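Hands-on experience | Version management and release process for Apache Foundation top-level projects
Preface
A while ago, after several months of iteration and architecture upgrades, Apache SeaTunnel finally shipped its first official release, 2.3.0. I had the privilege of being the Release Manager for it and went through the Apache release process from zero to one. I have to say that the Apache Foundation has thorough rules and a rigorous process for project version management. The whole release cycle is long, and I hit quite a few pitfalls along the way. As the saying goes, the palest ink is better than the best memory, so I wrote this article to record the entire process (using Apache SeaTunnel as the example), in the hope that it helps newcomers get started quickly with version management and releases for Apache projects.
Tips: The Release Manager needs an Apache LDAP account, which means you must first become a Committer on the project to be eligible.
Environment preparation
GIT
Used to clone the project source code to your local machine
GPG
Used to generate digital signatures, leaving a trace for each of your operations
SHASUM
Used to generate checksums for files
SVN
Used to check out the Apache release SVN repositories
MAVEN
Used to build the project
Preparing materials
Configure the GPG key
Create a new key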
gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: 已创建目录'/home/hadoop/.gnupg'
gpg: 新的配置文件'/home/hadoop/.gnupg/gpg.conf'已建立
gpg: 警告:在'/home/hadoop/.gnupg/gpg.conf'里的选项于此次运行期间未被使用
gpg: 钥匙环'/home/hadoop/.gnupg/secring.gpg'已建立
gpg: 钥匙环'/home/hadoop/.gnupg/pubring.gpg'已建立
请选择您要使用的密钥种类:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (仅用于签名)
   (4) RSA (仅用于签名)
您的选择? 1
RSA 密钥长度应在 1024 位与 4096 位之间。
您想要用多大的密钥尺寸?(2048)4096
您所要求的密钥尺寸是 4096 位
请设定这把密钥的有效期限。
         0 = 密钥永不过期
      <n>  = 密钥在 n 天后过期
      <n>w = 密钥在 n 周后过期
      <n>m = 密钥在 n 月后过期
      <n>y = 密钥在 n 年后过期
密钥的有效期限是?(0) 0
密钥永远不会过期
以上正确吗?(y/n)y
As shown above, the choices are:
- 1
- 4096
- 0
- y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

真实姓名:tyrantlucifer
电子邮件地址:tyrantlucifer@apache.org
注释:The key of Apache SeaTunnel
您选定了这个用户标识:
    "tyrantlucifer (The key of Apache SeaTunnel) <tyrantlucifer@apache.org>"

更改姓名(N)、注释(C)、电子邮件地址(E)或确定(O)/退出(Q)?o
您需要一个密码来保护您的私钥。
As shown above, you need to give this key your personal information and a passphrase that protects it. You need to fill in:
- Name
- Email (your Apache email address)
- Key comment
- Passphrase (very important: do not forget it)
我们需要生成大量的随机字节。这个时候您可以多做些琐事(像是敲打键盘、移动
鼠标、读写硬盘之类的),这会让随机数字发生器有更好的机会获得足够的熵数。
我们需要生成大量的随机字节。这个时候您可以多做些琐事(像是敲打键盘、移动
鼠标、读写硬盘之类的),这会让随机数字发生器有更好的机会获得足够的熵数。
gpg: 密钥 0983DF85 被标记为绝对信任
公钥和私钥已经生成并经签名。

gpg: 正在检查信任度数据库
gpg: 需要 3 份勉强信任和 1 份完全信任,PGP 信任模型
gpg: 深度:0 有效性: 1 已签名: 0 信任度:0-,0q,0n,0m,0f,1u
pub   4096R/0983DF85 2022-12-28
      密钥指纹 = AE63 FC40 ECCD 600D 724B 5625 05FD AE73 0983 DF85
uid   tyrantlucifer (The key of Apache SeaTunnel) <tyrantlucifer@apache.org>
sub   4096R/B7023D46 2022-12-28
Verify the key
gpg --list-keys
/home/hadoop/.gnupg/pubring.gpg
-------------------------------
pub   4096R/0983DF85 2022-12-28
uid   tyrantlucifer (The key of Apache SeaTunnel) <tyrantlucifer@apache.org>
sub   4096R/B7023D46 2022-12-28
Tips: 0983DF85 is the short ID of your public key
Upload the key to a public key server
gpg --keyserver keyserver.ubuntu.com --send-key 0983DF85
Verify that the key was uploaded correctly
- Verify from the command line
gpg --keyserver keyserver.ubuntu.com --search-keys 0983DF85
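Tips: This screenshot shows a key I had uploaded earlier, so it is normal that it does not match the key generated in the previous step
Configure Maven
Create the master password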
mvn --encrypt-master-password <apache password>
Create the file ~/.m2/settings-security.xml
<settingsSecurity>
  <master><!-- Put the password printed by the previous step here --></master>
</settingsSecurity>
Encrypt the Apache LDAP password
mvn --encrypt-password <apache password>
Add configuration
Edit the configuration file of your local Maven environment, usually located at ~/.m2/settings.xml, and add:
<settings>
  <servers>
    <server>
      <id>apache.snapshots.https</id>
      <username><!-- APACHE LDAP USERNAME --></username>
      <password><!-- APACHE LDAP ENCRYPTED PASSWORD, the password encrypted in the previous step --></password>
    </server>
    <server>
      <id>apache.releases.https</id>
      <username><!-- APACHE LDAP USERNAME --></username>
      <password><!-- APACHE LDAP ENCRYPTED PASSWORD, the password encrypted in the previous step --></password>
    </server>
    <server>
      <id>gpg.passphrase</id>
      <passphrase><!-- GPG KEY PASSWORD --></passphrase>
    </server>
  </servers>
</settings>
Preparing the project version
Prepare the branch
mkdir -p ~/seatunnel-release-prepare
cd ~/seatunnel-release-prepare
git clone git@github.com:apache/seatunnel.git
cd seatunnel
git checkout -b ${RELEASE.VERSION}-release
Update release-note
vim release-note.md
git add release-note.md
git commit -m "[Release][${RELEASE.VERSION}][release-note] Add release-note"
git push
Pre-build test (dry run)
mvn release:prepare -Prelease -Darguments="-DskipTests" -DdryRun=true -Dusername=${GITHUB USERNAME}
Build
mvn release:clean
mvn release:prepare -Prelease -Darguments="-DskipTests" -DpushChanges=false -Dusername=${GITHUB USERNAME}
Push the code
git push
git push origin --tags
Deploy the jar packages
- Upload the jar packages
mvn release:perform -Prelease -Darguments="-DskipTests" -Dusername=${GITHUB USERNAME}
Upload to SVN
Check out the release and dev repositories locally
mkdir -p ~/seatunnel-release-prepare/dev
mkdir -p ~/seatunnel-release-prepare/release
cd ~/seatunnel-release-prepare/dev
svn --username=${APACHE LDAP username} co https://dist.apache.org/repos/dist/dev/seatunnel
cd ~/seatunnel-release-prepare/release
svn --username=${APACHE LDAP username} co https://dist.apache.org/repos/dist/release/seatunnel
Upload the key to the dev and release repositories
Tips: Only a Release Manager doing a release for the first time needs to do this step
cd ~/seatunnel-release-prepare/dev/seatunnel
gpg -a --export ${GPG USERNAME} >> KEYS
svn add KEYS
svn --username=${APACHE LDAP USERNAME} commit -m "Add ${APACHE LDAP USERNAME} GPG key"

cd ~/seatunnel-release-prepare/release/seatunnel
gpg -a --export ${GPG USERNAME} >> KEYS
svn add KEYS
svn --username=${APACHE LDAP USERNAME} commit -m "Add ${APACHE LDAP USERNAME} GPG key"
Upload the source and binary packages to the dev repository
- Copy the source and binary packages
mkdir -p ~/seatunnel-release-prepare/dev/${RELEASE.VERSION}
cp -f ~/seatunnel-release-prepare/seatunnel/seatunnel-dist/target/*.tar.gz ~/seatunnel-release-prepare/dev/${RELEASE.VERSION}
cd ~/seatunnel-release-prepare/dev/${RELEASE.VERSION}
- Generate the SHA-512 checksums
shasum -a 512 apache-seatunnel-${RELEASE.VERSION}-src.tar.gz >> apache-seatunnel-${RELEASE.VERSION}-src.tar.gz.sha512
shasum -b -a 512 apache-seatunnel-${RELEASE.VERSION}-bin.tar.gz >> apache-seatunnel-${RELEASE.VERSION}-bin.tar.gz.sha512
- Generate the GPG signatures
gpg --armor --detach-sig apache-seatunnel-${RELEASE.VERSION}-src.tar.gz
gpg --armor --detach-sig apache-seatunnel-${RELEASE.VERSION}-bin.tar.gz
- Check the file checksums
shasum -c apache-seatunnel-${RELEASE.VERSION}-src.tar.gz.sha512
shasum -c apache-seatunnel-${RELEASE.VERSION}-bin.tar.gz.sha512
- Check the digital signatures
  - Import the keys (the Release Manager does not need to do this step)
curl https://dist.apache.org/repos/dist/dev/seatunnel/KEYS >> KEYS
gpg --import KEYS
gpg --edit-key "${GPG username of releaser}"
> trust

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5

> save
  - Check the GPG digital signatures
gpg --verify apache-seatunnel-${RELEASE.VERSION}-src.tar.gz.asc apache-seatunnel-${RELEASE.VERSION}-src.tar.gz
gpg --verify apache-seatunnel-${RELEASE.VERSION}-bin.tar.gz.asc apache-seatunnel-${RELEASE.VERSION}-bin.tar.gz
- Commit all files to the dev repository
svn add *
svn --username=${APACHE LDAP USERNAME} commit -m "release ${RELEASE.VERSION}"
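The checksum steps above append to the .sha512 files with `>>` and write the source package in text mode but the binary package with `-b`. The script below is an added example (not from the original article or the SeaTunnel project) that checks one artifact against its .sha512 file, accepts both line formats, and reports a stale extra entry or a wrong file name separately from a digest mismatch. The function names, the 0.0.0 version and the file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original article or the SeaTunnel project.

# Print the SHA-512 hex digest of a file with whichever tool is installed.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'
    fi
}

# check_sha512 ARTIFACT
#   0 = digest matches
#   1 = digest mismatch
#   2 = ARTIFACT.sha512 missing or malformed: not exactly one entry,
#       digest is not 128 hex characters, or it names a different file
check_sha512() {
    artifact=$1
    sumfile=$artifact.sha512
    [ -f "$artifact" ] && [ -f "$sumfile" ] || return 2
    entries=$(grep -c . "$sumfile" || true)
    [ "$entries" -eq 1 ] || return 2
    expected=$(grep . "$sumfile" | awk '{print $1}')
    name=$(grep . "$sumfile" | awk '{print $2}')
    name=${name#\*}              # "shasum -b" writes "*name", text mode "name"
    case $expected in *[!0-9a-f]*) return 2 ;; esac
    [ "${#expected}" -eq 128 ] || return 2
    [ "$name" = "$(basename "$artifact")" ] || return 2
    [ "$(sha512_of "$artifact")" = "$expected" ] || return 1
}

# Constructed sample: file name, version 0.0.0 and contents are made up.
demo() (
    dir=$(mktemp -d) && cd "$dir" || exit 1
    f=apache-seatunnel-0.0.0-src.tar.gz
    printf 'constructed sample\n' > "$f"
    printf '%s  %s\n' "$(sha512_of "$f")" "$f" >> "$f.sha512"
    first=0; check_sha512 "$f" || first=$?
    printf 'rebuilt sample\n' > "$f"        # artifact rebuilt, step re-run
    printf '%s  %s\n' "$(sha512_of "$f")" "$f" >> "$f.sha512"
    second=0; check_sha512 "$f" || second=$?
    cd / && rm -rf "$dir"
    echo "$first $second"
)
demo    # prints "0 2": the second check is rejected because of the stale entry
```

A return code of 2 after a rebuild means the old .sha512 file should be deleted and regenerated before committing to the dev repository.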
Start the vote by email
Vote on dev@seatunnel.apache.org
Start the vote
[VOTE] Release Apache SeaTunnel 2.3.0

Hello SeaTunnel Community,

This is a call for vote to release Apache SeaTunnel () version 2.3.0

Release notes:
https://github.com/apache/seatunnel/blob/2.3.0/release-note.md

The release candidates:
https://dist.apache.org/repos/dist/dev/seatunnel/2.3.0

Git tag for the release:
https://github.com/apache/seatunnel/tree/2.3.0

Maven 2 staging repository:
https://repository.apache.org/content/repositories/orgapacheseatunnel-1015/org/apache/seatunnel/

Release Commit ID:
https://github.com/apache/seatunnel/commit/d7280abbe9e72262640836182a7f090a5706988a

Keys to verify the Release Candidate:
https://downloads.apache.org/seatunnel/KEYS

The vote will be open for at least 72 hours or until necessary numbers of votes are reached.

Please vote accordingly:
[ ] +1 approve
[ ] +0 no opinion
[ ] -1 disapprove with the reason

Checklist for reference:
[ ] Download links are valid.
[ ] Checksums and PGP signatures are valid.
[ ] Source code artifacts have correct names matching the current release.
[ ] LICENSE and NOTICE files are correct for each SeaTunnel repo.
[ ] All files have license headers if necessary.
[ ] No compiled archives bundled in source archive.

More detail checklist please refer:
https://cwiki.apache.org/confluence/display/Release+Checklist

--
Best Regards
Chao Tian
Close the vote
[VOTE] Release Apache SeaTunnel() 2.3.0

Hi SeaTunnel Community,

Thanks, everyone, I will close this vote thread and the results will be tallied.

Best wishes!
Chao Tian
Tally the votes
[RESULT] [VOTE] Release Apache SeaTunnel() 2.3.0

Hi SeaTunnel community,

This vote now closes since 72 hours have passed. The vote PASSES with

3 (+1 binding) votes from the IPMC,
David, Guo Wei, Calvin Kirs

6 (+1 non-binding) votes from the developer from the community
Jun Gao, TaoZex, hailin0, Peng Yuan, Zongwen Li, Guangdong Liu

and no further 0 or -1 votes.

The vote thread:
https://lists.apache.org/thread/98oc6q6vghlg8qpfyf5yttzy925tfp9g

Thanks for your participation, I will now bring the vote to general@apache.org to get approval by the IPMC.
If this vote passes also, the release is accepted and will be published.

Best wishes,
Chao Tian
Vote on general@apache.org
Start the vote
[VOTE] Release Apache SeaTunnel() 2.3.0

Hello IPMC,

This is an official vote for the Apache SeaTunnel() 2.3.0 that we have been working toward.

To learn more about Apache SeaTunnel(), please see:
https://seatunnel.apache.org

The Apache SeaTunnel () community has voted and approved the release.

Vote thread:
https://lists.apache.org/thread/98oc6q6vghlg8qpfyf5yttzy925tfp9g

Result thread:
https://lists.apache.org/thread/6c0463dsoh8r0gmvqo67lttgy4o40xst

Release changes:
https://github.com/apache/seatunnel/blob/2.3.0/release-note.md

The release candidates:
https://dist.apache.org/repos/dist/dev/seatunnel/2.3.0

Maven 2 staging repository:
https://repository.apache.org/content/repositories/orgapacheseatunnel-1015/org/apache/seatunnel/

Git tag for the release:
https://github.com/apache/seatunnel/tree/2.3.0

Release Commit ID:
https://github.com/apache/seatunnel/commit/d7280abbe9e72262640836182a7f090a5706988a

Keys to verify the Release Candidate:
https://downloads.apache.org/seatunnel/KEYS

GPG user ID:
tyrantlucifer

The vote will be open for at least 72 hours or until necessary numbers of votes are reached.

Please vote accordingly:
[ ] +1 approve
[ ] +0 no opinion
[ ] -1 disapprove with the reason

Checklist for reference:
[ ] Download links are valid.
[ ] Checksums and PGP signatures are valid.
[ ] DISCLAIMER is included.
[ ] Source code artifacts have correct names matching the current release.
[ ] LICENSE and NOTICE files are correct for each SeaTunnel repo.
[ ] All files have license headers if necessary.
[ ] No compiled archives bundled in source archive.

More detail checklist please refer:
https://cwiki.apache.org/confluence/display/Release+Checklist

The following votes are carried over from the SeaTunnel dev mailing list:
+1(binding) David, William-Guowei, Calvin Kirs

Best Regards,
Chao Tian
Close the vote
[VOTE] Release Apache SeaTunnel() 2.3.0

Hi IPMC,

Thanks, everyone, I will close this vote thread and the results will be tallied.

Best wishes!
Chao Tian
Tally the votes
[RESULT] [VOTE] Release Apache SeaTunnel() 2.3.0

Hi SeaTunnel community,

This vote now closes since 72 hours have passed. The vote PASSES with

3 (+1 binding) votes from the IPMC,
David, Guo Wei, Calvin Kirs

6 (+1 non-binding) votes from the developer from the community
Jun Gao, TaoZex, hailin0, Peng Yuan, Zongwen Li, Guangdong Liu

and no further 0 or -1 votes.

The vote thread:
https://lists.apache.org/thread/98oc6q6vghlg8qpfyf5yttzy925tfp9g

Thanks for your participation, I will now bring the vote to general@apache.org to get approval by the IPMC.
If this vote passes also, the release is accepted and will be published.

Best wishes,
Chao Tian
Official release
Move the files from the dev repository to the release repository
svn mv https://dist.apache.org/repos/dist/dev/seatunnel/${RELEASE.VERSION} https://dist.apache.org/repos/dist/release/seatunnel/
Publish the Maven repository
Send the announcement email
Hi all,

We are glad to announce the release of Apache SeaTunnel() ${RELEASE.VERSION}.
Once again I would like to express my thanks to your help.

SeaTunnel: SeaTunnel() is a distributed, high-performance data integration platform for the synchronization and transformation of massive data (offline & real-time).

Apache SeaTunnel() website: http://seatunnel.apache.org/

Downloads: https://seatunnel.apache.org/download/

Release Notes: https://github.com/apache/seatunnel/blob/${RELEASE.VERSION}/release-note.md

Documents: https://seatunnel.apache.org/docs/${RELEASE.VERSION}/intro/about

Twitter: https://twitter.com/ASFSeaTunnel

SeaTunnel() Resources:
- GitHub: https://github.com/apache/seatunnel
- Issue: https://github.com/apache/seatunnel/issues
- Mailing list: dev@seatunnel.apache.org

- Apache SeaTunnel() Team
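Summary
An Apache Release Manager has a lot of tedious preparation work to do, which calls for extra patience and care. Because all the repositories are hosted overseas, any step may fail because of network latency, but do not be discouraged: only by trying again and again can you reach the final victory. I hope this article helps first-time Release Managers avoid detours.
Publication of this article is supported by 白鲸开源科技!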
