1 # HOW TO MAKE A RELEASE
3 This file documents how to make an OpenSSL release. Please fix any errors
4 you find while doing, or just after, your next release!
6 Releases are done by one person, with a second person acting as the reviewer
11 - [Prerequisites](#prerequisites)
12 - [Software](#software)
13 - [Repositories](#repositories)
14 - [PGP / GnuPG key](#pgp-gnupg-key)
15 - [SSH access](#check-your-access)
16 - [A method for reviewing](#a-way-to-reviewing)
17 - [Pre-publishing tasks](#pre-publishing-tasks)
18 - [Freeze the source repository](#freeze-the-source-repository) [the day before release]
19 - [Prepare your repository checkouts](#prepare-your-repository-checkouts)
20 - [Make sure that the openssl source is up to date](#make-sure-that-the-openssl-source-is-up-to-date)
21 - [Generate the tarball and announcement text](#generating-the-tarball-and-announcement-text)
22 - [OpenSSL 3.0 and on](#openssl-3.0-and-on)
23 - [OpenSSL before 3.0](#openssl-before-3.0)
24 - [Update the website locally](#update-the-website-locally) [do not push]
25 - [Publish the release](#publish-the-release)
26 - [Post-publishing tasks](#post-publishing-tasks)
27 - [Check the website](#check-the-website)
28 - [Send the announcement mail](#send-the-announcement-mail)
29 - [Send out the Security Advisory](#send-out-the-security-advisory)
30 - [Unfreeze the source repository](#unfreeze-the-source-repository)
31 - [Security fixes](#security-fixes)
32 - [Keep in touch](#keep-in-touch)
39 Apart from the basic operating system utilities, you must have the following
40 programs in you `$PATH`:
47 (note: this may not be a complete list)
51 You must have access to the following repositories:
53 - `openssl-git@git.openssl.org:openssl.git`
55 This is the usual main source repository
57 - `openssl-git@git.openssl.org:openssl-web.git`
59 This is the website repository
61 - `openssl-git@git.openssl.org:tools.git`
63 This contains certain common tools
67 You must have a PGP / GnuPG key, and its fingerprint should be present in
68 the file `doc/fingerprints.txt` in the source of the immediately prior
73 To perform a release, you must have appropriate access to OpenSSL's
74 development host, dev.openssl.org. To test this, try to log in with ssh:
78 You must also check that you can perform tasks as the user 'openssl' on
79 dev.openssl.org. When you have successfully logged in, test your access to
84 ## A method for reviewing
86 For reviewing to take place, the release person and the reviewer need a way
87 to share changes that are being applied. Most commonly, that's done as PRs
88 (for normal releases) or security advisories (for undisclosed security
89 fixes) through Github.
91 Security advisories are created using the Github Security tab, and will
92 generate a private repository, to which you can add collaborators (the
93 reviewer, for instance), and use it to fix the issue via pull requests.
94 For more information, please read Github's [creating a security advisory],
95 including the "Next Steps" at the end of that page.
97 [creating a security advisory]:
98 <https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/creating-a-security-advisory>
100 The release person and the reviewer are allowed to use other means to share
101 the commits to be reviewed if they desire.
103 The release person and the reviewer must have a conversation to confirm or
104 figure out how the review shall be done.
106 # Pre-publishing tasks
108 Some of the actions in this section need to be repeated for each OpenSSL
111 ## Freeze the source repository
113 The day before the release, freeze the main repository. This locks out
114 everyone but the named user, who is doing the release, from doing any
115 pushes. Someone other than the person doing the release should run the
116 command. For example:
118 ssh openssl-git@git.openssl.org freeze openssl NAME
120 ## Prepare your repository checkouts
122 You will need to checkout at least three working trees:
124 - one for the website
126 git clone openssl-git@git.openssl.org:openssl-web.git website
128 - one for extra tools
130 git clone openssl-git@git.openssl.org:tools.git tools
132 The resulting directory will be referred to as `$TOOLS`
134 - At least one for openssl source
136 git clone openssl-git@git.openssl.org:openssl.git
138 If you're doing multiple releases in one go, there are many ways to deal
139 with it. One possibility, available since git 2.5, is to use `git
143 git worktree add ../openssl-1.1.1 OpenSSL_1_1_1-stable)
145 ## Make sure that the openssl source is up to date
147 The person doing the release and the reviewer should both sanity-check the
148 source to be released at this point. Checks to consider include building
149 and verifying that make test passes on multiple plaforms - Linux, Windows,
152 *NOTE: the files CHANGES and NEWS are called CHANGES.md and NEWS.md in
153 OpenSSL versions from version 3.0 and on*
155 For each source checkout, make sure that the CHANGES and NEWS files have
156 been updated and reviewed.
