Mailing List Archive

2.4.49 release report
Compiling the release experience.

Apache httpd 2.4.49 was released on September 15/16 2021.
There were changes to the release process and some resulting
hiccups, but it went through.

New in the release process were:
- a switch from always incrementing version numbers to
release candidate numberings.
- adaptations of our process to the general apache security
CVE handling from cveprocess.apache.org

The switch away from incrementing version numbers before
a release vote led in the past to confusion among our users
and extra work on our part. Users, for example, overlooked
CHANGES reported on unreleased versions. CVEs were reported
on versions the users never saw.

With the new release candidate numbers, we can keep the next
release number stable (whatever source revision will be selected).
We can now communicate "this will be fixed in 2.4.50" and this
will be the version that users get.

The CVE handling via cveprocess.apache.org is seen as an
overall improvement to the process. However, lacking an
API usable for automation, it still involves manual steps
which we would like to automate more.

For example, since we cannot download CVE JSON data, release
and "readiness" scripts could not do a full status check. This
led to missing fields going unnoticed during release. As
a result, vulnerability pages became 404s on our site and
we needed manual intervention to get it right.

We will adjust our processes to have a minimum of manual
steps here and check data completeness before release. We hope
that mid-term, the cveprocess site can offer non-browser access
to features. Maybe apache infra can be of help. This should
be beneficial to all apache projects.

Then we had some things fumbled by our new release manager (myself):
- the RM's PGP key was kept in the KEYS file, but not registered
in the directories and as its Apache committer's PGP key. This
led to irritations for folks that verified our tarballs.
- The general announcement emails did not go through for
announce@apache.org, moderators did not see it. The issue,
as it turned out later, was that the RM was not subscribed to
that list with his apache email id. The list silently dropped
the mails.
- A Twitter announcement for @apache_httpd was not generated.
We need to handshake with the holder of that handle on how to
get this out in the future.

This should serve as a record for things to improve in the next
release - while memory of this one is still fresh. Please add to
this anything I might have missed or additional things you would like
us to tackle in the next release.

Thanks,
Stefan
Re: 2.4.49 release report
...And congratulations on a job well done!

On Sun, 19 Sept 2021 at 11:09, stefan@eissing.org
(<stefan@eissing.org>) wrote:
>
> Compiling the release experience.
>
> Apache httpd 2.4.49 was released on September 15/16 2021.
> There were changes to the release process and some resulting
> hiccups, but it went through.
>
> New in the release process were:
> - a switch from always incrementing version numbers to
> release candidate numberings.
> - adaptations of our process to the general apache security
> CVE handling from cveprocess.apache.org
>
> The switch away from incrementing version numbers before
> a release vote led in the past to confusion among our users
> and extra work on our part. Users, for example, overlooked
> CHANGES reported on unreleased versions. CVEs were reported
> on versions the users never saw.
>
> With the new release candidate numbers, we can keep the next
> release number stable (whatever source revision will be selected).
> We can now communicate "this will be fixed in 2.4.50" and this
> will be the version that users get.
>
> The CVE handling via cveprocess.apache.org is seen as an
> overall improvement to the process. However, lacking an
> API usable for automation, it still involves manual steps
> which we would like to automate more.
>
> For example, since we cannot download CVE JSON data, release
> and "readiness" scripts could not do a full status check. This
> led to missing fields going unnoticed during release. As
> a result, vulnerability pages became 404s on our site and
> we needed manual intervention to get it right.
>
> We will adjust our processes to have a minimum of manual
> steps here and check data completeness before release. We hope
> that mid-term, the cveprocess site can offer non-browser access
> to features. Maybe apache infra can be of help. This should
> be beneficial to all apache projects.
>
> Then we had some things fumbled by our new release manager (myself):
> - the RM's PGP key was kept in the KEYS file, but not registered
> in the directories and as its Apache committer's PGP key. This
> led to irritations for folks that verified our tarballs.
> - The general announcement emails did not go through for
> announce@apache.org, moderators did not see it. The issue,
> as it turned out later, was that the RM was not subscribed to
> that list with his apache email id. The list silently dropped
> the mails.
> - A Twitter announcement for @apache_httpd was not generated.
> We need to handshake with the holder of that handle on how to
> get this out in the future.
>
> This should serve as a record for things to improve in the next
> release - while memory of this one is still fresh. Please add to
> this anything I might have missed or additional things you would like
> us to tackle in the next release.
>
> Thanks,
> Stefan
>
>


--
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat