Hi,

Sorry for not replying to this thread.

I think that the biggest problem is related to our Java
package.


We'll be able to resolve the GPG key problem by creating a
GPG key only for nightly release test. We can share the test
GPG key publicly because it's just for testing.

It'll work for our binary artifacts and APT/Yum repositories
but won't work for our Java package. I don't know where the GPG
key is used in our Java package...


We'll be able to resolve the Git commit problem by creating
a cloned Git repository for test. It's done in our
dev/release/00-prepare-test.rb[1].

[1] https://github.com/apache/arrow/blob/master/dev/release/00-prepare-test.rb#L30

The biggest problem for the Git commit is our Java package
requires "apache-arrow-${VERSION}" tag on
https://github.com/apache/arrow . (Right?)
I think that "mvn release:perform" in
dev/release/01-perform.sh does so but I don't know the
details of "mvn release:perform"...


More details:

dev/release/00-prepare.sh:

We'll be able to run this automatically when we can resolve
the above GPG key problem in our Java package. We can
resolve the Git commit problem by creating a cloned Git
repository.

dev/release/01-prepare.sh:

We'll be able to run this automatically when we can resolve
the above Git commit ("apache-arrow-${VERSION}" tag) problem
in our Java package.

dev/release/02-source.sh:

We'll be able to run this automatically by creating a GPG
key for nightly release test. We'll use Bintray to upload RC
source archive instead of dist.apache.org. Ah, we need a
Bintray API key for this. It must be secret.

dev/release/03-binary.sh:

We'll be able to run this automatically by creating a GPG
key for nightly release test. We need a Bintray API key too.

We need to improve this to support nightly release test. It
uses "XXX-rc" such as "debian-rc" for Bintray "package" name.
It should use "XXX-nightly" such as "debian-nightly" for
nightly release test instead.

dev/release/post-00-release.sh:

We'll be able to skip this.

dev/release/post-01-upload.sh:

We'll be able to skip this.

dev/release/post-02-binary.sh:

We'll be able to run this automatically by creating Bintray
"packages" for nightly release and use them. We can create
"XXX-nightly-release" ("debian-nightly-release") Bintray
"packages" and use them instead of "XXX" ("debian") Bintray
"packages".

"debian" Bintray "package": https://bintray.com/apache/debian/

We need to improve this to support nightly release.

dev/release/post-03-website.sh:

We'll be able to run this automatically by creating a cloned
Git repository for test.

It's better that we have a Web site to show generated pages.
We can create
https://github.com/apache/arrow-site/tree/asf-site/nightly
and use it but I don't like it. Because arrow-site increases
a commit day by day.
Can we prepare a Web site for this? (arrow-nightly.ursalabs.org?)

dev/release/post-04-rubygems.sh:

We may be able to use GitHub Package Registry[2] to upload
RubyGems. We can use "pre-release" package feature of
https://rubygems.org/ but it's not suitable for
nightly. It's for RC or beta release.

[2] https://github.blog/2019-05-10-introducing-github-package-registry/

dev/release/post-05-js.sh:

We may be able to use GitHub Package Registry[2] to upload
npm packages.

dev/release/post-06-csharp.sh:

We may be able to use GitHub Package Registry[2] to upload
NuGet packages.

dev/release/post-07-rust.sh:

I don't have any idea. But it must be run
automatically. It's always failed. I needed to run each
command manually.

dev/release/post-08-remove-rc.sh:

We'll be able to skip this.


Thanks,
--
kou

In <CAJPUwMAmp0jvz6qrdqehBEUB_NdbGEsHFNgLW9Q6V9RFTnk=3...@mail.gmail.com>
  "Re: [DISCUSS] Release cadence and release vote conventions" on Wed, 31 Jul 
2019 15:35:57 -0500,
  Wes McKinney <wesmck...@gmail.com> wrote:

> The PMC member and their GPG keys need to be in the loop at some
> point. The release artifacts can be produced by some kind of CI/CD
> system so long as the PMC member has confidence in the security of
> those artifacts before signing them. For example, we build the
> official binary packages on public CI services and then download and
> sign them with Crossbow. I think the same could be done in theory with
> the source release but we'd first need to figure out what to do about
> the parts that create git commits.
> 
> On Wed, Jul 31, 2019 at 11:23 AM Andy Grove <andygrov...@gmail.com> wrote:
>>
>> To what extent would it be possible to automate the release process via
>> CICD?
>>
>> On Wed, Jul 31, 2019 at 9:19 AM Wes McKinney <wesmck...@gmail.com> wrote:
>>
>> > I think one thing that would help would be improving the
>> > reproducibility of the source release process. The RM has to have
>> > their machine configured in a particular way for it to work.
>> >
>> > Before anyone says "Docker" it isn't an easy solution because the
>> > release scripts need to be able to create git commits (created by the
>> > Maven release plugin) and sign artifacts using the RM's GPG keys.
>> >
>> > On Sat, Jul 27, 2019 at 10:04 PM Micah Kornfield <emkornfi...@gmail.com>
>> > wrote:
>> > >
>> > > I just wanted to bump this thread.  Kou and Krisztián as the last two
>> > > release managers is there any specific infrastructure that you think
>> > might
>> > > have helped?
>> > >
>> > > Thanks,
>> > > Micah
>> > >
>> > > On Wed, Jul 17, 2019 at 11:29 PM Micah Kornfield <emkornfi...@gmail.com>
>> > > wrote:
>> > >
>> > > > I can help as well, but not exactly sure where to start.  It seems
>> > like
>> > > > there are already some JIRAs opened [1]
>> > > > for improving the release?  Could someone more familiar with the
>> > process
>> > > > pick out the highest priority ones? Do more need to be opened?
>> > > >
>> > > > Thanks,
>> > > > Micah
>> > > >
>> > > > [1]
>> > > >
>> > https://issues.apache.org/jira/browse/ARROW-2880?jql=project%20%3D%20ARROW%20AND%20status%20in%20(Open%2C%20%22In%20Progress%22%2C%20Reopened)%20AND%20component%20in%20(%22Developer%20Tools%22%2C%20Packaging)%20and%20summary%20~%20Release
>> > > >
>> > > > On Sat, Jul 13, 2019 at 7:17 AM Wes McKinney <wesmck...@gmail.com>
>> > wrote:
>> > > >
>> > > >> To be effective at improving the life of release managers, the nightly
>> > > >> release process really should use as close as possible to the same
>> > > >> scripts that the RM uses to produce the release. Otherwise we could
>> > > >> have a situation where the nightlies succeed but there is some problem
>> > > >> that either fails an RC or is unable to be produced at all.
>> > > >>
>> > > >> On Sat, Jul 13, 2019 at 9:12 AM Andy Grove <andygrov...@gmail.com>
>> > wrote:
>> > > >> >
>> > > >> > I would like to volunteer to help with Java and Rust release process
>> > > >> work,
>> > > >> > especially nightly releases.
>> > > >> >
>> > > >> > Although I'm not that familiar with the Java implementation of
>> > Arrow, I
>> > > >> > have been using Java and Maven for a very long time.
>> > > >> >
>> > > >> > Do we envisage a single nightly release process that releases all
>> > > >> languages
>> > > >> > simultaneously? or do we want separate process per language, with
>> > > >> different
>> > > >> > maintainers?
>> > > >> >
>> > > >> >
>> > > >> >
>> > > >> > On Wed, Jul 10, 2019 at 8:18 AM Wes McKinney <wesmck...@gmail.com>
>> > > >> wrote:
>> > > >> >
>> > > >> > > On Sun, Jul 7, 2019 at 7:40 PM Sutou Kouhei <k...@clear-code.com>
>> > > >> wrote:
>> > > >> > > >
>> > > >> > > > Hi,
>> > > >> > > >
>> > > >> > > > > in future releases we should
>> > > >> > > > > institute a minimum 24-hour "quiet period" after any community
>> > > >> > > > > feedback on a release candidate to allow issues to be examined
>> > > >> > > > > further.
>> > > >> > > >
>> > > >> > > > I agree with this. I'll do so when I do a release manager in
>> > > >> > > > the future.
>> > > >> > > >
