The release flow of Apache APISIX follows GitLab flow, instead of Git flow or Github flow. Furthermore, Release branches with GitLab flow is the preferred way. The chart below will take the release v2.3
of apache/apisix-dashboard as an example to illustrate the details.
The entire flow is comprised of the following four phases.
This phase will decide if a feature is ready to be released as well as the release time.
2.3
).This phase is for developing new features and fixing bugs.
This phase will be throughout the entire Release Time Window.
v2.3
) for release is created from the master
branch, which is also considered as the start of the Release Time Window.master
branch first. Afterward, it will be backported to the new release branch if the relevant pull request is with the need backport
label attached.CHANGELOG
for the new release will be added.Once a version is released, it will enter the maintenance mode and will only accept the security and critical bug patches backported from the master
branch. A new version will be released soon after significant bugs got fixed, with patch version increment (e.g. 2.3.1
). In this case, all users are recommended to upgrade to the latest release to avoid potential risk to the stability.
Download GnuPG from https://gnupg.org/download/index.html. There are differences between the 1.x and 2.x versions of the GnuPG commands, and the following descriptions are based on the GnuPG 2.x versions.
After the installation is complete, execute the following command to check the version.
$ gpg --version
Execute the following command to create the key:
$ gpg --full-gen-key
gpg --gen-key
Follow the instructions to generate key:
Note: Please use the Apache email address to generate the GPG Key.
gpg (GnuPG) 2.0.12; Copyright (C) 2009 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection? 1 RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) 4096 Requested keysize is 4096 bits Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) Key does not expire at all Is this correct? (y/N) y GnuPG needs to construct a user ID to identify your key. Real name: ${Enter your username} Email address: ${Enter your email address} Comment: ${Enter comments} You selected this USER-ID: "${Entered username} (${Entered comments}) <${Entered email address}>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O You need a Passphrase to protect your secret key. # Enter passphrase
gpg --list-keys
The example result:
$ gpg --list-keys /home/resty/.gnupg/pubring.gpg ------------------------------ pub 4096R/30B5FD72 2020-01-02 uid Yuansheng Wang <membphis@apache.org> sub 4096R/3D2F913D 2020-01-02
And 30B5FD72
is the ID of pub key
The steps are as follows:
# The last parameter is the public key ID generated above $ gpg --keyserver hkp://pool.sks-keyservers.net --send-key 30B5FD72 gpg: sending key 30B5FD72 to hkp server pool.sks-keyservers.net
pool.sks-keyservers.net
is one of the pub key servers, the pub key will be automatically synchronized between each server, just choose anyone.
Key Fingerprint
to id.apache.orgget Key Fingerprint
# Note the `Key fingerprint` section below. $ gpg --list-keys --fingerprint /home/resty/.gnupg/pubring.gpg ------------------------------ pub 4096R/30B5FD72 2020-01-02 Key fingerprint = 0F91 BE0A 55A7 B22F DE1A CEEC 3352 48FD 30B5 FD72 uid Yuansheng Wang <membphis@apache.org> sub 4096R/3D2F913D 2020-01-02
download APISIX svn
$ svn --username=${Apache username} co https://dist.apache.org/repos/dist/dev/apisix
$ cd apisix
$ ls
KEYS
Export the public key and append it to the KEYS file.
$ gpg -a --export ${GPG username} >> KEYS
Commit the modified KEYS file, saving the public key to the svn server.
$ svn --username=${Apache username} commit -m "added \${Apache email} gpg pub key" Authentication realm: <https://dist.apache.org:443> ASF Committers Password for 'membphis': # input password Store password unencrypted (yes/no)? yes Sending KEYS Transmitting file data. Committed revision 37434.
Here's an example of preparing a 1.0 version. Before you make the package, make sure you have branch v1.0 ready on GitHub.
