...And congratulations on a job well done!

On Sun, 19 Sep 2021 at 11:09, ste...@eissing.org (<ste...@eissing.org>) wrote:
>
> Compiling the release experience.
>
> Apache httpd 2.4.49 was released on September 15/16 2021.
> There were changes to the release process and some resulting
> hiccups, but it went through.
>
> New in the release process were:
> - a switch from always incrementing version numbers to
>   release candidate numberings.
> - adaptations of our process to the general apache security
>   CVE handling from cveprocess.apache.org
>
> The switch away from incrementing version numbers before
> a release voting led in the past to confusion for our users
> and extra work on our part. Users, for example, overlooked
> CHANGES reported on unreleased versions. CVEs were reported
> on versions the users never saw.
>
> With the new release candidate numbers, we can keep the next
> release number stable (whatever source revision will be selected).
> We can now communicate "this will be fixed in 2.4.50" and this
> will be the version that users get.
>
> The CVE handling via cveprocess.apache.org is seen as an
> overall improvement to the process. However, lacking an
> API usable for automation, it still involves manual steps
> which we would like to automate more.
>
> For example, since we cannot download CVE JSON data, release
> and "readiness" scripts could not do a full status check. This
> led to missing fields being unnoticed during release. As
> a result, vulnerability pages became 404s on our site and
> we needed manual intervention to get it right.
>
> We will adjust our processes to have a minimum of manual
> steps here and check data completeness before release. We hope
> that mid-term, the cveprocess site can offer non-browser access
> to features. Maybe apache infra can be of help. This should
> be beneficial to all apache projects.
>
> Then we had some things fumbled by our new release manager (myself):
> - the RM's PGP key was kept in the KEYS file, but not registered
>   in the directories and as its apache committers pgp key. This
>   led to irritations for folks that verified our tarballs.
> - The general announcement emails did not go through for
>   annou...@apache.org, moderators did not see it. The issue,
>   as it turned out later, was that the RM was not subscribed to
>   that list with his apache email id. The list silently dropped
>   the mails.
> - A twitter announcement for @apache_httpd was not generated.
>   We need to handshake with the holder of that handle on how to
>   get this out in the future.
>
> This should serve as a record for things to improve in the next
> release - while memory of this one is still fresh. Please add to
> this anything I might have missed or additional things you like
> us to tackle in the next release.
>
> Thanks,
> Stefan

--
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat