Home > Guides > Contributors Guide > Creating and Signing a Distribution > Building Struts 2 - Fast track release |
When a serious security issue arises, we should try to create a STRUTS_#_#_#_X
branch from the last GA release (from tag - check it out and use mvn release:branch
as below).
svn co https://svn.apache.org/repos/asf/struts/struts2/tags/STRUTS_#_#_# cd STRUTS_#_#_# mvn release:branch -DbranchName=STRUTS_#_#_#_X -DupdateBranchVersions=true -DupdateWorkingCopyVersions=false -DautoVersionSubmodules=true
Read the maven release:branch docs for further details or alternatively
Edit src/site/resources/archetype-catalog.xml
and change version of archetypes to current $VERSION, save and commit.
Apply and commit security patch.
Tag the release by using the {{release:prepare}} goal of Maven:
For a dry run, add '-DdryRun=true'. If you do a dry run, use 'mvn release:clean' to clean up after you have looked at the output.
When prompted for the SCM tag name, follow this pattern: STRUTS_2_3_[PATCH_VERSION]
This step will (more information):
This step will (more information):
After this step the artifacts will be hosted by Nexus
If you need to run perform again, (or in a different box), do:
Next, log in to Nexus and close staging repository.
After closing repository in Nexus, check if the version is available from staging repository as below:
In order to move the assemblies login to people.apache.org and execute the following code:
After that move the assemblies directory to the builds destination with
Post a release/quality vote to the dev list (and only the dev list). The example mail is on Sample announcements page. Include the term "fast-track" in the subject, as: [VOTE] Struts 2.0.9.1 quality (fast track).
After the vote, if the distribution is being mirrored (there was a favourable release vote) copy the Sources and Binaries:
If a new DTD was defined, copy it to /www/struts.apache.org/dtds/ and change permission to struts group (chown :struts *.dtd) and write rights (chmod g+w *.dtd).
Log in again to Nexus and release the repository, it will be automatically replicated across Maven Repositories
See Releasing a Maven-based project for further details.
Remove the old files from under /www/www.apache.org/dist/struts/ to synchronize only the latest version with peers. All the files from /www/www.apache.org/dist/ are always mirrored to http://archive.apache.org/dist/struts/
Wait 24 hours before proceeding.
If the release will fix a - hopefully yet undisclosed - security issue, it's now time to update the Security Bulletins page and add a new announcement. For a template, just check former announcements
Check out site src code
Use below script to perform update
We leave this as the last step, once the artifacts have had time to sync up on the mirrors.
Announce the release and the vulnerability. Typically this will be sent to the reporter, the project's users list (user@struts.a.o), the project's dev list (dev@struts.a.o), the project's announce list (announcements@struts.a.o), security@apache.org, full-disclosure@lists.grok.org.uk and bugtraq@securityfocus.com.
Samples are available at Sample announcements page.