Apache Seata™ (incubating) 发布手册
1. 前言
1.1 Apache 版本发布文档
参考以下链接,了解 ASF 版本发布流程:
1.2 PGP 签名
遵循 Apache 版本发布指南,对发布版本签名,用户也可据此判断下载的版本是否被篡改。
创建 pgp 密钥用于版本签名,使用 <your Apache ID>@apache.org 作为密钥 USER-ID
详情可参考 Apache Releases Signing documentation,Cryptography with OpenPGP
生成密钥的简要流程:
-
通过
gpg --full-gen-key生成一个新的gpg密钥, 设置密钥长度为 4096注:可设置永不过期,也可根据自己需求设置一定的过期时间,但需要在过期后更新的公钥到DEV KEYS file 和 RELEASE KEYS file
-
通过
gpg --keyserver keys.openpgp.org --send-key <your key id>上传密钥到公钥服务器注:如若访问不通,可通过OpenPGP Keyserver (ubuntu.com) 在线上传公钥
使用该命令可查到keyid如:gpg --list-signatures --keyid-format LONG
pub rsa4096/XXXXXXXX 2024-09-19 [SC] [有效至:2027-09-19]
F2D3A28A392129B927C7FB42XXXXXXXX
uid [ 绝对 ] xxxx <xxxx@apache.org>
sig 3 XXXXXXXX 2024-09-19 [自签名]
sub rsa4096/XXXXX 2024-09-19 [E] [有效至:2027-09-19]
sig XXXXXXXX 2024-09-19 [自签名]
那么keyid为XXXXXXXX -
通过
gpg --armor --output ./public-key.txt --export XXXXXXXX导出公钥到文本文件 -
将生成的密钥追加到DEV KEYS file 和 RELEASE KEYS file
注意:
DEV SVN 仓库可以由 Release Manager 自行添加,Release SVN 仓库需要 PMC 权限,可以由 PMC 协助将 KEY 进行上传。
Tips: 需要设置默认公钥, 若有多个公钥,请修改 ~/.gnupg/gpg.conf
参考示例:
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: (设置用户名)(使用apache id)
Email address: (设置邮件地址)(使用apache邮箱)
Comment: (填写注释)
You selected this USER-ID:
"用户名 (注释) <邮件地址>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key. (设置密码)
将生成的公钥和私钥转化为 ASCII 形式:
gpg --armor --output ./public-key.txt --export XXXXXXXX
gpg --armor --output ./private-key.txt --export-secret-keys XXXXXXXX
查看密钥列表:
[root@localhost ~]# gpg --list-signatures --keyid-format LONG
[keyboxd]
---------
pub rsa4096/XXXXXXXX 2024-09-19 [SC] [有效至:2027-09-19]
F2D3A28A392129B927C7FB42XXXXXXXX
uid [ 绝对 ] xxxx <xxxx@apache.org>
sig 3 XXXXXXXX 2024-09-19 [自签名]
sub rsa4096/XXXXX 2024-09-19 [E] [有效至:2027-09-19]
sig XXXXXXXX 2024-09-19 [自签名]
上传公钥到公钥服务器
[root@localhost gpgtest]# gpg --keyserver keys.openpgp.org --send-key XXXXXXXX
gpg: sending key XXXXXXXX to hkp server keys.openpgp.org
1.3 POM 配置
配置 POM 文件,以便将版本部署到 ASF Nexus 仓库。
① 添加 Apache POM 继承默认设置
<parent>
<groupId>org.apache</groupId>
<artifactId>apache</artifactId>
<version>XX</version>
</parent>
② Maven 配置文件 settings.xml 中添加密钥信息
<settings>
<profiles>
<profile>
<id>signed_release</id>
<properties>
<mavenExecutorId>forked-path</mavenExecutorId>
<gpg.keyname>yourKeyName</gpg.keyname>
<deploy.url>https://dist.apache.org/repos/dist/dev/incubator/seata/</deploy.url>
</properties>
</profile>
</profiles>
<servers>
<!-- To publish a snapshot of some part of Maven -->
<server>
<id>apache.snapshots.https</id>
<username>yourApacheID</username>
<!-- Use the password encryption by maven -->
<password>yourApachePassword</password>
</server>
<!-- To stage a release of some part of Maven -->
<server>
<id>apache.releases.https</id>
<username>yourApacheID</username>
<password>yourApachePassword</password>
</server>
<server>
<id>gpg.passphrase</id>
<passphrase>yourKeyPassword</passphrase>
</server>
</servers>
</settings>
Tips: 推荐使用 Maven's password encryption capabilities 加密 gpg.passphrase
1.4 发布 Release Notes
通过changelog构建出对应版本的Release Notes
2.发布流程
2.1 准备分支
从主干分支拉取新分支作为发布分支,如现在要发布 ${release_version} 版本,则从开发分支拉出新分支 ${release_version},此后${release_version} Release Candidates 涉及的修改及打标签等都在${release_version}分支进行,并保证该分支的github actions ci全部通过,最终发布完成后合入主干分支。
例:如 Java SDK 需要发布 2.2.0 版本,从 2.x 分支拉出新分支 2.2.0,并在此分支提交从 Snapshot版本号 替换为 2.2.0 版本号的 commit。
2.2 预发布二进制包
1) SDK根据 publishing maven artifacts [4] 的说明准备发布。
mvn clean deploy -Prelease -DskipTests -e -B -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn
此时,seata sdk被发布到 预发仓库 (需要apache账号密码登录),找到发布的版本,即 ${STAGING.RELEASE}, 并点击 Close。
注:如果close失败很可能是因为签名的秘钥对应的公钥在keys.openpgp.org中无法获取到,请自行通过OpenPGP Keyserver (ubuntu.com) 检查
2) Source&Binary提交至svn仓库
a. 安装svn
下载并安装Download Apache Subversion Sources
或通过 brew install subversion 一键安装
b. 编译seata-server及seata-namingserver
mvn -Prelease-seata -Dmaven.test.skip=true -T4C -Dpmd.skip=true clean install -U
c. 将Source及Binary进行签名
Source 建议直接通过github 对应版本分支如2.2.0 进行下载zip包,避免本地环境污染Source包内容,然后重命名为apache-seata-x.x.x-incubating-src.zip
shasum -b -a 512 apache-seata-x.x.x-incubating-src.zip >> apache-seata-x.x.x-incubating-src.zip.sha512
gpg --armor --output apache-seata-x.x.x-incubating-bin.zip.asc apache-seata-x.x.x-incubating-bin.zip
Binary进行签名
shasum -b -a 512 apache-seata-x.x.x-incubating-bin.tar.gz >> apache-seata-x.x.x-incubating-bin.tar.gz.sha512
gpg --armor --output apache-seata-x.x.x-incubating-bin.tar.gz.asc apache-seata-x.x.x-incubating-bin.tar.gz
sha512验证
shasum -c apache-seata-x.x.x-incubating-bin.tar.gz.sha512
asc验证
gpg --verify apache-seata-x.x.x-incubating-src.zip.asc apache-seata-x.x.x-incubating-src.zip
d. 拉取svn至本地,并构建发布版本路径,并将签名文件及Source和Binary移入��其中
拉取svn目录
svn co --depth=empty https://dist.apache.org/repos/dist/dev/incubator/seata/
创建发布版本路径(dev路径中的文件夹必须携带RC代表其实一个预备状态),并将文件移入其中
cd seata
mkdir x.x.xRCN
mv ….. x.x.x
通过以上命令,移入其中后大概如下
-rw-r--r--@ 1 fe-work staff 180M 9 20 10:16 apache-seata-2.2.0-incubating-bin.tar.gz
-rw-r--r--@ 1 fe-work staff 180M 9 20 10:16 apache-seata-2.2.0-incubating-bin.tar.gz.asc
-rw-r--r--@ 1 fe-work staff 187B 9 20 10:16 apache-seata-2.2.0-incubating-bin.tar.gz.sha512
-rw-r--r--@ 1 fe-work staff 6.7M 9 20 10:16 apache-seata-2.2.0-incubating-src.zip
-rw-r--r--@ 1 fe-work staff 6.7M 9 20 10:16 apache-seata-2.2.0-incubating-src.zip.asc
-rw-r--r-- 1 fe-work staff 300B 9 20 10:16 apache-seata-2.2.0-incubating-src.zip.sha512
而其上级seata目录中的KEYS需要保证追加了第一步所说的,将构建的公钥放入其中