# Create a new version number directory and enter, for example: 1.0 $ export APISIX_VERSION=1.0 $ mkdir $APISIX_VERSION && cd $APISIX_VERSION # download repo git clone -b v$APISIX_VERSION git@github.com:apache/apisix.git apache-apisix-$APISIX_VERSION # check version $ cd apache-apisix-$APISIX_VERSION && ./utils/check-version.sh $APISIX_VERSION && cd .. # make tar package / asc / sha512 $ cd apache-apisix-$APISIX_VERSION && make release-src VERSION=$APISIX_VERSION $ mv ./release/* ../ && cd .. # remove apache-apisix-1.0 $ rm -rf apache-apisix-$APISIX_VERSION # check files $ cd .. && tree . ├── 1.0 │ ├── apache-apisix-1.0-src.tar.gz │ ├── apache-apisix-1.0-src.tar.gz.asc │ └── apache-apisix-1.0-src.tar.gz.sha512 └── KEYS 1 directory, 4 files # add files to SVN $ svn add * A 1.0 A (bin) 1.0/apache-apisix-1.0-src.tar.gz.asc A (bin) 1.0/apache-apisix-1.0-src.tar.gz A 1.0/apache-apisix-1.0-src.tar.gz.sha512 svn: warning: W150002: '/home/resty/git/apache_svn/apisix/KEYS' is already under version control svn: E200009: Could not add all targets because some targets are already versioned svn: E200009: Illegal target for the requested operation # commit to Apache SVN $ svn --username=${Apache username} commit -m "release 1.0" Adding 1.0 Adding (bin) 1.0/apache-apisix-1.0-src.tar.gz Adding (bin) 1.0/apache-apisix-1.0-src.tar.gz.asc Adding 1.0/apache-apisix-1.0-src.tar.gz.sha512 Transmitting file data ... Committed revision 37435.
There is a minimum wait of 72 hours before statistical voting results. If you get -1 vote, you need to solve the problem before you can continue. An email example is as shown below.
Hello, Community, This is a call for the vote to release Apache APISIX version 2.0. Release notes: https://github.com/apache/apisix/blob/2.4/CHANGELOG.md#240 The release candidates: https://dist.apache.org/repos/dist/dev/apisix/2.4/ Git tag for the release: https://github.com/apache/apisix/tree/2.4 Release Commit ID: https://github.com/apache/apisix/commit/b94d3fc3b298df593ba6fe5c7b285768b567991e Keys to verify the Release Candidate: https://dist.apache.org/repos/dist/dev/apisix/KEYS Steps to validating the release: 1. Download the release wget https://dist.apache.org/repos/dist/dev/apisix/2.4/apache-apisix-2.4-src.tgz 2. Checksums and signatures wget https://dist.apache.org/repos/dist/dev/apisix/KEYS wget https://dist.apache.org/repos/dist/dev/apisix/2.4/apache-apisix-2.4-src.tgz.asc wget https://dist.apache.org/repos/dist/dev/apisix/2.4/apache-apisix-2.4-src.tgz.sha512 gpg --import KEYS shasum -c apache-apisix-2.4-src.tgz.sha512 gpg --verify apache-apisix-2.4-src.tgz.asc apache-apisix-2.4-src.tgz 3. Unzip and Check files tar zxvf apache-apisix-2.4-src.tgz 4. Build Apache APISIX: https://github.com/apache/apisix/blob/release/2.4/docs/en/latest/how-to-build.md#installation-via-source-release The vote will be open for at least 72 hours or until necessary number of votes are reached. Please vote accordingly: [ ] +1 approve [ ] +0 no opinion [ ] -1 disapprove with the reason
Click here to view the reference email at least 3 +1
binding votes is required, then send the vote result to dev@apisix.apache.org.
Invite PMCs to move KEYS and package under the release
directory.
The Download page contains links for Apache APISIX, Apache APISIX Dashboard, and other sources, and we need to update its contents here.
Click here to view the reference email send announce email to dev@apisix.apache.org and announce@apache.org