Release Checklist

  • ensure local copy is on main, up-to-date:
    • git checkout main
    • git pull
  • double-check version updated, sadly in a few places:
    • Makefile
    • txtorcon/_metadata.py
  • run all tests, on all configurations
    • “detox”
  • ensure long_description will render properly:
    • python setup.py check -r -s
    • tox -e readme_render

  • “make pep8” should run cleanly (ideally)

  • update docs/releases.rst to reflect upcoming reality
    • blindly make links to the signatures
    • update heading, date
  • on both signing-machine and build-machine shells:
    • export VERSION=22.0.0
  • (if on signing machine) “make dist” and “make dist-sigs”
    • creates: dist/txtorcon-${VERSION}.tar.gz.asc dist/txtorcon-${VERSION}-py2.py3-none-any.whl.asc
    • add the signatures to “signatures/” cp dist/txtorcon-${VERSION}.tar.gz.asc dist/txtorcon-${VERSION}-py2.py3-none-any.whl.asc signatures/
    • add ALL FOUR files to dist/ (OR fix twine commands)

  • (if not on signing machine) do “make dist” * scp dist/txtorcon-${VERSION}.tar.gz dist/txtorcon-${VERSION}-py2-none-any.whl signingmachine: * sign both, with .asc detached signatures

    • gpg –no-version –detach-sign –armor –local-user meejah@meejah.ca txtorcon-${VERSION}-py2-none-any.whl
    • gpg –no-version –detach-sign –armor –local-user meejah@meejah.ca txtorcon-${VERSION}.tar.gz
    • copy signatures back to build machine, in dist/
    • double-check that they validate::
      gpg –verify dist/txtorcon-${VERSION}-py2.py3-none-any.whl.asc gpg –verify dist/txtorcon-${VERSION}.tar.gz.asc
  • generate sha256sum for each::

    sha256sum dist/txtorcon-${VERSION}.tar.gz dist/txtorcon-${VERSION}-py2.py3-none-any.whl

  • copy signature files to <root of dist>/signatures and commit them along with the above changes for versions, etc.

  • draft email to tor-dev (and probably twisted-python):
  • copy release announcement to signing machine, update code
    • (from dev machine: “git push pangea”)
    • git checkout main
    • git pull
  • create signed tag

  • copy dist/* files + signatures to hidden-service machine

  • copy them to the HTML build directory! (docs/_build/html/)

  • git pull and build docs there
    • FIXME: why aren’t all the dist files copied as part of doc build (only .tar.gz)
  • download both distributions + signatures from hidden-service
    • verify sigs
    • verify sha256sums versus announcement text
    • verify tag (git tag –verify v${VERSION}) on machine other than signing-machine
    • run: ./scripts/download-release-onion.sh ${VERSION}
  • upload release
    • to PyPI: “make release” (which uses twine so this isn’t the same step as “sign the release”)
      • make sure BOTH the .tar.gz and .tar.gz.asc (ditto for .whl) are in the dist/ directory first!!)
      • ls dist/txtorcon-${VERSION}*
      • note this depends on a ~/.pypirc file with [server-login] section containing “username:” and “password:”
    • git push origin main
    • git push origin v${VERSION}
    • to github: use web-upload interface to upload the 4 files (both dists, both signature)
  • make announcement
    • post to tor-dev@ the clear-signed release announcement
    • post to twisted-python@ the clear-signed release announcement
    • tweet as @txtorcon
    • tell #tor-dev??