Release Preparation

    This document describes the main process and prep work for release. For specific Doris component release steps, you can refer to the respective documentation:

    There are three main forms of releases for Apache projects.

    • Source Release: i.e. source release, this is mandatory.
    • Binary Release: e.g., release of a compiled executable. This is optional.
    • Convenience Binaries: Release to third-party platforms for user convenience, such as Maven, Docker, etc. This is also optional.

    Each project release requires a PMC member or Committer as the Release Manager.

    The overall release process is as follows.

    1. Environment preparation
    2. Release preparation
      1. the community initiates DISCUSS and communicates with the community about the specific release plan
      2. create a branch for the release
      3. clean up the issue
      4. merge the necessary patches into the released branch
    3. verify the branch
      1. stability testing
      2. verify the compilation flow of the branch code
      3. Prepare Release Nodes
    4. prepare release materials
      1. Tagging
      2. upload the content to be released to the Apache Dev SVN repositoryRelease Preparation - 图4 (opens new window)
      3. preparation of other Convenience Binaries (e.g. upload to )
    5. Community Release Polling Process
      1. Initiate a VOTE in the Doris Community Dev Mail Group.
      2. After the vote is approved, send a Result email in the Doris community.
      3. If it is an Incubator Project, you also need to
        1. initiate a VOTE in the . 2.
    6. Complete the work
      1. Upload the signed packages to the Apache Release repositoryRelease Preparation - 图6 (opens new window) and generate the relevant links.
      2. Post the download links on the Doris website and github, and clean up the old packages on svn.
      3. Send an Announce email to dev@doris.apache.org
      4. If it is an Incuator Project, you also need to
        1. Send an Announce email to general@incubator.apache.org

    If this is your first time as Release Manager, then you need to prepare the following tools in your environment

    1. gpgRelease Preparation - 图8 (opens new window)

    Release manager needs to create its own signature public key before release, and upload it to the public key server, then you can use this public key to sign the package to be released. If your KEY already exists in KEYSRelease Preparation - 图10 (opens new window), then you can skip this step.

    Installation and configuration of the signature software GnuPG

    GnuPG

    In 1991, programmer Phil Zimmermann developed the encryption software PGP in order to avoid government surveillance; it worked so well that it quickly spread and became an essential tool for many programmers. However, it was commercial software and could not be used freely. So, the Free Software Foundation decided to develop a replacement for PGP, named GnuPG, and that’s how GPG came to be.

    installation configuration

    CentOS installation command.

    After installation, the default configuration file gpg.conf will be placed in the home directory.

    If this directory or file does not exist, you can just create an empty file.

    Apache recommends SHA512 for signatures, which can be done by configuring gpg. Edit gpg.conf, adding the following three lines.

    1. personal-digest-preferences SHA512
    2. cert-digest-algo SHA512
    3. default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

    Generate a new signature

    Preparing a signature

    Recommended settings for generating new signatures.

    Here you must log in to the user account directly through a terminal such as SecureCRT, not through su - user or ssh, otherwise the password input box will not show up and an error will be reported.

    1. $ gpg --version
    2. gpg (GnuPG) 2.0.22
    3. libgcrypt 1.5.3
    4. Copyright (C) 2013 Free Software Foundation, Inc.
    5. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    6. This is free software: you are free to change and redistribute it.
    7. There is NO WARRANTY, to the extent permitted by law.
    8. Home: ~/.gnupg
    9. Supported algorithms:
    10. Pubkey: RSA, ?, ?, ELG, DSA
    11. Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
    12. CAMELLIA128, CAMELLIA192, CAMELLIA256
    13. Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
    14. Compression: Uncompressed, ZIP, ZLIB, BZIP2
    Generate a new signature
    1. $ gpg --gen-key
    2. gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
    3. This is free software: you are free to change and redistribute it.
    4. There is NO WARRANTY, to the extent permitted by law.
    5. Please select what kind of key you want:
    6. (1) RSA and RSA (default)
    7. (2) DSA and Elgamal
    8. (3) DSA (sign only)
    9. Your selection? 1
    10. RSA keys may be between 1024 and 4096 bits long.
    11. What keysize do you want? (2048) 4096
    12. Requested keysize is 4096 bits
    13. Please specify how long the key should be valid.
    14. <n> = key expires in n days
    15. <n>w = key expires in n weeks
    16. <n>m = key expires in n months
    17. <n>y = key expires in n years
    18. Key is valid for? (0)
    19. Key does not expire at all
    20. Is this correct? (y/N) y
    21. GnuPG needs to construct a user ID to identify your key.
    22. Real name: xxx
    23. Name must be at least 5 characters long
    24. Real name: xxx-yyy
    25. Email address: xxx@apache.org
    26. Comment: xxx's key
    27. You selected this USER-ID:
    28. "xxx-yyy (xxx's key) <xxx@apache.org>"
    29. Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

    Real name should be the same as the id shown in id.apache.org. Email address is the apache email address.

