You need to use svn for https://dist.apache.org/repos/dist Your Apache ID and password are needed to authenticate. You need to add a KEYS file to release/incubator/hamilton. The RC should go in dev/incubator/hamilton. If the release is 0.10.0 then create an 0.10.0-RC1 dir in dev/incubator/hamilton and put all the RC files in it.
I would suggest that you do a sparse checkout because dist.apache.org is massive. svn checkout --depth immediates https://dist.apache.org/repos/dist dist cd dist/dev svn checkout https://dist.apache.org/repos/dist/dev/incubator/hamilton incubator/hamilton cd ../release svn checkout https://dist.apache.org/repos/dist/release/incubator/hamilton incubator/hamilton Hopefully, you will end up with dist dist/dev dist/dev/incubator/hamilton dist/release dist/release/incubator/hamilton dist/test Other than subdirs, all of these dirs should be empty initially. Example KEYS file: https://dist.apache.org/repos/dist/release/pekko/KEYS Example RC https://dist.apache.org/repos/dist/dev/incubator/amoro/0.8.0-incubating-RC2/ On Sat, 13 Sept 2025 at 21:21, Stefan Krawczyk <[email protected]> wrote: > > I have to confess -- the documentation on ASF incubator and related does > not lay out an easy 1, 2, 3 of what one should do with respect to setting > up a release. Can someone please confirm whether : > > uploading things to https://dist.apache.org/ ? > > is the place to upload? If so, where are the instructions to do that? Do I > have credentials? > > Otherwise I believe I have grokked enough of the signing process to know > how to do that -- again a 1, 2, 3 of here's how you upload the public key > to KEYS, would help here. > > Cheers, > > Stefan > > > On Sat, Sep 6, 2025 at 10:32 PM Stefan Krawczyk <[email protected]> > wrote: > > > Hey Mentors, > > > > Is this the right mental model: > > > > 1. Create a compressed file of the source release. > > 2. Sign it > > 3. Upload the release candidate + crypto signature to > > https://dist.apache.org/ > > 4. Vote > > 5. Move release candidate to be actual release. > > 6. Do any github/pypi stuff that's equivalent. > > > > ? > > > > Questions: > > > > 1. Can we sign up for automated release signing > > <https://infra.apache.org/release-signing.html#automated-release-signing>? > > Or explain if we do it off a laptop, how do we manage private keys? > > 2. How do we get access to uploading things to https://dist.apache.org/ ? > > 3. It seems like there is no single way to sign a package, we just have to > > sign it with something that's approved, right? > > 4. Who can create the pypi packages with the apache- prefix? Is that > > something infra owns? Or we do it ourselves? I want to dual publish the > > packages. > > > > Cheers, > > > > Stefan > >
