output/release-publishing.html - infrastructure-website - Git at Google

 <!doctype html>
 <html class="no-js" lang="en" dir="ltr">
   <head>
     <meta charset="utf-8">
     <meta http-equiv="x-ua-compatible" content="ie=edge">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <title>Release Creation Process - Apache Infrastructure Website</title>
 <link href="/css/bootstrap.min.css" rel="stylesheet">
 <link href="/css/fontawesome.all.min.css" rel="stylesheet">
 <link href="/css/headerlink.css" rel="stylesheet">
 <script src="/highlight/highlight.min.js"></script>  </head>
   <body class="d-flex flex-column h-100">
   <main class="flex-shrink-0">
       <div>

 <!-- nav bar -->
 <nav class="navbar navbar-expand-lg navbar-dark bg-dark" aria-label="Fifth navbar example">
     <div class="container-fluid">
         <a class="navbar-brand" href="/"><img src="/images/feather.png" style="height: 32px;"/> Apache Infrastructure</a>
         <button class="navbar-toggler" type="button" data-bs-toggle="collapse" data-bs-target="#navbarADP" aria-controls="navbarADP" aria-expanded="false" aria-label="Toggle navigation">
             <span class="navbar-toggler-icon"></span>
         </button>

         <div class="collapse navbar-collapse" id="navbarADP">
             <ul class="navbar-nav me-auto mb-2 mb-lg-0">
                 <li class="nav-item dropdown">
                     <a class="nav-link dropdown-toggle" href="#" data-bs-toggle="dropdown" aria-expanded="false">About</a>
                     <ul class="dropdown-menu">
                         <li><a class="dropdown-item" href="/team.html">About the team</a></li>
                         <li><a class="dropdown-item" href="/roundtable.html">The Infrastructure Roundtable</a></li>
                         <li><a class="dropdown-item" href="/blog/">The Infrastructure Blog</a></li>
                     </ul>
                 </li>
                 <li class="nav-item">
                     <a class="nav-link" href="/policies.html">Policies</a>
                 </li>
                 <li class="nav-item dropdown">
                     <a class="nav-link dropdown-toggle" href="#" data-bs-toggle="dropdown" aria-expanded="false">Services and Tools</a>
                     <ul class="dropdown-menu">
                         <li><a class="dropdown-item" href="/services.html">Services and Tools</a></li>
                         <li><a class="dropdown-item" href="/machines.html">Machines and Fingerprints</a></li>
                         <li><a class="dropdown-item" href="https://blocky.apache.org/">Blocky</a></li>
                         <li><a class="dropdown-item" href="https://app.datadoghq.com/account/login?next=%2Finfrastructure">DataDog</a></li>
                         <li><a class="dropdown-item" href="https://whimsy.apache.org/roster/committer/" target="_blank">Committer Search</a></li>
                     </ul>
                 </li>
                 <li class="nav-item dropdown">
                     <a class="nav-link dropdown-toggle" href="#" data-bs-toggle="dropdown" aria-expanded="false">Documentation</a>
                     <ul class="dropdown-menu">
                         <li><a class="dropdown-item" href="/doc.html">Contribute</a></li>
                         <li><a class="dropdown-item" href="/infra-volunteer.html">Volunteer with Infra</a></li>
                         <li><a class="dropdown-item" href="/how-to-mirror.html">Become an ASF download mirror</a></li>
                         <li><a class="dropdown-item" href="/hosting-external-agent.html">Host a Jenkins or Buildbot agent</a></li>

                     </ul>
                 </li>
                 <li class="nav-item">
                     <a class="nav-link" href="/stats.html">Status</a>
                 </li>
                 <li class="nav-item">
                     <a class="nav-link" href="/contact.html">Contact Us</a>
                 </li>
             </ul>
         </div>
     </div>
 </nav>


