实操经验 | Apache 基金会顶级项目版本管理和发布流程

前言

前段时间，Apache SeaTunnel经过几个月的迭代和架构升级，终于迎来第一个正式2.3.0版本，我也有幸作为本次的Release Manager，体验了一把从0到1的Apache发版流程，不得不说Apache基金会在项目的版本管理这块有着完善的规范和严谨的流程，整个发版过程周期很长，其中也踩了不少的坑，俗话说好记性不如烂笔头，所以笔者写了一篇文章来记录整个过程（以Apache SeaTunnel为例），希望这篇文章能够让小白快速入门Apache项目版本管理和发布。

Tips: Release Manager需要有Apache LDAP账号，也就意味着你需要首先成为项目的Committer才有资格

环境准备

GIT

用于clone项目源代码到本地

GPG

用于生成数字签名，为你的每一次操作留下痕迹

SHASUM

用于为文件生成签名

SVN

用于拉取Apache Release SVN仓库

MAVEN

用于编译项目

物料准备

配置GPG KEY

新建key

gpg --gen-key

gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: 已创建目录'/home/hadoop/.gnupg'
gpg: 新的配置文件'/home/hadoop/.gnupg/gpg.conf'已建立
gpg: 警告：在'/home/hadoop/.gnupg/gpg.conf'里的选项于此次运行期间未被使用
gpg: 钥匙环'/home/hadoop/.gnupg/secring.gpg'已建立
gpg: 钥匙环'/home/hadoop/.gnupg/pubring.gpg'已建立
请选择您要使用的密钥种类：
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (仅用于签名)
   (4) RSA (仅用于签名)
您的选择？ 1
RSA 密钥长度应在 1024 位与 4096 位之间。
您想要用多大的密钥尺寸？(2048)4096
您所要求的密钥尺寸是 4096 位
请设定这把密钥的有效期限。
         0 = 密钥永不过期
      <n>  = 密钥在 n 天后过期
      <n>w = 密钥在 n 周后过期
      <n>m = 密钥在 n 月后过期
      <n>y = 密钥在 n 年后过期
密钥的有效期限是？(0) 0
密钥永远不会过期
以上正确吗？(y/n)y

如上所示，选择项分别为：

• 1
• 4096
• 0
• y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

真实姓名：tyrantlucifer
电子邮件地址：tyrantlucifer@apache.org
注释：The key of Apache SeaTunnel
您选定了这个用户标识：
    "tyrantlucifer (The key of Apache SeaTunnel) <tyrantlucifer@apache.org>"

更改姓名(N)、注释(C)、电子邮件地址(E)或确定(O)/退出(Q)？o
您需要一个密码来保护您的私钥。

如上所示，你需要为这个key指定个人信息以及加密密码，需要填写

• 姓名
• 邮箱（Apache邮箱）
• key注释
• 密码（很重要，不要忘记，要记住哟）

我们需要生成大量的随机字节。这个时候您可以多做些琐事(像是敲打键盘、移动
鼠标、读写硬盘之类的)，这会让随机数字发生器有更好的机会获得足够的熵数。
我们需要生成大量的随机字节。这个时候您可以多做些琐事(像是敲打键盘、移动
鼠标、读写硬盘之类的)，这会让随机数字发生器有更好的机会获得足够的熵数。
gpg: 密钥 0983DF85 被标记为绝对信任
公钥和私钥已经生成并经签名。

gpg: 正在检查信任度数据库
gpg: 需要 3 份勉强信任和 1 份完全信任，PGP 信任模型
gpg: 深度：0 有效性：  1 已签名：  0 信任度：0-，0q，0n，0m，0f，1u
pub   4096R/0983DF85 2022-12-28
密钥指纹 = AE63 FC40 ECCD 600D 724B  5625 05FD AE73 0983 DF85
uid                  tyrantlucifer (The key of Apache SeaTunnel) <tyrantlucifer@apache.org>
sub   4096R/B7023D46 2022-12-28

验证key

gpg --list-keys

/home/hadoop/.gnupg/pubring.gpg
-------------------------------
pub   4096R/0983DF85 2022-12-28
uid                  tyrantlucifer (The key of Apache SeaTunnel) <tyrantlucifer@apache.org>
sub   4096R/B7023D46 2022-12-28

Tips: 0983DF85就是你的公钥缩写

上传key到公共服务器

gpg --keyserver keyserver.ubuntu.com --send-key 0983DF85

验证key是否正常上传

1. 命令行验证

gpg --keyserver keyserver.ubuntu.com --search-keys 0983DF85

2. 网站验证

   OpenPGP Keyserver (ubuntu.com)

Tips: 该截图是我之前已经上传好的key，和上一步骤生成的key不一致是正常的

配置maven

创建主密码

mvn --encrypt-master-password <apache password>

新建文件~/.m2/settings-security.xml

<settingsSecurity>
    <master><!-- 这里填入上一步输出的密码 --></master>
</settingsSecurity>

加密Apache LDAP 密码

mvn --encrypt-password <apache password>

新增配置

编辑你本地maven环境的配置文件，一般路径为~/.m2/setting.xml，添加

<settings>
  <servers>
    <server>
      <id>apache.snapshots.https</id>
      <username> <!-- APACHE LDAP USERNAME --> </username>
      <password> <!-- APACHE LDAP ENCRYPTED PASSWORD，上一步加密的密码 --> </password>
    </server>
    <server>
      <id>apache.releases.https</id>
      <username> <!-- APACHE LDAP USERNAME --> </username>
      <password> <!-- APACHE LDAP ENCRYPTED PASSWORD，上一步加密的密码 --> </password>
    </server>
    <server>
        <id>gpg.passphrase</id>
        <passphrase><!-- GPG KEY PASSWORD --></passphrase>
    </server>
  </servers>
</settings>

项目版本准备

分支准备

mkdir -p ~/seatunnel-release-prepare
cd ~/seatunnel-release-prepare
git clone git@github.com:apache/seatunnel.git
cd seatunnel
git checkout -b ${RELEASE.VERSION}-release

更新release-note

vim release-note.md
git add release-note.md
git commit -m "[Release][${RELEASE.VERSION}][release-note] Add release-note"
git push

预编译测试

mvn release:prepare -Prelease -Darguments="-DskipTests" -DdryRun=true -Dusername=${GITHUB USERNAME}

编译

mvn release:clean
mvn release:prepare -Prelease -Darguments="-DskipTests" -DpushChanges=false -Dusername=${GITHUB USERNAME}

提交代码

git push
git push origin --tags

部署jar包

1. 上传jar包

mvn release:perform -Prelease -Darguments="-DskipTests" -Dusername=${GITHUB USERNAME}

2. 关闭stage仓库

   https://repository.apache.org/#stagingRepositories

上传SVN

拉取release和dev仓库到本地

mkdir -p ~/seatunnel-release-prepare/dev
mkdir -p ~/seatunnel-release-prepare/release
cd ~/seatunnel-release-prepare/dev
svn --username=${APACHE LDAP username} co https://dist.apache.org/repos/dist/dev/seatunnel
cd ~/seatunnel-release-prepare/release
svn --username=${APACHE LDAP username} co https://dist.apache.org/repos/dist/release/seatunnel

上传key到dev和release仓库

Tips: 只有第一次发版的Release Manager才需要做这一步

cd ~/seatunnel-release-prepare/dev/seatunnel
gpg -a --export ${GPG USERNAME} >> KEYS
svn add KEYS
svn --username=${APACHE LDAP USERNAME} commit -m "Add ${APACHE LDAP USERNAME} GPG key"

cd ~/seatunnel-release-prepare/release/seatunnel
gpg -a --export ${GPG USERNAME} >> KEYS
svn add KEYS
svn --username=${APACHE LDAP USERNAME} commit -m "Add ${APACHE LDAP USERNAME} GPG key"

上传源码包和二进制包到dev仓库

1. 复制源码包和二进制包

    mkdir -p ~/seatunnel-release-prepare/dev/${RELEASE.VERSION}
    cp -f ~/seatunnel-release-prepare/seatunnel/seatunnel-dist/target/*.tar.gz ~/seatunnel-release-prepare/dev/${RELEASE.VERSION}
    cd ~/seatunnel-release-prepare/dev/${RELEASE.VERSION}

2. 生成签名

    shasum -a 512 apache-seatunnel-${RELEASE.VERSION}-src.tar.gz >> apache-seatunnel-${RELEASE.VERSION}-src.tar.gz.sha512
    shasum -b -a 512 apache-seatunnel-${RELEASE.VERSION}-bin.tar.gz >> apache-seatunnel-${RELEASE.VERSION}-bin.tar.gz.sha512

3. 生成GPG签名

    gpg --armor --detach-sig apache-seatunnel-${RELEASE.VERSION}-src.tar.gz
    gpg --armor --detach-sig apache-seatunnel-${RELEASE.VERSION}-bin.tar.gz

