Build and test the source tar file

It is recommended that artifacts be tested following the Building the Software instructions 

  • Test build using a fresh VM
  • Test build using the tagged version from git

Compare the tagged version with the source tar file

In addition, you should compare the code from the source tar file with the tagged version to make sure they match.
This assumes that the artifacts branch contains the release candidates.

  mkdir traf_test
  cd traf_test
  cp <git dir>/incubator-trafodion/distribution/* .
  tar zxf apache-trafodion-x.x.x-incubating-src.tar.gz
  compare the two versions, for example using BCompare and the "Folder Compare Report" feature:
    old: traf_test/incubator-trafodion
    new: <git dir>/incubator-trafodion

Note: the git version will have some additional git folders and the distribution directory 
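A scriptable alternative to the BCompare step, as an added example that is not part of the original page: it skips the extra content that only the git tree has and reports files found only in the tarball separately, since those have no counterpart in the tag. The function names and report labels are hypothetical, and reading "git folders" as .git directories is an assumption.

```shell
#!/bin/sh
# Added example; function names and report labels are hypothetical.

# list_files DIR: sorted relative paths of regular files, skipping .git
# entries and the top-level distribution directory (present only in git).
# Assumes file names contain no newlines.
list_files() {
    ( cd "$1" && find . \( -name .git -o -path ./distribution \) -prune \
          -o -type f -print | LC_ALL=C sort )
}

# compare_release_trees TAR_TREE GIT_TREE
# Prints one line per discrepancy; returns 0 when the trees match,
# 1 when they differ, 2 when a directory is missing.
compare_release_trees() {
    tar_tree=$1; git_tree=$2; rc=0
    [ -d "$tar_tree" ] && [ -d "$git_tree" ] || return 2
    work=$(mktemp -d) || return 2
    list_files "$tar_tree" > "$work/tar.lst"
    list_files "$git_tree" > "$work/git.lst"
    # Files shipped in the tarball that the tag does not contain.
    LC_ALL=C comm -23 "$work/tar.lst" "$work/git.lst" \
        | sed 's/^/ONLY-IN-TARBALL /' > "$work/report"
    # Files in the tag that were left out of the tarball.
    LC_ALL=C comm -13 "$work/tar.lst" "$work/git.lst" \
        | sed 's/^/ONLY-IN-GIT /' >> "$work/report"
    # Files present on both sides are compared byte for byte.
    LC_ALL=C comm -12 "$work/tar.lst" "$work/git.lst" \
        | while IFS= read -r f; do
              cmp -s "$tar_tree/$f" "$git_tree/$f" || printf 'DIFFERS %s\n' "$f"
          done >> "$work/report"
    cat "$work/report"
    [ -s "$work/report" ] && rc=1
    rm -rf "$work"
    return $rc
}
```

With the directories used above, the call would be: compare_release_trees traf_test/incubator-trafodion <git dir>/incubator-trafodion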

Verify Apache requirements

Follow the instructions under Verify signatures to verify checksums and signatures.

Make sure the high level directory contains valid versions of:

  • DISCLAIMER.txt
  • LICENSE.txt
  • NOTICE.txt
  • RAT_README.txt
  • README.txt

Stage the artifacts

Once all the artifacts have been created and tested, it is time to stage them.  Upload the artifacts to the https://dist.apache.org/repos/dist/dev/incubator/trafodion directory.

  1. Make sure svn exists – can be downloaded from yum
    1. which svn
    2. svn --version (version 1.6.11 works)
  2. Create a directory to store the svn repository
  3. Checkout source code, this creates a directory called incubator
           svn co https://dist.apache.org/repos/dist/dev/incubator
  4. cd trafodion
  5. Create a new directory for the release: mkdir apache-trafodion-x.x.x-incubating
  6. cd <apache-trafodion-x.x.x-incubating>
  7. Copy the four files to the incubating directory.
  8. Make sure you do an svn add for the new directory and all four files
  9. Ask for a review of the changes
  10. Commit your changes
    1. svn status
    2. svn commit -m "message…"
    3. go to https://dist.apache.org/repos/dist/dev/incubator to see if your changes were committed

Verification

At this time, all the artifacts have been uploaded to the staging area.

Verify signatures

Download all the artifacts from the staging area including:

  apache-trafodion-x.x.x-incubating-src.tar.gz
  apache-trafodion-x.x.x-incubating-src.tar.gz.asc
  apache-trafodion-x.x.x-incubating-src.tar.gz.md5
  apache-trafodion-x.x.x-incubating-src.tar.gz.sha

Check signatures and checksums

  For apache-trafodion-x.x.x-incubating-src.tar.gz.asc, do:

  • gpg apache-trafodion-x.x.x-incubating-src.tar.gz.asc
  • expect:
    gpg: Signature made Tue 03 Nov 2015 12:59:10 AM UTC using RSA key ID A44C5A05
    gpg: Can't check signature: No public key
  • extract public key from key ID returned above
  • gpg --keyserver pgpkeys.mit.edu --recv-key A44C5A05
  • expect:
    gpg: requesting key A44C5A05 from hkp server pgpkeys.mit.edu
    gpg: /home/centos/.gnupg/trustdb.gpg: trustdb created
    gpg: key A44C5A05: public key "Roberta Marton (CODE SIGNING KEY) <rmarton@apache.org>" imported
  • gpg --verify apache-trafodion-x.x.x-incubating-src.tar.gz.asc
  • expect:
    gpg: Signature made <date> using RSA key ID A44C5A05
    gpg: Good signature from "Roberta Marton (CODE SIGNING KEY) <rmarton@apache.org>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.

  For apache-trafodion-x.x.x-incubating-src.tar.gz.md5, do:

  • md5sum -c apache-trafodion-x.x.x-incubating-src.tar.gz.md5
  • expect: apache-trafodion-x.x.x-incubating-src.tar.gz: OK 

  For apache-trafodion-x.x.x-incubating-src.tar.gz.sha, do:

  • sha1sum -c apache-trafodion-x.x.x-incubating-src.tar.gz.sha
  • expect:  apache-trafodion-x.x.x-incubating-src.tar.gz: OK
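The checks above in scripted form, as an added example that is not part of the original page or the project's tooling: the signature is accepted only when gpg's status output names the expected full fingerprint, using a throwaway keyring loaded from a KEYS file instead of a key fetched by its short ID. The function names, the KEYS file argument and the fingerprint are assumptions; the sample status lines are constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# check_status STATUS_FILE FINGERPRINT
# Succeeds only if the gpg --status-fd output shows a valid signature by the
# expected key (signing key or its primary key) and no failure record.
# Appending "" forces awk to compare the fingerprints as strings.
check_status() {
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && ($3 "" == want || $NF "" == want) { ok = 1 }
        END { exit !(ok && !bad) }
    ' "$1"
}

# verify_release TARBALL KEYS_FILE FINGERPRINT
# Run it in the directory holding the downloaded files, because the .md5 and
# .sha files name the tarball relatively. Only keys from KEYS_FILE can
# satisfy the check, since the keyring is created empty for this run.
verify_release() (
    GNUPGHOME=$(mktemp -d) || exit 1
    export GNUPGHOME
    trap 'rm -rf "$GNUPGHOME"' EXIT
    gpg --batch --quiet --import "$2" || exit 1
    gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null \
        > "$GNUPGHOME/status"
    check_status "$GNUPGHOME/status" "$3" || exit 1
    md5sum -c "$1.md5" && sha1sum -c "$1.sha"
)

# Constructed status output for a good signature (not real key data).
sample_status() {
    fpr=0123456789ABCDEF0123456789ABCDEF01234567
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>' \
        "[GNUPG:] VALIDSIG $fpr 2015-11-03 1446555550 0 4 0 1 8 00 $fpr" \
        '[GNUPG:] TRUST_UNDEFINED'
}
```

The expected fingerprint should come from a source independent of the download, such as the committer's entry in the project's KEYS file.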

Verify Apache requirements

  • Make sure that the high level directory contains: DISCLAIMER, NOTICE, LICENSE, README
  • Run rat to make sure all files have Apache copyrights

Complete the release

Under construction

 

 

 


1 Comment

  1. This page is being moved to the Trafodion website.