实操经验 | Apache 基金会顶级项目版本管理和发布流程
前言
前段时间,Apache SeaTunnel经过几个月的迭代和架构升级,终于迎来第一个正式2.3.0版本,我也有幸作为本次的Release Manager,体验了一把从0到1的Apache发版流程,不得不说Apache基金会在项目的版本管理这块有着完善的规范和严谨的流程,整个发版过程周期很长,其中也踩了不少的坑,俗话说好记性不如烂笔头,所以笔者写了一篇文章来记录整个过程(以Apache SeaTunnel为例),希望这篇文章能够让小白快速入门Apache项目版本管理和发布。
Tips: Release Manager需要有Apache LDAP账号,也就意味着你需要首先成为项目的Committer才有资格
环境准备
GIT
用于clone项目源代码到本地
GPG
用于生成数字签名,为你的每一次操作留下痕迹
SHASUM
用于为文件生成签名
SVN
用于拉取Apache Release SVN仓库
MAVEN
用于编译项目
物料准备
配置GPG KEY
新建key
gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: 已创建目录'/home/hadoop/.gnupg'
gpg: 新的配置文件'/home/hadoop/.gnupg/gpg.conf'已建立
gpg: 警告:在'/home/hadoop/.gnupg/gpg.conf'里的选项于此次运行期间未被使用
gpg: 钥匙环'/home/hadoop/.gnupg/secring.gpg'已建立
gpg: 钥匙环'/home/hadoop/.gnupg/pubring.gpg'已建立
请选择您要使用的密钥种类:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (仅用于签名)
(4) RSA (仅用于签名)
您的选择? 1
RSA 密钥长度应在 1024 位与 4096 位之间。
您想要用多大的密钥尺寸?(2048)4096
您所要求的密钥尺寸是 4096 位
请设定这把密钥的有效期限。
0 = 密钥永不过期
<n> = 密钥在 n 天后过期
<n>w = 密钥在 n 周后过期
<n>m = 密钥在 n 月后过期
<n>y = 密钥在 n 年后过期
密钥的有效期限是?(0) 0
密钥永远不会过期
以上正确吗?(y/n)y
如上所示,选择项分别为:
- 1
- 4096
- 0
- y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
真实姓名:tyrantlucifer
电子邮件地址:tyrantlucifer@apache.org
注释:The key of Apache SeaTunnel
您选定了这个用户标识:
"tyrantlucifer (The key of Apache SeaTunnel) <tyrantlucifer@apache.org>"
更改姓名(N)、注释(C)、电子邮件地址(E)或确定(O)/退出(Q)?o
您需要一个密码来保护您的私钥。
如上所示,你需要为这个key指定个人信息以及加密密码,需要填写
- 姓名
- 邮箱(Apache邮箱)
- key注释
- 密码(很重要,不要忘记,要记住哟)
我们需要生成大量的随机字节。这个时候您可以多做些琐事(像是敲打键盘、移动
鼠标、读写硬盘之类的),这会让随机数字发生器有更好的机会获得足够的熵数。
我们需要生成大量的随机字节。这个时候您可以多做些琐事(像是敲打键盘、移动
鼠标、读写硬盘之类的),这会让随机数字发生器有更好的机会获得足够的熵数。
gpg: 密钥 0983DF85 被标记为绝对信任
公钥和私钥已经生成并经签名。
gpg: 正在检查信任度数据库
gpg: 需要 3 份勉强信任和 1 份完全信任,PGP 信任模型
gpg: 深度:0 有效性: 1 已签名: 0 信任度:0-,0q,0n,0m,0f,1u
pub 4096R/0983DF85 2022-12-28
密钥指纹 = AE63 FC40 ECCD 600D 724B 5625 05FD AE73 0983 DF85
uid tyrantlucifer (The key of Apache SeaTunnel) <tyrantlucifer@apache.org>
sub 4096R/B7023D46 2022-12-28
验证key
gpg --list-keys
/home/hadoop/.gnupg/pubring.gpg
-------------------------------
pub 4096R/0983DF85 2022-12-28
uid tyrantlucifer (The key of Apache SeaTunnel) <tyrantlucifer@apache.org>
sub 4096R/B7023D46 2022-12-28
Tips: 0983DF85就是你的公钥缩写
上传key到公共服务器
gpg --keyserver keyserver.ubuntu.com --send-key 0983DF85
验证key是否正常上传
- 命令行验证
gpg --keyserver keyserver.ubuntu.com --search-keys 0983DF85
Tips: 该截图是我之前已经上传好的key,和上一步骤生成的key不一致是正常的
配置maven
创建主密码
mvn --encrypt-master-password <apache password>
新建文件~/.m2/settings-security.xml
<settingsSecurity>
<master><!-- 这里填入上一步输出的密码 --></master>
</settingsSecurity>
加密Apache LDAP 密码
mvn --encrypt-password <apache password>
新增配置
编辑你本地maven环境的配置文件,一般路径为~/.m2/setting.xml,添加
<settings>
<servers>
<server>
<id>apache.snapshots.https</id>
<username> <!-- APACHE LDAP USERNAME --> </username>
<password> <!-- APACHE LDAP ENCRYPTED PASSWORD,上一步加密的密码 --> </password>
</server>
<server>
<id>apache.releases.https</id>
<username> <!-- APACHE LDAP USERNAME --> </username>
<password> <!-- APACHE LDAP ENCRYPTED PASSWORD,上一步加密的密码 --> </password>
</server>
<server>
<id>gpg.passphrase</id>
<passphrase><!-- GPG KEY PASSWORD --></passphrase>
</server>
</servers>
</settings>
项目版本准备
分支准备
mkdir -p ~/seatunnel-release-prepare
cd ~/seatunnel-release-prepare
git clone git@github.com:apache/seatunnel.git
cd seatunnel
git checkout -b ${RELEASE.VERSION}-release
更新release-note
vim release-note.md
git add release-note.md
git commit -m "[Release][${RELEASE.VERSION}][release-note] Add release-note"
git push
预编译测试
mvn release:prepare -Prelease -Darguments="-DskipTests" -DdryRun=true -Dusername=${GITHUB USERNAME}
编译
mvn release:clean
mvn release:prepare -Prelease -Darguments="-DskipTests" -DpushChanges=false -Dusername=${GITHUB USERNAME}
提交代码
git push
git push origin --tags
部署jar包
- 上传jar包
mvn release:perform -Prelease -Darguments="-DskipTests" -Dusername=${GITHUB USERNAME}
上传SVN
拉取release和dev仓库到本地
mkdir -p ~/seatunnel-release-prepare/dev
mkdir -p ~/seatunnel-release-prepare/release
cd ~/seatunnel-release-prepare/dev
svn --username=${APACHE LDAP username} co https://dist.apache.org/repos/dist/dev/seatunnel
cd ~/seatunnel-release-prepare/release
svn --username=${APACHE LDAP username} co https://dist.apache.org/repos/dist/release/seatunnel
上传key到dev和release仓库
Tips: 只有第一次发版的Release Manager才需要做这一步
cd ~/seatunnel-release-prepare/dev/seatunnel
gpg -a --export ${GPG USERNAME} >> KEYS
svn add KEYS
svn --username=${APACHE LDAP USERNAME} commit -m "Add ${APACHE LDAP USERNAME} GPG key"
cd ~/seatunnel-release-prepare/release/seatunnel
gpg -a --export ${GPG USERNAME} >> KEYS
svn add KEYS
svn --username=${APACHE LDAP USERNAME} commit -m "Add ${APACHE LDAP USERNAME} GPG key"
上传源码包和二进制包到dev仓库
-
复制源码包和二进制包
mkdir -p ~/seatunnel-release-prepare/dev/${RELEASE.VERSION} cp -f ~/seatunnel-release-prepare/seatunnel/seatunnel-dist/target/*.tar.gz ~/seatunnel-release-prepare/dev/${RELEASE.VERSION} cd ~/seatunnel-release-prepare/dev/${RELEASE.VERSION} -
生成签名
shasum -a 512 apache-seatunnel-${RELEASE.VERSION}-src.tar.gz >> apache-seatunnel-${RELEASE.VERSION}-src.tar.gz.sha512 shasum -b -a 512 apache-seatunnel-${RELEASE.VERSION}-bin.tar.gz >> apache-seatunnel-${RELEASE.VERSION}-bin.tar.gz.sha512 -
生成GPG签名
gpg --armor --detach-sig apache-seatunnel-${RELEASE.VERSION}-src.tar.gz gpg --armor --detach-sig apache-seatunnel-${RELEASE.VERSION}-bin.tar.gz -
检查文件签名
shasum -c apache-seatunnel-${RELEASE.VERSION}-src.tar.gz.sha512 shasum -c apache-seatunnel-${RELEASE.VERSION}-bin.tar.gz.sha512 -
检查数字签名
-
导入(Release Manager不需要做这一步)
curl https://dist.apache.org/repos/dist/dev/seatunnel/KEYS >> KEYS gpg --import KEYS gpg --edit-key "${GPG username of releaser}" > trust Please decide how far you trust this user to correctly verify other users' keys (by looking at passports, checking fingerprints from different sources, etc.) 1 = I don't know or won't say 2 = I do NOT trust 3 = I trust marginally 4 = I trust fully 5 = I trust ultimately m = back to the main menu Your decision? 5 > save -
检查gpg数字签名
gpg --verify apache-seatunnel-${RELEASE.VERSION}-src.tar.gz.asc apache-seatunnel-${RELEASE.VERSION}-src.tar.gz gpg --verify apache-seatunnel-${RELEASE.VERSION}-seatunnel-bin.tar.gz.asc apache-seatunnel-${RELEASE.VERSION}-seatunnel-bin.tar.gz
-
-
提交所有文件至dev仓库
svn add * svn --username=${APACHE LDAP USERNAME} commit -m "release ${RELEASE.VERSION}"
邮件发起投票
dev@seatunnel.apache.org投票
发起投票
[VOTE] Release Apache SeaTunnel 2.3.0
Hello SeaTunnel Community,
This is a call for vote to release Apache SeaTunnel () version 2.3.0
Release notes:
https://github.com/apache/seatunnel/blob/2.3.0/release-note.md
The release candidates:
https://dist.apache.org/repos/dist/dev/seatunnel/2.3.0
Git tag for the release:
https://github.com/apache/seatunnel/tree/2.3.0
Maven 2 staging repository:
https://repository.apache.org/content/repositories/orgapacheseatunnel-1015/org/apache/seatunnel/
Release Commit ID:
https://github.com/apache/seatunnel/commit/d7280abbe9e72262640836182a7f090a5706988a
Keys to verify the Release Candidate:
https://downloads.apache.org/seatunnel/KEYS
The vote will be open for at least 72 hours or until necessary numbers of votes are reached.
Please vote accordingly:
[ ] +1 approve
[ ] +0 no opinion
[ ] -1 disapprove with the reason
Checklist for reference:
[ ] Download links are valid.
[ ] Checksums and PGP signatures are valid.
[ ] Source code artifacts have correct names matching the current release.
[ ] LICENSE and NOTICE files are correct for each SeaTunnel repo.
[ ] All files have license headers if necessary.
[ ] No compiled archives bundled in source archive.
More detail checklist please refer:
https://cwiki.apache.org/confluence/display/Release+Checklist
--
Best Regards
Chao Tian
关闭投票
[VOTE] Release Apache SeaTunnel() 2.3.0
Hi SeaTunnel Community,
Thanks, everyone, I will close this vote thread and the results will be tallied.
Best wishes!
Chao Tian
归票
[RESULT] [VOTE] Release Apache SeaTunnel() 2.3.0
Hi SeaTunnel community,
This vote now closes since 72 hours have passed.
The vote PASSES with
3 (+1 binding) votes from the IPMC,
David,
Guo Wei,
Calvin Kirs
6 (+1 non-binding) votes from the developer from the community
Jun Gao,
TaoZex,
hailin0,
Peng Yuan,
Zongwen Li,
Guangdong Liu
and no further 0 or -1 votes.
The vote thread:
https://lists.apache.org/thread/98oc6q6vghlg8qpfyf5yttzy925tfp9g
Thanks for your participation, I will now bring the vote to
[general@apache.org](mailto:general@apache.org) <mailto:
[general@apache.org](mailto:general@apache.org)> to get
approval by the IPMC.
If this vote passes also, the release is accepted and will be published.
Best wishes,
Chao Tian
general@apache.org投票
发起投票
[VOTE] Release Apache SeaTunnel() 2.3.0
Hello IPMC, This is an official vote for the Apache
SeaTunnel() 2.3.0 that we have been working toward.
To learn more about Apache SeaTunnel(), please see:
https://seatunnel.apache.org
The Apache SeaTunnel () community has voted and approved the release.
