# Apache Software Release Procedure

> author: wongoo@apache.org
> last updated: 2020-03-06

Apache open-source software is community driven, and a release procedure has been defined to improve the quality of released software. This document describes that procedure as a reference for Apache contributors preparing their first release.

If you are about to package an Apache release, you are presumably already a committer on the project, familiar with concepts such as the community and the PMC, and you are acting as the release manager for this release.

The release procedure is simple and consists of the following steps:
1. Collect the changes, build the package, and sign the packaged files;
2. Upload the signed files to the Apache SVN repository;
3. Send an email asking the community PMC members to vote;
4. After the vote passes, send an email announcing the vote result;
5. Publish the release;
6. Send an email announcing the new version to the community.

The sections below go through each step in detail, using the release of dubbo-go-hessian2, a Dubbo subproject, as the example.


## 1. Release preparation

Release files must be signed, so a PGP tool needs to be installed.

```bash
$ brew install gpg
$ gpg --version
$ gpg --full-gen-key
(1) RSA and RSA (default)                  <-- key type: RSA
What keysize do you want? (2048) 4096      <-- key size 4096
0 = key does not expire                    <-- never expires
Real name: Liu Yang
Email address: wongoo@apache.org
Comment: CODE SIGNING KEY

gpg: /Users/gelnyang/.gnupg/trustdb.gpg: trustdb created
gpg: key 7DB68550D366E4C0 marked as ultimately trusted
gpg: revocation certificate stored as '/Users/gelnyang/.gnupg/openpgp-revocs.d/1376A2FF67E4C477573909BD7DB68550D366E4C0.rev'
public and secret key created and signed.

pub   rsa4096 2019-10-17 [SC]
      1376A2FF67E4C477573909BD7DB68550D366E4C0
uid                      Liu Yang (CODE SIGNING KEY) <wongoo@apache.org>
sub   rsa4096 2019-10-17 [E]

$ gpg --list-keys
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
/Users/gelnyang/.gnupg/pubring.kbx
----------------------------------
pub   rsa4096 2019-10-17 [SC]
      1376A2FF67E4C477573909BD7DB68550D366E4C0
uid           [ultimate] Liu Yang (CODE SIGNING KEY) <wongoo@apache.org>
sub   rsa4096 2019-10-17 [E]


# A keyserver is a server on the network dedicated to storing users' public keys
# Send the public key to the keyserver by key id
$ gpg --keyserver pgpkeys.mit.edu --send-key 1376A2FF67E4C477573909BD7DB68550D366E4C0
gpg: sending key 7DB68550D366E4C0 to hkp://pgpkeys.mit.edu
# pgpkeys.mit.edu is an arbitrarily chosen keyserver; the keyserver list is at https://sks-keyservers.net/status/.
# The keyservers synchronize with each other automatically, so any one of them will do.

# If you have several public keys, set the default key by editing ~/.gnupg/gpg.conf
$ vi ~/.gnupg/gpg.conf
default-key 7DB68550D366E4C0

# If you have several public keys, you can also delete the ones you no longer need:
### Delete the secret key first, then the public key
$ gpg --yes --delete-secret-keys shenglicao2@gmail.com   ### old secret key; giving the email address is enough
$ gpg --delete-keys 1808C6444C781C0AEA0AAD4C4D6A8007D20DB8A4

## Keyservers perform no verification: anyone can upload a public key in your name,
## so the authenticity of a public key found on a keyserver cannot be guaranteed.
## Typically you publish the key fingerprint on a website so that others can check
## whether the public key they downloaded is genuine.
# The --fingerprint option prints the key fingerprint:
$ gpg --fingerprint wongoo

pub   rsa4096 2019-10-17 [SC]
      1376 A2FF 67E4 C477 5739  09BD 7DB6 8550 D366 E4C0
uid           [ultimate] Liu Yang (CODE SIGNING KEY) <wongoo@apache.org>
sub   rsa4096 2019-10-17 [E]
# Paste the fingerprint above (i.e. 1376 A2FF 67E4 C477 5739 09BD 7DB6 8550 D366 E4C0) into your own profile:
# https://id.apache.org  OpenPGP Public Key Primary Fingerprint:
```

> References:
> - Release signing: http://www.apache.org/dev/release-signing.html
> - Release distribution policy: http://www.apache.org/dev/release-distribution
> - Uploading a key to a public keyserver: https://www.apache.org/dev/openpgp.html#generate-key

## 2. Packaging and signing

Before packaging (especially for a first release), check the following:
- Whether the LICENSE header of every file is correct, including `*.java`, `*.go`, `*.xml`, `Makefile`, etc.
- Whether the LICENSE file exists
- Whether the NOTICE file exists
- Whether CHANGE.md exists (with the change log in the required format)

For all of the above, the configuration of other already-released projects can serve as a reference.


```

# NOTE: a branch is created here; do not give the branch a name similar to the version number (used for the tag), otherwise they will conflict
$ git checkout -b 1.4

$ git tag -a v1.4.0-rc1 -m "v1.4.0 release candidate 1"

$ git push --tags

# Package
$ git archive --format=tar 1.4 --prefix=dubbo-go-hessian2-v1.4.0/ | gzip > dubbo-go-hessian2-v1.4.0-src.tar.gz

# Sign
$ gpg -u wongoo@apache.org --armor --output dubbo-go-hessian2-v1.4.0-src.tar.gz.asc --detach-sign dubbo-go-hessian2-v1.4.0-src.tar.gz

# Verify the signature
$ gpg --verify dubbo-go-hessian2-v1.4.0-src.tar.gz.asc dubbo-go-hessian2-v1.4.0-src.tar.gz

# Hash
$ shasum -a 512 dubbo-go-hessian2-v1.4.0-src.tar.gz > dubbo-go-hessian2-v1.4.0-src.tar.gz.sha512

# Verify the hash
$ shasum --check dubbo-go-hessian2-v1.4.0-src.tar.gz.sha512

```

> Release publishing: http://www.apache.org/dev/release-publishing.html

## 3. Upload the packaged files to the SVN repository

```
$ svn checkout https://dist.apache.org/repos/dist/dev/dubbo

$ cd dubbo

# Update
$ svn update

# Append the signatures and public key to the KEYS file and commit it to the SVN repository
# Here the KEYS file is kept in the root directory; some projects keep it in the directory of the current release package
$ (gpg --list-sigs wongoo && gpg --armor --export wongoo) >> KEYS

$ mkdir -p dubbo-go-hessian2/v1.4.0-rc1

# Copy the relevant files into the new directory

$ tree dubbo-go-hessian2
dubbo-go-hessian2
└── v1.4.0-rc1
    ├── dubbo-go-hessian2-v1.4.0-src.tar.gz
    ├── dubbo-go-hessian2-v1.4.0-src.tar.gz.asc
    └── dubbo-go-hessian2-v1.4.0-src.tar.gz.sha512

$ svn add dubbo-go-hessian2
$ svn add dubbo-go-hessian2/*
$ svn status
$ svn commit --username wongoo -m "Release dubbo-go-hessian2 v1.4.0-rc1"
```

> Reference: SVN version control https://www.apache.org/dev/version-control.html


## 4. Send the [VOTE] email

Every such email follows a set format. Once you have joined the community mailing list you will receive many of them, and reading a few makes the format clear. For concrete examples, see the email templates at the end of this document.

After sending the [VOTE] email, ask the PMC members in the private discussion group to vote.
When voting, PMC members check the packaged files you uploaded.
For the complete checklist applied to releases of incubating projects, see: https://cwiki.apache.org/confluence/display/INCUBATOR2/IncubatorReleaseChecklist

Once 3 binding votes have been received and more than 72 hours have passed, you can send the vote result [RESULT] [VOTE] email.

> In principle only votes from PMC members count as binding, although the community may decide otherwise.

The most common problems at this step are:
- Problems with the file signatures
- LICENSE problems in referenced projects
- Unit tests failing

> Also note: an Apache project may contain many subprojects, and the project's PMC members may know only the main project well. They may not know how to get a subproject running or how to run its unit tests, so it is best to include a link in the email that explains how to run the unit tests. For example, the PMC may know Java best while the subproject is written in golang, python, js, etc.; you need to tell them how to test your project.

See the voting rules: https://www.apache.org/foundation/voting.html

## 5. Publish the release

Once the formal release vote has passed, first send the [RESULT] email, then prepare the release package.
Copy the source package, signature file and hash file from the corresponding rc folder previously published under dev into another directory, v1.4.0.
Make sure the file names do not contain rcxx (renaming is fine, but do not recompute the signature; the hash can be recomputed, and the result will not change).

Move the release package to the release directory. This step is required if users need to download your software from Apache. If not, for example for golang projects that reference the GitHub package address, it can be skipped.
```
svn up
cd dubbo-go-hessian2
svn move v1.4.0-rc1 v1.4.0
svn status
svn commit --username wongoo -m "Release dubbo-go-hessian2 v1.4.0"
```

After the move to the release directory, the corresponding formal release still has to be published. The specifics are collected in a separate section, `7. Publishing for different languages`, because the release procedure is almost finished ^v^


## 6. New version ANNOUNCE email

Congratulations, you have reached the last step of the release. For the email format, see the email templates below.


## 7. Publishing for different languages

### 7.1 golang

A release is published on GitHub based on the branch that was voted on.

### 7.2 java

Java project releases must be published to the Java Maven repository.

TODO

### 7.3 js

JS project releases must be published to the npm repository.

TODO

### 7.4 python

TODO

## 8. Email templates

### 8.1. Calling a release vote

- TO: dev@dubbo.apache.org
- Title: [VOTE] Release Apache dubbo-go-hessian2 v1.4.0 RC1

```
Hello Dubbo/Dubbogo Community,

This is a call for vote to release Apache dubbo-go-hessian2 version v1.4.0 RC1.

The release candidates: https://dist.apache.org/repos/dist/dev/dubbo/dubbo-go-hessian2/v1.4.0-rc1/
Git tag for the release: https://github.com/apache/dubbo-go-hessian2/tree/1.4
Hash for the release tag: 4c31e88c35afe84c0321d9f12f036e6d3c8962d0
Release Notes: https://github.com/apache/dubbo-go-hessian2/blob/1.4/CHANGE.md
The artifacts have been signed with Key :7DB68550D366E4C0, which can be found in the keys file:
https://dist.apache.org/repos/dist/dev/dubbo/KEYS

The vote will be open for at least 72 hours or until necessary number of votes are reached.

Please vote accordingly:
[ ] +1 approve
[ ] +0 no opinion
[ ] -1 disapprove with the reason

Thanks,
The Apache Dubbo-go Team
```


### 8.2. PMC vote replies


Example 1:
```
+1 approve                         <-- first state whether you approve

I have checked:                    <-- then say which items you checked

1.source code can build            <-- does it build
2.tests can pass in my local       <-- do the unit tests pass
3. NOTICE LICENSE file exist       <-- do the license files exist
4.git tag is correct               <-- is the git tag correct

there is one minor thing that in change logs file, there is no space
between text And link. I suggest add one to make it looks better.   <--- other suggestions for improvement
```

Example 2:
```
+1

I checked the following items:

[v] Are release files in correct location?                    <-- are the release files in the correct directory
[v] Do release files have the word incubating in their name?
[v] Are the digital signature and hashes correct?             <-- are the signature and hash correct
[v] Do LICENSE and NOTICE files exists?
[v] Is the LICENSE and NOTICE text correct?                   <-- is the license text correct
[v] Is the NOTICE year correct?                               <-- is the NOTICE year correct
[v] Un-included software dependencies are not mentioned in LICENSE or NOTICE?   <-- no software dependencies are included that LICENSE or NOTICE do not mention
[v] License information is not mentioned in NOTICE?           <-- license information is not mentioned in NOTICE
[x] Is there any 3rd party code contained inside the release? If so:   <-- is any third-party code included
    [ ] Does the software have a compatible license?
    [ ] Are all software licenses mentioned in LICENSE?
    [ ] Is the full text of the licenses (or pointers to it) in LICENSE?
Is any of this code Apache licensed? Do they have NOTICE files? If so:
    [ ] Have relevant parts of those NOTICE files been added to this NOTICE file?
[v] Do all source files have ASF headers?                     <-- do all source files have ASF headers
[v] Do the contents of the release match with what's tagged in version control?   <-- do the released files match the version tagged on GitHub
[x] Are there any unexpected binary files in the release?     <-- are there binary files that should not be present
[v] Can you compile from source? Are the instruction clear?   <-- does it compile? are the instructions clear?

On my mac laptop, I could compile successfully but there's one failed unit
test against net.go. I believe this issue [1] can be fixed with [2] in the
next release.                                                 <-- build issues and suggestions

Is the issue minor?                                           <-- are the build issues all minor?
[v] Yes [ ] No [ ] Unsure

Could it possibly be fixed in the next release?               <-- can it be fixed in the next release?
[v] Yes [ ] No [ ] Unsure

I vote with:                                                  <-- my vote
[v] +1 release the software
[ ] +0 not sure if it should be released
[ ] -1 don’t release the software because...

Regards,
-Ian.

1. https://github.com/apache/dubbo-go/issues/207
2. https://github.com/apache/dubbo-go/pull/209
```

Example 3:
```
+1

I checked the following items:

[√] Do LICENSE and NOTICE files exists?
[√] Is the LICENSE and NOTICE text correct?
[√] Is the NOTICE year correct?
[√] Do all source files have ASF headers?
[√] Do the contents of the release match with what's tagged in version control?
[√] Can you compile from source?
I could compile successfully but there's failed units test. I run the unit
test refer to :https://github.com/apache/dubbo-go#running-unit-tests .
But I think it is not matter, the test can be fixed in next release.


I vote with:
[√] +1 release the software
```

Example 4:
```
Great improvement over the previous release but there are still issues from the last vote that have not been resolved. e.g. [6][7][8]

Can someone tell me if these files [1][2][3][4][5] are just missing ASF headers or have a different license?

If they are just missing headers and [6][7][8] explained then it +1 from me, otherwise it’s probably a -1.

Can people please carefully check the contents, and write down what you checked, rather than just saying +1.

I checked:
- signatures and hashes good
- LICENSE is missing the appendix (not a major issue)
- LICENSE may be is missing some information[1][2][3][4][5]
- NOTICE is fine
- No binaries in source release
- Some files are missing ASF headers or other license headers [1][2][3][4][5] - please fix

Thanks,
Justin

1. dubbo-go-1.1.0/cluster/loadbalance/round_robin_test.go
2. dubbo-go-1.1.0/common/extension/router_factory.go
3. dubbo-go-1.1.0/config_center/configuration_parser.go
4. dubbo-go-1.1.0/config_center/configuration_parser_test.go
5. dubbo-go-1.1.0/registry/zookeeper/listener_test.go
6. dubbo-go-1.1.0/cluster/loadbalance/least_active.go
7. dubbo-go-1.1.0/protocol/RpcStatus.go
8. dubbo-go-1.1.0/filter/impl/active_filter.go
```


### 8.3. Sending the [RESULT] [VOTE] vote result email

- TO: dev@dubbo.apache.org
- Title: [RESULT] [VOTE]: Release Apache dubbo-go-hessian2 v1.4.0 RC1


```
Hello Dubbo/Dubbogo Community,

The release dubbo-go-hessian2 v1.4.0 RC1 vote finished, We’ve received 3 +1 (binding) votes.

+1 binding, Stocks Alex
+1 binding, Ian Luo
+1 binding, Jun Liu

The vote and result thread:
https://lists.apache.org/thread.html/r8070f3b00984888069dd4ddad1bbc424cde51ea68b6ff0520e609e18%40%3Cdev.dubbo.apache.org%3E


The vote passed. Thanks all.
I will proceed with the formal release later.


Best regards,

The Apache Dubbogo Team
```


### 8.4. Sending the Announce release email

- TO: dev@dubbo.apache.org
- [ANNOUNCE] Apache Dubbo version 2.7.4 Released

```
Hello Community,

The Apache Dubbo team is pleased to announce that the 2.7.4 has been
released.

Apache Dubbo™ is a high-performance, java based, open source
RPC framework. Dubbo offers three key functionalities, which include
interface based remote call, fault tolerance & load balancing, and
automatic service registration & discovery.

Both the source release[1] and the maven binary release[2] are available
now, you can also find the detailed release notes in here[3].


If you have any usage questions, or have problems when upgrading or find
any problems about enhancements included in this release, please don’t
hesitate to let us know by sending feedback to this mailing list or filing
an issue on GitHub[4].



[1] http://dubbo.apache.org/en-us/blog/download.html
[2] http://central.maven.org/maven2/org/apache/dubbo
[3] https://github.com/apache/dubbo/releases
[4] https://github.com/apache/dubbo/issues
```

## 9. References

- Dubbo release procedure: http://dubbo.apache.org/zh-cn/docs/developers/committer-guide/release-guide_dev.html
- Doris release procedure: https://github.com/apache/incubator-doris/blob/master/docs/documentation/cn/community/release-process.md
- Spark release procedure: http://spark0apache0org.icopy.site/release-process.html
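
The signature and hash checks from sections 2 and 8.2 ("Are the digital signature and hashes correct?"), written as a script a voter could run on a release candidate. This is an added example, not part of the original procedure or of the Dubbo project: the function names and the sample status text are constructed here, and it goes one step further than `gpg --verify` by requiring that the signature was made by the key whose fingerprint the release manager published.

```shell
#!/bin/sh
# Added example, not from the original page: voter-side release candidate checks.

# Constructed sample of `gpg --status-fd 1 --verify` output (for illustration).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7DB68550D366E4C0 Liu Yang (CODE SIGNING KEY) <wongoo@apache.org>
[GNUPG:] VALIDSIG 1376A2FF67E4C477573909BD7DB68550D366E4C0 2020-03-06 1583452800 0 4 0 1 10 00 1376A2FF67E4C477573909BD7DB68550D366E4C0'

# Strip spaces and upper-case, so the spaced form printed by `gpg --fingerprint` compares equal.
normalize_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'; }

# Read gpg status lines on stdin; print the primary-key fingerprint only when
# gpg reported GOODSIG (key not expired or revoked) and VALIDSIG (field 12).
signer_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "GOODSIG"  { good = 1 }
         $1 == "[GNUPG:]" && $2 == "VALIDSIG" && NF >= 12 { fpr = $12 }
         END { if (good && fpr != "") { print fpr } else { exit 1 } }'
}

# check_signer EXPECTED_FPR   (gpg status output on stdin)
check_signer() (
    expected=$(normalize_fpr "$1")
    actual=$(signer_fpr) || { echo "no good signature" >&2; exit 1; }
    [ "$actual" = "$expected" ] || { echo "signed by $actual, expected $expected" >&2; exit 1; }
)

# check_sha512 FILE.sha512   (same check as `shasum --check`, run in the file's directory)
check_sha512() (
    cd "$(dirname "$1")" || exit 1
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum -c "$(basename "$1")" >/dev/null 2>&1
    else
        shasum -a 512 --check "$(basename "$1")" >/dev/null 2>&1
    fi
)

# verify_release KEYS_FILE ARTIFACT EXPECTED_FPR
# KEYS is imported into a throwaway keyring, so the caller's own keyring and trust settings play no part.
verify_release() (
    GNUPGHOME=$(mktemp -d) || exit 1
    export GNUPGHOME
    trap 'rm -rf "$GNUPGHOME"' EXIT
    gpg --quiet --batch --import "$1" || exit 1
    gpg --batch --status-fd 1 --verify "$2.asc" "$2" 2>/dev/null | check_signer "$3" || exit 1
    check_sha512 "$2.sha512"
)

# Usage: sh verify.sh KEYS dubbo-go-hessian2-v1.4.0-src.tar.gz "1376 A2FF 67E4 C477 5739 09BD 7DB6 8550 D366 E4C0"
if [ "$#" -eq 3 ]; then verify_release "$@"; fi
```

The expected fingerprint should come from a channel other than the KEYS file being checked, such as the release manager's id.apache.org profile mentioned in section 1.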