    Enter passphrase, twice, more than 8 characters.

    The secret key here must be remembered, it will be used later when signing. It will also be used for publishing other components

    View and output

    The first line shows the public key file name (pubring.gpg), the second line shows the public key characteristics (4096 bits, hash string and generation time), the third line shows the “user ID”, comments, emails, and the fourth line shows the private key characteristics.

    where xxx-yyyy is the user ID.

    1. gpg --armor --output public-key.txt --export [user-id]
    1. $ gpg --armor --output public-key.txt --export xxx-yyyy
    2. $ cat public-key.txt
    3. -----BEGIN PGP PUBLIC KEY BLOCK-----
    4. Version: GnuPG v2.0.22 (GNU/Linux)
    5. mQINBFwJEQ0BEACwqLluHfjBqD/RWZ4uoYxNYHlIzZvbvxAlwS2mn53BirLIU/G3
    6. 9opMWNplvmK+3+gNlRlFpiZ7EvHsF/YJOAP59HmI2Z...

    Uploading Signed Public Keys

    A public key server is a server on the network dedicated to storing the user’s public key. send-keys parameter can upload the public key to the server.

    1. gpg --send-keys xxxx --keyserver https://keyserver.ubuntu.com/

    where xxxx is the string after pub in the -list-keys result of the previous step, e.g., 33DBF2E0

    You can also upload the contents of the above public-key.txt via .

    After successful upload, you can query this https://keyserver.ubuntu.com/Release Preparation - 图12 (opens new window) by entering 0x33DBF2E0. (Note that it needs to start with 0x)

    There is a delay in querying this website, you may need to wait for 1 hour.

    generates fingerprint and uploads it to apache user information

    Since the public key server has no checking mechanism, anyone can upload a public key in your name, so there is no way to guarantee the reliability of the public key on the server. Usually, you can publish a public key fingerprint on your website and let other people check whether the downloaded public key is genuine or not.

    The fingerprint parameter generates a public key fingerprint.

    1. gpg --fingerprint [user-id]

    Paste the fingerprint above (i.e. 07AA E690 B01D 1A4B 469B 0BEF 5E29 CE39 33DB F2E0) into your own user information at

    OpenPGP Public Key Primary Fingerprint:

    generates keys

    Be careful not to delete existing content in the KEYS file, it can only be added.

    1. svn co https://dist.apache.org/repos/dist/dev/incubator/doris/
    2. # edit doris/KEYS file
    3. gpg --list-sigs [user-id] >> doris/KEYS
    4. gpg --armor --export [user ID] >> doris/KEYS
    5. svn ci --username $ASF_USERNAME --password "$ASF_PASSWORD" -m "UPDATE KEYS"

    Note that the KEYS file should also be published to the following svn library.

    1. svn co https://dist.apache.org/repos/dist/release/incubator/doris
    2. # edit doris/KEYS file
    3. svn ci --username $ASF_USERNAME --password "$ASF_PASSWORD" -m "UPDATE KEYS"

    After that it will automatically sync to.

    1. https://downloads.apache.org/incubator/doris/KEYS

    In subsequent release poll emails, use the KEYS file here in https://downloads.apache.org/incubator/doris/KEYS.

    For components such as the Doris Connector, you need to use maven for the release.

    1. Generate a master password

      mvn --encrypt-master-password <password>

      This password is only used to encrypt other passwords that follow, and the output is something like {VSb+6+76djkH/43...} Then create the ~/.m2/settings-security.xml file with the following content

      1. <settingsSecurity>
      2. <master>{VSb+6+76djkH/43...}</master>
      3. </settingsSecurity>

    DISCUSS is not a required process before a release, but it is highly recommended to start a discussion in the dev@doris mail group before a major release. Content includes, but is not limited to, descriptions of important features, bug fixes, etc.