158 The NEWS file should contain a summary of any changes for the release;
159 for a security release, it's often simply a list of the CVEs addressed.
160 You should also update NEWS.md in the master branch to include details of
161 all releases. Only update the bullet points - do not change the release
162 date, keep it as **under development**.
164 Add any security fixes to the tree and commit them.
166 Make sure that the copyrights are updated. This script will update the
167 copyright markers and commit the changes (where $TOOLS stands for the
168 openssl-tools.git checkout directory):
170 $TOOLS/release-tools/do-copyright-year
172 Obtain approval for these commits from the reviewer and add the reviewed-by
175 *Do* send the auto-generated commits to the reviewer and await their
178 *Do not push* changes to the main source repo at this stage.
179 (the main source repo being `openssl-git@git.openssl.org:openssl.git`)
181 ## Generate the tarball and announcement text
183 *The changes in this section should be made in your clone of the openssl
186 The method to generate a release tarball and announcement text has changed
187 with OpenSSL 3.0, so while we continue to make pre-3.0 OpenSSL releases,
188 there are two methods to be aware of.
190 Both methods will leave a handful of files, most importantly the release
191 tarball. When they are done, they display a set of instructions on how to
192 perform the publishing tasks, *please take note of them*.
194 After having run the release script, verify that its results are sensible.
195 Check the commits that were added, using for example `git log`. Check the
196 signed announcement .asc file. Check that the tarball length and hashes
197 match in the .md5, .sha1, .sha256, and review the announcment file.
199 *Do* send the auto-generated commits to the reviewer and await their
202 *Do not push* changes to the main source repo at this stage.
203 (the main source repo being `openssl-git@git.openssl.org:openssl.git`)
205 ### OpenSSL 3.0 and on
207 The release generating script is in the OpenSSL source checkout, and is
208 generally called like this:
210 dev/release.sh --reviewer=NAME
212 This script has a multitude of other options that are useful for specific
213 cases, and is also self-documented:
215 - To get a quick usage reminder:
217 dev/release.sh --help
221 dev/release.sh --manual
223 ### OpenSSL before 3.0
225 The release generating script is in the tools checkout, represented here
226 with $TOOLS, and is generally called like this:
228 $TOOLS/release-tools/mkrelease.pl --reviewer=NAME
230 The manual for that script is found in `$TOOLS/release-tools/MKRELEASE.md`
232 ## Update the website locally
234 *The changes in this section should be made in your clone of the openssl
237 Update the news/newsflash.txt file. This normally is one or two lines.
238 Just copy and paste existing announcements making minor changes for the date
239 and version number as necessary. If there is an advisory then ensure you
240 include a link to it.
242 Update the news/vulnerabilities.xml file if appropriate.
244 If there is a Security Advisory then copy it into the news/secadv directory.
246 *Do* send the commits to the reviewer and await their approval.
248 Commit your changes, but *do not push* them to the website repo at this stage.
249 (the website repo being `openssl-git@git.openssl.org:openssl-web.git`)
251 # Publish the release
253 *BE CAREFUL* This section makes everything visible and is therefore largely
254 irreversible. If you are performing a dry run then DO NOT perform any steps
257 Check that the release has been uploaded properly. The release tarballs and
258 associated files should be in ~openssl/dist/new. They should be owned by
259 the openssl userid and world-readable.
261 Copy the tarballs to appropriate directories. This can be done using the
262 do-release.pl script. See $TOOLS/release-tools/DO-RELEASE.md for a
263 description of the options. For example:
265 sudo -u openssl perl ~openssl/do-release.pl --copy --move
267 This will copy the relevant files to the website and move them from
268 `~openssl/dist/new` to `~openssl/dist/old` so they will not seen by a
269 subsequent release. Alternatively if you want to perform one release at a
270 time or copy/move the files manually, see below.