>> > > >> > > > > To be able to release more often, two things have to happen:
>> > > >> > > > >
>> > > >> > > > > * More PMC members must engage with the release management
>> > role,
>> > > >> > > > > process, and tools
>> > > >> > > > > * Continued improvements to release tooling to make the
>> > process
>> > > >> less
>> > > >> > > > > painful for the release manager. For example, it seems we may
>> > > >> want to
>> > > >> > > > > find a different place than Bintray to host binary artifacts
>> > > >> > > > > temporarily during release votes
>> > > >> > > >
>> > > >> > > > My opinion is that we need to build a nightly release system.
>> > > >> > > >
>> > > >> > > > It uses dev/release/NN-*.sh to build .tar.gz and binary
>> > > >> > > > artifacts from the .tar.gz.
>> > > >> > > > It also uses dev/release/verify-release-candidate.* to
>> > > >> > > > verify build .tar.gz and binary artifacts.
>> > > >> > > > It also uses dev/release/post-NN-*.sh to do post release
>> > > >> > > > tasks. (Some tasks such as uploading a package to packaging
>> > > >> > > > system will be dry-run.)
>> > > >> > > >
>> > > >> > >
>> > > >> > > I agree that having a turn-key release system that's capable of
>> > > >> > > producing nightly packages is the way to do. That way any problems
>> > > >> > > that would block a release will come up as they happen rather than
>> > > >> > > piling up until the very end like they are now.
>> > > >> > >
>> > > >> > > > I needed 10 or more changes for dev/release/ to create
>> > > >> > > > 0.14.0 RC0. (Some of them are still in my local stashes. I
>> > > >> > > > don't have time to create pull requests for them
>> > > >> > > > yet. Because I postponed some tasks of my main
>> > > >> > > > business. I'll create pull requests after I finished the
>> > > >> > > > postponed tasks of my main business.)
>> > > >> > > >
>> > > >> > >
>> > > >> > > Thanks. I'll follow up on the 0.14.1/0.15.0 thread -- since we
>> > need to
>> > > >> > > release again soon because of problems with 0.14.0 please let us
>> > know
>> > > >> > > what patches will be needed to make another release.
>> > > >> > >
>> > > >> > > > If we fix problems related to dev/release/ in our normal
>> > > >> > > > development process, release process will be less painful.
>> > > >> > > >
>> > > >> > > > The biggest problem for 0.14.0 RC0 is java/pom.xml related:
>> > > >> > > >   https://github.com/apache/arrow/pull/4717
>> > > >> > > >
>> > > >> > > > It was difficult for me because I don't have Java
>> > > >> > > > knowledge. Release manager needs help from many developers
>> > > >> > > > because release manager may not have knowledge of all
>> > > >> > > > supported languages. Apache Arrow supports over 10
>> > > >> > > > languages.
>> > > >> > > >
>> > > >> > > >
>> > > >> > > > For Bintray API limit problem, we'll be able to resolve it.
>> > > >> > > > I was added to https://bintray.com/apache/ members:
>> > > >> > > >
>> > > >> > > >   https://issues.apache.org/jira/browse/INFRA-18698
>> > > >> > > >
>> > > >> > > > I'll be able to use Bintray API without limitation in the
>> > > >> > > > future. Release managers should also request the same thing.
>> > > >> > > >
>> > > >> > >
>> > > >> > > This is good, I will add myself. Other PMC members should also add
>> > > >> > > themselves.
>> > > >> > >
>> > > >> > > >
>> > > >> > > > Thanks,
>> > > >> > > > --
>> > > >> > > > kou
>> > > >> > > >
>> > > >> > > > In <CAJPUwMBRzYQ=hbVwFuPYAB-O=
>> > > >> lsowxqxidjapc_cofguksj...@mail.gmail.com>
>> > > >> > > >   "[DISCUSS] Release cadence and release vote conventions" on
>> > Sat,
>> > > >> 6 Jul
>> > > >> > > 2019 16:28:50 -0500,
>> > > >> > > >   Wes McKinney <wesmck...@gmail.com> wrote:
>> > > >> > > >
>> > > >> > > > > hi folks,
>> > > >> > > > >
>> > > >> > > > > As a reminder, particularly since we have many new community
>> > > >> members
>> > > >> > > > > (some of whom have never been involved with an ASF project
>> > > >> before),
>> > > >> > > > > releases are approved exclusively by the PMC and in general
>> > > >> releases
>> > > >> > > > > cannot be vetoed. In spite of that, we strive to make releases
>> > > >> that
>> > > >> > > > > have unanimous (either by explicit +1 or lazy consent)
>> > support of
>> > > >> the
>> > > >> > > > > PMC. So it is better to have unanimous 5 +1 votes than 6 +1
>> > votes
>> > > >> with
>> > > >> > > > > a -1 dissenting vote.
>> > > >> > > > >
>> > > >> > > > > On the 0.14.0 vote, as with previous release votes, some
>> > issues
>> > > >> with
>> > > >> > > > > the release were raised by members of the community, whether
>> > > >> build or
>> > > >> > > > > test-related problems or other failures. Technically speaking,
>> > > >> such
>> > > >> > > > > issues have no _direct_ bearing on whether a release vote
>> > passes,
>> > > >> only
>> > > >> > > > > on whether PMC members vote +1, 0, or -1. A PMC member is
>> > allowed
>> > > >> to
>> > > >> > > > > change their vote based on new information -- for example, if
>> > I
>> > > >> voted
>> > > >> > > > > +1 on a release and then someone reported a serious licensing
>> > > >> issue,
>> > > >> > > > > then I would revise my vote to -1.
>> > > >> > > > >
>> > > >> > > > > On the RC0 vote thread, Jacques wrote [1]
>> > > >> > > > >
>> > > >> > > > > "A release vote should last until we arrive at consensus.
>> > When an
>> > > >> > > > > issue is potentially identified, those that have voted should
>> > be
>> > > >> given
>> > > >> > > > > ample time to change their vote and others that may have been
>> > lazy
>> > > >> > > > > consenters should be given time to chime in. There is no
>> > maximum
>> > > >> > > > > amount of time a vote can be open. Allowing at least 24 hours
>> > > >> after an
>> > > >> > > > > objection is raised is a pretty minimum expectation unless the
>> > > >> > > > > objector removes their objection.
>> > > >> > > > >
>> > > >> > > > > Note that Apache is more focused on consensus than timing (as
>> > > >> opposed
>> > > >> > > to
>> > > >> > > > > virtually other other organizations in the world)."
>> > > >> > > > >
>> > > >> > > > > I agree with this and my opinion is that in future releases we
>> > > >> should
>> > > >> > > > > institute a minimum 24-hour "quiet period" after any community
>> > > >> > > > > feedback on a release candidate to allow issues to be examined
>> > > >> > > > > further. If someone finds a potential problem, and no negative
>> > > >> votes
>> > > >> > > > > are cast or changed, then the vote can close.
>> > > >> > > > >
>> > > >> > > > > As a related matter, it seems clear to me that Apache Arrow
>> > should
>> > > >> > > > > have more frequent releases. I think this would decrease
>> > pressure
>> > > >> on
>> > > >> > > > > developers and users alike. While we've made strides to
>> > improve
>> > > >> the
>> > > >> > > > > tooling for release management (big thanks to Kou, Yosuke,
>> > > >> Krisztian,
>> > > >> > > > > and others), there is still quite some labor involved and
>> > > >> potential
>> > > >> > > > > for issues (e.g. API rate limiting for binary artifacts on
>> > > >> Bintray).
>> > > >> > > > >
>> > > >> > > > > To be able to release more often, two things have to happen:
>> > > >> > > > >
>> > > >> > > > > * More PMC members must engage with the release management
>> > role,
>> > > >> > > > > process, and tools
>> > > >> > > > > * Continued improvements to release tooling to make the
>> > process
>> > > >> less
>> > > >> > > > > painful for the release manager. For example, it seems we may
>> > > >> want to
>> > > >> > > > > find a different place than Bintray to host binary artifacts
>> > > >> > > > > temporarily during release votes
>> > > >> > > > >
>> > > >> > > > > Any other ideas for things we can do to improve the process
>> > and
>> > > >> > > > > cadence of releases?
>> > > >> > > > >
>> > > >> > > > > Thanks,
>> > > >> > > > > Wes
>> > > >> > > > >
>> > > >> > > > > [1]:
>> > > >> > >
>> > > >>
>> > https://lists.apache.org/thread.html/be6210e97b838494a5516dad6408f479efe4c98aff805000597c0196@%3Cdev.arrow.apache.org%3E
>> > > >> > >
>> > > >>
>> > > >
>> >