4. 检查文件签名

    shasum -c apache-seatunnel-${RELEASE.VERSION}-src.tar.gz.sha512
    shasum -c apache-seatunnel-${RELEASE.VERSION}-bin.tar.gz.sha512

5. 检查数字签名

   1. 导入(Release Manager不需要做这一步)

      curl https://dist.apache.org/repos/dist/dev/seatunnel/KEYS >> KEYS
      gpg --import KEYS
      gpg --edit-key "${GPG username of releaser}"
        > trust
      
      Please decide how far you trust this user to correctly verify other users' keys
      (by looking at passports, checking fingerprints from different sources, etc.)
      
        1 = I don't know or won't say
        2 = I do NOT trust
        3 = I trust marginally
        4 = I trust fully
        5 = I trust ultimately
        m = back to the main menu
      
      Your decision? 5
      
        > save

   2. 检查gpg数字签名

      gpg --verify apache-seatunnel-${RELEASE.VERSION}-src.tar.gz.asc apache-seatunnel-${RELEASE.VERSION}-src.tar.gz
      gpg --verify apache-seatunnel-${RELEASE.VERSION}-seatunnel-bin.tar.gz.asc apache-seatunnel-${RELEASE.VERSION}-seatunnel-bin.tar.gz

6. 提交所有文件至dev仓库

    svn add *
    svn --username=${APACHE LDAP USERNAME} commit -m "release ${RELEASE.VERSION}"

邮件发起投票

dev@seatunnel.apache.org投票

发起投票

[VOTE] Release Apache SeaTunnel 2.3.0

Hello SeaTunnel Community,

This is a call for vote to release Apache SeaTunnel () version 2.3.0

Release notes:
https://github.com/apache/seatunnel/blob/2.3.0/release-note.md

The release candidates:
https://dist.apache.org/repos/dist/dev/seatunnel/2.3.0 

Git tag for the release:
https://github.com/apache/seatunnel/tree/2.3.0

Maven 2 staging repository:
https://repository.apache.org/content/repositories/orgapacheseatunnel-1015/org/apache/seatunnel/

Release Commit ID:
https://github.com/apache/seatunnel/commit/d7280abbe9e72262640836182a7f090a5706988a

Keys to verify the Release Candidate: 
https://downloads.apache.org/seatunnel/KEYS

The vote will be open for at least 72 hours or until necessary numbers of votes are reached.

Please vote accordingly:

[ ] +1 approve

[ ] +0 no opinion

[ ] -1 disapprove with the reason

Checklist for reference:

[ ] Download links are valid.

[ ] Checksums and PGP signatures are valid.

[ ] Source code artifacts have correct names matching the current release.

[ ] LICENSE and NOTICE files are correct for each SeaTunnel repo.

[ ] All files have license headers if necessary.

[ ] No compiled archives bundled in source archive.

More detail checklist please refer:
https://cwiki.apache.org/confluence/display/Release+Checklist


--

Best Regards
Chao Tian

关闭投票

[VOTE] Release Apache SeaTunnel() 2.3.0

Hi SeaTunnel Community,

Thanks, everyone, I will close this vote thread and the results will be tallied.

Best wishes!
Chao Tian

归票

[RESULT] [VOTE] Release Apache SeaTunnel() 2.3.0

Hi SeaTunnel community,

This vote now closes since 72 hours have passed.

The vote PASSES with

3 (+1 binding) votes from the IPMC,
David,
Guo Wei,
Calvin Kirs  

6 (+1 non-binding) votes from the developer from the community

Jun Gao, 
TaoZex, 
hailin0,
Peng Yuan,
Zongwen Li,
Guangdong Liu
and no further 0 or -1 votes.


The vote thread: 

https://lists.apache.org/thread/98oc6q6vghlg8qpfyf5yttzy925tfp9g 


Thanks for your participation, I will now bring the vote to
[general@apache.org](mailto:general@apache.org) <mailto:
[general@apache.org](mailto:general@apache.org)> to get
approval by the IPMC.
If this vote passes also, the release is accepted and will be published.

Best wishes,
Chao Tian

general@apache.org投票

发起投票

[VOTE] Release Apache SeaTunnel() 2.3.0

Hello IPMC, This is an official vote for the Apache
SeaTunnel() 2.3.0  that we have been working toward.

To learn more about Apache SeaTunnel(), please see:

https://seatunnel.apache.org

The Apache SeaTunnel () community has voted and approved the release.

