In general, Source Release is the key and the required content of Apache. But Binary Release is optional, Dubbo can choose whether to release binary packages to the Apache repository or to the Maven central repository.
Please refer to the following links for more information on ASF’s release guide:
Mainly including the related preparation of signature utilities and Maven repository certification
Install GPG,refer to https://www.gnupg.org/download/index.html
Generate the key with GPG
~/.gnupg/gpg.conf
Save the fingerprint, as above 1376 A2FF 67E4 C477 5739 09BD 7DB6 8550 D366 E4C0
,
to the field OpenPGP Public Key Primary Fingerprint
in you profile page at https://id.apache.org.
Set up Apache central repository.
Add the following contents to .m2/settings.xml
Enter the passwords after encrypting by maven-encryption-plugin
Pull the new branch from the master branch as the release branch. If you want to release the ${release_version} version now, pull the new branch ${release_version}-release from 2.6.x. Then the modifications and taggings related to ${release_version} Release Candidates are applied to ${release_version}-release branch, and is merged into the master branch after the final release.
First of all, verify that the maven component packing, source packing, signature, etc are working properly on the ${release_version}-release branch.
This push the snapshot package to the maven central repository.
Release with maven-release-plugin (Deprecated
,Skip this step and refer to next step)
If you are promted to input password for pushing to GitHub (basically including adding new commits and tags), do not input your login password of GitHub. Use
Personal access tokens
instead. You can go to https://github.com/settings/profile, clickDeveloper settings
->Personal access tokens
, and generate a new token if not. Please refer to this guide for more infomation. you need to choose the release artifactId, next artifactId and the release tag, the default tag is dubbo-parent-xxxx, you need to change it to dubbo-xxxx
After executing the above commands, you will find that:
-DpushChanges=false
tells maven not to push the commits and tags to the remote repostiroy. If not specified, the version tag will be pushed to github repository, you will see a commit called [maven-release-plugin] prepare release dubbo-x.x.x
added.-DpushChanges=true
is specified, the modifications will be pushed to the remote repository, you will see a commit called [maven-release-plugin] prepare for next development iteration
added.If -DpushChanges=false
is specified, you will have to manually push the commit to remote repository before go to next step.
Maven will download the source code from the tag you just pushed, compile it, and deploy to remote maven repsoitry in staging state.
mvn deploy
to deployRequirement:maven 3.5+
modify pom version from 2.7.x-SNAPSHOT to 2.7.x . You can search the full-text in the dubbo project.
After this, maven will deploy jar to remote maven repsoitry in staging state.
When you deploy the package into repository, it will be interrupted for network. So you must restart to desploy.
The problem is that missing package occurred many times at deploying. So you should check the quantity of package, especially parent package.
Prepare the svn local environment (Apache hosting the release content of project by svn)
Checkout dubbo to local directory
Assume that the local directory is ~/apache/dubbo
The current release version is ${release_version}, new directory
Add public key to KEYS file if you are the first time to be a release manager. KEYS is mainly used to allow people who participate in the voting to be imported locally to verify the correctness of the sign.
For more information on how to get your key id, please refer to this guide
Copy the source.zip package from the Dubbo root directory to the svn local repository dubbo/${release_version}
Generate sha512 sign
For source-release.zip
For bin-release.zip
Please add -b
paramter when generating sha512 for bin-release.zip, which indicates it is a binary file.
You should generate something like this:
Note there is a *
sign before the file name.
If the binary release is accompanied with the source release. Run the following command in the dubbo-distribution module:
Go to target directory, copy bin-release.zip and bin-release.zip.asc to svn local repository dubbo/${release_version}, and refer to step 6 to generate sha512 sign.
Commit to Apache svn
Close the maven staging repository
This step is required when prepare for a 2.7.0+ release, where package name has been changed to org.apache. Before that, please make sure all the maven artifacts look good. Login to http://repository.apache.org, click the Staging repositories
on the left bar, search with keyword Dubbo, and you will see a list of repositories. Find the one you just uploaded, and then click the close button in the top area. This will do some sannity check, such as gpg signature check, and checksum check. After that, a link will be shown in the summary tab in the bottom. Please copy that link, it will be used for release vote. The link should look like this: https://repository.apache.org/content/repositories/orgapachedubbo-1015
.
Please be aware that it may fail when you close the repository, this is normally due to network issues, please try again if it failed. You can confirm it by clicking the
Activiey
tab next toSummary
.
A full check list can be found here
The verification link includes but is not limited to the following contents and forms:
If it’s your first time verify a release candidte, you should import public keys first.
Now, you can verify signature with command
Unzip apache-dubbo-${release_version}-source-release.zip to the default directory and check the following:
diff -r rc_dir tag_dir
According to ASF policy, any Category X dependency can not be included in ASF product, this includes common LGPL/GPL licensed dependencies. Even transitive dependencies are not allowed. Therefore we need to run the following command to ensure no such dependencies are included.
If one dependency is dual/multiple licensed, just choose the most permissive one.
You can refer to this article : ASF 3RD PARTY LICENSE POLICY
Unzip apache-dubbo-${release_version}-bin-release.zip and check:
Note that if the binary distribution contains third party files, you may need to update LICENSE file by adding the 3rd party license files. If these dependency is Apache License 2.0, and it contains NOTICE file, you may also need to update NOTICE file as well.
The voting just only one round:
Dubbo community votes and sends the voting email to dev@dubbo.apache.org. After reviewing by community developers and winning 3 binding tickets that agree to release, you can go to the next stage of voting.
The mail template for Apache Dubbo vote:
The mail template to announce the vote result:
When the release vote has passed,
https://archive.apache.org/dist/dubbo/$VERSION/apache-dubbo-$VERSION-bin-release.zip
. Please refer to the download page for more details.git push origin --delete 2.7.0-release
repository.apache.org The permissions of the nexus repository have been applied, see jira。
To release the maven artifacts, go to repository.apache.org, and choose the staging repository, click the release button. Wait for a moment and verify it at here, make sure your artifacts are there and correct. It will take some time to sync to maven central repository. You can verify it at here
If you’ve encountered this error, try the following commands: