Home > Guides > Contributors Guide > Creating and Signing a Distribution > Building Struts 2 - Fast track release |
This version is outdated! Work-in-progress!
When a serious security issue arises, we should try to create a STRUTS_#_#_#_X
branch from the last GA release (from tag - check it out and use mvn release:branch
as below).
svn co https://svn.apache.org/repos/asf/struts/struts2/tags/STRUTS_#_#_# cd STRUTS_#_#_# mvn release:branch -DbranchName=STRUTS_#_#_#_X -DupdateBranchVersions=true -DupdateWorkingCopyVersions=false -DautoVersionSubmodules=true
Read the maven release:branch docs for further details or alternatively
Changing version in poms
If needed, you can use Versions Maven Plugin to set -SNAPSHOT version in all poms, like below:
mvn versions:set -DnewVersion=2.3.16.1-SNAPSHOT -DgenerateBackupPoms=false
Edit src/site/resources/archetype-catalog.xml
and change version of archetypes to current $VERSION, save and commit.
Apply and commit security patch.
Tag the release by using the {{release:prepare}} goal of Maven:
mvn release:prepare -DautoVersionSubmodules=true
For a dry run, add '-DdryRun=true'. If you do a dry run, use 'mvn release:clean' to clean up after you have looked at the output.
When prompted for the SCM tag name, follow this pattern: STRUTS_2_3_[PATCH_VERSION]
If you get the error message above, try to re-run mvn release:prepare -DautoVersionSubmodules=true command again, -Dresume flag is set to true by default and the plugin will resume the release process from where it failed before.
This step will (more information):
mvn release:perform -Dusername=yourSvnUsername
This step will (more information):
N.B.: this step takes a long time (about 2 hours with a broadband connection)
After this step the artifacts will be hosted by Nexus
If you need to run perform again, (or in a different box), do:
git clone https://git-wip-us.apache.org/repos/asf/struts.git git checkout $VERSION cd $VERSION mvn deploy --no-plugin-updates -DperformRelease=true
Next, log in to Nexus and close staging repository.
After closing repository in Nexus, check if the version is available from staging repository as below:
https://repository.apache.org/content/groups/staging/org/apache/struts/struts2-assembly/$VERSION/
In order to move the assemblies login to people.apache.org and execute the following code:
#!/bin/sh # create the destination directory mkdir $VERSION cd $VERSION # get the distro wget -erobots=off -nv -l 1 --accept=zip,md5,sha1,asc -r --no-check-certificate -nd -nH https://repository.apache.org/content/groups/staging/org/apache/struts/struts2-assembly/$VERSION # rename files for f in *2-assembly*.zip* do mv $f `echo $f | sed s/2-assembly//g` done # remove unneeded files for f in struts2-assembly-*.pom* do rm $f done # remove unneeded hashes rm *.asc.md5 rm *.asc.sha1
After that move the assemblies directory to the builds destination with
mv $VERSION /www/people.apache.org/builds/struts/
Post a release/quality vote to the dev list (and only the dev list). The example mail is on Sample announcements page. Include the term "fast-track" in the subject, as: [VOTE] Struts 2.0.9.1 quality (fast track).
After the vote, if the distribution is being mirrored (there was a favourable release vote) copy the Sources and Binaries:
ssh people.apache.org cd /www/people.apache.org/builds/struts/$VERSION cp struts-$VERSION-src.* /www/www.apache.org/dist/struts/source cp struts-$VERSION-docs.* /www/www.apache.org/dist/struts/documentation cp struts-$VERSION-lib.* /www/www.apache.org/dist/struts/library cp struts-$VERSION-apps.* /www/www.apache.org/dist/struts/examples cp struts-$VERSION-all.* /www/www.apache.org/dist/struts/binaries
If a new DTD was defined, copy it to /www/struts.apache.org/dtds/ and change permission to struts group (chown :struts *.dtd) and write rights (chmod g+w *.dtd).
The default setup on people.apache.org will leave the files and directories only changeable by the user who creates them. The last two steps will allow future releases to go smoothly.
Log in again to Nexus and release the repository, it will be automatically replicated across Maven Repositories
See Releasing a Maven-based project for further details.
Remove the old files from under /www/www.apache.org/dist/struts/ to synchronize only the latest version with peers. All the files from /www/www.apache.org/dist/ are always mirrored to http://archive.apache.org/dist/struts/
Wait 24 hours before proceeding.
If the release will fix a - hopefully yet undisclosed - security issue, it's now time to update the Security Bulletins page and add a new announcement. For a template, just check former announcements
Check out site src code
svn co https://svn.apache.org/repos/asf/struts/site/ struts-site
Use below script to perform update
#!/bin/sh # script used to update struts2-subsite after release VERSION=2.3.15 BRANCH=2.3.x TAG=STRUTS_2_3_15 svn co https://svn.apache.org/repos/infra/websites/production/struts/content/ struts-site svn co https://svn.apache.org/repos/asf/struts/struts2/tags/$TAG/ $TAG wget -erobots=off http://people.apache.org/builds/struts/$VERSION/struts-$VERSION-docs.zip unzip struts-$VERSION-docs.zip -d docs rm -r struts-site/release/$BRANCH/docs rm -r struts-site/release/$BRANCH/struts2-core rm -r struts-site/release/$BRANCH/struts2-plugins rm -r struts-site/release/$BRANCH/xwork-core mv -f docs/struts-$VERSION/docs/* struts-site/release/$BRANCH cd $TAG mvn site:site site:stage -DstagingDirectory=../struts-site/release/$BRANCH cd ../struts-site svn add --force ./ # Delete removed files svn st | grep '^!' | awk '{print $2}' | xargs svn delete --force svn commit -m "Updates Struts2 subsite after release process" cd .. rm -r struts-site rm -r $TAG rm -r docs rm struts-$VERSION-docs.zip
We leave this as the last step, once the artifacts have had time to sync up on the mirrors.
Announce the release and the vulnerability. Typically this will be sent to the reporter, the project's users list (user@struts.a.o), the project's dev list (dev@struts.a.o), the project's announce list (announcements@struts.a.o), security@apache.org, full-disclosure@lists.grok.org.uk and bugtraq@securityfocus.com.
Samples are available at Sample announcements page.