Vote thread:

https://lists.apache.org/thread/98oc6q6vghlg8qpfyf5yttzy925tfp9g

Result thread:

https://lists.apache.org/thread/6c0463dsoh8r0gmvqo67lttgy4o40xst

Release changes:

https://github.com/apache/seatunnel/blob/2.3.0/release-note.md

The release candidates:

https://dist.apache.org/repos/dist/dev/seatunnel/2.3.0

Maven 2 staging repository:

https://repository.apache.org/content/repositories/orgapacheseatunnel-1015/org/apache/seatunnel/

Git tag for the release:

https://github.com/apache/seatunnel/tree/2.3.0

Release Commit ID:

https://github.com/apache/seatunnel/commit/d7280abbe9e72262640836182a7f090a5706988a

Keys to verify the Release Candidate:

https://downloads.apache.org/seatunnel/KEYS

GPG user ID:

tyrantlucifer

The vote will be open for at least 72 hours or until necessary numbers
of votes are reached.

Please vote accordingly:

[ ] +1 approve
[ ] +0 no opinion
[ ] -1 disapprove with the reason

Checklist for reference:

[ ] Download links are valid.
[ ] Checksums and PGP signatures are valid.
[ ] DISCLAIMER is included.
[ ] Source code artifacts have correct names matching the current release.
[ ] LICENSE and NOTICE files are correct for each SeaTunnel repo.
[ ] All files have license headers if necessary.
[ ] No compiled archives bundled in source archive.

More detail checklist please refer:
https://cwiki.apache.org/confluence/display/Release+Checklist

The following votes are carried over from the SeaTunnel dev mailing list:

+1(binding)
David,
William-Guowei,
Calvin Kirs

Best Regards,
Chao Tian

关闭投票

[VOTE] Release Apache SeaTunnel() 2.3.0

Hi IPMC,

Thanks, everyone, I will close this vote thread and the results will be tallied.

Best wishes!
Chao Tian

归票

[RESULT] [VOTE] Release Apache SeaTunnel() 2.3.0

Hi SeaTunnel community,

This vote now closes since 72 hours have passed.

The vote PASSES with

3 (+1 binding) votes from the IPMC,
David,
Guo Wei,
Calvin Kirs  

6 (+1 non-binding) votes from the developer from the community

Jun Gao, 
TaoZex, 
hailin0,
Peng Yuan,
Zongwen Li,
Guangdong Liu
and no further 0 or -1 votes.


The vote thread: 

https://lists.apache.org/thread/98oc6q6vghlg8qpfyf5yttzy925tfp9g 


Thanks for your participation, I will now bring the vote to
[general@apache.org](mailto:general@apache.org) <mailto:
approval by the IPMC.
If this vote passes also, the release is accepted and will be published.

Best wishes,
Chao Tian

正式发版

从dev仓库移动文件至release仓库

svn mv https://dist.apache.org/repos/dist/dev/seatunnel/${RELEASE.VERSION} https://dist.apache.org/repos/dist/release/seatunnel/

发布maven仓库

发送通知邮件

dev@seatunnel.apache.org

Hi all,

We are glad to announce the release of Apache SeaTunnel() ${RELEASE.VERSION}.

Once again I would like to express my thanks to your help.

SeaTunnel: SeaTunnel() is a distributed, high-performance data integration platform for the synchronization and transformation of massive
data (offline & real-time).

Apache SeaTunnel() website: 

http://seatunnel.apache.org/

Downloads: 

https://seatunnel.apache.org/download/

Release Notes:

https://github.com/apache/seatunnel/blob/${RELEASE.VERSION}/release-note.md

Documents: 

https://seatunnel.apache.org/docs/${RELEASE.VERSION}/intro/about

Twitter: 

https://twitter.com/ASFSeaTunnel

SeaTunnel() Resources:
- GitHub: https://github.com/apache/seatunnel
- Issue: https://github.com/apache/seatunnel/issues
- Mailing list: dev@seatunnel.apache.org

- Apache SeaTunnel() Team

总结

作为一名Apache Release Manager需要做的前期准备工作有很多且很繁琐，需要更多的耐心和细心，由于所有的仓库都在国外，任何一个步骤都会可能因为网络延迟而失败，但不要因此气馁，唯有不断的尝试才能走向最终的胜利，希望本篇文章能够帮助到初次发版的Release Manager，让大家少走弯路。

本文由 白鲸开源科技 提供发布支持！