1# Apache Thrift Release Management
2
3Instructions for preparing and distributing a release of Apache Thrift are fairly complex.  These procedures are documented here, and we're working to automate as much of this as possible.  There are few projects like ours that integrate with 28 programming languages.  Given the extreme number of package management systems that Apache Thrift integrates with (compared to perhaps any), part of the burden of releasing Apache Thrift is to manually package and upload some of these [language-specific packages](http://thrift.apache.org/lib).
4
5It is important to note here that Apache Thrift is designed for version interoperability, so one can use a version 0.7.0 client with a 0.12.0 server.  A particular version number does not make any guarantees as to the features available in any given language.  See the [Language Feature Matrix](https://github.com/apache/thrift/blob/master/LANGUAGES.md) to learn more.
6
7## Concepts
8
9### Versioning
10
11Apache Thrift and the vast majority of package management systems out there conform to the [SemVer 2.0](https://semver.org/spec/v2.0.0.html) version numbering specification.  Apache Thrift uses the following versioning rules:
12
13- *major* is currently always zero;
14- *minor* is increased for each release cycle;
15- *patch* is increased for patch builds between release cycles to address critical defect, security, or packaging issues
16
17Further, if there are only packaging changes for a single third-party distribution point to correct an issue, the major.minor.patch may remain the same while adding a suffix compatible with that distribution point, for example, "0.12.0.1" for nuget, or "0.12.0-1" for maven.
18
19#### External Package Patches
20
21It is common to have language-specific critical defects or packaging errors that need to be resolved between releases of Apache Thrift.  The project handles these on a case-by-case basis for languages that have their own [package management systems](http://thrift.apache.org/lib).  When a language-specific patch is made, the patch level of the distribution pushed to the external package manager is bumped.
22
23 As such, there may be cases between Apache Thrift releases where there are (for example) a `0.12.1` and `0.12.2` version of a Haskell Hackage package, and perhaps also a `0.12.3` version of a dlang dub package.  You will not find a tag or an official project release in these cases, however, the code changes will be reflected in the release branch and in master.  In these cases we would not release a version of Apache Thrift nor would we refresh all the external language packages.
24
25#### Version in the master branch
26
27The master branch will always contain the next anticipated release version.  When a release cycle begins, a branch is cut from master.  The release branch will already have all of the correct versions, and therefore release branches can be easily merged back into master.  (This was not true of releases before 0.12.0).
28
29### Code Repository
30
31The authoritative repository for Apache Thrift is stored in [GitHub](https://github.com/apache/thrift).  It is mirrored by [GitBox](https://gitbox.apache.org/repos/asf?p=thrift.git).
32
33### Branches
34
35All code (submitted via pull request or direct push) is committed to the `master` branch.  Until version 1.0 of Apache Thrift each release branch was named `<version>`, for example in version `0.12.0` there is a branch named the same.  For version 1.0 releases any beyond, releases will have a branch named `release/<version>`.
36
37### Tags
38
39Up to version `0.12.0` each release of Apache Thrift was tagged with a `<version>` tag.  Starting with the `0.12.0` release, each release of Apache Thrift will be tagged with a `v<version>` tag to satisfy external package management tools (such as ones for dlang and golang).  For example the tag of version `0.12.0` is `v0.12.0`.
40
41## Release Procedures
42
43### Release Schedule
44
45Apache Thrift has no official release schedule, however the project aims to release at least twice per year.
46
47A complete release cycle will take about 1 week to complete, if things go well, with half of that time waiting for a vote.
48
49### Release Manager
50
51Before a release cycle begins, someone must nominate themselves on the development mailing list as the release manager for that release.  In order to be a release manager you must meet the following criteria:
52
531. You are a [member](http://people.apache.org/phonebook.html?pmc=thrift) of the Apache PMC group.
541. Your profile at https://id.apache.org/ is valid and contains a PGP key.  If it does not, see the [Apache OpenPGP Instructions](https://www.apache.org/dev/openpgp.html).  If your PGP private key creation seems to hang indefinitely while creating entropy, try these fixes:
55    - Generate disk I/O with: `dd if=/dev/sda of=/dev/zero`
56    - Install the `rng-tools` package.
