One time

Create and install a SSH key

If you get hung up during release:perform because Maven can't verify the authenticity of a host, then there could be one of two
different problems. The first problem, which is an easy fix, is to go to the command line and use SSH to log in to that host. You
should receive a prompt to add the host to your known_hosts file. If you add the host to your known_hosts file from the command line
SSH, then you should be able to try release:perform again and have more success. There is a chance though that this won't fix maven.

Maven doesn't appear to understand hashed known_hosts files. There is some information here - known_hosts file Hashing.
If your known_hosts file is hashed, you can solve this one of a few different ways. If you perform a deploy:deploy instead of
release:perform, then maven will leave a prompt open for you to type 'yes' and have maven add the host (in a way that Jsch, the library
which provides Maven Wagon with the SSH/SCP functionality, understands) to your known_hosts file. Another option is to remove your
known_hosts file, update your SSH configuration so that it does not hash the hostname in known_hosts and try to log in from the command

mkdir ~/.ssh
chmod 700 ~/.ssh
ssh-keygen -q -f ~/.ssh/id_rsa -t rsa
#Enter a passphrase
chmod go-rwx ~/.ssh/*

#copy the public key to
scp ~/.ssh/$USERNAME

# next, setup the public key on server
mkdir ~/.ssh
chmod 700 ~/.ssh
cat ~/ >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
rm ~/

Create a PGP key

svn co struts-maven-build
cd struts-maven-build
(gpg --fingerprint --list-sigs <your name> && gpg --armor --export <your name>) >> KEYS
scp KEYS
svn commit KEYS -m "Add public key"

Update Maven settings for our servers

Create a settings.xml under ~/.m2 and follow below instructions:

<settings xmlns=""
    <!-- To publish a snapshot of some part of Maven -->
      <username> <!-- YOUR APACHE LDAP USERNAME --> </username>
      <password> <!-- YOUR APACHE LDAP PASSWORD --> </password>
    <!-- To publish a website of some part of Maven -->
      <username> <!-- YOUR APACHE LDAP USERNAME --> </username>
    <!-- To stage a release of some part of Maven -->
      <username> <!-- YOUR APACHE LDAP USERNAME --> </username>
      <password> <!-- YOUR APACHE LDAP PASSWORD --> </password>
    <!-- To stage a website of some part of Maven -->
      <id>stagingSite</id> <!-- must match hard-coded repository identifier in site:stage-deploy -->
      <username> <!-- YOUR APACHE LDAP USERNAME --> </username>
        <gpg.passphrase> <!-- YOUR KEY PASSPHRASE --> </gpg.passphrase>

Increase Memory Settings for Maven

To complete a full build and all the tests, it may be neccesary to increase the amount of memory available to Maven. The simplest thing is to set an environment variable.

  • MAVEN_OPTS=-Xmx512m or even MAVEN_OPTS=-Xmx1024m



If a tagged build needs to be retagged, be sure to delete the old tag first.

svn delete -m "WW-### Removing first try at 2.#.#."

Amending a log entry

If the commit was fine, but the log was wrong, updating the log entry is easy. For example,

> svn propset --revprop -r 504523 svn:log "WW-1715 Branch for 2.0.x at Struts 2.0.6-SNAPSHOT r504196"
> property 'svn:log' set on repository revision 504523

See svn help propset for more.

Sample Struts Annotations Release/Quality Vote

Subject: [VOTE] Struts Annotations 1.0.x Vote
The Struts Annotations 1.0.x test build is now available as a Maven
artifact. It is a dependency of Struts 2.x.y.

If you have had a chance to review the test build, please respond with
a vote on its quality:

[ ] Leave at test build
[ ] Alpha
[ ] Beta
[ ] General Availability (GA)

Everyone who has tested the build is invited to vote. Votes by PMC
members are considered binding. A vote passes if there are at least
three binding +1s and more +1s than -1s.

The vote will remain open for at least 72 hours, longer upon request.

Sample Test Build Announcement

(tick) Test builds are only announced to the dev list. Announcements to the user list can only be made pursuant to a release vote with the consent of the PMC.

The test build of Struts 2.0.3 is available.

No determination as to the quality ('alpha,' 'beta,' or 'GA') of Struts 2.0.3 has been made, and at this time it is simply a "test build".  We welcome any comments you may have, and will take all feedback into account if a quality vote is called for this build.

Release notes:
* [LINK]

* []

Maven 2 staging repository:
* []

We appreciate the time and effort everyone has put toward contributing code and documentation, posting to the mailing lists, and logging issues.

Sample Release/Quality Vote

Subject: [VOTE] Struts #.#.# Vote
The Struts #.#.# test build is now available.

Release notes:
* []

* []

Maven 2 staging repository:
* []

Once you have had a chance to review the test build, please respond with a vote on its quality:

[ ] Leave at test build
[ ] Alpha
[ ] Beta
[ ] General Availability (GA)

Everyone who has tested the build is invited to vote. Votes by PMC members are considered binding. A vote passes if there are at least three binding +1s and more +1s than -1s.

The vote will remain open for at least 72 hours, longer upon request. A vote can be amended at any time to upgrade or downgrade the quality of the release based on future experience. If an initial vote designates the build as "Beta", the release will be submitted for mirroring and announced to the user list. Once released as a public beta, subsequent quality votes on a build may be held on the user list.

As always, the act of voting carries certain obligations. A binding vote not only states an opinion, but means that the voter is agreeing to help do the work

Sample Release Announcement

The Apache Struts group is pleased to announce that Struts 2.0.6 is available as a "#####" release. \[\[The Beta designation indicates that we believe the distribution needs wider testing before being upgraded to a "General Availability" release. Your input is essential.\] The GA designation is our highest quality grade. \]


The release is also available from the central Maven repository under Group ID "org.apache.struts".

The #.#.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
* Java Servlet #.# and JavaServer Pages (JSP) #.#
* Java 2 Standard Platform Edition (J2SE) #.#

The release notes are available online at:
* []

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a ticket with JIRA.

- The Apache Struts group.

Fast-Tracking an Important Security Release

  • When a serious security issue arises, we should try to create a #.#.#.X branch from the last GA release, and apply to that branch only
    the security patch.
  • If the patch first applies to some other dependency, implore the other group to do the same, to avoid side-effects from other changes.
  • If the release manager would like to "fast track" a vote, so as to make a security fix available quickly, the preferred procedure is to
    • Include the term "fast-track" in the subject, as in [VOTE] Struts quality (fast track)

    • In the vote message, specify voting terms like:
The Struts #.#.#.# test build is now available.

Release notes:
* []

* []

Maven 2 staging repository:
* []

Once you have had a chance to review the test build, please respond with a vote on its quality:

[ ] Leave at test build
[ ] Alpha
[ ] Beta
[ ] General Availability (GA)

Everyone who has tested the build is invited to vote. Votes by PMC members are considered binding. A vote passes if there are at least three binding +1s and more +1s than -1s.

This is a "fast-track" release vote. If we have a positive vote after 24 hours (at least three binding +1s and more +1s than -1s),  the release may be submitted for mirroring and announced to the usual channels.

The website download link will include the mirroring timestamp parameter [1], which limits the selection of mirrors to those that have been refreshed since the indicated time and date. (After 24 hours, we \*must\* remove the timestamp parameter from the website link, to avoid unnecessary server load.) In the case of a fast-track release, the email announcement will not link directly to <download.cgi>, but to <downloads.html>, so that we can control use of the timestamp parameter.

[1] <[|]>

Please be sure to update Security Bulletins accordingly as described above.

