Table of Contents generated with DocToc
- SVN source-release runbook (signed
.ziptodist/dev/)- What a “release” is
- Where this fits in the 14-step lifecycle
- Prerequisites
- Step 1: Set the release variables
- Step 2: Tag the release candidate
- Step 3: Build the source
.zipfrom the tag - Step 4: Sign the
.zip(detached.asc) - Step 5: Generate the SHA-512 checksum
- Step 6: Verify your own artefacts before staging
- Step 7: Stage to
dist/dev/over SVN - What happens after staging
- Release Manager checklist
- Cross-references
SVN source-release runbook (signed .zip to dist/dev/)
A copy-paste command sequence for the mechanical core of an
Apache release on the svnpubsub distribution backend: take a
tagged revision, package it as a source .zip, sign it, checksum
it, and stage it to dist.apache.org/repos/dist/dev/ for the
[VOTE].
[!NOTE] This is the
svnpubsubbackend. For the Apache Trusted Releases (ATR) backend — compose a signed candidate in the ATR platform, let it run the checks and drive the vote, then finish to publish — see the ATR release runbook. Same 14-step lifecycle, same skills, different distribution backend.
This runbook is the hands-on companion to the
release-rc-cut skill
(lifecycle Steps 4–5). The skill emits this command set tailored
to the adopter’s release-build.md;
this document is the same set written out longhand so a Release
Manager (RM) can run a release by hand, or sanity-check what the
skill produced. Every command runs on the RM’s own machine, with
the RM’s own signing key, under the RM’s own ASF credentials — the
agent never holds the key and never publishes
(spec § Boundary 1 / Boundary 2).
What a “release” is
Per the ASF release policy § what is a release:
- The source package is the release. Everything else
(convenience binaries, wheels, images) is just that —
convenience. The
[VOTE]votes on the source.zip. - It must be a clean source snapshot of a tagged revision — the
exact tree at
<version>-rcN, with no VCS metadata and no compiled output. - It must contain
LICENSEandNOTICEat the artefact root (this repo already carries both —git archiveincludes them automatically). - It must be cryptographically signed by the RM with a
detached signature (
.asc), and accompanied by a SHA-512 checksum.MD5andSHA-1are prohibited for new releases per release-distribution § sigs-and-sums. - It must be distributed via
dist.apache.org(svnpubsub), staged underdist/dev/for the vote and only moved todist/release/after the vote passes.
Where this fits in the 14-step lifecycle
This runbook covers Steps 4–5 of the 14-step process:
| Step | Owner skill | This runbook |
|---|---|---|
| 1–2 Plan + version bump | release-prepare |
prerequisite |
3 KEYS reconciliation |
release-keys-sync |
prerequisite |
| 4 Cut RC: tag + build + sign | release-rc-cut |
Steps 2–6 below |
5 Stage to dist/dev/ |
release-rc-cut |
Step 7 below |
| 6 Pre-flight verify | release-verify-rc |
downstream |
| 7–9 Vote + tally | release-vote-draft, release-vote-tally |
downstream |
10 Promote dist/dev/ → dist/release/ |
release-promote |
downstream |
[!IMPORTANT] This runbook stops at
dist/dev/. Moving the artefacts todist/release/is the moment of release and happens only after the vote passes — seerelease-promote. Neversvn import/svn mvinto adist/release/path from here; that path is on a hard denylist in the release skills for good reason.
Prerequisites
Before you start, confirm:
- Your GPG key is in the project
KEYSfile athttps://dist.apache.org/repos/dist/release/magpie/KEYS, and the matching public key is on a keyserver (release-signing FAQ). If this is your first release, runrelease-keys-sync(Step 3) first. - You can write to the project’s SVN dist area. ASF committers
can write to
dist/dev/;dist/release/is PMC-only (that gate bites at promote time, not here). - The prep PR is merged — version strings,
CHANGELOG,NOTICE/LICENSEreflect<version>(release-prepare prep, Step 2). git,gpg,svn, and a SHA-512 tool are installed locally.
Step 1: Set the release variables
# --- edit these three lines, then paste the rest verbatim ---
export VERSION=0.1.0 # the release version, no rc suffix
export RC=rc1 # the release-candidate number
export ASF_ID=yourapacheid # your committer id (for svn auth)
# Derived names — do not edit.
export RC_TAG="${VERSION}-${RC}"
export ARTIFACT="apache-magpie-${VERSION}-source.zip"
export STAGE_DIR="$(pwd)/stage/${RC_TAG}"
Step 2: Tag the release candidate
Cut a signed tag at the commit you are releasing, and push it.
(If the release-rc-cut
skill already emitted and you already pushed this tag, skip to Step
3.)
git tag -s "${RC_TAG}" -m "Apache Magpie ${VERSION} ${RC}" HEAD
git push origin "${RC_TAG}" # 'origin' = your remote for apache/magpie
Tagging from
HEADassumes you are on the exact release commit. Double-checkgit log -1first.
