Author: buildbot Date: Mon Jul 22 15:00:15 2013 New Revision: 870595 Log: Staging update by buildbot for sis Added: websites/staging/sis/trunk/content/release/ websites/staging/sis/trunk/content/release/setup.html Modified: websites/staging/sis/trunk/content/ (props changed) Propchange: websites/staging/sis/trunk/content/ ------------------------------------------------------------------------------ --- cms:source-revision (original) +++ cms:source-revision Mon Jul 22 15:00:15 2013 @@ -1 +1 @@ -1505687 +1505705 Added: websites/staging/sis/trunk/content/release/setup.html ============================================================================== --- websites/staging/sis/trunk/content/release/setup.html (added) +++ websites/staging/sis/trunk/content/release/setup.html Mon Jul 22 15:00:15 2013 @@ -0,0 +1,241 @@ + + + + Apache SIS + + + + + + + + + + + + +
+
+ +
+
+
+

One time release management setup

+

The following instructions need to be done only once by new release managers, +or when configuring a new machine for performing the releases. +If those steps have already been done, jump directly to the Release process page.

+

Directory layout (including Subversion checkout)

+

The steps described in the release process page assume the following directory layout. +Some directories are SVN checkout, other are ordinary directories. Any other layout can be used. +However in the later case, all relative paths in the release process page will need to be adjusted accordingly.

+
<any root directory for SIS>
+├─ trunk
+├─ branches
+├─ tags
+└─ distribution
+
+ + +

Create the above directory structure as below:

+
svn checkout https://svn.apache.org/repos/asf/sis/trunk
+svn checkout https://dist.apache.org/repos/dist/dev/sis distribution
+mkdir branches
+mkdir tags
+
+ + +

Shell configuration

+

It is better for Unix shells to contain the following line in their initialization file +(typically ~/.bashrc or ~/.profile, where ~ stands for the user's home directory):

+
export GPG_TTY=$(tty)
+
+ + +

Generate GPG key

+

The releases have to be signed by public key cryptography signatures. +Detailed instructions about why releases have to be signed are provided on the Release Signing page. +The standard used is OpenPGP (Open Pretty Good Privacy), and a popular software implementation of that standard is GPG (GNU Privacy Guard). +The {{{http://www.apache.org/dev/openpgp.html}OpenPGP instructions}} list out detailed steps on managing your keys. +The following steps provide a summary:

+

Edit the ~/.gnupg/gpg.conf configuration file and add the following configuration options, +or edit the existing values if any:

+
personal-digest-preferences SHA512
+cert-digest-algo SHA512
+default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
+
+ + +

Generate 4096 bits RSA key pair using the following command-line. GPG will prompts for various informations. +The list below the command suggests some values, keeping in mind that the new key should be used only for +signing Apache softwares - not for daily emails.

+
gpg --gen-key
+
+ + +
    +
  • Kind of key: RSA and RSA (default). Do not create DSA key.
  • +
  • Key size: 4096 bits.
  • +
  • Validity time: 0 (key does not expire).
  • +
  • Real name: the developer's name.
  • +
  • Email address: developer's email address at <<@apache.org>>.
  • +
  • Comment: "CODE SIGNING KEY".
  • +
  • Passphrase: please choose a strong one.
  • +
+

Verify the key information (replace Real Name by the above-cited developer's name, keeping quotes in the command below). +Note the key identifier, which is a value like EB98E066. This key identifier will be needed for the next steps.

+
gpg --list-sigs "Real Name"
+
+ + +

Sends the public key to a keys server (replace <key_id> by the above-cited key identifier). +The default GPG configuration sends the key to hkp://keys.gnupg.net. +Note that while there is many key servers, most of them synchronize changes with each other, +so a key uploaded to one should be disseminated to the rest.

+
gpg --send-key <key_id>
+
+ + +

Generate a revocation certificate. This is not for immediate use, but generating the certificate now +is a safety in case the passphrase is lost. Keep the revocation certificate in a safe place.

+

:::bash + gpg --output revocation_certificate.asc --gen-revoke

+

Have the key signed by at least three Apache commiters. This can be done by executing the following commands on +the machine of the other Apache commiter, where <key_to_use> is the identifier of the other commiter's key. +Those operation should preferably be done in some event where the commiters can meet face-to-face. +The other commiter should verify that the gpg --fingerprint command output matches the fingerprint of the key to sign.

+
gpg --recv-keys <key_id>
+gpg --fingerprint <key_id>
+gpg --default-key <key_to_use> --sign-key <key_id>
+gpg --send-key <key_id>
+
+ + +

The above-cited Release Signing page provides more instructions. +Then, the signed public key shall be appended to the KEYS file on SIS distribution directory.

+

Maven Configuration & Nexus Setup

+

Detailed instructions are at Publishing Maven Artifacts. +In summary, the developer needs to specify username, and optionally password, in his local ~/.m2 directory. +If not already done, create a Maven master password:

+
mvn --encrypt-master-password <password>
+
+ + +

The command will produce an encrypted version of the given password, something like \{jSMOWnoPFgsHVpMvz5VrIt5kRbzGpI8u+9EF1iFQyJQ=\}. +Store this password in the ~/.m2/settings-security.xml file like below:

+
<settingsSecurity>
+  <master>{jSMOWnoPFgsHVpMvz5VrIt5kRbzGpI8u+9EF1iFQyJQ=}</master>
+</settingsSecurity>
+
+ + +

Then encrypt the passphrase of the GPG key created in above steps, like below:

+
mvn --encrypt-password <passphrase>
+
+ + +

The command will produce an encrypted version of the passphrase, something like \{COQLCE6DU6GtcS5P=\}. +Cut-and-paste it in a section of the ~/.m2/settings.xml file like below:

+
<settings>
+...
+  <servers>
+    <server>
+      <id>apache.releases.https</id>
+      <username> <!-- YOUR APACHE USERNAME --> </username>
+      <password>{COQLCE6DU6GtcS5P=}</password>
+    </server>
+   ...
+  </servers>
+</settings>
+
+
+
+
+
+
+ + + + + + + +
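Review bot: The revocation-certificate step in setup.html cannot be run as written. The line `:::bash + gpg --output revocation_certificate.asc --gen-revoke` names no key, and the `:::bash` marker has ended up in paragraph text instead of opening a code block like the other commands. Suggest putting the marker and the command on separate indented lines and ending the command with `<key_id>`, as the `gpg --send-key <key_id>` step does. In the same hunk, the "Generate GPG key" text still carries unconverted markup (`{{{http://www.apache.org/dev/openpgp.html}OpenPGP instructions}}` and `<<@apache.org>>`). The Maven section says to encrypt the GPG key passphrase but then pastes the result into the `<password>` of the `apache.releases.https` server entry, so the page should state which secret that field is meant to hold. Finally, `mvn --encrypt-master-password <password>` and `mvn --encrypt-password <passphrase>` take the secret as a command-line argument, which leaves it in shell history. A sentence telling release managers how to avoid or clear that would help.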