 <!-- page contents -->
 <div id="contents">
     <div class="bg-white p-5 rounded">
         <div class="col-sm-8 mx-auto">
           <h1>
               Release Creation Process
           </h1>
               <p>These best practices help guide a PMC through the steps to create and publish an Apache software product release. It complements the formal <a href="https://www.apache.org/legal/release-policy.html" target="_blank">Apache Release Policy</a>, defining what must be in a software release, and <a href="release-distribution.html">Release Distribution Policy</a>.</p>
 <p>Every Apache Software Foundation project software release must meet requirements for content , process , and publication. These requirements ensure that Apache contributors and users benefit from appropriate legal protection the ASF provides, and reflect the Foundation's goals of open, collaborative software development.</p>
 <h2>Contents</h2>
 <ul>
 <li><a href="#definition">An Apache release</a></li>
 <li><a href="#releasemanager">The release manager</a></li>
 <li><a href="#valid">A valid release package</a></li>
 <li><a href="#signing">Signing release artifacts</a></li>
 <li><a href="#voting">Voting whether to approve the release</a></li>
 <li><a href="#distribution">Distribution</a><ul>
 <li><a href="#uploading">Uploading packages</a></li>
 <li><a href="#normal">Normal distribution on the Apache downloads site</a></li>
 <li><a href="#tomaven">Maven distribution</a></li>
 </ul>
 </li>
 <li><a href="#timeline">Release distribution availability schedule</a></li>
 <li><a href="#faqs">FAQs</a></li>
 </ul>
 <h2 id="definition">An Apache release<a class="headerlink" href="#definition" title="Permanent link">&para;</a></h2>

 <p>An Apache release is a set of <strong>valid</strong>, <strong>signed</strong>, artifacts, <strong>voted on</strong> by the appropriate PMC and <strong>distributed</strong> on the official ASF release infrastructure. See below for discussion of the words in bold, all of which are essential.</p>
 <p>To make a release, an Apache project:</p>
 <ol>
 <li>Has code that complies with the software licensing requirements</li>
 <li>Decides as a community to make a release, and designates a release manager</li>
 <li>The release manager prepares and signs the proposed release materials</li>
 <li>The PMC votes whether to approve the release</li>
 <li>If the vote passes, the release manager copies the artifacts to the distribution infrastructure.</li>
 </ol>
 <p>A release starts when the project community agrees to make a release. However, no release manager can make a valid release unless the community has taken the necessary steps. The source code and build process must comply with the ASF legal and intellectual property requirements for a valid release, and the project must have the infrastructure in place to correctly <strong>sign</strong> the release artifacts (see below).</p>
 <h2 id="releasemanager">The release manager<a class="headerlink" href="#releasemanager" title="Permanent link">&para;</a></h2>

 <p>Most projects designate a committer to be the <em>release manager</em> who takes responsibility for the mechanics of a release. It is a good idea to let several committers take this role on different releases so that more than one person is comfortable doing a release. Release managers shepherd a release from an initial community consensus to getting the compiled code package to final distribution, and may be involved in publicizing the release to the project's community and the ASF in general.</p>
 <p>Unless otherwise specified, only PMC members can act as release managers. If your project wishes to allow normal committers to release files, please <a href="contact.html">contact infrastructure</a> with your request.</p>
 <p>Release managers do the mechanical work; but the PMC in general, and the PMC chair in particular (as an officer of the Foundation), are responsible for compliance with ASF requirements.</p>
 <p>Any committer may serve as release manager.</p>
 <h2 id="valid">A valid release package<a class="headerlink" href="#valid" title="Permanent link">&para;</a></h2>

 <p>The Apache Software Foundation exists to create open source software, so the fundamental requirement for a release is that it has the necessary source code to build the project. A project may provide compiled binaries of each release for the convenience of users.</p>
 <p>All project source code must be covered by the <a href="https://www.apache.org/licenses/LICENSE-2.0" target="_blank">Apache License, version 2.0</a>. The license or appropriate boilerplate text must be included in each source file. For the license to be valid, the code must have been contributed by an individual covered by an appropriate <a href="https://www.apache.org/licenses/contributor-agreements.html" target="_blank">contributor license agreement</a>, or have otherwise been licensed to the Foundation and passed through IP clearance. See <a href="https://www.apache.org/legal/release-policy.html" target="_blank">this page</a> for details on release requirements. When in doubt, contact the Foundation's Legal resources by filing a Jira ticket under the 'LEGAL' project. The Apache <a href="https://creadur.apache.org/rat/" target="_blank">Release Audit Tool (RAT)</a> can help you verify that your proposed release complies with the requirements.</p>
 <p>Many projects have dependencies on non-Apache components. For an Apache release to be valid, it can only depend on non-Apache components that have compatible licenses. For more information on third party licenses allowed, see the <a href="https://www.apache.org/legal/resolved.html" target="_blank">ASF Third Party License Policy</a>.</p>
 <h2 id="signing">Signing release artifacts<a class="headerlink" href="#signing" title="Permanent link">&para;</a></h2>

 <p>The files that make up an Apache release always are accompanied by cryptographic signatures. This allows users to ensure that the files have not been tampered with since they were created. The mechanics of signing depend on the project's build technology. Infra strongly recommends that projects set up automated infrastructure to sign the files to simplify the work. Generally, projects set up their build system so that the same process that creates the files for a release also signs them.</p>
 <p>The process of setting up to sign the code is somewhat complicated, and is described on the <a href="release-signing.html">release signing</a> page. If you plan to serve as a release manager, you should generate a key and publish it well in advance of creating a release.</p>
 <p><strong>Note</strong> while your project can create and review as many release candidates as it wishes, and can use any automated build process that makes it easier and more reliable to create them, the project cannot publish any release candidate as an official release until it is approved by the voting process described below, and signed by a legal person. The ASF has <strong>not</strong> authorized a completely-automated process for both building and releasing artifacts that does not involve review and approval by the project's PMC and the signature of a human in the release artifact bundle.</p>
 <h2 id="voting">Voting whether to approve the release<a class="headerlink" href="#voting" title="Permanent link">&para;</a></h2>

 <p>A binding release vote of the PMC is the critical gating step in the release process. Without such a vote, the release is just a set of files prepared by an individual. After such a vote, it is a formal offering of the ASF, backed by the "full faith and credit" of the Foundation.</p>
 <h2 id="distribution">Distribution<a class="headerlink" href="#distribution" title="Permanent link">&para;</a></h2>

 <p>The Apache infrastructure <em>must</em> be the primary source for all artifacts officially released by the ASF.</p>
 <p>Infra maintains the Apache release distribution infrastructure, which has three parts:</p>
 <ul>
 <li>the directories of current releases on <code>downloads.apache.org</code></li>
 <li>previous releases on <code>archive.apache.org</code></li>
 <li>Maven repository on <code>repository.apache.org</code></li>
 </ul>
 <h3 id="uploading">Uploading packages<a class="headerlink" href="#uploading" title="Permanent link">&para;</a></h3>

 <ul>
 <li>Upload development packages and snapshots to <code>https://dist.apache.org/repos/dist/dev/$project/</code></li>
 <li>Upload release packages to <code>https://dist.apache.org/repos/dist/release/$project/</code>. If your project uses a Subersion repository, you can use <code>svn mv</code> from the <code>dev</code> folder.</li>
 <li>Incubator projects can find their dev/release folder inside their incubator directory.</li>
 </ul>
 <h3 id="normal">Normal distribution on the Apache downloads site<a class="headerlink" href="#normal" title="Permanent link">&para;</a></h3>

 <p>See the <a href="release-distribution.html">Release Distribution Policy</a> for specific technical requirements.</p>
 <p>Each Apache TLP has a <code>release/TLP-name</code> directory in the distribution Subversion repository at <code>https://dist.apache.org/repos/dist/</code>. Once a release vote passes, the release manager adds the release artifacts (plus signature and hash files) to this location. Each project is responsible for the structure of its directory. <a href="pypubsub.html">PyPubSub</a> pushes the contents of these directories to <code>http://downloads.apache.org/</code>. <strong>Note</strong> only store the most recent version of each supported release here.</p>
 <ul>
 <li>
 <p><strong>Do not</strong> use the SVN directories under <code>https://dist.apache.org/repos/dist/</code> to link to product releases. Projects must use the ASF release system. See <a href="release-download-pages.html">Release Download Pages</a> for further details.</p>
 </li>
 <li>
 <p>A signature (<code>.asc</code>) can become invalid because the signing key is revoked or has expired. Make sure all current signatures for your project in <code>downloads.apache.org/</code> are valid.</p>
 </li>
 <li>
 <p>Hash, signature and KEYS files are excluded from the public release:</p>
 </li>
 </ul>
 <p><code>*.md5 *.sha *.sha1 *.sha256 *.sha512 *.asc *.sig KEYS *.mds MD5SUM SHA*SUM</code></p>
 <ul>
 <li><strong>Do not</strong> publish <code>.md5</code> files because MD5 is broken.</li>
 <li><strong>Do not</strong> publish <code>.sig</code> files. Make sure your <code>.asc</code>s are plain-text files.</li>
 <li>
 <p>The download page should use <code>HTTPS:</code> rather than plain <code>HTTP:</code> for linking to KEYS, sigs and hashes (for example: <code>https://downloads.apache.org/httpd/KEYS</code>).</p>
 </li>
 <li>
 <p>In addition to the checksum files required in the <a href="release-distribution.html">Release Distribution Policy</a>, the project can provide an <code>MD5SUM</code> or <code>SHA*SUM</code>. <code>MD5SUM</code> and <code>SHA*SUM</code> must look like the output of <code>md5sum(1)</code>: lines containing a checksum, followed by a filename ; use only plain file names (no slashes). Do not use any other file names for such files.</p>
 </li>
 </ul>
 <p>If the release directory does not yet exist, please create a Jira ticket for INFRA with the required information (see the <a href="contact.html">contact</a> page).</p>
 <p><strong>Note</strong>: By default, only PMC/PPMC members have write access to the <code>dist/release</code> directories. The <code>dist/dev</code> directories by default allow write access by committers.</p>
 <h3 id="tomaven">Maven distribution<a class="headerlink" href="#tomaven" title="Permanent link">&para;</a></h3>

 <p>See <a href="publishing-maven-artifacts.html">Publishing Maven releases</a>.</p>
 <h2 id="timeline">Release distribution availability schedule<a class="headerlink" href="#timeline" title="Permanent link">&para;</a></h2>

 <p>Releases pushed to the <code>dist/release</code> subversion directory will be available for download almost immediately after the push/move operation has completed,
 though the exact speed depends on the size of the artifact(s) that have been uploaded. Generally speaking, releases should be available on
 <a href="https://downloads.apache.org/">downloads.apache.org</a> within 15 minutes of publishing them to <code>dist/release</code>.</p>
 <p>Our global content delivery network (CDN) at <a href="https://dlcdn.apache.org/">dlcdn.apache.org</a> will have files available for download within
 seconds of them appearing on downloads.apache.org. However, due to our current caching algorithms, they may not appear in the raw directory listings
 for up to two hours even though the files are present on the service. We are currently working on ways to improve this experience, and will
 update this page when/if the process has changed.</p>
 <p>Our <a href="release-download-pages.html#download-scripts">download helper script</a> also employ caching to help speed up processing, and its findings
 (whether or not a release is present on the CDN) may be delayed by up to an hour in some circumstances. We therefore advise projects to wait
 for one hour after publishing a release before announcing it to the wider public.</p>
 <p>As a rule of thumb, projects should currently:</p>
 <ol>
 <li>upload or move the release to the <code>dist/release</code> space in subversion</li>
 <li>after a few minutes, check <a href="https://downloads.apache.org/">downloads.apache.org</a> for whether their release has been published on our download server</li>
 <li>when the download is present, wait one hour for any caching to reset, then announce the general availability of the release</li>
 </ol>
 <h2 id="faqs">FAQs<a class="headerlink" href="#faqs" title="Permanent link">&para;</a></h2>

 <ul>
 <li><strong>How do I archive an old release?</strong> <code>downloads.apache.org</code> is automatically archived every four hours. Therefore, a copy of every official release exists in the archives. Just delete the copy of the release that is in your project's dist directory. Remember to update any links from the download page related to that release.</li>
 </ul>
         </div>
       </div>
     </div>
     <!-- footer -->
     <div class="row">
       <div class="large-12 medium-12 columns">
         <p style="font-style: italic; font-size: 0.8rem; text-align: center;">
           Copyright 2024, <a href="https://www.apache.org/">The Apache Software Foundation</a>, Licensed under the <a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.<br/>
           Apache&reg; and the Apache feather logo are trademarks of The Apache Software Foundation...
         </p>
       </div>
     </div>
     <script type="application/ecmascript" src="/js/bootstrap.bundle.min.js" integrity="sha384-OERcA2EqjJCMA+/3y+gxIOqMEjwtxJY7qPCqsdltbNJuaOe923+mo//f6V8Qbsw3"></script>      </div>
   </main>
     <script>hljs.initHighlightingOnLoad();</script>
   </body>
 </html>
	<!doctype html>
	<html class="no-js" lang="en" dir="ltr">
	<head>
	<meta charset="utf-8">
	<meta http-equiv="x-ua-compatible" content="ie=edge">
	<meta name="viewport" content="width=device-width, initial-scale=1.0">
	<title>Release Creation Process - Apache Infrastructure Website</title>
	<link href="/css/bootstrap.min.css" rel="stylesheet">
	<link href="/css/fontawesome.all.min.css" rel="stylesheet">
	<link href="/css/headerlink.css" rel="stylesheet">
	<script src="/highlight/highlight.min.js"></script> </head>
	<body class="d-flex flex-column h-100">
	<main class="flex-shrink-0">
	<div>

	<!-- nav bar -->
	<nav class="navbar navbar-expand-lg navbar-dark bg-dark" aria-label="Fifth navbar example">
	<div class="container-fluid">
	<a class="navbar-brand" href="/"><img src="/images/feather.png" style="height: 32px;"/> Apache Infrastructure</a>
	<button class="navbar-toggler" type="button" data-bs-toggle="collapse" data-bs-target="#navbarADP" aria-controls="navbarADP" aria-expanded="false" aria-label="Toggle navigation">
	<span class="navbar-toggler-icon"></span>
	</button>

	<div class="collapse navbar-collapse" id="navbarADP">
	<ul class="navbar-nav me-auto mb-2 mb-lg-0">
	<li class="nav-item dropdown">
	<a class="nav-link dropdown-toggle" href="#" data-bs-toggle="dropdown" aria-expanded="false">About</a>
	<ul class="dropdown-menu">
	<li><a class="dropdown-item" href="/team.html">About the team</a></li>
	<li><a class="dropdown-item" href="/roundtable.html">The Infrastructure Roundtable</a></li>
	<li><a class="dropdown-item" href="/blog/">The Infrastructure Blog</a></li>
	</ul>
	</li>
	<li class="nav-item">
	<a class="nav-link" href="/policies.html">Policies</a>
	</li>
	<li class="nav-item dropdown">
	<a class="nav-link dropdown-toggle" href="#" data-bs-toggle="dropdown" aria-expanded="false">Services and Tools</a>
	<ul class="dropdown-menu">
	<li><a class="dropdown-item" href="/services.html">Services and Tools</a></li>
	<li><a class="dropdown-item" href="/machines.html">Machines and Fingerprints</a></li>
	<li><a class="dropdown-item" href="https://blocky.apache.org/">Blocky</a></li>
	<li><a class="dropdown-item" href="https://app.datadoghq.com/account/login?next=%2Finfrastructure">DataDog</a></li>
	<li><a class="dropdown-item" href="https://whimsy.apache.org/roster/committer/" target="_blank">Committer Search</a></li>
	</ul>
	</li>
	<li class="nav-item dropdown">
	<a class="nav-link dropdown-toggle" href="#" data-bs-toggle="dropdown" aria-expanded="false">Documentation</a>
	<ul class="dropdown-menu">
	<li><a class="dropdown-item" href="/doc.html">Contribute</a></li>
	<li><a class="dropdown-item" href="/infra-volunteer.html">Volunteer with Infra</a></li>
	<li><a class="dropdown-item" href="/how-to-mirror.html">Become an ASF download mirror</a></li>
	<li><a class="dropdown-item" href="/hosting-external-agent.html">Host a Jenkins or Buildbot agent</a></li>

	</ul>
	</li>
	<li class="nav-item">
	<a class="nav-link" href="/stats.html">Status</a>
	</li>
	<li class="nav-item">
	<a class="nav-link" href="/contact.html">Contact Us</a>
	</li>
	</ul>
	</div>
	</div>
	</nav>


	<!-- page contents -->
	<div id="contents">
	<div class="bg-white p-5 rounded">
	<div class="col-sm-8 mx-auto">
	<h1>
	Release Creation Process
	</h1>
	<p>These best practices help guide a PMC through the steps to create and publish an Apache software product release. It complements the formal <a href="https://www.apache.org/legal/release-policy.html" target="_blank">Apache Release Policy</a>, defining what must be in a software release, and <a href="release-distribution.html">Release Distribution Policy</a>.</p>
	<p>Every Apache Software Foundation project software release must meet requirements for content , process , and publication. These requirements ensure that Apache contributors and users benefit from appropriate legal protection the ASF provides, and reflect the Foundation's goals of open, collaborative software development.</p>
	<h2>Contents</h2>
	<ul>
	<li><a href="#definition">An Apache release</a></li>
	<li><a href="#releasemanager">The release manager</a></li>
	<li><a href="#valid">A valid release package</a></li>
	<li><a href="#signing">Signing release artifacts</a></li>
	<li><a href="#voting">Voting whether to approve the release</a></li>
	<li><a href="#distribution">Distribution</a><ul>
	<li><a href="#uploading">Uploading packages</a></li>
	<li><a href="#normal">Normal distribution on the Apache downloads site</a></li>
	<li><a href="#tomaven">Maven distribution</a></li>
	</ul>
	</li>
	<li><a href="#timeline">Release distribution availability schedule</a></li>
	<li><a href="#faqs">FAQs</a></li>
	</ul>
	<h2 id="definition">An Apache release<a class="headerlink" href="#definition" title="Permanent link">¶</a></h2>

	<p>An Apache release is a set of <strong>valid</strong>, <strong>signed</strong>, artifacts, <strong>voted on</strong> by the appropriate PMC and <strong>distributed</strong> on the official ASF release infrastructure. See below for discussion of the words in bold, all of which are essential.</p>
	<p>To make a release, an Apache project:</p>
	<ol>
	<li>Has code that complies with the software licensing requirements</li>
	<li>Decides as a community to make a release, and designates a release manager</li>
	<li>The release manager prepares and signs the proposed release materials</li>
	<li>The PMC votes whether to approve the release</li>
	<li>If the vote passes, the release manager copies the artifacts to the distribution infrastructure.</li>
	</ol>
	<p>A release starts when the project community agrees to make a release. However, no release manager can make a valid release unless the community has taken the necessary steps. The source code and build process must comply with the ASF legal and intellectual property requirements for a valid release, and the project must have the infrastructure in place to correctly <strong>sign</strong> the release artifacts (see below).</p>
	<h2 id="releasemanager">The release manager<a class="headerlink" href="#releasemanager" title="Permanent link">¶</a></h2>

	<p>Most projects designate a committer to be the <em>release manager</em> who takes responsibility for the mechanics of a release. It is a good idea to let several committers take this role on different releases so that more than one person is comfortable doing a release. Release managers shepherd a release from an initial community consensus to getting the compiled code package to final distribution, and may be involved in publicizing the release to the project's community and the ASF in general.</p>
	<p>Unless otherwise specified, only PMC members can act as release managers. If your project wishes to allow normal committers to release files, please <a href="contact.html">contact infrastructure</a> with your request.</p>
	<p>Release managers do the mechanical work; but the PMC in general, and the PMC chair in particular (as an officer of the Foundation), are responsible for compliance with ASF requirements.</p>
	<p>Any committer may serve as release manager.</p>
	<h2 id="valid">A valid release package<a class="headerlink" href="#valid" title="Permanent link">¶</a></h2>

	<p>The Apache Software Foundation exists to create open source software, so the fundamental requirement for a release is that it has the necessary source code to build the project. A project may provide compiled binaries of each release for the convenience of users.</p>
	<p>All project source code must be covered by the <a href="https://www.apache.org/licenses/LICENSE-2.0" target="_blank">Apache License, version 2.0</a>. The license or appropriate boilerplate text must be included in each source file. For the license to be valid, the code must have been contributed by an individual covered by an appropriate <a href="https://www.apache.org/licenses/contributor-agreements.html" target="_blank">contributor license agreement</a>, or have otherwise been licensed to the Foundation and passed through IP clearance. See <a href="https://www.apache.org/legal/release-policy.html" target="_blank">this page</a> for details on release requirements. When in doubt, contact the Foundation's Legal resources by filing a Jira ticket under the 'LEGAL' project. The Apache <a href="https://creadur.apache.org/rat/" target="_blank">Release Audit Tool (RAT)</a> can help you verify that your proposed release complies with the requirements.</p>
	<p>Many projects have dependencies on non-Apache components. For an Apache release to be valid, it can only depend on non-Apache components that have compatible licenses. For more information on third party licenses allowed, see the <a href="https://www.apache.org/legal/resolved.html" target="_blank">ASF Third Party License Policy</a>.</p>
	<h2 id="signing">Signing release artifacts<a class="headerlink" href="#signing" title="Permanent link">¶</a></h2>

	<p>The files that make up an Apache release always are accompanied by cryptographic signatures. This allows users to ensure that the files have not been tampered with since they were created. The mechanics of signing depend on the project's build technology. Infra strongly recommends that projects set up automated infrastructure to sign the files to simplify the work. Generally, projects set up their build system so that the same process that creates the files for a release also signs them.</p>
	<p>The process of setting up to sign the code is somewhat complicated, and is described on the <a href="release-signing.html">release signing</a> page. If you plan to serve as a release manager, you should generate a key and publish it well in advance of creating a release.</p>
	<p><strong>Note</strong> while your project can create and review as many release candidates as it wishes, and can use any automated build process that makes it easier and more reliable to create them, the project cannot publish any release candidate as an official release until it is approved by the voting process described below, and signed by a legal person. The ASF has <strong>not</strong> authorized a completely-automated process for both building and releasing artifacts that does not involve review and approval by the project's PMC and the signature of a human in the release artifact bundle.</p>
	<h2 id="voting">Voting whether to approve the release<a class="headerlink" href="#voting" title="Permanent link">¶</a></h2>

	<p>A binding release vote of the PMC is the critical gating step in the release process. Without such a vote, the release is just a set of files prepared by an individual. After such a vote, it is a formal offering of the ASF, backed by the "full faith and credit" of the Foundation.</p>
	<h2 id="distribution">Distribution<a class="headerlink" href="#distribution" title="Permanent link">¶</a></h2>

	<p>The Apache infrastructure <em>must</em> be the primary source for all artifacts officially released by the ASF.</p>
	<p>Infra maintains the Apache release distribution infrastructure, which has three parts:</p>
	<ul>
	<li>the directories of current releases on <code>downloads.apache.org</code></li>
	<li>previous releases on <code>archive.apache.org</code></li>
	<li>Maven repository on <code>repository.apache.org</code></li>
	</ul>
	<h3 id="uploading">Uploading packages<a class="headerlink" href="#uploading" title="Permanent link">¶</a></h3>

	<ul>
	<li>Upload development packages and snapshots to <code>https://dist.apache.org/repos/dist/dev/$project/</code></li>
	<li>Upload release packages to <code>https://dist.apache.org/repos/dist/release/$project/</code>. If your project uses a Subersion repository, you can use <code>svn mv</code> from the <code>dev</code> folder.</li>
	<li>Incubator projects can find their dev/release folder inside their incubator directory.</li>
	</ul>
	<h3 id="normal">Normal distribution on the Apache downloads site<a class="headerlink" href="#normal" title="Permanent link">¶</a></h3>

	<p>See the <a href="release-distribution.html">Release Distribution Policy</a> for specific technical requirements.</p>
	<p>Each Apache TLP has a <code>release/TLP-name</code> directory in the distribution Subversion repository at <code>https://dist.apache.org/repos/dist/</code>. Once a release vote passes, the release manager adds the release artifacts (plus signature and hash files) to this location. Each project is responsible for the structure of its directory. <a href="pypubsub.html">PyPubSub</a> pushes the contents of these directories to <code>http://downloads.apache.org/</code>. <strong>Note</strong> only store the most recent version of each supported release here.</p>
	<ul>
	<li>
	<p><strong>Do not</strong> use the SVN directories under <code>https://dist.apache.org/repos/dist/</code> to link to product releases. Projects must use the ASF release system. See <a href="release-download-pages.html">Release Download Pages</a> for further details.</p>
	</li>
	<li>
	<p>A signature (<code>.asc</code>) can become invalid because the signing key is revoked or has expired. Make sure all current signatures for your project in <code>downloads.apache.org/</code> are valid.</p>
	</li>
	<li>
	<p>Hash, signature and KEYS files are excluded from the public release:</p>
	</li>
	</ul>
	<p><code>.md5 .sha .sha1 .sha256 .sha512 .asc .sig KEYS .mds MD5SUM SHA*SUM</code></p>
	<ul>
	<li><strong>Do not</strong> publish <code>.md5</code> files because MD5 is broken.</li>
	<li><strong>Do not</strong> publish <code>.sig</code> files. Make sure your <code>.asc</code>s are plain-text files.</li>
	<li>
	<p>The download page should use <code>HTTPS:</code> rather than plain <code>HTTP:</code> for linking to KEYS, sigs and hashes (for example: <code>https://downloads.apache.org/httpd/KEYS</code>).</p>
	</li>
	<li>
	<p>In addition to the checksum files required in the <a href="release-distribution.html">Release Distribution Policy</a>, the project can provide an <code>MD5SUM</code> or <code>SHASUM</code>. <code>MD5SUM</code> and <code>SHASUM</code> must look like the output of <code>md5sum(1)</code>: lines containing a checksum, followed by a filename ; use only plain file names (no slashes). Do not use any other file names for such files.</p>
	</li>
	</ul>
	<p>If the release directory does not yet exist, please create a Jira ticket for INFRA with the required information (see the <a href="contact.html">contact</a> page).</p>
	<p><strong>Note</strong>: By default, only PMC/PPMC members have write access to the <code>dist/release</code> directories. The <code>dist/dev</code> directories by default allow write access by committers.</p>
	<h3 id="tomaven">Maven distribution<a class="headerlink" href="#tomaven" title="Permanent link">¶</a></h3>