Step 3: Build the source .zip from the tag
git archive produces a deterministic snapshot of only the
tracked files at the tag — no .git/ directory, no untracked
build output. The --prefix puts everything under a versioned top
folder so the unpacked tree is apache-magpie-<version>/.
git archive --format=zip \
--prefix="apache-magpie-${VERSION}/" \
-o "${ARTIFACT}" \
"${RC_TAG}"
Quick sanity check that LICENSE and NOTICE are present at the
root:
unzip -l "${ARTIFACT}" | grep -E "apache-magpie-${VERSION}/(LICENSE|NOTICE)$"
[!NOTE] To keep files like
.github/or CI config out of the source release, mark themexport-ignorein.gitattributes—git archivehonours it. The license-header pass (Apache RAT, run byrelease-verify-rcin Step 6) is the authoritative check on what the artefact must contain.
Step 4: Sign the .zip (detached .asc)
gpg --armor --detach-sign "${ARTIFACT}"
# produces ${ARTIFACT}.asc
No --passphrase on the command line — let your GPG agent prompt.
The signature must be detached and armored (.asc), never
an inline or binary .sig.
Step 5: Generate the SHA-512 checksum
# Linux / coreutils:
sha512sum "${ARTIFACT}" > "${ARTIFACT}.sha512"
# macOS (produces a -c-compatible file):
# shasum -a 512 "${ARTIFACT}" > "${ARTIFACT}.sha512"
SHA-512 is the baseline. Do not generate md5 or sha1 — they
are prohibited for new ASF releases.
Step 6: Verify your own artefacts before staging
Catch a bad signature or a typo’d checksum before voters do:
gpg --verify "${ARTIFACT}.asc" "${ARTIFACT}"
sha512sum -c "${ARTIFACT}.sha512" # macOS: shasum -a 512 -c
Both must report success (Good signature / OK).
Step 7: Stage to dist/dev/ over SVN
Assemble the three files into a clean staging directory, then
import that directory to the RC path under dist/dev/. The svnpubsub
machinery mirrors it to the public dist.apache.org host
automatically.
mkdir -p "${STAGE_DIR}"
cp "${ARTIFACT}" "${ARTIFACT}.asc" "${ARTIFACT}.sha512" "${STAGE_DIR}/"
svn import "${STAGE_DIR}" \
"https://dist.apache.org/repos/dist/dev/magpie/${RC_TAG}/" \
--username "${ASF_ID}" \
-m "Stage Apache Magpie ${VERSION} ${RC} for vote"
Confirm it landed:
svn list "https://dist.apache.org/repos/dist/dev/magpie/${RC_TAG}/"
# expect: apache-magpie-<version>-source.zip(.asc)(.sha512)
The staging URL the [VOTE] email points voters at is:
https://dist.apache.org/repos/dist/dev/magpie/<VERSION>-<RC>/
[!IMPORTANT] The target URL must contain
dist/dev/. Never stage to adist/release/path here — promotion is a separate, post-vote, PMC-gated step (release-promote).
What happens after staging
- Verify the staged RC end-to-end — signatures against the
project
KEYS(not your keyring), checksums, license headers,NOTICE/LICENSEpresence:release-verify-rc(Step 6). - Open the
[VOTE]thread ondev@magpie.apache.org:release-vote-draft(Step 7). Voting window ≥ 72 h, needs 3 binding+1and more+1than-1(release-policy § approval). - Tally the result:
release-vote-tally(Step 9). On failure, bump the RC number and rerun this runbook from Step 2. - Promote
dist/dev/ → dist/release/once the vote passes — the moment of release:release-promote(Step 10).
Release Manager checklist
- GPG key present in
dist/release/magpie/KEYSand on a keyserver - Prep PR merged; version strings,
CHANGELOG,NOTICE/LICENSEcorrect - Signed tag
<version>-<rc>created and pushed - Source
.zipbuilt from the tag (git archive, no.git/, no binaries) -
LICENSE+NOTICEpresent at artefact root - Detached
.ascsignature created -
.sha512checksum created (nomd5/sha1) -
gpg --verifyandsha512sum -cboth pass locally - Artefacts imported to
dist/dev/magpie/<version>-<rc>/ -
svn listconfirms the three files landed - Did not touch any
dist/release/path - Staging URL handed to
release-verify-rc/release-vote-draft
Cross-references
process.md— the 14-step lifecycle this runbook covers Steps 4–5 of.spec.md— the state-change boundaries (agent never holds the key, never publishes).release-rc-cut— the skill that emits this command set fromrelease-build.md.release-keys-sync,release-verify-rc,release-promote— the upstream and downstream skills.- ASF release policy — canonical; § what is a release and § release approval.
- ASF release distribution
—
dist/dev/+dist/release/mechanics, mirror propagation, § sigs-and-sums. - ASF release signing
—
KEYSfile and signing-key onboarding.