571. Your PGP key is visible in the [Apache Committer Keys](http://people.apache.org/keys/committer/) for code signing.  This list is updated periodically from your Apache ID (see previous step).
581. You have read and agree with the contents of the [ASF Release Distribution Policy](https://www.apache.org/dev/release-distribution.html).
591. You have access and the ability to use subversion.  All distribution artifacts are released through a subversion commit.
601. You can build in the Linux Docker Container, and you have Visual Studio 2017.
611. You have sufficient time to complete a release distribution.
62
63### Release Candidate
64
65All Apache Thrift releases go through a 72-hour final release candidate voting procedure.  Votes from members of the Apache Thrift PMC are binding, and all others are non-binding.  For these examples, the `master` branch is at version 1.0.0 and that is the next release.
66
671. Scrub the Apache Jira backlog.  There are a couple things to do:
68
69    1. [Open Issues without a Component](https://issues.apache.org/jira/issues/?filter=-1&jql=project%20%3D%20THRIFT%20and%20status%20!%3D%20Closed%20and%20component%20is%20empty) - make sure everything has an assigned component, as the release notes are grouped together by language.
70
71    1. [Open Issues with a Fix Version](https://issues.apache.org/jira/issues/?filter=-1&jql=project%20%3D%20THRIFT%20and%20status%20in%20(OPEN%2C%20%27IN%20PROGRESS%27%2C%20REOPENED)%20and%20fixVersion%20is%20not%20empty) - these will be issues that someone placed a fixVersion on in Jira, but have not been resolved or closed yet.  They are likely stale somehow.  Resolutions for these issues include resolving or closing the issue in Jira, or simply removing the fixVersion if the issue hasn't been fixed.
72
73    1. [Open Blocking Issues](https://issues.apache.org/jira/issues/?filter=-1&jql=project%20%3D%20THRIFT%20and%20priority%20in%20(blocker)%20and%20status%20not%20in%20(closed)%20order%20by%20component%20ASC) - blocking issues should block a release.  Scrub the list to see if they are really blocking the release, and if not change their priority.
74
75    1. [Open Critical Issues](https://issues.apache.org/jira/issues/?filter=-1&jql=project%20%3D%20THRIFT%20and%20priority%20in%20(critical)%20and%20status%20not%20in%20(closed)%20and%20type%20not%20in%20(%22wish%22)%20order%20by%20component%20ASC) - this list will end up in the known critical issues list in the changes file.  Scrub it to make sure everything is actually critical.
76
77    It is healthy to scrub these periodically, whether or not you are making a new release.
78
791. Check that the version number in the `master` branch matches the version number of the upcoming release.  To check the `master` branch version, run:
80
81    ```bash
82    thrift$ grep AC_INIT configure.ac | cut -d'[' -f3 | cut -d']' -f1
83    1.0.0
84    ```
85
86    If it does not match (this should be extremely rare), you need to submit a pull request setting the `master` branch to the desired version of the upcoming release.  In the following example, we prepare to commit a branch where the version number is changed from `1.0.0` to `1.1.0`:
87
88    ```bash
89    thrift$ git checkout -b fix-version-for-release
90    thrift$ build/veralign.sh 1.0.0 1.1.0
91    # check to see if any of the manually modified files needs changes
92    thrift$ git push ... # make a pull request
93    ```
94
951. Create a release branch for the release, in this example `1.0.0`:
96
97    ```bash
98    thrift$ git checkout master
99    thrift$ git pull
100    thrift$ git checkout -b "release/1.0.0"
101    thrift$ git push
102    ```
103
104    Now there is a `release/1.0.0` branch in GitHub for Apache Thrift.
105
106    By creating a release branch we allow work to continue on the `master` branch for the next release while we finalize this one.  Note that `release/1.0.0` and `master` in this example are now identical, and therefore it is possible to merge the release branch back into `master` at the end of the release!
107
1081. Modify these files manually, inserting the release into them at the appropriate location.  Follow existing patterns in each file:
109    - `doap.rdf`
110    - `debian/changelog`
111
1121. Generate the content for `CHANGES.md` - this is one of the most time-consuming parts of the release cycle.  It is a lot of work, but the result is well worth it to the consumers of Apache Thrift:
113
114    1. Find all [Issues Fixed but not Closed in 1.0.0](https://issues.apache.org/jira/issues/?filter=-1&jql=project%20%3D%20thrift%20and%20fixVersion%20%3D%201.0.0%20and%20status%20!%3D%20closed) (adjust the version in the link to suit your needs).
115
116    1. Export the list of issues to a CSV (Current Fields) and open in Excel (or a similar spreadsheet).
117
118    1. Hide all columns except for the issue id (i.e. THRIFT-nnnn), the component (first one), and the summary.
119
120    1. Sort by component ascending and then by id ascending.
121
122    1. Create a fourth column that will contain the contents of each line that goes into the release notes.  Once you have the formula working in one cell paste it into the other rows to populate them.  Use a formula to get the column to look like this:
123
124        ```vcol
125        Issue       Component      Summary     RelNote
126        THRIFT-123  C++ - Library  Drop C++03  [THRIFT-123](https://issues.apache.org/jira/browse/THRIFT-3978) - Drop C++03
127        ```
128
129        For example, if the row above was row "B" in EXCEL it would look something like:
130
131        ```text
132        =CONCAT("[", B1, "]",
133                "https://issues.apache.org/jira/browse/",
134                B1, " - ", B3)
135        ```
136
137    1. Create a level 3 section in `CHANGES.md` under the release for each component and copy the items from the RelNote column into the changes file.
138
139    1. Find all [Open Critical Issues](https://issues.apache.org/jira/issues/?filter=-1&jql=project%20%3D%20THRIFT%20and%20priority%20in%20(critical)%20and%20status%20not%20in%20(closed)%20and%20type%20not%20in%20(%22wish%22)%20order%20by%20component%20ASC) and add them to `CHANGES.md` in the list of known critical issues for the release.
140
1411. Commit all changes to the release branch.
142
1431. Generate the source tarball.
144
145    1. On a linux system get a clean copy of the release branch, for example:
146
147        ```bash
148        ~$ git clone -b "release/1.0.0" git@github.com:apache/thrift.git thrift-1.0.0-src
149        ```
150
151    1. In the clean copy of the release branch, start a docker build container and run `make dist`:
152
153        ```code
154        ~$ cd thrift-1.0.0-src
155        ~/thrift-1.0.0-src$ docker run -v $(pwd):/thrift/src:rw \
156            -it thrift/thrift-build:ubuntu-bionic /bin/bash
157        root@8b4101188aa2:/thrift/src# ./bootstrap.sh && ./configure && make dist
158        ```
159
160        The result will be a file named `thrift-1.0.0.tar.gz`.  Check the size and make sure it is roughly 4MB.  It could get larger over time, but it shouldn't jump by orders of magnitude.  Once satisfied you can exit the docker container with `exit`.
161
162    1. Generate signatures and checksums for the tarball:
163
164        ```bash
165        gpg --armor --output thrift-1.0.0.tar.gz.asc --detach-sig thrift-1.0.0.tar.gz
166        md5sum thrift-1.0.0.tar.gz > thrift-1.0.0.tar.gz.md5
167        sha1sum thrift-1.0.0.tar.gz > thrift-1.0.0.tar.gz.sha1
168        sha256sum thrift-1.0.0.tar.gz > thrift-1.0.0.tar.gz.sha256
169
1701. Generate the Windows Thrift Compiler.  This is a statically linked compiler that is portable and folks find it useful to be able to download one, especially if they are using third-party distributed runtime libraries for interpreted languages on Windows.  There are two ways to generate this:
171
172    - Using a Development VM
173
174        1. On a Windows machine with Visual Studio, pull down the source code and checkout the release branch.
175        1. Open an x64 Native Tools Command Prompt for VS 2017 and create an out-of-tree build directory.
176        1. Install the latest version of cmake.
177        1. Install chocolatey and install winflexbison with chocolatey.
