Geronimo 3.0.x Release Process
The steps below use the 3.0.1 release as an example.
1. It is better to use a non-Windows system to create the release candidate
- DOS line endings make all Unix shell scripts non-executable
2. mvn rat:check
- Refer to the same section in Geronimo 2.1.x Release Process
3. Manually update some files:
- Search all pom.xml files for "SNAPSHOT" to ensure there are no snapshot dependencies
- Update the plugin-list URL in $SRC\framework\configs\plugin\pom.xml
- Update ##VERSION## in README.txt and RELEASE_NOTES.txt in the source code root folder and in $SRC\framework\configs\karaf-framework
- Update the JIRAs in RELEASE_NOTES.txt (bugs, improvements, new features, known issues, and limitations)
- Update the copyright year in NOTICE files
- Update the versions of some unreleased modules to 3.0.1. Refer to this Ant script to update the versions in batch.
- Commit the changes
4. mvn release:prepare -DdryRun=true -Pall-subprojects
5. Release Prepare
- Before running release prepare, clean up your local repository so that bad staged release artifacts are not included in the Geronimo release. See reference.
- This will update the versions in branch 3.0 and create the release tag
- Manually remove all *.log files in the source code root folder; otherwise they might be packed into the source code zip files.
- mvn release:clean -Pall-subprojects
- mvn release:prepare -Pall-subprojects
- You need to run "mvn clean install -Dstage=bootstrap" midway
6. Release Perform
- This will stage the release artifacts.
- mvn release:perform -Pall-subprojects
- In the Apache Nexus repository, click "close": https://repository.apache.org/index.html#welcome
- Vote on the mailing list; meanwhile, wait for the TCK results. A sample release vote email is as follows:
- Post "VOTE PASSxxx" in the subject, and summarize the vote status in the body when the vote closes.
8. Release artifacts
- In Apache Nexus, click "release"
- The artifacts will be synchronized to the Maven central repository after some time.
9. Update geronimo-plugins.xml
- Delete your local ~/.m2/repository/geronimo-plugins.xml
- Build tag 3.0.0, which will generate a new geronimo-plugins.xml in ~/.m2/repository/
- Follow the actions described in step 12 of https://cwiki.apache.org/GMOxPMGT/geronimo-server-release-process.html
10. Check in artifacts to dist svnpubsub
- Check in the artifacts to https://dist.apache.org/repos/dist/release/geronimo/
- Update https://svn.apache.org/repos/asf/geronimo/KEYS and https://dist.apache.org/repos/dist/release/geronimo/KEYS with your public key (if it is not there).
- Check in the artifacts and their checksums and signatures (*.tar.gz.md5, *.zip.md5, *.tar.gz.sha1, *.zip.sha1, *.asc) to https://dist.apache.org/repos/dist/release/geronimo/3.0.0
11. Announce on the mailing list and post news on the homepage
- Modify http://geronimo.apache.org/downloads.html.
- Add a new page listing the artifacts that can be downloaded.
- Modify the front page and add a news item.
12. Update the security advisory page
- Add a section for the new release at https://cwiki.apache.org/confluence/display/GMOxSITE/3.0.x+Security+Report
- If there are outstanding advisories for vulnerabilities fixed by this release, move the vulnerability descriptions to the new release section.
13. Manually update files in the 3.0 branch after release
- Update 3.0.1-SNAPSHOT to ##VERSION## in README.txt and RELEASE_NOTES.txt
- Remove the JIRA list in RELEASE_NOTES.txt (bugs, improvements, new features, limitations)
- Search for "3.0.0" and change the occurrences to "3.0.1-SNAPSHOT"
- Update artifact-alias: add version 3.0.0 in artifact-alias after the 3.0.0 release
- Commit the changes
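The manual checks from steps 1, 3 and 5 above (DOS line endings, leftover SNAPSHOT references, stray *.log files in the source root) can be scripted and run before release:prepare. The script below is an added example, not part of the Geronimo release tooling; its function names are hypothetical, and treating every SNAPSHOT line other than the project's own development version as suspicious is an assumption.

```shell
#!/bin/sh
# Added example (not Geronimo tooling): pre-flight checks before release:prepare.
# Function names are hypothetical.
# Usage: sh preflight.sh <source-root> <dev-version>

# Step 1: shell scripts that contain DOS (CRLF) line endings.
find_crlf_scripts() {
    cr=$(printf '\r')
    find "$1" -type f -name '*.sh' -exec grep -l "$cr" {} + || true
}

# Step 3: pom.xml lines mentioning SNAPSHOT, except the project's own
# development version ($2, e.g. 3.0.1-SNAPSHOT), which release:prepare rewrites.
# Assumption: every other SNAPSHOT line deserves a manual look.
find_foreign_snapshots() {
    find "$1" -type f -name pom.xml -exec grep -n 'SNAPSHOT' /dev/null {} + |
        grep -F -v -e "$2" || true
}

# Step 5: *.log files in the source root that would end up in the source zip.
find_root_logs() {
    for f in "$1"/*.log; do
        if [ -f "$f" ]; then printf '%s\n' "$f"; fi
    done
}

# Run all checks, print the findings, return non-zero if anything was found.
preflight_check() {
    status=0
    crlf=$(find_crlf_scripts "$1")
    snaps=$(find_foreign_snapshots "$1" "$2")
    logs=$(find_root_logs "$1")
    if [ -n "$crlf" ]; then
        printf 'Scripts with CRLF line endings:\n%s\n' "$crlf"; status=1
    fi
    if [ -n "$snaps" ]; then
        printf 'SNAPSHOT references to review:\n%s\n' "$snaps"; status=1
    fi
    if [ -n "$logs" ]; then
        printf 'Log files in the source root:\n%s\n' "$logs"; status=1
    fi
    return "$status"
}

if [ "$#" -ge 2 ]; then preflight_check "$1" "$2"; fi
```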
1. Use Genesis 2.0 as a parent pom
2. Use Maven 3.0.3
- Enable Apache Servers (refer: http://maven.apache.org/developers/committer-settings.html)
It is highly recommended to use Maven's password encryption capabilities for your passwords: http://maven.apache.org/guides/mini/guide-encryption.html
3. Set up PGP keys (for first-time release managers)
- Download gnupg2
- Generate your PGP key (refer: http://www.apache.org/dev/openpgp.html) so that maven-release-plugin can sign your built artifacts during release:perform
- How To Avoid SHA-1
- How To Generate a Strong Key
- Update Maven's settings.xml with the following:
- Meanwhile, append your public key to https://svn.apache.org/repos/asf/geronimo/KEYS and https://dist.apache.org/repos/dist/release/geronimo/KEYS so that users can verify the artifacts you released.
- gpg --gen-key
- RSA and RSA (default), 4096
- gpg --list-sigs "xxxxxx" && gpg --armor --export "xxxxxx" > xxxxxx.key
- Append ("cat") your public key to the KEYS file above