Release Voting
Cutting an Apache Tez release is a procedural, legal, and cryptographic operation. It is the most formal thing the PMC does. This chapter is the operational manual: the steps, the artifacts, the vote thread, and the failure modes.
The authoritative reference is the ASF Release Distribution Policy. This chapter is the Tez-specific overlay on top of it.
What "Release" Means at Apache
An Apache release has a precise legal meaning. Only source artifacts are official Apache releases. Binary artifacts (jars in Maven Central, Docker images) are convenience artifacts that the PMC may publish but that are not the legal release.
Practical consequence: every vote is a vote on the source release. Binaries derive from it.
Release Artifacts
A Tez release consists of:
| Artifact | Where | Format |
|---|---|---|
| Source tarball | dist.apache.org | apache-tez-X.Y.Z-src.tar.gz |
| ASCII-armored signature | dist.apache.org | apache-tez-X.Y.Z-src.tar.gz.asc |
| SHA-512 checksum | dist.apache.org | apache-tez-X.Y.Z-src.tar.gz.sha512 |
| (Optional) binary tarball | dist.apache.org | apache-tez-X.Y.Z-bin.tar.gz plus .asc and .sha512 |
| Staged Maven jars | repository.apache.org (Nexus) | Standard Maven layout |
| Git tag | apache/tez | release-X.Y.Z-rcN then release-X.Y.Z |
Notes:
- MD5 and SHA-1 are forbidden for release checksums (ASF policy since 2019). Use SHA-512 (preferred) or SHA-256.
- The signature must be ASCII-armored (.asc), not binary.
- The signing key must be in the project KEYS file at https://downloads.apache.org/tez/KEYS, and your public key must be on a public keyserver.
Prerequisites — One-Time PMC Setup
Before you can act as release manager (RM), do the following once:
# 1. Generate a GPG key (4096-bit RSA).
gpg --full-generate-key
# 2. Submit the public key to keyservers.
gpg --send-keys <KEY_ID>
# 3. Add your key to the Tez KEYS file.
svn co https://dist.apache.org/repos/dist/release/tez tez-dist-release
cd tez-dist-release
(gpg --list-sigs <KEY_ID> && gpg --armor --export <KEY_ID>) >> KEYS
svn commit KEYS -m "Add <Your Name>'s release-signing key"
# 4. Verify it lands at:
# https://downloads.apache.org/tez/KEYS
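Nexus staging access needs a server entry in your Maven settings:
# Add a server entry to ~/.m2/settings.xml. If the file already exists, merge
# the <server> element into its existing <servers> section by hand; the guard
# below only creates the file when it is absent.
# Prefer an encrypted password (mvn --encrypt-master-password, then
# mvn --encrypt-password) over the plaintext LDAP password.
[ -e ~/.m2/settings.xml ] || cat > ~/.m2/settings.xml <<'EOF'
<settings>
<servers>
<server>
<id>apache.releases.https</id>
<username>YOUR_APACHE_ID</username>
<password>YOUR_APACHE_LDAP_PASSWORD</password>
</server>
</servers>
</settings>
EOF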
The Release Cut
Roughly the sequence the release manager runs:
cd ~/tez-src
git fetch origin
# 1. Branch (for X.Y.0 releases) or check out maintenance branch.
git checkout -b branch-0.10.4 origin/master # for a new minor
# or
git checkout branch-0.10 # for a patch release
# 2. Update version.
mvn versions:set -DnewVersion=0.10.4
git commit -am "Setting version to 0.10.4 for release"
git tag release-0.10.4-rc1
git push origin branch-0.10.4
git push origin release-0.10.4-rc1
# 3. Build everything; tests must pass.
mvn clean install
mvn apache-rat:check
# 4. Build source tarball.
mvn clean package -Pdist,docs,src -DskipTests
ls tez-dist/target/ # apache-tez-0.10.4-src.tar.gz
# 5. Sign and checksum (in the directory that holds the tarball).
cd tez-dist/target
gpg --armor --output apache-tez-0.10.4-src.tar.gz.asc \
    --detach-sign apache-tez-0.10.4-src.tar.gz
sha512sum apache-tez-0.10.4-src.tar.gz > apache-tez-0.10.4-src.tar.gz.sha512
# 6. Stage to dist.apache.org/dev.
svn co https://dist.apache.org/repos/dist/dev/tez tez-dev
mkdir tez-dev/tez-0.10.4-RC1
cp apache-tez-0.10.4-src.tar.gz* tez-dev/tez-0.10.4-RC1/
cd tez-dev
svn add tez-0.10.4-RC1
svn commit -m "Apache Tez 0.10.4 RC1"
# 7. Stage Maven artifacts (run from the source root, not the svn checkout).
cd ~/tez-src
mvn clean deploy -Papache-release -DskipTests
# Then on https://repository.apache.org, log in, find your
# staging repo (orgapachetez-NNNN), "Close" it.
The exact Maven profiles differ across Tez versions; check
~/tez-src/RELEASING.txt and the release notes for the prior release for the recipe in
use.
The [VOTE] Email
After staging, you send the vote. The template:
Subject: [VOTE] Apache Tez 0.10.4 RC1
Hi all,
I'd like to call a vote on releasing Apache Tez 0.10.4 RC1.
Notable changes since 0.10.3:
- TEZ-NNNN: <one line>
- TEZ-MMMM: <one line>
- <N> additional fixes; see CHANGES.txt for the full list.
Source release:
https://dist.apache.org/repos/dist/dev/tez/tez-0.10.4-RC1/
The release was signed with key:
<KEY_ID> <fingerprint>
KEYS file:
https://downloads.apache.org/tez/KEYS
Git tag: release-0.10.4-rc1
Git commit: <full 40-char sha>
Staging repository for Maven:
https://repository.apache.org/content/repositories/orgapachetez-NNNN/
The vote will be open for 72 hours.
Please verify and vote:
[ ] +1 Release this package
[ ] 0 No opinion
[ ] -1 Do not release this package because ...
Verification steps (https://www.apache.org/info/verification.html):
- Download src.tar.gz, .asc, .sha512.
- Verify SHA512: sha512sum -c apache-tez-0.10.4-src.tar.gz.sha512
- Verify signature:
gpg --import KEYS
gpg --verify apache-tez-0.10.4-src.tar.gz.asc apache-tez-0.10.4-src.tar.gz
- Untar; check LICENSE, NOTICE, DISCLAIMER.
- Build: mvn clean install -DskipTests
My +1.
Thanks,
<First Last>
Send it to dev@tez.apache.org with the subject [VOTE] Apache Tez 0.10.4 RC1.
What Voters Verify
A binding +1 is not just trust. It carries a check. PMC voters typically:
| Check | Command / location |
|---|---|
| Source artifact downloads | wget from dist.apache.org/repos/dist/dev/tez/... |
| Signature is valid and from a Tez committer | gpg --verify against KEYS file |
| SHA-512 matches | sha512sum -c |
| LICENSE is correct and current | Read it |
| NOTICE reflects bundled third-party | Read it; cross-check against LICENSE |
| DISCLAIMER present if incubating (not for Tez since 2014) | Check |
| No binary files in source tree | find apache-tez-X.Y.Z-src -type f \( -name '*.jar' -o -name '*.class' \) |
| Apache RAT clean | mvn apache-rat:check |
| Builds clean | mvn clean install -DskipTests |
| Tests pass (optional but valued) | mvn test |
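The checksum, signature and binary-file checks from the table, written as shell functions a voter could source; this is an added example, not the Tez project's own tooling. The function names and the expected-fingerprint argument (taken from the [VOTE] email) are assumptions, and the signature check goes slightly beyond the table by importing KEYS into a throwaway keyring, so a key that is only in the voter's personal keyring cannot satisfy it.

```shell
#!/bin/sh
# Added example: voter-side checks for a release candidate.
# Function names and argument order are assumptions, not Tez tooling.

# Compare the digest stored in <tarball>.sha512 (first field, so both
# "hash  name" and bare-hash files work) with a freshly computed one.
check_sha512() {
    want=$(awk 'NR == 1 { print tolower($1) }' "$1.sha512")
    have=$(sha512sum "$1" | awk '{ print $1 }')
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Verify <tarball>.asc with a throwaway keyring holding only the keys in
# KEYS, then require the fingerprint announced in the [VOTE] email.
# usage: check_signature <tarball> <KEYS file> <expected fingerprint>
check_signature() {
    home=$(mktemp -d) || return 1
    gpg --homedir "$home" --batch --quiet --import "$2" 2>/dev/null
    status=$(gpg --homedir "$home" --batch --status-fd 1 \
                 --verify "$1.asc" "$1" 2>/dev/null)
    rm -rf "$home"
    # VALIDSIG's last field is the primary-key fingerprint.
    fpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF }')
    want=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$fpr" ] && [ "$fpr" = "$want" ]
}

# List compiled artifacts in an unpacked source tree. The parentheses
# make -type f apply to both patterns, so directories never match.
list_binaries() {
    find "$1" -type f \( -name '*.jar' -o -name '*.class' \) | sort
}
```

Each check function returns non-zero on failure, so a voter can chain them with && before sending a +1; any output from list_binaries is a finding.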
A voter who finds anything wrong with the source tarball can -1. Common -1 reasons:
| Reason | Severity |
|---|---|
| Missing or broken signature | Vetoes (must respin) |
| MD5 / SHA-1 only | Vetoes |
| Binary files in source tree | Vetoes |
| Missing or wrong LICENSE | Vetoes |
| Missing or wrong NOTICE | Vetoes |
| GPL or category-X dep | Vetoes |
| RAT failure | Vetoes |
| Apache headers missing | Vetoes |
| Failed unit tests of significance | Usually vetoes |
| Build failure | Vetoes |
| Documentation issue | Often non-blocking, opinion |
Vote Pass Criteria
The release passes if, after the 72-hour minimum:
- At least 3 binding +1 votes from PMC members.
- More +1 than -1 total (binding and non-binding).
- No unaddressed binding -1.
If criteria fail:
- Extend the vote by 24–48 hours and ask explicitly for more attention.
- Or cancel and roll RC2 with the fixes.
Closing the Vote
The release manager closes:
Subject: [VOTE][RESULT] Apache Tez 0.10.4 RC1
Hi all,
The vote on Apache Tez 0.10.4 RC1 has passed.
Binding +1: <names of PMC voters>
Non-binding +1: <names>
0: <names>
-1: <names with reasons, if any>
Proceeding with the release steps.
Thanks to everyone who voted.
<First>
If the vote fails:
Subject: [VOTE][RESULT] Apache Tez 0.10.4 RC1
The vote did not pass. Issues raised:
- <issue from voter>
- <issue from voter>
Rolling RC2 with these fixes. Expect a new [VOTE] thread within
<N> days.
<First>
Promoting the Release
After the vote passes:
# 1. Move source from dev to release.
svn mv \
https://dist.apache.org/repos/dist/dev/tez/tez-0.10.4-RC1 \
https://dist.apache.org/repos/dist/release/tez/0.10.4 \
-m "Releasing Apache Tez 0.10.4"
# 2. Promote Nexus staging repo to release (one-click in Nexus UI).
# 3. Tag the final release.
cd ~/tez-src
git tag release-0.10.4 release-0.10.4-rc1
git push origin release-0.10.4
# 4. Wait 24h for mirrors.
# 5. Update the Tez website with download links.
# 6. Send ANNOUNCE.
The announce email goes to announce@apache.org (BCC), dev@tez.apache.org,
user@tez.apache.org, and your usual ASF lists for downstream projects (e.g.
dev@hive.apache.org):
Subject: [ANNOUNCE] Apache Tez 0.10.4 released
The Apache Tez community is pleased to announce the release of
Apache Tez 0.10.4.
Apache Tez is an application framework that allows for a complex
directed acyclic graph of tasks for processing data. It is built
atop Apache Hadoop YARN.
Highlights:
- <user-facing change>
- <user-facing change>
Download: https://tez.apache.org/releases/0.10.4/
Release notes: https://tez.apache.org/releases/0.10.4/release-notes.html
Thanks to everyone who contributed.
The Apache Tez team
RC Iteration Patterns
A first RC almost never passes. Typical RC counts by release type:
| Release type | Typical RCs |
|---|---|
| Patch (0.10.X) | 1–2 |
| Minor (0.10.0, 0.11.0) | 2–4 |
| Major (1.0.0 if it happened) | 4+ |
Each RC means: cancel vote, fix issues, re-tag (release-X.Y.Z-rcN+1), respin tarball,
re-sign, re-stage Nexus (new staging repo), re-send [VOTE]. Plan for 1–3 weeks per
release cycle.
Common Failure Modes
| Failure | Recovery |
|---|---|
| Signature key not in KEYS file | Stop, update KEYS, restart vote |
| RAT failure on a new file | Add Apache header, respin |
| Forgot to update CHANGES.txt | Update, respin |
| Stray .class or .jar in src tree | Clean, respin |
| Missing LICENSE entry for new bundled dep | Add LICENSE entry + NOTICE if needed, respin |
| Vote got fewer than 3 binding +1 in 72h | Extend with explicit ping to PMC |
| -1 on the source artifact for a legitimate issue | Respin |
| Maven staging mistake | Drop staging repo in Nexus, re-stage |
Validation Artifacts
After this chapter you should have:
- A GPG key generated and added to the project KEYS file (if you are PMC).
- A ~/tez-notes/release-checklist.md with the seven RM steps.
- The [VOTE] and [VOTE][RESULT] templates saved.
- The discipline to never vote +1 on an RC you haven't checked at least signature + LICENSE + a build.
- The phone number for ASF Infra Slack handy in case Nexus or dist.apache.org misbehaves.
The next chapter — PMC Responsibilities — covers the rest of what PMC membership entails, beyond releases.