178        1. Run cmake to generate an out-of-tree build environment:
179            ```cmd
180            C:\build> cmake ..\thrift -DBISON_EXECUTABLE=c:\ProgramData\chocolatey\lib\winflexbison\tools\win_bison.exe -DFLEX_EXECUTABLE=c:\ProgramData\chocolatey\lib\winflexbison\tools\win_flex.exe -DWITH_MT=ON -DWITH_SHARED_LIB=OFF -DWITH_CPP=OFF -DWITH_JAVA=OFF -DWITH_HASKELL=OFF -DWITH_PYTHON=OFF -DWITH_C_GLIB=OFF -DBUILD_TESTING=OFF -DBUILD_TUTORIALS=OFF -DBUILD_COMPILER=ON
181            C:\build> cmake --build . --config Release
182            ```
183
184    - Using [Docker for Windows](../build/docker/msvc2017/README.md), follow the instructions for building the compiler.
185    - In both cases:
186        1. Verify the executable only depends on kernel32.dll using [depends.exe](http://www.dependencywalker.com/).
187        1. Copy the executable `thrift.exe` to your linux system where the signed tarball lives and rename it to `thrift-1.0.0.exe` (substitute the correct version, of course).
188        1. Sign the executable the same way you signed the tarball.
189
1901. Upload the release artifacts to the Apache Dist/Dev site.  This requires subversion:
191
192    ```bash
193    ~$ mkdir -p dist/dev
194    ~$ cd dist/dev
195    ~/dist/dev$ svn co "https://dist.apache.org/repos/dist/dev/thrift" thrift
196    ~/dist/dev$ cd thrift
197    ```
198
199    Copy the tarball, windows compiler executable, and 8 additional signing files into a new directory for the release:
200
201    ``` bash
202    ~/dist/dev/thrift$ mkdir 1.0.0-rc0
203    # copy the files into the directory
204    ~/dist/dev/thrift$ svn add 1.0.0-rc0
205    ```
206
207    The layout of the files should match the [current release](https://www.apache.org/dist/thrift/).  Once done, add the release candidate and check it in:
208
209    ```bash
210    ~/dist/dev/thrift$ svn status
211    # verify everything is correct
212    ~/dist/dev/thrift$ svn commit -m "Apache Thrift 1.0.0-rc0 in dist dev" \
213        --username <apache-username> --password <apache-password>
214    ```
215
2161. Verify the release candidate artifacts are available at:
217
218    [https://dist.apache.org/repos/dist/dev/thrift/](https://dist.apache.org/repos/dist/dev/thrift/)
219
2201. Send a voting announcement message to `dev@thrift.apache.org` following this template as a guide:
221
222    ```code
223    To: dev@thrift.apache.org
224    Subject: [VOTE] Apache Thrift 1.0.0-rc0 release candidate
225    ---
226    All,
227
228    I propose that we accept the following release candidate as the official Apache Thrift 1.0.0 release:
229
230    https://dist.apache.org/repos/dist/dev/thrift/1.0.0-rc0/thrift-1.0.0-rc0.tar.gz
231
232    The release candidate was created from the release/1.0.0 branch and can be cloned using:
233
234    git clone -b release/1.0.0 https://github.com/apache/thrift.git
235
236    The release candidates GPG signature can be found at:
237    https://dist.apache.org/repos/dist/dev/thrift/1.0.0-rc0/thrift-1.0.0-rc0.tar.gz.asc
238
239    The release candidates checksums are:
240    md5:
241    sha1:
242    sha256:
243
244
245    A prebuilt statically-linked Windows compiler is available at:
246    https://dist.apache.org/repos/dist/dev/thrift/1.0.0-rc0/thrift-1.0.0-rc0.exe
247
248    Prebuilt statically-linked Windows compiler GPG signature:
249    https://dist.apache.org/repos/dist/dev/thrift/1.0.0-rc0/thrift-1.0.0-rc0.exe.asc
250
251    Prebuilt statically-linked Windows compiler checksums are:
252    md5:
253    sha1:
254    sha256:
255
256
257    The source tree as ZIP file to be published via Github releases:
258    https://dist.apache.org/repos/dist/dev/thrift/1.0.0-rc0/thrift-1.0.0-rc0.zip
259
260    ZIP source tree GPG signature:
261    https://dist.apache.org/repos/dist/dev/thrift/1.0.0-rc0/thrift-1.0.0-rc0.zip.asc
262
263    ZIP source tree checksums are:
264    md5:
265    sha1:
266    sha256:
267
268    The CHANGES list for this release is available at:
269    https://github.com/apache/thrift/blob/release/1.0.0/CHANGES.md
270
271
272    Please download, verify sig/sum, install and test the libraries and languages of your choice.
273
274    This vote will close in 72 hours on 2019-07-06 21:00 UTC
275
276    [ ] +1 Release this as Apache Thrift 1.0.0
277    [ ] +0
278    [ ] -1 Do not release this as Apache Thrift 1.0.0 because...
279    ```
280
2811. If any issues are brought up with the release candidate, you will need to package another and reset the voting clock.
282
283Voting on the development mailing list provides additional benefits (wisdom from [Christopher Tubbs](https://issues.apache.org/jira/browse/THRIFT-4506?focusedCommentId=16791902&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16791902)):
284- It creates a public record for the vote,
285- It allows for participation/evaluation from our wider user audience (more diversity in evaluators improves quality), and
286- It provides more entry points for potential future committers/PMC members to earn merit through participation.
287
288### Official Release
289
2901. Send a message to `dev@thrift.apache.org` with the voting results.  Use this template as a guide:
291
292    ```code
293    To: dev~thrift.apache.org
294    Subject: [VOTE][RESULT] Release Apache Thrift 1.0.0
295    ---
296    All,
297
298    Including my own vote of +1 we have N binding +1 and no -1.
299    The vote for the Apache Thrift 1.0.0 release is ***successful***.
300    Thank you to all who helped test and verify.
301    ```
302
3031. Use svn to checkout the release part of thrift (similar to dev) and copy the files over from dev, matching the previous release structure:
304
305    ```bash
306    ~$ mkdir -p dist/release
307    ~$ cd dist/release
308    ~/dist/release$ svn co "https://dist.apache.org/repos/dist/release/thrift" thrift
309    ~/dist/release$ cd thrift
310    ~/dist/release/thrift$ mkdir 1.0.0
311    ~/dist/release/thrift$ cp -p ../../dev/thrift/1.0.0-rc0/* 1.0.0/
312    ~/dist/release/thrift$ svn status
313    # verify everything is correct
314    ~/dist/release/thrift$ svn commit -m "Apache Thrift 1.0.0 official release" \
315        --username <apache-username> --password <apache-password>
316    ```
317
318    **NOTE** Once you check-in, you need to wait about a day for all the mirrors to update.  You cannot send the announcement email or update the web site until the mirrors are updated.
319
3201. Create and push a tag for the release, for example "v1.0.0".
321
322    **NOTE:** All new releases must have the "v" prefix to satisfy third-party package managers (dlang dub, golang, etc..)
323
324    **NOTE:** You **should** [sign the release tag](https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work).  Since you already have a GPG signing key for publishing the Apache Release, you want to [upload that key to your GitHub account](https://help.github.com/en/articles/adding-a-new-gpg-key-to-your-github-account).  Once the key is known by GitHub you can sign the tag.
325
326    ```bash
327    ~/thrift$ # make sure you are on the release branch
328    ~/thrift$ git checkout release/1.0.0
329    ~/thrift$ git pull
330    ~/thrift$ git tag -s v1.0.0 -m "Version 1.0.0"
331    ~/thrift$ git push --tags
332    ```
333
334    **NOTE:** If you get the error "gpg failed to sign the data" when tagging, try this fix: ```export GPG_TTY=$(tty)```. Alternatively, it may be necessary to specify the ```-u <keyid>``` as an additional argument.
335
3361. Create a new release from the [GitHub Tags Page](https://github.com/apache/thrift/tags).  Attach the statically built Windows thrift compiler as a binary here.
337
3381. Merge the release branch into master.  This ensures all changes made to fix up the release are in master.
339
340    ```bash
341    ~/thrift$ git checkout master
342    ~/thrift$ git pull
343    ~/thrift$ git merge release/1.0.0
344    ```
345
346    The merge of 1.0.0 into master should proceed as a fast-forward since the 1.0.0 release branch.  If there are discrepancies the best thing to do is resolve them and then submit a pull request.  This pull request must be *MERGED* and not *REBASED* after the CI build is successful.  You may want to do this yourself and mark the pull request as `[DO NOT MERGE]`.