执行
svn add x.x.x
svn commit -m "submit x.x.x version"
如果更新了KEYS 需要在commit之前执行 svn update KEYS
执行commit后会提示输入apache ldap账号密码,输入后即可提交成功
➜ seata svn commit -m 'submit 2.2.0 version'
正在增加 2.2.0
正在增加 (二进制) 2.2.0/apache-seata-2.2.0-incubating-bin.tar.gz
正在增加 (二进制) 2.2.0/apache-seata-2.2.0-incubating-bin.tar.gz.asc
正在增加 2.2.0/apache-seata-2.2.0-incubating-bin.tar.gz.sha512
正在增加 (二进制) 2.2.0/apache-seata-2.2.0-incubating-src.zip
正在增加 (二进制) 2.2.0/apache-seata-2.2.0-incubating-src.zip.asc
正在增加 2.2.0/apache-seata-2.2.0-incubating-src.zip.sha512
传输文件数据......done
正在读取事务
提交后的版本为 71769。
3) 创建tag及releasenote
a. 创建tag
在x.x.x分支下执行
git tag vx.x.x -m 'release: release for x.x.x'
git push upstream(seata仓库repo) vx.x.x
b. 创建release note
通过该链接创建release note New release · apache/incubator-seata (github.com) 并将Choose a tag设置为对应的tag
并设置为Set as a pre-release 整体投票通过后再设置为Set as the latest release
2.3 验证Release Candidates
详细的检查列表请参考官方的check list
首先,从以下地址下载要发布的Release Candidate到本地环境:
https://dist.apache.org/repos/dist/dev/incubator/seata/${release_version}/
然后,开始验证环节,验证包含但不限于以下内容和形式
检查签名和hash等信息
检查sha512哈希
$ shasum -c apache-seata-${release_version}-incubating-bin.tar.gz.sha512
$ shasum -c apache-seata-${release_version}-incubating-src.tar.gz.sha512
检查gpg签名
如果是第一次检查,需要首先导入公钥。
$ curl https://downloads.apache.org/incubator/seata/KEYS >> KEYS # 下载公钥到本地
$ gpg --import KEYS # 导入公钥
$ gpg --edit-key xxx # xxx为你的apache id
> trust # 输入 trust 命令,信任xxx用户
然后使用如下命令检查签名
gpg --verify apache-seata-${release_version}-incubating-src.tar.gz.asc apache-seata-${release_version}-incubating-src.tar.gz
gpg --verify apache-seata-${release_version}-incubating-bin.tar.gz.asc apache-seata-${release_version}-incubating-bin.tar.gz
检查源码包的文件内容
解压缩apache-seata-${release_version}-incubating-src.tar.gz,进行如下检查:
- 目录名称中包含 'incubating'
apache-seata-${release_version}-incubating-src - 存在DISCLAIMER文件
- 存在LICENSE和NOTICE文件,且内容正确
- 所有文件存在,且不�包含二进制文件
- 所有文件均带有符合ASF标准的许可证声明头
- 能够从源代码编译
- 所有单元测试均可通过
./mvnw clean package -DskipTests=true - 确保发布候选版本与对应的标签一致,可在投票邮件中找到标签链接和哈希值。
- 检查pom.xml中的版本号是否一致
- 检查源代码包中是否有多余的文件或目录(例如空目录或无用的日志文件),此处需特别注意换行符是否一致,可以用
diff -r rc_dir tag_dir命令来检查 - 检查标签最新的n个提交,深入查看相关文件并确认源代码包是否包含相同的修改
检查二进制包的文件内容
解压缩apache-seata-${release_version}-incubating-bin.tar.gz,进行如下检查:
- 检查签名是否正确有效
- 名称中包含"incubating"
- 存在LICENSE和NOTICE文件,且内容无误
注意,如果二进制包里面引入了第三方依赖,则需要更新LICENSE,加入第三方依赖的LICENSE,如果第三方依赖的LICENSE是Apache 2.0,并且对应的项目中包含了NOTICE,还需要更新NOTICE文件。 同时,如果一个依赖项是双重/多重许可的,只需选择最宽松的一个。 可以参考这篇文章:ASF第三方许可政策
2.4 投票阶段
1) 社区内部投票
投票持续至少 72 小时并获得 3 个+1 binding票
发送至:
dev@seata.apache.org
标题:
[VOTE]Release Apache Seata (Incubating) x.x.x(RoundN)
Round N的N代表次数,该版本的该阶段的第几次投票 如: 投票不通过该版本经修改后重新投票时需要N+1,如Round1投票不通过,下次投票就为Round2.
正文:
Hi Seata Community,
This is a call for vote to release Apache Seata(incubating) vx.x.x.
The release candidates:
https://dist.apache.org/repos/dist/dev/incubator/seata/x.x.x/
The staging repo:
https://repository.apache.org/content/repositories/${STAGING.RELEASE}/
Git tag for the release:
https://github.com/apache/incubator-seata/releases/tag/vx.x.x
Hash for the release tag:
tag分支最后一条commit的id
Release Notes:
https://github.com/apache/incubator-seata/releases/tag/vx.x.x
The artifacts have been signed with Key [ key-id ], corresponding
to
[ 邮箱如xxxx@apache.org ]
which can be found in the keys file:
https://downloads.apache.org/incubator/seata/KEYS
Build Environment: JDK 8+, Apache Maven 3.6.0+.
/mvnw clean package -DskipTests=true
CI Test Workflow:
涉及该版本最后一次commit的多个CI流水线链接,如
https://github.com/apache/incubator-seata/actions/runs/10938949607/job/30411922716
https://github.com/apache/incubator-seata/actions/runs/10938949623/job/30410204492
https://github.com/apache/incubator-seata/actions/runs/10938949605/job/30411747821
The vote will be open for at least 72 hours.
Please vote accordingly:
[ ] +1 approve
[ ] +0 no opinion
[ ] -1 disapprove with the reason
Checklist for reference:
[ ] Download links are valid.
[ ] Checksums and signatures.
[ ] LICENSE/NOTICE files exist
[ ] No unexpected binary files
[ ] All source files have ASF headers
[ ] Can compile from source
To learn more about Apache Seata , please see https://seata.apache.org/
2) 完成投票
发布投票通过邮件
Hi Community,
The vote to release Apache Seata (Incubating) vx.x.x has passed
with 3 +1 binding votes, and no +0 or -1 votes.
3 (+1 binding)
- XXX
- XXX
- XXX
no further 0 or -1 votes.
The vote thread:
所对应投票邮件的thread链接,如:
https://lists.apache.org/thread/rwco6lms9qo10whjj8gg1dr8j7drl2gf
Thank you for reviewing and voting for our release candidate.
We will soon launch the second stage of voting.
3) 孵化器中投票
与社区投票类似,但是需要增加社区投票相关的thread链接,以证明已在社区内达成一致
发送邮件至 general@incubator.apache.org
标题:
[VOTE]Release Apache Seata (Incubating) x.x.x(RoundN)
投票持续至少 72 小时并获得 3 个+1 binding票
Hello everyone,
This is a call for vote to release Apache Seata(incubating) vx.x.x
The Apache Seata community has voted and approved the release of Apache
Seata(incubating) vx.x.x. We now kindly request the IPMC members
review and vote for this release.
The vote thread:
社区中投票的thread链接, 如:
https://lists.apache.org/thread/rwco6lms9qo10whjj8gg1dr8j7drl2gf
Vote Result:
社区中投票通过的result thread链接,如:
https://lists.apache.org/thread/ybo9c5hrx2h2glg2bdgs3t22xg734y7r
The release candidates:
https://dist.apache.org/repos/dist/dev/incubator/seata/x.x.x/
The staging repo:
https://repository.apache.org/content/repositories/${STAGING.RELEASE}/
Git tag for the release:
https://github.com/apache/incubator-seata/releases/tag/vx.x.x
Hash for the release tag:
tag分支最后一条commit的id
Release Notes:
https://github.com/apache/incubator-seata/releases/tag/vx.x.x
The artifacts have been signed with Key [ key-id ], corresponding
to
[ 邮箱如xxxx@apache.org ]
which can be found in the keys file:
https://downloads.apache.org/incubator/seata/KEYS
Build Environment: JDK 8+, Apache Maven 3.6.0+.
/mvnw clean package -DskipTests=true
CI Test Workflow:
涉及该版本最后一次commit的多个CI流水线链接,如
https://github.com/apache/incubator-seata/actions/runs/10938949607/job/30411922716
https://github.com/apache/incubator-seata/actions/runs/10938949623/job/30410204492
https://github.com/apache/incubator-seata/actions/runs/10938949605/job/30411747821
The vote will be open for at least 72 hours.
Please vote accordingly:
[ ] +1 approve
[ ] +0 no opinion
[ ] -1 disapprove with the reason
Checklist for reference:
[ ] Download links are valid.
[ ] Checksums and signatures.
[ ] LICENSE/NOTICE files exist
[ ] No unexpected binary files
[ ] All source files have ASF headers
[ ] Can compile from source
To learn more about Apache Seata , please see https://seata.apache.org/
4) 公示孵化器投票结果
72 小时后,若至少有 3 票通过而没有反对票,则参考如下邮件进行发送结果
发送邮件至 general@incubator.apache.org
标题:[RESULT][VOTE] Release Apache Seata (incubating) x.x.x(RoundN)
Hi Incubator PMC,
The vote to release Apache Seata(incubating) X.X.X has passed with
3 +1 binding and 1 +1 non-binding votes, no +0 or -1 votes.
Binding votes:
- XXX
- XXX
- XXX
Non-Binding votes:
- XXX
Vote thread:
https://lists.apache.org/thread/o7vwdvtolclcv1y4j4ozshj923ppwlnl
Thanks for reviewing and voting for our release candidate. We will
proceed with publishing the approved artifacts and sending out the
announcement soon.
5) 投票中断
如出现在投票过程中验证不通过,如license,或者版本存在bug等,经评估需要修复后才能发版,那么需要中断本次投票
标题:[CANCEL][VOTE] Release Apache Seata (incubating) x.x.x(RoundN)
Hi Incubator PMC,
I'm cancelling this vote:
之前投票的链接
描述为何中断的原因: 如license缺漏,或者版本存在bug等
注: 孵化器中投票终止后,新的投票需要从社区内部重新开始
2.5.完成发布
1) release 版本
-
从Apache Nexus 仓库, 选择之前进行close过的的 orgapacheseata-XXX 点击
Release图标发布 -
将dev下的签名文件、src、bin移动到release路径下,参考如下命令:
svn mv https://dist.apache.org/repos/dist/dev/incubator/seata/incubator-seata/x.x.x-RCN https://dist.apache.org/repos/dist/release/incubator/seata/x.x.x -m "Release Seata X.X.X" -
将之前release note设置为Set as the latest release并提交
-
将x.x.x的文档更新至seata官网中,并补充对应binary和source的下载链接
2) 版本公示
发送邮件至 general@incubator.apache.org
标题 [ANNOUNCE] Apache Seata(Incubating) vx.x.x available
Hi All,
The Apache Seata(Incubating) vx.x.x has been released!
Apache Seata is an easy-to-use, high-performance, open source distributed transaction solution.
Download Links: https://seata.apache.org/download/seata-server/
Release Notes:
https://github.com/apache/incubator-seata/releases/tag/vx.x.x/
Website: https://seata.apache.org/
Resources:
- Issue: https://github.com/apache/incubator-seata/issues
- Mailing list: dev@seata.apache.org
3) 归档老版本
发布新版本后,需要将上一个版本归档,确保在download 只保留同一维护分支的最新版本。Archive 版本在发布新版本时会自动同步到归档。因此,只需要删除download 中老的版本即可,参考命令如下:
svn delete x.x.x
svn commit -m "archive seata-x.x.x"