	<p>See <a href="publishing-maven-artifacts.html">Publishing Maven releases</a>.</p>
	<h2 id="timeline">Release distribution availability schedule<a class="headerlink" href="#timeline" title="Permanent link">¶</a></h2>

	<p>Releases pushed to the <code>dist/release</code> subversion directory will be available for download almost immediately after the push/move operation has completed,
	though the exact speed depends on the size of the artifact(s) that have been uploaded. Generally speaking, releases should be available on
	<a href="https://downloads.apache.org/">downloads.apache.org</a> within 15 minutes of publishing them to <code>dist/release</code>.</p>
	<p>Our global content delivery network (CDN) at <a href="https://dlcdn.apache.org/">dlcdn.apache.org</a> will have files available for download within
	seconds of them appearing on downloads.apache.org. However, due to our current caching algorithms, they may not appear in the raw directory listings
	for up to two hours even though the files are present on the service. We are currently working on ways to improve this experience, and will
	update this page when/if the process has changed.</p>
	<p>Our <a href="release-download-pages.html#download-scripts">download helper script</a> also employ caching to help speed up processing, and its findings
	(whether or not a release is present on the CDN) may be delayed by up to an hour in some circumstances. We therefore advise projects to wait
	for one hour after publishing a release before announcing it to the wider public.</p>
	<p>As a rule of thumb, projects should currently:</p>
	<ol>
	<li>upload or move the release to the <code>dist/release</code> space in subversion</li>
	<li>after a few minutes, check <a href="https://downloads.apache.org/">downloads.apache.org</a> for whether their release has been published on our download server</li>
	<li>when the download is present, wait one hour for any caching to reset, then announce the general availability of the release</li>
	</ol>
	<h2 id="faqs">FAQs<a class="headerlink" href="#faqs" title="Permanent link">¶</a></h2>

	<ul>
	<li><strong>How do I archive an old release?</strong> <code>downloads.apache.org</code> is automatically archived every four hours. Therefore, a copy of every official release exists in the archives. Just delete the copy of the release that is in your project's dist directory. Remember to update any links from the download page related to that release.</li>
	</ul>
	</div>
	</div>
	</div>
	<!-- footer -->
	<div class="row">
	<div class="large-12 medium-12 columns">
	<p style="font-style: italic; font-size: 0.8rem; text-align: center;">
	Copyright 2024, <a href="https://www.apache.org/">The Apache Software Foundation</a>, Licensed under the <a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.<br/>
	Apache® and the Apache feather logo are trademarks of The Apache Software Foundation...
	</p>
	</div>
	</div>
	<script type="application/ecmascript" src="/js/bootstrap.bundle.min.js" integrity="sha384-OERcA2EqjJCMA+/3y+gxIOqMEjwtxJY7qPCqsdltbNJuaOe923+mo//f6V8Qbsw3"></script> </div>
	</main>
	<script>hljs.initHighlightingOnLoad();</script>
	</body>
	</html>