...
- Create a [DISCUSS] thread on dev@daffodil.apache.org to make a decision as a community if the timing is correct for a release and what open issues should be resolved for a release.
- Upon agreement, someone should volunteer to be the "Release Manager" to take the responsibility to prepare the release candidate.
Signing Keys
Release files must be signed with an OpenPGP compatible key. If you do not already have a key for signing Apache releases, follow the developer instructions in the KEYS file in the Daffodil repository to generate a key and add it to the KEYS file. Follow the contributor workflow and create a review branch and pull request to commit your changes to the KEYS file. Once merged, the KEY file should also be copied to the release/inucbator/daffodil/KEYS
file in the apache-dist repo (see below). Your key fingerprint should also be added to https://id.apache.org.
For more information on creating a signing key, visit How to OpenPGP and Signing Releases.
SBT PGP
The sbt-pgp plugin is required to publish signed releases. Add the following to the file ~/.sbt/1.0/plugins/pgp.sbt
to enable usage of the plugin:
Code Block |
---|
addSbtPlugin("com.jsuereth" % "sbt-pgp" % "1.1.1") |
In most cases, no other configuration should be necessary.
...
Initial Setup
The following steps must only be performed once to setup signing keys and the file distribution SVN repository.
Apache Dist Repository
The Apache dist repository is where files are staged prior to release, and stored once the release has been approved. Follow these steps to create a local checkout of the Daffodil dist directories:
...
Staged files are created in the dev
directory directory and are moved to the release
directory directory once approved by the Apache Incubator Project Management Committee.
Signing Keys
Release files must be signed with an OpenPGP compatible key. If you do not already have a key for signing Apache releases, follow the developer instructions in the KEYS file in the Daffodil repository to generate a key and add it to the KEYS file. Follow the contributor workflow and create a review branch and pull request to commit your changes to the KEYS file. Once merged, perform the following steps:
- Copy the KEY file to
release/inucbator/daffodil/KEYS
in the Apache Dist repo and commit it - Add your key fingerprint to https://id.apache.org. To get your fingerprint, run the following:
Code Block language bash $ gpg --fingerprint KEYID
- Send your key to a keyserver via the command:
Code Block language bash $ gpg --send-keys KEYID
For more information on signing keys, visit How to OpenPGP and Signing Releases.
SBT PGP
The sbt-pgp plugin is required to publish signed releases. Add the following to the file ~/.sbt/1.0/plugins/pgp.sbt
to enable usage of the plugin:
Code Block |
---|
addSbtPlugin("com.jsuereth" % "sbt-pgp" % "1.1.1") |
In most cases, no other configuration should be necessary.
Creating a Release Candidate
Prior to creating the release candidate, the
version
setting inbuild.sbt
should contain the-SNAPSHOT
keyword. Create and merge a pull request to remove this keyword in preparation for a non-snapshot release.From within the root of the Daffodil directory, execute the
scripts/release-candidate.sh
script script, providing the release candidate label (e.g. rc1), the path to the root of apache-dist directory created above, your Apache login credentials (e.g. for https://id.apache.org), and your long format gpg key id (e.g.gpg --list-keys --keyid-format
LONGlong KEYID
), like so:Code Block language bash $ ./scripts/release-candidate.sh
The credentials are used to publish the jars to the Apache staging repo. You will also be asked to enter the password for your private gpg key created above to sign the published jars and the zip/tars . This script will perform the following actions:- Create a zip of the source
- Create a tgz, zip, and rpm of the helper binary
- Calculate sha1, sha256, sha512 checksums of the above files
- Create ASCII armored detached signatures of the above files
- Stages jars/poms to https://repository.apache.org
- Create a signed git tag
- Create a zip of the source
- Once the script completes, you should verify all the files. This includes:
- Verify the checksums and signatures created in the Apache dist directories are correct
- Verify the staged jars/poms at https://repository.apache.org/ are correct. To do so, visit that url, login in the top right using id.apache.org credentials, select "Staging Repositories" on the left, and find the
orgapachedaffodil-XXXX
repository. Inspect the "Content"
tab to make sure the appropriate jars are uploaded and appear valid. - Verify the git tag is correct
If any of the above do not look correct, delete the files in Apache dist, "Drop" the published jars/poms, and delete the git tag. , fix the issue and repeat from step 2. - Verify the checksums and signatures created in the Apache dist directories are correct
- After verifying all is correct, commit the changes:
Commit the files in Apache dist, for example:
Code Block language bash svn add dev/incubator/daffodil/* svn ci -m "Stage Apache Daffodil (incubating) 2.0.0-rc1"
- Close the published Nexus files by visiting https://repository.apache.org, log log in, find the release in "Staging Repositories" and select "Close".
Push the git tag
Code Block language bash git push asf v2.0.0-rc1
...
With the release files published for staging and a website created, you may now start a vote on these files. To do so, send an email to dev@daffodil.apache.org base based on the following example, making sure to update all links and version numbers:
...
You must now create a VOTE thread on general@incubator.apache.org to get approval from the Apache Incubator Project Management Committee for release. This email should be the same as the above, but with the following at the beginning of the email, again making sure to update the links to the vote and result thread.
...
After at least 72 hours, if the VOTE passes with at least 3 binding +1's, create a RESULT thread announcing the passage.
...
In the Apache dist directory, move the release candidate files to the release directory
Code Block language bash svn mv dev/incubator/daffodil/2.0.0-rc1/ release/incubator/daffodil/2.0.0/ svm ci -m "Release Apache Daffodil (incubating) 2.0.0"
In the Daffodil git repository, create a signed git tag based on the release candidate tag
Code Block language bash git tag -as -u KEYID -m "Release v2.0.0" rel/v2.0.0 v2.0.0-rc1 git push asf rel/v2.0.0
- Release the published Nexus files by visiting https://repository.apache.org, log in, find the release in "Staging Repositories" and selecting "Release".
Modify the website release page to have the following parameters:
Code Block released: true artifact-root: "http://www.apache.org/dyn/closer.lua/incubator/daffodil/2.0.0/" checksum-root: "http://www.apache.org/dist/incubator/daffodil/2.0.0/"
Give approximately 24 hours for the release files to sync to mirrors and maven central.
Send an announcement email to announce@apache.org, dev@daffodil.apache.org, and users@daffodil.apache.org, (note: send three separate emails instead of one email with multiple TO/CC's), with the following template:
Code Block language text Subject: [ANNOUNCE] Apache Daffodil (incubating) 2.0.0 The Apache Daffodil (incubating) community is pleased to announce the release of version 2.0.0. Release notes and downloads are available at: https://daffodil.apache.org/releases/2.0.0/ Daffodil is an open source implementation of the DFDL (Data Format Description Language) specification that uses DFDL schemas to parse fixed format data into an infoset, which is most commonly represented as either XML or JSON. This allows the use of well-established XML or JSON technologies and libraries to consume, inspect, and manipulate fixed format data in existing solutions. Daffodil is also capable of the reverse by serializing or "unparsing" an XML or JSON infoset back to the original data format. For more information about Daffodil visit: https://daffodil.apache.org/ Regards, The Apache Daffodil Team
...