sis-commits mailing list archives

From desruisse...@apache.org
Subject svn commit: r1504512 - /sis/branches/JDK7/src/site/apt/release-setup.apt
Date Thu, 18 Jul 2013 16:26:45 GMT
Author: desruisseaux
Date: Thu Jul 18 16:26:45 2013
New Revision: 1504512

URL: http://svn.apache.org/r1504512
Log:
Initial draft of the release setup page. The release process page will be committed later.

Added:
    sis/branches/JDK7/src/site/apt/release-setup.apt   (contents, props changed)
      - copied, changed from r1504167, sis/site/trunk/content/release-management.mdtext

Copied: sis/branches/JDK7/src/site/apt/release-setup.apt (from r1504167, sis/site/trunk/content/release-management.mdtext)
URL: http://svn.apache.org/viewvc/sis/branches/JDK7/src/site/apt/release-setup.apt?p2=sis/branches/JDK7/src/site/apt/release-setup.apt&p1=sis/site/trunk/content/release-management.mdtext&r1=1504167&r2=1504512&rev=1504512&view=diff
==============================================================================
--- sis/site/trunk/content/release-management.mdtext [iso-8859-1] (original)
+++ sis/branches/JDK7/src/site/apt/release-setup.apt [UTF-8] Thu Jul 18 16:26:45 2013
@@ -1,256 +1,152 @@
-Title: Release Process
-Notice:    Licensed to the Apache Software Foundation (ASF) under one
-           or more contributor license agreements.  See the NOTICE file
-           distributed with this work for additional information
-           regarding copyright ownership.  The ASF licenses this file
-           to you under the Apache License, Version 2.0 (the
-           "License"); you may not use this file except in compliance
-           with the License.  You may obtain a copy of the License at
-           .
-             http://www.apache.org/licenses/LICENSE-2.0
-           .
-           Unless required by applicable law or agreed to in writing,
-           software distributed under the License is distributed on an
-           "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-           KIND, either express or implied.  See the License for the
-           specific language governing permissions and limitations
-           under the License.
-
-Releases are crucial aspects for an apache project and following the guidelines is very important.
The [Release FAQ][release-faq] describes the foundation wide policies. The following instructions
walkthrough SIS specific release steps.
-
-<a name="release-setup"></a>
-###One time release management setup
-
-This section describes release management configuration steps, if you have previously configured
these steps, jump directly to [Release Process](#release-process).
-
-Performing a release will require:
-
-* Generate, sign and upload gpg key, you can follow these [gpg instructions](#gpg-key).
-* Configure Maven and get access to Nexus Repo, more [maven & nexus instructions](#maven-nexus-setup).
-
-<a name="gpg-key"></a>
-#### Generate GPG key
-The releases have to be signed by public key cryptography signatures. Detailed instructions
on why releases have to be signed are provided on [Release Signing][release-signing] page.
-The popular software used Open Pretty Good Privacy (OpenPGP) is the GPG. The [GPG instructions][gpg-keys]
list out detailed steps on managing your keys.
-
-The steps can be summarized as:
-
-* Generate 4096 bits RSA key pair using gpg: `gpg --gen-key`.
-* Export the public key: `gpg --list-sigs <Real Name> && gpg --armor -- export
<Real Name>`
-* Upload the public key to [SURFNET PGP][surfnet-pgp] or [MIT PGP][mit-pgp] servers.
-* Have your key signed by at least three apache commiters, [key signing][key-sign] and [Henk
Penning][henk-trust] websites provide instructions.
-* Add the signed public key to the KEYS file on [SIS Dist SVN][sis-dist-svn].
-
-For reference, the steps to sign a key:
-
-* The person whom you know in person provides you his key, usually this happens at key signing
party where you can verify each others ID's.
-* Fetch the key `gpg --keyserver <keyserver> --recv-keys <Key_ID>` an example
key server is pgp.mit.edu
-* Sign the key `gpg --sign-key <Key_ID>`
-* Upload the key back to the server `gpg --keyserver <keyserver> --send-key <Key_ID>`
-
-
-<a name="maven-nexus-setup"></a>
-#### Maven Configuration & Nexus Setup
-
-* SIS requires Maven 3 or later to build and release
-* It is encouraged to use maven's password encryption capabilities and set the gpg password
in
-~/.m2/settings.xml. Detailed instructions are at [Publishing Maven Artifacts][maven-artificats]
-	* Make sure both the apache.snapshots.https and apache.releases.https are configured correctly.
-* Performing release will require maven to run series of commands, the heapsize has to be
increased to avoid out of memory exceptions.
-* 		Bash Shell: `export MAVEN_OPTS="-Xmx1024m -XX:MaxPermSize=256m"`.
-* 		C Shell: `setenv MAVEN_OPTS "-Xmx1024m -XX:MaxPermSize=256m"`.
-
-<a name="release-process"></a>
-#### Release Process
-
-1. Before performing the following release steps, ensure the [Release Setup](#release-setup)
steps have been performed.
-
-2. Ensure the source is ready for release. Verify:
-     * Cleanup JIRA so the Fix Version in issues resolved since the last release includes
this release version correctly.
-     * Ensure all open issues are resolved before proceeding further, close all resolved
issues.
-     * Test and make sure the release passes all regression tests.
-     * Update RELEASE_NOTES with all the features added.
-     	 * The release notes can be obtained from JIRA, by clicking the version, and then configuring
the release notes to display text format and copying it.
-     	 * A suggested approach would be to reorganize the release notes as New Features, then
Improvements then Tasks and Sub Tasks and finally Bug Fixes.
-     * Review and update README, INSTALL files.
-     * Commit any changes back to svn.
-     * Update website/wiki with Roadmap or Release landing pages.
-
-3. Checkout a clean copy of the trunk to release using command line svn.
-    *Do not use Eclipse to do the checkout. The extra dot (.) files created by Eclipse throws
off the rat:check processing.*
-
-    	`svn co https://svn.apache.org/repos/asf/sis/trunk sis-trunk`
-
-4. Verify the source has the required license headers before trying to release:
-
-		`mvn -P pedantic verify -DskipTests=true`
-
-5. Do a dry run of the release:prepare step:
-
-		`mvn -P apache-release release:prepare -DautoVersionSubmodules=true -DdryRun=true`
-
-    The dry run will not commit any changes back to SVN and gives you the opportunity to
verify that the release process will complete as expected. You will be prompted for the following
information :
-
-      * Release version
-      * SCM release tag
-      * New development version
-      * GPG Passprhase - On a Mac if the passphrase is stored in keychain, the passphrase
is not prompted.
-
-    *If you cancel a release:prepare before it updates the pom.xml versions, then use the
release:clean goal to just remove the extra files that were created.*
-
-    The Maven release plugin checks for SNAPSHOT dependencies in pom's. It will not complete
the prepare goal until all SNAPSHOT dependencies are resolved.
-
-6. Verify that the release process completed as expected
-    * The release plugin will create pom.xml.tag files which contain the changes that would
have been committed to SVN. The only differences between pom.xml.tag and it's corresponding
pom.xml file should be the version number.
-    * If other formatting changes have been made you should review the changes and then commit
them `svn commit -m "fixing formatting for release"`
-    * Check release.properties and make sure that the scm properties have the right version.
Sometimes the scm location can be the previous version not the next version.
-    * Verify signatures ([Verifying release signatures](#verify_signatures))
-
-7. Once any failures or required updates have been committed to svn, rollback the release
prepare files:
-
-		`mvn -P apache-release release:rollback`
-
-8. Prepare the release: Run the "release:prepare" step for real this time. You'll be prompted
for the same version information.
-
- 		`mvn -P apache-release release:prepare -DautoVersionSubmodules=true`
-    Backup (zip or tar) your local release candidate directory in case you need to rollback
the release after the next step is performed.
-
-9. Perform the release
-     * This step will create a maven staging repository and site for use in testing and voting.
-
-     		`mvn release:perform -Papache-release`
-
-     * If your local OS userid doesn't match your Apache userid, then you'll have to also
override the value provided by the OS to Maven for the site-deploy step to work: -Duser.name=[your_apache_uid]
--This is known to work for Linux, but not for Mac and unknown for Windows--.
-
-10. Verify the Nexus release artifacts
-
-    * Verify the HTML links in site are correct
-
-    * Verify the staged artifacts in the nexus repo
-        * https://repository.apache.org/index.html
-        * Staging repositories (under Build Promotion) --> Name column --> org.apache.sis
-        * Navigate through the artifact tree and make sure that all javadoc, sources, tests,
jars, ... have .asc (GPG signature) and .md5 files. See http://people.apache.org/~henkp/repo/faq.html
and http://www.apache.org/dev/release-signing.html#openpgp-ascii-detach-sig
-
-    * Close the nexus staging repo
-        * https://repository.apache.org/index.html
-        * Staging repositories (under Build Promotion) --> Name column --> org.apache.sis
-        * Click checkbox for the open staging repo (org.apache.sis-XXX) and press Close in
the menu bar.
-
-11.  Sign the binary artifacts
-
-        * $ `cd modules/distribution/target`
-        * $ `gpg -ab apache-sis-*${project.version}*-bin.tar.gz`
-        * $ `gpg -ab apache-sis-*${project.version}*-bin.zip`
-        * $ `gpg --print-md SHA512 apache-sis-*${project.version}*-bin.tar.gz > apache-sis-*${project.version}*-bin.tar.gz.sha`
-        * $ `gpg --print-md SHA512 apache-sis-*${project.version}*-bin.zip > apache-sis-*${project.version}*-bin.zip.sha`
-        * $ `gpg --print-md MD5 apache-sis-*${project.version}*-bin.tar.gz > apache-sis-*${project.version}*-bin.tar.gz.md5`
-        * $ `gpg --print-md MD5 apache-sis-*${project.version}*-bin.zip > apache-sis-*${project.version}*-bin.zip.md5`
-
-12. Stage the source and binary artifacts to the dist development repository
-
-	* Checkout SIS development dist area:
-
-			`svn co https://dist.apache.org/repos/dist/dev/sis sis-dev-dist`
-
-	* Create the directory for ${project.version} and RC{number} within it. The RC number corresponds
to the current release attempt.
-	* Copy the source and binaries into dist area.
-		* Copy the source and binaries into the development dist RC area created above.
-		* Sources and signed artificats can be downloaded from staging repo https://repository.apache.org/content/groups/staging/org/apache/sis/sis/${project.version}.
-		* Source artifacts should include sis-{project.version}-source-release.zip, sis-{project.version}-source-release.zip.asc,
sis-{project.version}-source-release.zip.sha, sis-{project.version}-source-release.zip.md5
-		* Binaries and gpg signed artificats from step 11.
-        * Verify they are downloadable from https://dist.apache.org/repos/dist/dev/sis/${project.version}/RC{number}.
-
-13. Put the release candidate up for a vote
-     1. Create a VOTE email thread on dev@ to record votes as replies, like [this](release-vote.txt)
-     2. Create a DISCUSS email thread on dev@ for any vote questions, [this](release-discuss.txt)
-     3. Perform a review of the release and cast your vote. For elaborate instructions, please
consult [Apache Release FAQ][release-faq].
-
-     4. A -1 vote does not necessarily mean that the vote must be redone, however it is usually
a good idea to rollback the release if a -1 vote is received. See - Recovering from a vetoed
release
-     5. After the vote has been open for at least 72 hours, has at least three +1 PMC votes
and no -1 votes, then post the results to the vote thread by -
-         * reply to the initial email and prepend to the original subject "[RESULT]"
-         * Include a list of everyone who voted +1, 0 or -1.
-
-14. Finalizing a release
-
-    1. The artificats in the repository are not yet mirrored and available for maven to download.
Promote the staged nexus artifacts, but releasing them.
-
-        * https://repository.apache.org/index.html
-        * Staging repositories (under Build Promotion) --> Name column --> org.apache.sis
-        * Click checkbox of the closed staging repo (org.apache.sis-XXX) and select Release.
-
-    2. Checkin the source and binary artifcats into distribution svn which will be pulled
by all mirrors within 24 hours. The dist/dev svn is not mirrored, but the dist/release is.
-        * `svn copy https://dist.apache.org/repos/dist/dev/sis/${project.version}/RC{number}
https://dist.apache.org/repos/dist/release/sis/${project.version}  -m "Committing SIS Source
and Binary Release for ${project.name}-${project.version}`
-
-    3. Update the staged website
-
-        *  Update the downloads page to add new version using the mirrored URLs
-        *  Modify the URL for the prior release to the archived URL for the release
-
-    4.  Publish the website
-
-        *  WAIT 24hrs after committing releases for mirrors to replicate
-        *  Publish updates to the download page
-
-    5.  Delete the prior versions
-
-        *  Navigate to the release directories checked out in the prior steps
-        *  Delete the prior release artifacts using the svn delete command
-        *  Commit the deletion
-
-15. Update the JIRA versions page to close all issues, mark the version as "released", and
set the date to the date that the release was approved. You may also need to make a new release
entry for the next release.
-
-16. Announcing the release
-
-       * Make a news announcement on the SIS homepage.
-       * Make an announcement about the release on the dev@sis.apache.org, users@sis.apache.org,
and announce@apache.org.
-       * Sample announce [email](release-announce.txt).
-
-
-####Recovering from a vetoed release
-
-1. Reply to the initial vote email and prepend to the original subject -
-
-     [CANCELED]
-
-3. Delete the svn tag created by the release:perform step -
-
-       $ svn del https://svn.apache.org/repos/asf/sis/tags/${project.version} -m "deleting
tag from rolled back release"
-
-4. Revert the svn to old version `mvn -P apache-release release:rollback`
-5.
-5.  Delete the build artifacts on people & www
-     *  $ rm -rfv /www/people.apache.org/builds/sis/${project.version}
-
-6. Drop the nexus staging repo
-    1. https://repository.apache.org/index.html
-    2. Enterprise --> Staging
-    3. Staging tab --> Name column --> org.apache.sis
-    4. Right click on the closed staging repo (org.apache.sis-XXX) and select Drop.
-
-7. Remove the staged site
-
-8. Make the required updates that caused the vote to be canceled during the next release
cycle
-
-<a name="verify_signatures"></a>
-####Verifying release signatures
-On unix platforms and mac's download all source and binary artifacts into a new directory
and cd to the download directory.
-
-      for file in `find . -type f -iname '*.asc'`
-      do
-          gpg --verify ${file}
-      done
-
-The output will indicate the You'll need to look at the output to ensure it contains only
good signatures -
-
-gpg: Good signature from ...
-gpg: Signature made ...
-
-[release-faq]: http://www.apache.org/dev/release.html
-[gpg-keys]: http://www.apache.org/dev/openpgp.html
-[release-signing]: http://www.apache.org/dev/release-signing.html
-[surfnet-pgp]: http://pgp.surfnet.nl:11371/
-[mit-pgp]: http://pgp.mit.edu/
-[key-sign]: http://www.apache.org/dev/release-signing.html#key-signing-party
-[henk-trust]: http://people.apache.org/~henkp/trust/
-[maven-artificats]: http://www.apache.org/dev/publishing-maven-artifacts.html#dev-env
-[sis-dist-svn]: https://dist.apache.org/repos/dist/release/sis/
+~~
+~~ Licensed to the Apache Software Foundation (ASF) under one
+~~ or more contributor license agreements.  See the NOTICE file
+~~ distributed with this work for additional information
+~~ regarding copyright ownership.  The ASF licenses this file
+~~ to you under the Apache License, Version 2.0 (the
+~~ "License"); you may not use this file except in compliance
+~~ with the License.  You may obtain a copy of the License at
+~~
+~~   http://www.apache.org/licenses/LICENSE-2.0
+~~
+~~ Unless required by applicable law or agreed to in writing,
+~~ software distributed under the License is distributed on an
+~~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+~~ KIND, either express or implied.  See the License for the
+~~ specific language governing permissions and limitations
+~~ under the License.
+~~
+
+                            ---------------------------------
+                            One time release management setup
+                            ---------------------------------
+
+One time release management setup
+
+  The following instructions need to be done only once by new release managers,
+  or when configuring a new machine for performing the releases.
+  If those steps have already been done, jump directly to the {{{./release-process.html}Release
process}} page.
+
+%{toc|fromDepth=2|toDepth=3}
+
+
+* Generate GPG key
+
+  The releases have to be signed by public key cryptography signatures.
+  Detailed instructions about why releases have to be signed are provided on the {{{http://www.apache.org/dev/release-signing.html}Release
Signing}} page.
+  The standard used is OpenPGP (<Open Pretty Good Privacy>), and a popular software
implementation of that standard is GPG (<GNU Privacy Guard>).
+  The {{{http://www.apache.org/dev/openpgp.html}OpenPGP instructions}} list out detailed
steps on managing your keys.
+  The following steps provide a summary:
+
+  Edit the <<<~/.gnupg/gpg.conf>>> configuration file (where <<<~>>>
is the home directory) and add the following
+  configuration options, or edit the existing values if any:
+
+-------------------------------------------------------------------------------------------------------
+personal-digest-preferences SHA512
+cert-digest-algo SHA512
+default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP
Uncompressed
+-------------------------------------------------------------------------------------------------------
+
+  Generate 4096 bits RSA key pair using the following command-line. GPG will prompts for
various informations.
+  The list below the command suggests some values, keeping in mind that the new key should
be used only for
+  signing Apache softwares - not for daily emails.
+
+-------------
+gpg --gen-key
+-------------
+
+   * Kind of key: RSA and RSA (default). Do not create DSA key.
+
+   * Key size: 4096 bits.
+
+   * Validity time: 0 (key does not expire).
+
+   * Real name: the developer's name.
+
+   * Email address: developer's email address at <<<@apache.org>>>.
+
+   * Comment: "CODE SIGNING KEY".
+
+   * Passphrase: please choose a strong one.
+
+  Verify the key information (replace _Real Name_ by the above-cited developer's name, keeping
quotes in the command below).
+  Note the key identifier, which is a value like <<<EB98E066>>>. This key
identifier will be needed for the next steps.
+
+---------------------------
+gpg --list-sigs "Real Name"
+---------------------------
+
+  Sends the public key to a keys server (replace <<<<key_id>>>> by
the above-cited key identifier).
+  The default GPG configuration sends the key to <<<hkp://keys.gnupg.net>>>.
+  Note that while there is many key servers, most of them synchronize changes with each other,
+  so a key uploaded to one should be disseminated to the rest.
+
+-----------------------
+gpg --send-key <key_id>
+-----------------------
+
+  Generate a revocation certificate. This is not for immediate use, but generating the certificate
now
+  is a safety in case the passphrase is lost. Keep the revocation certificate in a safe place.
+
+----------------------------------------------
+gpg --output revcert.asc --gen-revoke <key_id>
+----------------------------------------------
+
+  Have the key signed by at least three Apache commiters. This can be done by executing the
following commands on
+  the machine of the other Apache commiter, where <<<key_to_use>>> is the
identifier of the other commiter's key.
+  Those operation should preferably be done in some event where the commiters can meet face-to-face.
+  The other commiter should verify that the <<<gpg --fingerprint>>> command
output matches the fingerprint of the key to sign.
+
+--------------------------------------------------
+gpg --recv-keys <key_id>
+gpg --fingerprint <key_id>
+gpg --default-key <key_to_use> --sign-key <key_id>
+gpg --send-key <key_id>
+--------------------------------------------------
+
+  The above-cited <Release Signing> page provides more instructions.
+  Then, the signed public key shall be appended to the <<<KEYS>>> file
on
+  {{{http://dist.apache.org/repos/dist/release/sis/}}}.
+
+
+* Maven Configuration & Nexus Setup
+
+  Detailed instructions are at {{{http://www.apache.org/dev/publishing-maven-artifacts.html}Publishing
Maven Artifacts}}.
+  In summary, the developer needs to specify username, and optionally password, in his local
<<<~/.m2>>> directory.
+  If not already done, create a Maven master password:
+
+----------------------------------------
+mvn --encrypt-master-password <password>
+----------------------------------------
+
+  The command will produce an encrypted version of the given password, something like <<<{jSMOWnoPFgsHVpMvz5VrIt5kRbzGpI8u+9EF1iFQyJQ=}>>>.
+  Store this password in the <<<~/.m2/settings-security.xml>>> file like
below:
+
++---------------------------------------------------------------+
+<settingsSecurity>
+  <master>{jSMOWnoPFgsHVpMvz5VrIt5kRbzGpI8u+9EF1iFQyJQ=}</master>
+</settingsSecurity>
++---------------------------------------------------------------+
+
+  Then encrypt the passphrase of the GPG key created in above steps, like below:
+
+-----------------------------------
+mvn --encrypt-password <passphrase>
+-----------------------------------
+
+  The command will produce an encrypted version of the passphrase, something like <<<{COQLCE6DU6GtcS5P=}>>>.
+  Cut-and-paste it in a section of the <<<~/.m2/settings.xml>>> file like
below:
+
++--------------------------------------------------------------------+
+<settings>
+...
+  <servers>
+    <server>
+      <id>apache.releases.https</id>
+      <username> <!-- YOUR APACHE USERNAME --> </username>
+      <password>{COQLCE6DU6GtcS5P=}</password>
+    </server>
+   ...
+  </servers>
+</settings>
++--------------------------------------------------------------------+
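Review bot: In the final settings.xml example, the value produced by `mvn --encrypt-password <passphrase>` (described as the GPG key passphrase) is pasted into the `<password>` element of the `apache.releases.https` server entry, which is the credential Maven presents to that repository, so the page conflates the signing passphrase with the Apache account password. Say which secret belongs in that `<password>` and document separately where the GPG passphrase is configured. Three smaller points in the same hunk: both `mvn --encrypt-master-password <password>` and `mvn --encrypt-password <passphrase>` take the cleartext secret as a command-line argument, where it ends up in shell history and is visible in the process list, so the text should tell the release manager to keep it out of history; the sample key identifier `EB98E066` is a short 32-bit ID, which is not collision resistant, so the `--recv-keys` and `--sign-key` steps would be safer if they used the full fingerprint that `gpg --fingerprint` prints; and the KEYS location changed from the https URL in the removed text to `http://dist.apache.org/repos/dist/release/sis/`, which should stay https since that file is what downloaders use to verify signatures.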

Propchange: sis/branches/JDK7/src/site/apt/release-setup.apt
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: sis/branches/JDK7/src/site/apt/release-setup.apt
------------------------------------------------------------------------------
    svn:mime-type = text/plain;charset=UTF-8