272 The do-release.pl script will display the commands you will need to issue to
273 send the announcement emails later. Keep a note of those commands for
276 Verify that the tarballs are available via FTP:
278 ftp://ftp.openssl.org/source/
280 And that they are ready for the website:
282 ls /var/www/openssl/source
284 *For OpenSSL 3.0 and on*, push your local changes to the main source repo as
285 instructed by `dev/release.sh`. You may want to sanity check the pushes by
286 inserting the `-n` (dry-run) option.
288 *For OpenSSL before 3.0*, simply push your local changes to the main source
289 repo, and please do remember to push the release tags as well. You may want to
290 sanity check the pushes by inserting the `-n` (dry-run) option. You must specify
291 the repository / remote and tag to be pushed:
293 git push <repository> <tagname>
295 ## Updating the website
297 Push the website changes you made earlier to the OpenSSL website repo. When
298 you do this, the website will get updated and a script to flush the Akamai
299 CDN cache will be run. You can look at things on www-origin.openssl.org;
300 the CDN-hosted www.openssl.org should only be a few minutes delayed.
302 # Post-publishing tasks
306 Verify that the release notes, which are built from the CHANGES.md file
307 in the release, have been updated. This is done automatically by the
308 commit-hook, but if you see a problem, try the following steps on
312 sudo -u openssl -H make relupd
313 sudo -u openssl -H ./bin/purge-one-hour
315 Wait for a while for the Akamai flush to work (normally within a few minutes).
316 Have a look at the website and news announcement at:
318 - <https://www.openssl.org/>
319 - <https://www.openssl.org/news/>
321 Check the download page has updated properly:
323 - <https://www.openssl.org/source/>
325 Check the notes look sensible at:
327 - <https://www.openssl.org/news/newslog.html>
329 Also check the notes here:
331 - <https://www.openssl.org/news/openssl-1.0.2-notes.html>
332 - <https://www.openssl.org/news/openssl-1.1.0-notes.html>
333 - <https://www.openssl.org/news/openssl-1.1.1-notes.html>
335 ## Send the announcement mail
337 Send out the announcements. Generic release announcement messages will be
338 created automatically by the build script and the commands you need to use
339 to send them were displayed when you executed do-release.pl above.
340 These are sent to openssl-users, openssl-project, and openssl-announce. They
341 should be sent from the account of the person that owns the key used for signing
342 the release announcement. Ensure that mutt is configured correctly - send a test
343 email first if necessary.
345 If do-release.pl was used with `--move` be sure to move the announcement
346 text files away from the staging directory after they have been sent. This
347 is done as follows (with VERSION replaced with the version of OpenSSL to
350 REPLYTO="openssl@openssl.org" mutt -s "OpenSSL version VERSION published" \
351 openssl-project openssl-users openssl-announce \
352 < /home/openssl/dist/new/openssl-VERSION.txt.asc
354 mv ~openssl/dist/new/openssl-VERSION.txt.asc ~openssl/dist/old
356 ## Send out the Security Advisory
358 *The secadv file mentioned in this section is the Security Advisory
359 that you copied into the web repo, up in the section
360 [Update the website locally](#update-the-website-locally)*
362 *This section is only applicable if this is a security release*
364 Start with signing the Security Advisory as yourself:
366 gpg --clearsign secadv_FILENAME.txt
368 Then copy the result to the temporary directory on dev.openssl.org:
370 scp secadv_FILENAME.txt.asc dev.openssl.org:/tmp
372 To finish, log in on dev.openssl.org and send the signed Security
373 Advisory by email as the user that signed the advisory, and then remove it:
375 REPLYTO="openssl@openssl.org" mutt -s "OpenSSL Security Advisory" \
376 openssl-project openssl-users openssl-announce \
377 </tmp/secadv_FILENAME.txt.asc
378 rm /tmp/secadv_FILENAME.txt.asc
380 Approve the openssl-announce email. Go to
381 <https://mta.openssl.org/mailman/admindb/openssl-announce>
382 and approve the messages.
384 Check the mailing list messages have arrived.
386 ## Unfreeze the source repository.
388 ssh openssl-git@git.openssl.org unfreeze openssl
392 If this release includes security fixes with a CVE then you should inform
393 MITRE about them. See the instructions at the top of cvepool.txt in omc.
395 Close the github advisory without pushing to github and remove the private
396 github fork if there was one.
400 Check mailing lists over the next few hours for reports of any success or
401 failure. If necessary fix these and in the worst case make another