347
3481. Update the web site content to include the new release. The repository is located at https://github.com/apache/thrift-website and there are plenty of instructions how to update both staging and live web site. With regard to the release, its actually quite simple: check out the main branch and edit two lines in _config.yml, then commit. The build bot will update staging. After checking everything is right, simply fast-forward "asf-site" to "asf-staging" and push, then production site will automatically get updated as well
349
3501. Make an announcement on the dev@ and user@ mailing lists of the release.  There's no template to follow, but you can point folks to the official web site at https://thrift.apache.org, and to the GitHub site at https://github.org/apache.thrift.
351
352### Post-Release
353
3541. Visit https://reporter.apache.org/addrelease.html?thrift and register it.  You will get an automated reminder as the one who committed into dist.  This informs the Apache Board of Directors of releases through project reports.
355
3561. Create a local branch to bump the release number to the next anticipated release:
357
358    ```bash
359    ~/thrift$ git checkout -b bump-master
360    ~/thrift$ build/veralign.sh 1.0.0 1.1.0
361    ```
362
363    The veralign script will set the version number in all of the language packaging files and headers.  You do not need to worry about the manually modified files at this time.  You should however ensure everything is correct by looking at the diff.
364
3651. Create a pull request to advance master to the next anticipated release.
366
3671. In Apache Jira, select all tickets where the fix version is the release and the status is not closed ([example](https://issues.apache.org/jira/issues/?jql=project%20%3D%20THRIFT%20AND%20fixVersion%20%3D%201.0%20%20and%20status%20!%3D%20Closed)) and use the bulk editing tool to close them.
3681. **FIXME** Ask someone with admin access to Apache Jira to change the fixVersion in question from unreleased to released, for example:
369    https://issues.apache.org/jira/browse/THRIFT-4686
370
3711. Ensure that the [Jira release page](https://issues.apache.org/jira/projects/THRIFT?selectedItem=com.atlassian.jira.jira-projects-plugin%3Arelease-page&status=unreleased) for the version has the same number of issues in the version as issues done, and that there are no issues in progress and no issues to do, and no warnings.  Finally, mark it as released and set the date of the release.
372
373* [Report any CVEs](https://apache.org/security/committers.html) that were fixed.  You can email `security@apache.org` if you are not sure if there are any CVEs to report.
374
375#### Third Party Package Managers
376
377See https://thrift.apache.org/lib/ for the current status of each external package manager's distribution.  The information below is from the 0.12.0 release:
378
379  > This section needs to be updated with detailed instructions for each language, or pointers to the README.md files in each language directory with detailed release instructions for the given package management system.
380
381* [dart] Releasing this requires a google account.
382  * You will need to install the same version of dart that is used in the docker image.
383  * Go into lib/dart and run "pub publish --dry-run" and resolve any warnings.
384  * Run "pub publish" and go through the google account authorization to allow it.
385* [dlang] Within a day, the dlang dub site https://code.dlang.org/packages/apache-thrift?tab=info
386  should pick up the release based on the tag.  No action is needed.
387* [npmjs] @jfarrell is the only one who can do this right now.
388    https://issues.apache.org/jira/browse/THRIFT-4688
389* [perl] A submission to CPAN is necessary (normally jeking3 does this):
390  * Checkout the release branch or tag on a linux system.
391  * Fire up the docker build container.
392  * Run "make clean" and remove any gen-perl directories.
393  * Inside `lib/perl` run the script `build-cpan-dist.sh`.
394  * Upload the resulting package.  If there's a mistake that needs to be corrected,
395    increase the suffix. (_1, _2, ...) and upload another.  You cannot replace a release on CPAN.
396* [php] @jfarrell, @bufferoverflow, @jeking3 are the only ones who can do this right now.
397  * Once the release is tagged, one just has to hit the "Update" button to pick it up.
398* [pypi] @jfarrell is the only one who can do this right now.
399    https://issues.apache.org/jira/browse/THRIFT-4687
400* [rust] Any thrift project committer is allowed to upload a new crate.
401
402If you have any questions email `dev@thrift.apache.org`.
403