1# Apache Thrift Release Management 2 3Instructions for preparing and distributing a release of Apache Thrift are fairly complex. These procedures are documented here, and we're working to automate as much of this as possible. There are few projects like ours that integrate with 28 programming languages. Given the extreme number of package management systems that Apache Thrift integrates with (compared to perhaps any), part of the burden of releasing Apache Thrift is to manually package and upload some of these [language-specific packages](http://apache.thrift.org/libraries). 4 5It is important to note here that Apache Thrift is designed for version interoperability, so one can use a version 0.7.0 client with a 0.12.0 server. A particular version number does not make any guarantees as to the features available in any given language. See the [Language Feature Matrix](https://github.com/apache/thrift/blob/master/LANGUAGES.md) to learn more. 6 7## Concepts 8 9### Versioning 10 11Apache Thrift and the vast majority of package management systems out there conform to the [SemVer 2.0](https://semver.org/spec/v2.0.0.html) version numbering specification. Apache Thrift uses the following versioning rules: 12 13- *major* is currently always zero; 14- *minor* is increased for each release cycle; 15- *patch* is increased for patch builds between release cycles to address critical defect, security, or packaging issues 16 17Further, if there are only packaging changes for a single third-party distribution point to correct an issue, the major.minor.patch may remain the same while adding a suffix compatible with that distribution point, for example, "0.12.0.1" for nuget, or "0.12.0-1" for maven. 18 19#### External Package Patches 20 21It is common to have language-specific critical defects or packaging errors that need to be resolved between releases of Apache Thrift. The project handles these on a case-by-case basis for languages that have their own [package management systems](http://apache.thrift.org/libraries). When a language-specific patch is made, the patch level of the distribution pushed to the external package manager is bumped. 22 23 As such, there may be cases between Apache Thrift releases where there are (for example) a `0.12.1` and `0.12.2` version of a Haskell Hackage package, and perhaps also a `0.12.3` version of a dlang dub package. You will not find a tag or an official project release in these cases, however, the code changes will be reflected in the release branch and in master. In these cases we would not release a version of Apache Thrift nor would we refresh all the external language packages. 24 25#### Version in the master branch 26 27The master branch will always contain the next anticipated release version. When a release cycle begins, a branch is cut from master. The release branch will already have all of the correct versions, and therefore release branches can be easily merged back into master. (This was not true of releases before 0.12.0). 28 29### Code Repository 30 31The authoritative repository for Apache Thrift is stored in [GitHub](https://github.com/apache/thrift). It is mirrored by [GitBox](https://gitbox.apache.org/repos/asf?p=thrift.git). 32 33### Branches 34 35All code (submitted via pull request or direct push) is committed to the `master` branch. Until version 1.0 of Apache Thrift each release branch was named `<version>`, for example in version `0.12.0` there is a branch named the same. For version 1.0 releases any beyond, releases will have a branch named `release/<version>`. 36 37### Tags 38 39Up to version `0.12.0` each release of Apache Thrift was tagged with a `<version>` tag. Starting with the `0.12.0` release, each release of Apache Thrift will be tagged with a `v<version>` tag to satisfy external package management tools (such as ones for dlang and golang). For example the tag of version `0.12.0` is `v0.12.0`. 40 41## Release Procedures 42 43### Release Schedule 44 45Apache Thrift has no official release schedule, however the project aims to release at least twice per year. 46 47A complete release cycle will take about 1 week to complete, if things go well, with half of that time waiting for a vote. 48 49### Release Manager 50 51Before a release cycle begins, someone must nominate themselves on the development mailing list as the release manager for that release. In order to be a release manager you must meet the following criteria: 52 531. You are a [member](http://people.apache.org/phonebook.html?pmc=thrift) of the Apache PMC group. 541. Your profile at https://id.apache.org/ is valid and contains a PGP key. If it does not, see the [Apache OpenPGP Instructions](https://www.apache.org/dev/openpgp.html). If your PGP private key creation seems to hang indefinitely while creating entropy, try these fixes: 55 - Generate disk I/O with: `dd if=/dev/sda of=/dev/zero` 56 - Install the `rng-tools` package. 571. Your PGP key is visible in the [Apache Committer Keys](http://people.apache.org/keys/committer/) for code signing. This list is updated periodically from your Apache ID (see previous step). 581. You have read and agree with the contents of the [ASF Release Distribution Policy](https://www.apache.org/dev/release-distribution.html). 591. You have access and the ability to use subversion. All distribution artifacts are released through a subversion commit. 601. You can build in the Linux Docker Container, and you have Visual Studio 2017. 611. You have sufficient time to complete a release distribution. 62 63### Release Candidate 64 65All Apache Thrift releases go through a 72-hour final release candidate voting procedure. Votes from members of the Apache Thrift PMC are binding, and all others are non-binding. For these examples, the `master` branch is at version 1.0.0 and that is the next release. 66 671. Scrub the Apache Jira backlog. There are a couple things to do: 68 69 1. [Open Issues without a Component](https://issues.apache.org/jira/issues/?filter=-1&jql=project%20%3D%20THRIFT%20and%20status%20!%3D%20Closed%20and%20component%20is%20empty) - make sure everything has an assigned component, as the release notes are grouped together by language. 70 71 1. [Open Issues with a Fix Version](https://issues.apache.org/jira/issues/?filter=-1&jql=project%20%3D%20THRIFT%20and%20status%20in%20(OPEN%2C%20%27IN%20PROGRESS%27%2C%20REOPENED)%20and%20fixVersion%20is%20not%20empty) - these will be issues that someone placed a fixVersion on in Jira, but have not been resolved or closed yet. They are likely stale somehow. Resolutions for these issues include resolving or closing the issue in Jira, or simply removing the fixVersion if the issue hasn't been fixed. 72 73 1. [Open Blocking Issues](https://issues.apache.org/jira/issues/?filter=-1&jql=project%20%3D%20THRIFT%20and%20priority%20in%20(blocker)%20and%20status%20not%20in%20(closed)%20order%20by%20component%20ASC) - blocking issues should block a release. Scrub the list to see if they are really blocking the release, and if not change their priority. 74 75 1. [Open Critical Issues](https://issues.apache.org/jira/issues/?filter=-1&jql=project%20%3D%20THRIFT%20and%20priority%20in%20(critical)%20and%20status%20not%20in%20(closed)%20and%20type%20not%20in%20(%22wish%22)%20order%20by%20component%20ASC) - this list will end up in the known critical issues list in the changes file. Scrub it to make sure everything is actually critical. 76 77 It is healthy to scrub these periodically, whether or not you are making a new release. 78 791. Check that the version number in the `master` branch matches the version number of the upcoming release. To check the `master` branch version, run: 80 81 ```bash 82 thrift$ grep AC_INIT configure.ac | cut -d'[' -f3 | cut -d']' -f1 83 1.0.0 84 ``` 85 86 If it does not match (this should be extremely rare), you need to submit a pull request setting the `master` branch to the desired version of the upcoming release. In the following example, we prepare to commit a branch where the version number is changed from `1.0.0` to `1.1.0`: 87 88 ```bash 89 thrift$ git checkout -b fix-version-for-release 90 thrift$ build/veralign.sh 1.0.0 1.1.0 91 # check to see if any of the manually modified files needs changes 92 thrift$ git push ... # make a pull request 93 ``` 94 951. Create a release branch for the release, in this example `1.0.0`: 96 97 ```bash 98 thrift$ git checkout master 99 thrift$ git pull 100 thrift$ git checkout -b "release/1.0.0" 101 thrift$ git push 102 ``` 103 104 Now there is a `release/1.0.0` branch in GitHub for Apache Thrift. 105 106 By creating a release branch we allow work to continue on the `master` branch for the next release while we finalize this one. Note that `release/1.0.0` and `master` in this example are now identical, and therefore it is possible to merge the release branch back into `master` at the end of the release! 107 1081. Modify these files manually, inserting the release into them at the appropriate location. Follow existing patterns in each file: 109 - `doap.rdf` 110 - `debian/changelog` 111 1121. Generate the content for `CHANGES.md` - this is one of the most time-consuming parts of the release cycle. It is a lot of work, but the result is well worth it to the consumers of Apache Thrift: 113 114 1. Find all [Issues Fixed but not Closed in 1.0.0](https://issues.apache.org/jira/issues/?filter=-1&jql=project%20%3D%20thrift%20and%20fixVersion%20%3D%201.0.0%20and%20status%20!%3D%20closed) (adjust the version in the link to suit your needs). 115 116 1. Export the list of issues to a CSV (Current Fields) and open in Excel (or a similar spreadsheet). 117 118 1. Hide all columns except for the issue id (i.e. THRIFT-nnnn), the component (first one), and the summary. 119 120 1. Sort by component ascending and then by id ascending. 121 122 1. Create a fourth column that will contain the contents of each line that goes into the release notes. Once you have the formula working in one cell paste it into the other rows to populate them. Use a formula to get the column to look like this: 123 124 ```vcol 125 Issue Component Summary RelNote 126 THRIFT-123 C++ - Library Drop C++03 [THRIFT-123](https://issues.apache.org/jira/browse/THRIFT-3978) - Drop C++03 127 ``` 128 129 For example, if the row above was row "B" in EXCEL it would look something like: 130 131 ```text 132 =CONCAT("[", B1, "]", 133 "https://issues.apache.org/jira/browse/", 134 B1, " - ", B3) 135 ``` 136 137 1. Create a level 3 section in `CHANGES.md` under the release for each component and copy the items from the RelNote column into the changes file. 138 139 1. Find all [Open Critical Issues](https://issues.apache.org/jira/issues/?filter=-1&jql=project%20%3D%20THRIFT%20and%20priority%20in%20(critical)%20and%20status%20not%20in%20(closed)%20and%20type%20not%20in%20(%22wish%22)%20order%20by%20component%20ASC) and add them to `CHANGES.md` in the list of known critical issues for the release. 140 1411. Commit all changes to the release branch. 142 1431. Generate the source tarball. 144 145 1. On a linux system get a clean copy of the release branch, for example: 146 147 ```bash 148 ~$ git clone -b "release/1.0.0" git@github.com:apache/thrift.git thrift-1.0.0-src 149 ``` 150 151 1. In the clean copy of the release branch, start a docker build container and run `make dist`: 152 153 ```code 154 ~$ cd thrift-1.0.0-src 155 ~/thrift-1.0.0-src$ docker run -v $(pwd):/thrift/src:rw \ 156 -it thrift/thrift-build:ubuntu-bionic /bin/bash 157 root@8b4101188aa2:/thrift/src# ./bootstrap.sh && ./configure && make dist 158 ``` 159 160 The result will be a file named `thrift-1.0.0.tar.gz`. Check the size and make sure it is roughly 4MB. It could get larger over time, but it shouldn't jump by orders of magnitude. Once satisfied you can exit the docker container with `exit`. 161 162 1. Generate signatures and checksums for the tarball: 163 164 ```bash 165 gpg --armor --output thrift-1.0.0.tar.gz.asc --detach-sig thrift-1.0.0.tar.gz 166 md5sum thrift-1.0.0.tar.gz > thrift-1.0.0.tar.gz.md5 167 sha1sum thrift-1.0.0.tar.gz > thrift-1.0.0.tar.gz.sha1 168 sha256sum thrift-1.0.0.tar.gz > thrift-1.0.0.tar.gz.sha256 169 1701. Generate the Windows Thrift Compiler. This is a statically linked compiler that is portable and folks find it useful to be able to download one, especially if they are using third-party distributed runtime libraries for interpreted languages on Windows. There are two ways to generate this: 171 172 - Using a Development VM 173 174 1. On a Windows machine with Visual Studio, pull down the source code and checkout the release branch. 175 1. Open an x64 Native Tools Command Prompt for VS 2017 and create an out-of-tree build directory. 176 1. Install the latest version of cmake. 177 1. Install chocolatey and install winflexbison with chocolatey. 178 1. Run cmake to generate an out-of-tree build environment: 179 ```cmd 180 C:\build> cmake ..\thrift -DBISON_EXECUTABLE=c:\ProgramData\chocolatey\lib\winflexbison\tools\win_bison.exe -DFLEX_EXECUTABLE=c:\ProgramData\chocolatey\lib\winflexbison\tools\win_flex.exe -DWITH_MT=ON -DWITH_SHARED_LIB=OFF -DWITH_CPP=OFF -DWITH_JAVA=OFF -DWITH_HASKELL=OFF -DWITH_PYTHON=OFF -DWITH_C_GLIB=OFF -DBUILD_TESTING=OFF -DBUILD_TUTORIALS=OFF -DBUILD_COMPILER=ON 181 C:\build> cmake --build . --config Release 182 ``` 183 184 - Using [Docker for Windows](../build/docker/msvc2017/README.md), follow the instructions for building the compiler. 185 - In both cases: 186 1. Verify the executable only depends on kernel32.dll using [depends.exe](http://www.dependencywalker.com/). 187 1. Copy the executable `thrift.exe` to your linux system where the signed tarball lives and rename it to `thrift-1.0.0.exe` (substitute the correct version, of course). 188 1. Sign the executable the same way you signed the tarball. 189 1901. Upload the release artifacts to the Apache Dist/Dev site. This requires subversion: 191 192 ```bash 193 ~$ mkdir -p dist/dev 194 ~$ cd dist/dev 195 ~/dist/dev$ svn co "https://dist.apache.org/repos/dist/dev/thrift" thrift 196 ~/dist/dev$ cd thrift 197 ``` 198 199 Copy the tarball, windows compiler executable, and 8 additional signing files into a new directory for the release: 200 201 ``` bash 202 ~/dist/dev/thrift$ mkdir 1.0.0-rc0 203 # copy the files into the directory 204 ~/dist/dev/thrift$ svn add 1.0.0-rc0 205 ``` 206 207 The layout of the files should match the [current release](https://www.apache.org/dist/thrift/). Once done, add the release candidate and check it in: 208 209 ```bash 210 ~/dist/dev/thrift$ svn status 211 # verify everything is correct 212 ~/dist/dev/thrift$ svn commit -m "Apache Thrift 1.0.0-rc0 in dist dev" \ 213 --username <apache-username> --password <apache-password> 214 ``` 215 2161. Verify the release candidate artifacts are available at: 217 218 [https://dist.apache.org/repos/dist/dev/thrift/](https://dist.apache.org/repos/dist/dev/thrift/) 219 2201. Send a voting announcement message to `dev@thrift.apache.org` following this template as a guide: 221 222 ```code 223 To: dev@thrift.apache.org 224 Subject: [VOTE] Apache Thrift 1.0.0-rc0 release candidate 225 --- 226 All, 227 228 I propose that we accept the following release candidate as the official Apache Thrift 1.0.0 release: 229 230 https://dist.apache.org/repos/dist/dev/thrift/1.0.0-rc0/thrift-1.0.0-rc0.tar.gz 231 232 The release candidate was created from the release/1.0.0 branch and can be cloned using: 233 234 git clone -b release/1.0.0 https://github.com/apache/thrift.git 235 236 The release candidates GPG signature can be found at: 237 https://dist.apache.org/repos/dist/dev/thrift/1.0.0-rc0/thrift-1.0.0-rc0.tar.gz.asc 238 239 The release candidates checksums are: 240 md5: 241 sha1: 242 sha256: 243 244 245 A prebuilt statically-linked Windows compiler is available at: 246 https://dist.apache.org/repos/dist/dev/thrift/1.0.0-rc0/thrift-1.0.0-rc0.exe 247 248 Prebuilt statically-linked Windows compiler GPG signature: 249 https://dist.apache.org/repos/dist/dev/thrift/1.0.0-rc0/thrift-1.0.0-rc0.exe.asc 250 251 Prebuilt statically-linked Windows compiler checksums are: 252 md5: 253 sha1: 254 sha256: 255 256 257 The source tree as ZIP file to be published via Github releases: 258 https://dist.apache.org/repos/dist/dev/thrift/1.0.0-rc0/thrift-1.0.0-rc0.zip 259 260 ZIP source tree GPG signature: 261 https://dist.apache.org/repos/dist/dev/thrift/1.0.0-rc0/thrift-1.0.0-rc0.zip.asc 262 263 ZIP source tree checksums are: 264 md5: 265 sha1: 266 sha256: 267 268 The CHANGES list for this release is available at: 269 https://github.com/apache/thrift/blob/release/1.0.0/CHANGES.md 270 271 272 Please download, verify sig/sum, install and test the libraries and languages of your choice. 273 274 This vote will close in 72 hours on 2019-07-06 21:00 UTC 275 276 [ ] +1 Release this as Apache Thrift 1.0.0 277 [ ] +0 278 [ ] -1 Do not release this as Apache Thrift 1.0.0 because... 279 ``` 280 2811. If any issues are brought up with the release candidate, you will need to package another and reset the voting clock. 282 283Voting on the development mailing list provides additional benefits (wisdom from [Christopher Tubbs](https://issues.apache.org/jira/browse/THRIFT-4506?focusedCommentId=16791902&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16791902)): 284- It creates a public record for the vote, 285- It allows for participation/evaluation from our wider user audience (more diversity in evaluators improves quality), and 286- It provides more entry points for potential future committers/PMC members to earn merit through participation. 287 288### Official Release 289 2901. Send a message to `dev@thrift.apache.org` with the voting results. Use this template as a guide: 291 292 ```code 293 To: dev~thrift.apache.org 294 Subject: [VOTE][RESULT] Release Apache Thrift 1.0.0 295 --- 296 All, 297 298 Including my own vote of +1 we have N binding +1 and no -1. 299 The vote for the Apache Thrift 1.0.0 release is ***successful***. 300 Thank you to all who helped test and verify. 301 ``` 302 3031. Use svn to checkout the release part of thrift (similar to dev) and copy the files over from dev, matching the previous release structure: 304 305 ```bash 306 ~$ mkdir -p dist/release 307 ~$ cd dist/release 308 ~/dist/release$ svn co "https://dist.apache.org/repos/dist/release/thrift" thrift 309 ~/dist/release$ cd thrift 310 ~/dist/release/thrift$ mkdir 1.0.0 311 ~/dist/release/thrift$ cp -p ../../dev/thrift/1.0.0-rc0/* 1.0.0/ 312 ~/dist/release/thrift$ svn status 313 # verify everything is correct 314 ~/dist/release/thrift$ svn commit -m "Apache Thrift 1.0.0 official release" \ 315 --username <apache-username> --password <apache-password> 316 ``` 317 318 **NOTE** Once you check-in, you need to wait about a day for all the mirrors to update. You cannot send the announcement email or update the web site until the mirrors are updated. 319 3201. Create and push a tag for the release, for example "v1.0.0". 321 322 **NOTE:** All new releases must have the "v" prefix to satisfy third-party package managers (dlang dub, golang, etc..) 323 324 **NOTE:** You **should** [sign the release tag](https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work). Since you already have a GPG signing key for publishing the Apache Release, you want to [upload that key to your GitHub account](https://help.github.com/en/articles/adding-a-new-gpg-key-to-your-github-account). Once the key is known by GitHub you can sign the tag. 325 326 ```bash 327 ~/thrift$ # make sure you are on the release branch 328 ~/thrift$ git checkout release/1.0.0 329 ~/thrift$ git pull 330 ~/thrift$ git tag -s v1.0.0 -m "Version 1.0.0" 331 ~/thrift$ git push --tags 332 ``` 333 334 **NOTE:** If you get the error "gpg failed to sign the data" when tagging, try this fix: ```export GPG_TTY=$(tty)```. Alternatively, it may be necessary to specify the ```-u <keyid>``` as an additional argument. 335 3361. Create a new release from the [GitHub Tags Page](https://github.com/apache/thrift/tags). Attach the statically built Windows thrift compiler as a binary here. 337 3381. Merge the release branch into master. This ensures all changes made to fix up the release are in master. 339 340 ```bash 341 ~/thrift$ git checkout master 342 ~/thrift$ git pull 343 ~/thrift$ git merge release/1.0.0 344 ``` 345 346 The merge of 1.0.0 into master should proceed as a fast-forward since the 1.0.0 release branch. If there are discrepancies the best thing to do is resolve them and then submit a pull request. This pull request must be *MERGED* and not *REBASED* after the CI build is successful. You may want to do this yourself and mark the pull request as `[DO NOT MERGE]`. 347 3481. Update the ASF CMS content for thrift to include the new release. Note over time we will retire this in favor of including all documentation in the GitHub repository. The page with the variables that are important like the current release or distribution links is in trunk/lib/path.pm in the ASF CMS for thrift. 349 350 1. Go to the [ASF CMS for Thrift](https://cms.apache.org/thrift/). 351 1. Get a working copy. 352 1. On the top right, click on `trunk`. 353 1. Navigate into `lib`. 354 1. Open `path.pm`. 355 1. Edit 356 1. Change `current_release` and `current_release_date` to reflect the correct information. 357 1. Submit 358 1. Commit 359 1. Submit 360 1. Follow Staging Build until it completes. 361 1. Open the Staged site. 362 1. Ensure the download links work. 363 1. Publish Site. 364 3651. Make an announcement on the dev@ and user@ mailing lists of the release. There's no template to follow, but you can point folks to the official web site at https://thrift.apache.org, and to the GitHub site at https://github.org/apache.thrift. 366 367### Post-Release 368 3691. Visit https://reporter.apache.org/addrelease.html?thrift and register it. You will get an automated reminder as the one who committed into dist. This informs the Apache Board of Directors of releases through project reports. 370 3711. Create a local branch to bump the release number to the next anticipated release: 372 373 ```bash 374 ~/thrift$ git checkout -b bump-master 375 ~/thrift$ build/veralign.sh 1.0.0 1.1.0 376 ``` 377 378 The veralign script will set the version number in all of the language packaging files and headers. You do not need to worry about the manually modified files at this time. You should however ensure everything is correct by looking at the diff. 379 3801. Create a pull request to advance master to the next anticipated release. 381 3821. In Apache Jira, select all tickets where the fix version is the release and the status is not closed ([example](https://issues.apache.org/jira/issues/?jql=project%20%3D%20THRIFT%20AND%20fixVersion%20%3D%201.0%20%20and%20status%20!%3D%20Closed)) and use the bulk editing tool to close them. 3831. **FIXME** Ask someone with admin access to Apache Jira to change the fixVersion in question from unreleased to released, for example: 384 https://issues.apache.org/jira/browse/THRIFT-4686 385 3861. Ensure that the [Jira release page](https://issues.apache.org/jira/projects/THRIFT?selectedItem=com.atlassian.jira.jira-projects-plugin%3Arelease-page&status=unreleased) for the version has the same number of issues in the version as issues done, and that there are no issues in progress and no issues to do, and no warnings. Finally, mark it as released and set the date of the release. 387 388* [Report any CVEs](https://apache.org/security/committers.html) that were fixed. You can email `security@apache.org` if you are not sure if there are any CVEs to report. 389 390#### Third Party Package Managers 391 392See https://thrift.apache.org/lib/ for the current status of each external package manager's distribution. The information below is from the 0.12.0 release: 393 394 > This section needs to be updated with detailed instructions for each language, or pointers to the README.md files in each language directory with detailed release instructions for the given package management system. 395 396* [dart] Releasing this requires a google account. 397 * You will need to install the same version of dart that is used in the docker image. 398 * Go into lib/dart and run "pub publish --dry-run" and resolve any warnings. 399 * Run "pub publish" and go through the google account authorization to allow it. 400* [dlang] Within a day, the dlang dub site https://code.dlang.org/packages/apache-thrift?tab=info 401 should pick up the release based on the tag. No action is needed. 402* [haskell] https://hackage.haskell.org/package/thrift 403 https://jira.apache.org/jira/browse/THRIFT-4698 404* [npmjs] @jfarrell is the only one who can do this right now. 405 https://issues.apache.org/jira/browse/THRIFT-4688 406* [perl] A submission to CPAN is necessary (normally jeking3 does this): 407 * Checkout the release branch or tag on a linux system. 408 * Fire up the docker build container. 409 * Run "make clean" and remove any gen-perl directories. 410 * Inside `lib/perl` run the script `build-cpan-dist.sh`. 411 * Upload the resulting package. If there's a mistake that needs to be corrected, 412 increase the suffix. (_1, _2, ...) and upload another. You cannot replace a release on CPAN. 413* [php] @jfarrell, @bufferoverflow, @jeking3 are the only ones who can do this right now. 414 * Once the release is tagged, one just has to hit the "Update" button to pick it up. 415* [pypi] @jfarrell is the only one who can do this right now. 416 https://issues.apache.org/jira/browse/THRIFT-4687 417* [rust] Any thrift project committer is allowed to upload a new crate. 418 419If you have any questions email `dev@thrift.apache.org`. 420