On 01/04/2011 16:03, Paul Sharples wrote:
On 01/04/2011 11:29, Ross Gardler wrote:
On 01/04/2011 10:29, Paul Sharples wrote:

Just to expand on that I mean I would rebuild the 0.9.0 branch to
recreate the builds with the added KEYS file (containing the committers'
public keys) and new updated NOTES file (containing the few issues we
found in WOOKIE-181), then sign the binaries. Additionally the ant
build-release tasks also make tar archives which are not currently on my
people.apache.org space. (if you want to double check these then use the
ant build-release task in the 0.9.0 branch to build them yourself).
Nothing has changed in the branch since I built them last time, so they
should in theory be exactly the same.

Is there anything I've missed?


When I moved the release process docs across to the CMS last night I
added some more detail to the process. You can see it at
http://wookie.staging.apache.org/wookie/docs/developer/release.html
(committers only as we have not published this new site yet).

Ross

Thanks for this Ross, it helps a lot,

I should make it clear that this is not set in stone. This is the way *I'm* used to doing it in ASF projects. There are very few steps in this process that are required, I just find it easier this way. If you, as release manager on this release, want to change it, feel free. Your mentors will pull you up if there is an issue.

One question...

I'm obviously going to have to rebuild the releases as the ones up on my
people.apache.org site are not signed, don't contain the file KEYS etc.

Sure, that is done after testing when you build the release (as opposed to release candidate).

But the "Web of Trust" is marked as "post release" in the doc you put
up. Does this mean I can now add your public key (as well as Scott's,
Kris's and Raido's as they are - even if one or more of us haven't signed
/ trusted each other's?) Or does that have to be in place before I sign
the build?

That's a cut and paste error (now fixed) in the heading. I've moved it to the "development" phase. We should all be seeking to get our keys signed by as many people as possible, all the time. Strictly speaking it's not part of the release process itself.

We need to make sure the public keys are recorded so you can sign the release itself. However the signing of one another's keys in the "web of trust" can happen at any time. The more people who sign our keys the more likely a paranoid sysadmin will be able to find someone within their "web of trust" who's signed the release.

Next time I'm up in Bolton remind me to do the key signing thing. I'm afraid I'm a bit severe on signing keys. I insist on seeing ID, the key and the person all together at the same time before I'll sign. Of course that does mean you can truly trust any key I've signed (if you trust me of course). Unfortunately this means I have not signed enough keys.

Ross



--
[email protected]
@rgardler
