Warning |
---|
This version is outdated! Work-in-progress! |
Content
Table of Contents | ||||||
---|---|---|---|---|---|---|
|
Building Steps (Struts)
Getting ready
- Prepare new Security Bulletin - use just brief description about the security vulnerability, no examples, no proof-of-concept, anything that could be used against users, secure the page to allow access only member of struts-committers group in Confluence
- Create a new Version Notes page in Confluence, link from Migration Guide, and link to prior release page and JIRA DONE filters of the version to release, secure the page to allow access only member of struts-committers group in Confluence
When a serious security issue arises, we should try to create a
).STRUTS_#_#_#_X
branch from the last GA release (from tag
Read the maven release:branch docs for further details or alternativelyNo Format mvn release:branch -DbranchName=STRUTS_#_#_#_X
- check it out and use
mvn release:branch
as below).No Format svn co
No Format svn copy https://svn.apache.org/repos/asf/struts/struts2/tags/STRUTS_#_#_# https://svn.apache.org/repos/asf/struts/struts2/branches/ cd STRUTS_#_#_# mvn release:branch -DbranchName=STRUTS_#_#_#_X -m "Creating new branch"
The svn copy command just copies the struts branch from the struts tags, no info about the version will be changed, you have to update in the next steps.Note DupdateBranchVersions=true -DupdateWorkingCopyVersions=false -DautoVersionSubmodules=true
Read the maven release:branch docs for further details or alternatively
- Apply to that branch only the security patch
- Commit the fix. No reference should be make to the commit being related to a security vulnerability.
- If the patch first applies to some other dependency, implore the other group to do the same, to avoid side-effects from other changes.
- Release the upcoming version in JIRA (under Administration/Manage Releases) and tag the release date
- Create DONE and TODO filters for the new version, share with all, and remove obsolete TODO filter
- Create a new Version Notes page in Confluence, link from Migration Guide, and link to prior release page and JIRA DONE filters of the version to release, secure the page to allow access only member of struts-committers group in Confluence
Obtain a fresh checkout.
Code Block |
---|
svn co https://svn.apache.org/repos/asf/struts/struts2/branches/STRUTS_#_#_#_X STRUTS_#_#_#_X
|
Change site target
Edit the top pom.xml file and replace 2.x the url below with version number that's going to be released
...
<distributionManagement>
<site>
<id>apache-site</id>
<url>scp://people.apache.org/www/struts.apache.org/2.x/</url>
</site>
</distributionManagement>
Change scm info
Edit every pom.xml files and replace the url inside the scm info such that points to the branch version previously created:
...
<scm>
<connection>scm:svn:http://svn.apache.org/repos/asf/struts/struts2/branches/STRUTS_#_#_#_X</connection>
<developerConnection>scm:svn:https://svn.apache.org/repos/asf/struts/struts2/branches/STRUTS_#_#_#_X</developerConnection>
<url>http://svn.apache.org/viewcvs.cgi/struts/struts2/branches/STRUTS_#_#_#_X</url>
</scm>
Info | ||
---|---|---|
| ||
If needed, you can use Versions Maven Plugin to set -SNAPSHOT version in all poms, like below:
|
commit the change
Revert to -SNAPSHOT
Maven the release plugin can create a release only from -SNAPSHOT version, replace the current version in all poms with the planned release version plus -SNASPHOT suffix, eg.
2.3.1 -> 2.3.1.1-SNAPSHOT
...
Update version of archetypes
Edit src/site/resources/archetype-catalog.xml
and change version of archetypes to current $VERSION, save and commit.
Apply security patch
Apply and commit security patch.
Prepare release
Tag the release by using the "{{release:prepare" goal }} goal of Maven:
Code Block |
---|
mvn release:prepare -Dusername=yourSvnUsername -Dpassword=yourSvnPassword -DautoVersionSubmodules=true |
For a dry run, add '-DdryRun=true'. If you do a dry run, use 'mvn release:clean' to clean up after you have looked at the output.
When prompted for the SCM tag name, follow this pattern: STRUTS_2_3_\[PATCH_VERSION\] Wiki Markup
Note |
---|
For some reason, when using svn client 1.5, the release plugin might fail to tag the release, if it fails, run: |
...
]
...
Note |
---|
If you get the error message above, try to re-run mvn release:prepare -Dusername=yourSvnUsername -Dpassword=yourSvnPassword -DautoVersionSubmodules=true command again, -Dresume flag is set to true by default and the plugin will resume the release process from where it failed before. |
...
Perform the release
Code Block |
---|
mvn release:perform -Dusername=yourSvnUsername
|
...
If you need to run perform again, (or in a different box), do:
Code Block |
---|
svngit coclone httphttps://svngit-wip-us.apache.org/repos/asf/struts/struts2/tags/.git git checkout $VERSION cd $VERSION mvn deploy site-deploy --no-plugin-updates -DperformRelease=true |
...
After closing repository in Nexus, check if the version is available from staging repository as below:
Code Block |
---|
https://repository.apache.org/content/groups/staging/org/apache/struts/struts2-assembly/$VERSION/
|
In order to move the assemblies login to people.apache.org and execute the following code:
Code Block | ||||
---|---|---|---|---|
| ||||
#!/bin/sh # create the destination directory mkdir $VERSION cd $VERSION # get the distro wget -erobots=off -nv -l 1 --accept=zip,md5,sha1,asc -r --no-check-certificate -nd -nH https://repository.apache.org/content/groups/staging/org/apache/struts/struts2-assembly/$VERSION # rename files for f in *2-assembly*.zip* do mv $f `echo $f | sed s/2-assembly//g` done # remove unneeded files for f in struts2-assembly-*.pom* do rm $f done # remove unneeded hashes rm *.asc.md5 rm *.asc.sha1 |
After that move the assemblies directory to the builds destination with
Code Block |
---|
mv $VERSION /www/people.apache.org/builds/struts/
|
...
- Update JIRA roadmap with tag/release date - release the version in JIRA
- Add next milestone to the JIRA roadmap
- Create DONE and TODO filters, share with all, and remove obsolete TODO filter
- Create new release page, link from Migration Guide, and link to prior release page and JIRA filters
Vote on it
Post a release/quality vote to the dev list (and *only* the dev list). The example mail is on [Sample Announcements] Sample announcements page. Include the term "fast-track" in the subject, as: \ [VOTE\] Struts 2.0.9.1 quality (fast track). Wiki Markup
Copy files
After the vote, if the distribution is being mirrored (there was a favourable release vote) copy the Sources and Binaries:
Code Block |
---|
ssh people.apache.org
cd /www/people.apache.org/builds/struts/$VERSION
cp struts-$VERSION-src.* /www/www.apache.org/dist/struts/source
cp struts-$VERSION-docs.* /www/www.apache.org/dist/struts/documentation
cp struts-$VERSION-lib.* /www/www.apache.org/dist/struts/library
cp struts-$VERSION-apps.* /www/www.apache.org/dist/struts/examples
cp struts-$VERSION-all.* /www/www.apache.org/dist/struts/binaries
|
...
Remove the old files from under /www/www.apache.org/dist/struts/ to synchronize only the latest version with peers. All the files from /www/www.apache.org/dist/ are always mirrored to http://archive.apache.org/dist/struts/
Wait for rsync
...
If the release will fix a - hopefully yet undisclosed - security issue, it's now time to update the Security Bulletins page and add a new announcement. For a template, just check former announcements
Update site (Struts 2 site)
Code Block |
---|
ssh people.apache.org
export VERSION=2.#.#
unzip /www/people.apache.org/builds/struts/$VERSION/struts-$VERSION-docs.zip -d ~/docs
#now the docs are under ~/docs/struts-$VERSION/docs
mkdir -p /www/struts.apache.org/$VERSION
mv ~/docs/struts-$VERSION/docs/* /www/struts.apache.org/$VERSION
chmod -R g+w /www/struts.apache.org/$VERSION
chown -R :struts /www/struts.apache.org/$VERSION
|
Edit /www/struts.apache.org/$VERSION/archetype-catalog.xml and update the version of artifacts
Update site (Struts top level site)
Check out site src code
Code Block svn co https://svn.apache.org/repos/asf/struts/site/ struts-site
- Update xml files
- struts-site/src/site/xdoc/announce.xml (if applicable, refer also to corresponding security bulletin)
- struts-site/src/site/xdoc/downloads.xml (remove previous version)
- struts-site/src/site/xdoc/download.xml (remove previous version)
- struts-site/src/site/xdoc/index.xml
- struts-site/src/site/site.xml
- struts-site/src/site/resources/archetype-catalog.xml
- Commit the changes
- Generate the site
Code Block mvn site:site
- Open
struts-site/target/site/index.html
and verify the urls and versions are right - Deploy site
It takes a few hours for the site changes to go liveCode Block mvn site-deploy
Redeploy the draft docs
Make public available all the pages that could leak confidential information about the vulnerability. Wait or manually export the space in Confluence. Build snapshot locally and copy assembly/target/assembly/out/struts2-#.#.#-SNAPSHOT-docs.zip to people.apache.org and update /www/struts.apache.org/2.x/docs
Permissions
...
- Got to Struts Staging and review the changes
- If everything is ok, push changes to Production via Apache CMS web interface
Update site (Struts 2 site)
Use below script to perform update
Code Block |
---|
#!/bin/sh
# script used to update struts2-subsite after release
VERSION=2.3.15
BRANCH=2.3.x
TAG=STRUTS_2_3_15
svn co https://svn.apache.org/repos/infra/websites/production/struts/content/ struts-site
svn co https://svn.apache.org/repos/asf/struts/struts2/tags/$TAG/ $TAG
wget -erobots=off http://people.apache.org/builds/struts/$VERSION/struts-$VERSION-docs.zip
unzip struts-$VERSION-docs.zip -d docs
rm -r struts-site/release/$BRANCH/docs
rm -r struts-site/release/$BRANCH/struts2-core
rm -r struts-site/release/$BRANCH/struts2-plugins
rm -r struts-site/release/$BRANCH/xwork-core
mv -f docs/struts-$VERSION/docs/* struts-site/release/$BRANCH
cd $TAG
mvn site:site site:stage -DstagingDirectory=../struts-site/release/$BRANCH
cd ../struts-site
svn add --force ./
# Delete removed files
svn st | grep '^!' | awk '{print $2}' | xargs svn delete --force
svn commit -m "Updates Struts2 subsite after release process"
cd ..
rm -r struts-site
rm -r $TAG
rm -r docs
rm struts-$VERSION-docs.zip
|
Post announcements
We leave this as the last step, once the artifacts have had time to sync up on the mirrors.
Announce the release and the vulnerability. Typically this will be sent to the reporter, the project's users list (user@struts.a.o), the project's dev list (dev@struts.a.o), the project's announce list (announcements@struts.a.o), security@apache.org, full-disclosure@lists.grok.org.uk and bugtraq@securityfocus.com.
Samples are available at Sample announcements page.