A. Infrastructure Setup (one time)
A.1 Get Familiar with Maven
Reading the Maven documentation is a good start - Releasing A Maven Project.
A.2 Signature Keys
You need to sign the released artifact using your PGP key which implies
- you generated one
- it is uploaded to a key server
- it is signed on a key signing party
it is found in the KEY file (see http://svn.apache.org/repos/asf/incubator/log4php/meta)
B. Create the tag
- Before starting this process shout a Code Freeze message at the developers list
make a clean checkout of the trunks sourcecode: svn checkout https://svn.apache.org/repos/asf/incubator/log4php/trunk log4php-release-trunk
run: mvn -Dusername=<your user> release:prepare -DdryRun to test the preparation
- If something went wrong, you can clean up with: mvn release:clean
run: mvn -Dusername=<your user> -Dpassword=<your password> release:prepare to prepare the release. This should create a tag in SVN
- Note: if the build fails with the message revision xyz not found, just rerun the prepare goal.
- End code freeze with a short message to the developers list
Note: it's not good to provide a password directly but at the moment I didn't found another way. Any comments to improve this, please let us know on the mailinglist.
C. Create the binaries
make a clean checkout of the tags sourcecode: svn checkout https://svn.apache.org/repos/asf/incubator/log4php/tags/apache-log4php-2.0.0 log4php-release-tag
- Create the site: mvn site
- Create the assemblies (assembly is dependent to site): mvn assembly:assembly
- cd target
- ls should show at least:
D. Create checksums
You need to sign your binaries. On a Mac, you can do this with:
md5 -r Apache_log4php-2.0.0-incubating-pear.tgz > Apache_log4php-2.0.0-incubating-pear.tgz.md5
md5 -r apache-log4php-2.0.0-incubating-src.tar.gz > apache-log4php-2.0.0-incubating-src.tar.gz.md5
md5 -r apache-log4php-2.0.0-incubating-src.zip > apache-log4php-2.0.0-incubating-src.zip.md5
On Linux you can use md5sum:
md5sum -b Apache_log4php-2.0.0-incubating-pear.tgz > Apache_log4php-2.0.0-incubating-pear.tgz.md5
md5sum -b apache-log4php-2.0.0-incubating-src.tar.gz > apache-log4php-2.0.0-incubating-src.tar.gz.md5
md5sum -b apache-log4php-2.0.0-incubating-src.zip > apache-log4php-2.0.0-incubating-src.zip.md5
E. Sign your binaries
Sign your binaries. You can do this with gpg, which is available for both systems, mac and linux. The key for signing needs to be placed in: https://svn.apache.org/repos/asf/incubator/log4php/meta/KEYS
- gpg --armor --output apache-log4php-2.0.0-incubating-src.tar.gz.asc --detach-sig apache-log4php-2.0.0-incubating-src.tar.gz
- gpg --armor --output apache-log4php-2.0.0-incubating-src.zip.asc --detach-sig apache-log4php-2.0.0-incubating-src.zip
- gpg --armor --output Apache_log4php-2.0.0-incubating-pear.tgz.asc --detach-sig Apache_log4php-2.0.0-incubating-pear.tgz
F. Upload to staging server
Upload the following to the appropriate directories on people.apache.org. Make sure, the folder has the correct release candidate number. If a vote fails and the package needs to be recreated, the RC number increases
- all the release distributions
- the detached signature files (.asc) for these releases
- the md5 sums (.md5) for these releases
The files should be accessible like:
Please follow these steps:
- Tar all necessary artifacts: tar cf release.tar Apache_log4php-2.0.0-incubating-pear.tgz* apache-log4php-2.0.0*
- Gunzip the release.tar: gzip release.tar
Copy the release to the log4php folder: scp release.tar.gz <you>@people.apache.org:/builds/logging/log4php
- Login to the people server
Change to <you>@minotaur:/builds/logging/log4php
- mkdir 2.0.0
- mkdir 2.0.0/RC1
- mv release.tar.gz 2.0.0/RC1/
- cd 2.0.0/RC1
- gunzip release.tar.gz
- tar -xf release.tar
- rm release.tar
- Vote on the packages on the staging server at the develops list
- If vote passes, vote on the packages on the staging server at the incubator list
- after successful voting, archive older releases, if any.
- copy the staged artifacts to the download server. The key file must be available there too.
Locations (according to: http://incubator.apache.org/guides/releasemanagement.html )
Send announcement to user, dev and incubator list and to the blog. Party on!
Use another user to verify the signatures. (The user must have your code-signing public key loaded into their key ring.) Here's an example using GnuPG:
% gpg --verify log4php-2.0.0-incubating.tar.gz.asc log4php-2.0.0-incubating.tar.gz gpg: Signature made 03/01/03 19:34:31 GMT using DSA key ID B1313DE2 gpg: Good signature from "Robert Burrell Donkin (CODE SIGNING KEY) <firstname.lastname@example.org>"
Verify md5 check sums. If you can, use another application to double check the sums. Here verifications are performed using openssl.
% openssl md5 < log4php-2.0.0-incubating.tar.gz a76169177e7a9b58118bcd993aff4a5e % cat log4php-2.0.0-incubating.tar.gz.md5 a76169177e7a9b58118bcd993aff4a5e
Checklist for binaries
- the release archive MUST contain an Incubation disclaimer (as described in the previous section), clearly visible in the main documentation or README file.