tools: add release tool, remove old tools (WIP) #681
Conversation
rvagg
force-pushed
the
release-tooling
branch
from
4bd3fc2
to
5af3cd0
Compare
|
Should be ready to merge now I think. Please review @chrisdickinson (and anyone else that wants to). I've added a verbose releases.md document that describes the release process for anyone authorized to make a release. I don't see this as a final state but simply documenting how it works now; I imagine we'll be iterating on this over time and we'll need to keep this updated. Also, @chrisdickinson, can you give me your SSH pubkey, you have 3 listed here. I just need to get Chris' key onto the web server and this is ready to roll I think. I also need to get more stuff into the build repo so I can show what's actually running on the server to make this work, that's not blocking a release but I'll get to it ASAP. |
|
Oh, I changed the README to include a section on downloading binaries and some stuff about how to verify checksums and verify checksum files using GPG. |
rvagg
force-pushed
the
release-tooling
branch
from
5af3cd0
to
593de01
Compare
| @@ -0,0 +1,121 @@ | |||
| #!/bin/bash | |||
There was a problem hiding this comment.
how about env bash instead? bash lives elsewhere on FreeBSD and some other systems.
rvagg
force-pushed
the
release-tooling
branch
from
593de01
to
77ccc36
Compare
|
| | sed -E 's|__VERSION__|v'$(python tools/getnodeversion.py)'|g' \ | ||
| > out/doc/changelog.html | ||
|
|
||
| rm out/doc/changelog-body.html |
There was a problem hiding this comment.
What do we use for the changelog now?
There was a problem hiding this comment.
nada, that stuff was for changelog.html, which we don't publish (yet); we just point people to CHANGELOG.md currently.
When we come up with a better strategy we can fix this, however I think this might be something that the @iojs/website team takes responsibility for building something for coming up wtih something much prettier for.
For details on how to build the CHANGELOG.md entry itself, see doc/releases.md above.
rvagg
force-pushed
the
release-tooling
branch
from
77ccc36
to
8bb60f0
Compare
|
| @@ -209,6 +265,7 @@ information about the governance of the io.js project, see | |||
| * **Colin Ihrig** ([@cjihrig](https://github.com/cjihrig)) <cjihrig@gmail.com> (Technical Committee) | |||
| * **Mikeal Rogers** ([@mikeal](https://github.com/mikeal)) <mikeal.rogers@gmail.com> | |||
| * **Rod Vagg** ([@rvagg](https://github.com/rvagg)) <rod@vagg.org> | |||
| <br>Release GPG key: DD8F2338BAE7501E3DD5AC78C273792F7D83545D | |||
There was a problem hiding this comment.
Maybe a naive question but can't we use a single master key with as many sub-keys as there are release managers? It would make all releases be signed by "io.js Release Engineering <releng@iojs.org>" (or whatever we decide to call ourselves) and it makes revocation a little easier. Master key management is an open issue, though; who gets to own it?
There was a problem hiding this comment.
Good question, to which I don't have a simple answer unfortunately.
My personal bias is towards decentralising this and making individuals responsible for signing their releases with their own keys, simply because I think decentralisation in most aspects of the project are more healthy for the community focus and ethos that we're trying to foster. It also makes that individual properly responsible for that release rather than it just being a mechanical task.
However, I don't have any strong technical objections to a more rigid signing mechanism if others prefer that. Perhaps a question for @iojs/tc.
rvagg
force-pushed
the
release-tooling
branch
from
8bb60f0
to
8bfb7c4
Compare
Also added binary download documentation to the README.md and GPG release key fingerprint for @rvagg.
rvagg
force-pushed
the
release-tooling
branch
from
8bfb7c4
to
034d4be
Compare
|
|
||
| A SHASUMS256.txt file is produced for every promoted build, nightly and releases. Additionally for releases, this file is signed by the individual responsible for that release. In order to be able to verify downloaded binaries, the public should be able to check that the SHASUMS256.txt file has been signed by someone who has been authorized to create a release. | ||
|
|
||
| The GPG keys should be fetchable from a known third-party keyserver, currently the SKS Keyservers at <https://sks-keyservers.net> are recommended. Use the [submission](https://sks-keyservers.net/i/#submit) form to submit a new GPG key. Keys should be fetchable via: |
There was a problem hiding this comment.
I'm getting an insecure connection warning when I try to submit my pubkey to this server. Is this something I should be worried about?
There was a problem hiding this comment.
Btw, is there any reason to not use https://pgp.mit.edu/ ?
There was a problem hiding this comment.
Eventually went ahead with sending my pubkey despite the insecure connection. Was rewarded with a 500 Internal Server Error. ):
There was a problem hiding this comment.
The only reason I chose sks-keyservers.net was because the only precedent I'm aware of for checking signed shasums is in the Docker images for both Node (official Docker ones) and io.js and that's what they've chosen to use. I don't know the reasoning behind this but I went with that as an established convention.
I'm happy to change based on recommendation, @bnoordhuis also had some thoughts about PGP keys so we should chat about this tomorrow at TC.
There was a problem hiding this comment.
Ok, sounds like a good topic for @iojs/tc agenda. @rvagg let's land it the way it is for now, we will fix it later.
|
LGTM FWIW |
|
landed @ df48faf, thanks |
|
|
||
| ``` | ||
| git push origin branch vx.y.z | ||
| # where "branch" is the working branch and "vx.y.z" the the release version |
There was a problem hiding this comment.
(we may later add e.g., v1.x here)
Not finished, pushing now in case people want to give feedback.
This is a release tool to be used by those authorized by the TC to create and promote releases. The person doing the releases will need to:
This is nearly ready, I just have some minor items to sort out but we'll get this in to use for the 1.1.0 in #674 where @chrisdickinson will be my guinea-pig! There should also be a document in doc/ to go along with this to explain the process and how to cut a release.
I also need to update the server-side scripts that pair with this in the https://github.com/iojs/build repo, some of it is already there but I need to be able to publicly show the whole lot of this process.