Vote thread:
https://lists.apache.org/thread/98oc6q6vghlg8qpfyf5yttzy925tfp9g
Result thread:
https://lists.apache.org/thread/6c0463dsoh8r0gmvqo67lttgy4o40xst
Release changes:
https://github.com/apache/seatunnel/blob/2.3.0/release-note.md
The release candidates:
https://dist.apache.org/repos/dist/dev/seatunnel/2.3.0
Maven 2 staging repository:
https://repository.apache.org/content/repositories/orgapacheseatunnel-1015/org/apache/seatunnel/
Git tag for the release:
https://github.com/apache/seatunnel/tree/2.3.0
Release Commit ID:
https://github.com/apache/seatunnel/commit/d7280abbe9e72262640836182a7f090a5706988a
Keys to verify the Release Candidate:
https://downloads.apache.org/seatunnel/KEYS
GPG user ID:
tyrantlucifer
The vote will be open for at least 72 hours or until necessary numbers
of votes are reached.
Please vote accordingly:
[ ] +1 approve
[ ] +0 no opinion
[ ] -1 disapprove with the reason
Checklist for reference:
[ ] Download links are valid.
[ ] Checksums and PGP signatures are valid.
[ ] DISCLAIMER is included.
[ ] Source code artifacts have correct names matching the current release.
[ ] LICENSE and NOTICE files are correct for each SeaTunnel repo.
[ ] All files have license headers if necessary.
[ ] No compiled archives bundled in source archive.
More detail checklist please refer:
https://cwiki.apache.org/confluence/display/Release+Checklist
The following votes are carried over from the SeaTunnel dev mailing list:
+1(binding)
David,
William-Guowei,
Calvin Kirs
Best Regards,
Chao Tian
关闭投票
[VOTE] Release Apache SeaTunnel() 2.3.0
Hi IPMC,
Thanks, everyone, I will close this vote thread and the results will be tallied.
Best wishes!
Chao Tian
归票
[RESULT] [VOTE] Release Apache SeaTunnel() 2.3.0
Hi SeaTunnel community,
This vote now closes since 72 hours have passed.
The vote PASSES with
3 (+1 binding) votes from the IPMC,
David,
Guo Wei,
Calvin Kirs
6 (+1 non-binding) votes from the developer from the community
Jun Gao,
TaoZex,
hailin0,
Peng Yuan,
Zongwen Li,
Guangdong Liu
and no further 0 or -1 votes.
The vote thread:
https://lists.apache.org/thread/98oc6q6vghlg8qpfyf5yttzy925tfp9g
Thanks for your participation, I will now bring the vote to
[general@apache.org](mailto:general@apache.org) <mailto:
approval by the IPMC.
If this vote passes also, the release is accepted and will be published.
Best wishes,
Chao Tian
正式发版
从dev仓库移动文件至release仓库
svn mv https://dist.apache.org/repos/dist/dev/seatunnel/${RELEASE.VERSION} https://dist.apache.org/repos/dist/release/seatunnel/
发布maven仓库
发送通知邮件
Hi all,
We are glad to announce the release of Apache SeaTunnel() ${RELEASE.VERSION}.
Once again I would like to express my thanks to your help.
SeaTunnel: SeaTunnel() is a distributed, high-performance data integration platform for the synchronization and transformation of massive
data (offline & real-time).
Apache SeaTunnel() website:
http://seatunnel.apache.org/
Downloads:
https://seatunnel.apache.org/download/
Release Notes:
https://github.com/apache/seatunnel/blob/${RELEASE.VERSION}/release-note.md
Documents:
https://seatunnel.apache.org/docs/${RELEASE.VERSION}/intro/about
Twitter:
https://twitter.com/ASFSeaTunnel
SeaTunnel() Resources:
- GitHub: https://github.com/apache/seatunnel
- Issue: https://github.com/apache/seatunnel/issues
- Mailing list: dev@seatunnel.apache.org
- Apache SeaTunnel() Team
总结
作为一名Apache Release Manager需要做的前期准备工作有很多且很繁琐,需要更多的耐心和细心,由于所有的仓库都在国外,任何一个步骤都会可能因为网络延迟而失败,但不要因此气馁,唯有不断的尝试才能走向最终的胜利,希望本篇文章能够帮助到初次发版的Release Manager,让大家少走弯路。
本文由 白鲸开源科技 提供发布支持!
