Kai Jourdan spotted a rather embarrassing double-free, and Minefield

[u/mdw/putty] / CHECKLST.txt

Checklists for PuTTY administrative procedures
==============================================

Locations of the licence
------------------------

The PuTTY copyright notice and licence are stored in quite a few
places. At the start of a new year, the copyright year needs
updating in all of them; and when someone sends a massive patch,
their name needs adding in all of them too.

The LICENCE file in the main source distribution:

 - putty/LICENCE

The resource files:

 - putty/windows/pageant.rc
    + the copyright date appears twice, once in the About box and
      once in the Licence box. Don't forget to change both!
 - putty/windows/puttygen.rc
    + the copyright date appears twice, once in the About box and
      once in the Licence box. Don't forget to change both!
 - putty/windows/win_res.rc2
    + the copyright date appears twice, once in the About box and
      once in the Licence box. Don't forget to change both!
 - putty/windows/version.rc2
    + the copyright date appears once only.
 - putty/mac/mac_res.r
    + the copyright date appears twice, once in the About box and
      once in the Licence box. Don't forget to change both!
 - putty/mac/macpgen.r
    + the copyright date appears twice, once in the About box and
      once in the Licence box. Don't forget to change both!
 - putty/unix/gtkdlg.c
    + the copyright date appears twice, once in the About box and
      once in the Licence box. Don't forget to change both!

The documentation (both the preamble blurb and the licence appendix):

 - putty/doc/blurb.but
 - putty/doc/licence.but

The website:

 - putty-website/licence.html

Before tagging a release
------------------------

 - First of all, go through the source (including the documentation),
   and the website, and review anything tagged with a comment
   containing the word XXX-REVIEW-BEFORE-RELEASE.
   (Any such comments should state clearly what needs to be done.)

For a long time we got away with never checking the current version
number in at all - all version numbers were passed into the build
system on the compiler command line, and the _only_ place version
numbers showed up in the source files was in the tag information.

Unfortunately, those halcyon days are gone, and we do need the
version number checked in in a couple of places. These must be updated
_before_ tagging a new release.

The file used to generate the Unix snapshot version numbers (which
are <previousrelease>-<date> so that the Debian versioning system
orders them correctly with respect to releases):

 - putty/LATEST.VER

The Windows installer script (_four_ times, on consecutive lines):

 - putty/windows/putty.iss

The Windows resource file (used to generate the binary bit of the
VERSIONINFO resources -- the strings are supplied by the usual means):

 - putty/windows/version.rc2 (BASE_VERSION; NB, _comma_-separated)

The Mac resource file (used to generate the binary bit of the 'vers'
resources):

 - putty/mac/version.r

It might also be worth going through the documentation looking for
version numbers - we have a couple of transcripts showing the help
text from the command-line tools, and it would be nice to ensure the
whole transcripts (certainly including the version numbers) are up
to date. Sometimes these are marked in between releases as `0.XX', so
it's worth grepping for that too.

 - putty/doc/pscp.but
 - putty/doc/plink.but
 - putty/doc/psftp.but (in case it ever acquires a similar thing)

The actual release procedure
----------------------------

This is the procedure I (SGT) currently follow (or _should_ follow
:-) when actually making a release, once I'm happy with the position
of the tag.

 - Double-check that we have removed anything tagged with a comment
   containing the words XXX-REMOVE-BEFORE-RELEASE or
   XXX-REVIEW-BEFORE-RELEASE.

 - Write a release announcement (basically a summary of the changes
   since the last release). Squirrel it away in
   ixion:src/putty/local/announce-<ver> in case it's needed again
   within days of the release going out.

 - On my local machines, check out the release-tagged version of the
   sources. Do this in a _clean_ directory; don't depend on my usual
   source dir.
    + Make sure to run mkfiles.pl _after_ this checkout, just in
      case.

 - Build the source archives now, while the directory is still
   pristine.
    + run ./mksrcarc.sh to build the Windows source zip.
    + run `./mkunxarc.sh X.YZ' to build the Unix tarball.

 - Build the Windows/x86 release binaries. Don't forget to supply
   VER=/DRELEASE=<ver>. Run them, or at least one or two of them, to
   ensure that they really do report their version number correctly,
   and sanity-check the version info reported on the files by Windows.
    + Save the release link maps. Currently I keep these on ixion,
      in src/putty/local/maps-<version>.

 - Run Halibut to build the docs. Define VERSION on the make command
   line to override the version strings, since Subversion revision
   numbers are less meaningful on a tag.
    + change into the doc subdir
    + run `make VERSION="PuTTY release 0.XX" chm', then run `hhc
      putty.hhp' to build the .CHM
    + then run `make mostlyclean' (destroys the hhc input files but
      _not_ the .CHM)
    + then `make VERSION="PuTTY release 0.XX"'

 - Build the binary archive putty.zip: all the .exe files except
   PuTTYtel, and the .hlp, .cnt and .chm files.
    + zip -k putty.zip `ls *.exe | grep -v puttytel` putty.hlp putty.cnt putty.chm

 - Build the docs archive puttydoc.zip: it contains all the HTML
   files output from Halibut.
    + zip puttydoc.zip *.html

 - Build the installer.

 - Sign the release (gpg --detach-sign).
    + Sign the locally built x86 binaries, the locally built x86
      binary zipfile, and the locally built x86 installer, with the
      release keys.
    + The source archive should be signed with the release keys.
    + Don't forget to sign with both DSA and RSA keys for absolutely
      everything.
      for i in <filenames>; do for t in DSA RSA; do gpg --load-extension=idea --detach-sign -u "Releases ($t)" -o $i.$t $i; done; done

 - Begin to pull together the release directory structure.
    + subdir `x86' containing the x86 binaries, x86 binary zip, x86
      installer, and all signatures on the above.
    + top-level dir contains the Windows source zip (plus
      signatures), the Unix source tarball (plus signatures),
      puttydoc.txt, the .hlp, .cnt and .chm files, and puttydoc.zip.

 - Create subdir `htmldoc' in the release directory, which should
   contain exactly the same set of HTML files that went into
   puttydoc.zip.
    + It also needs a copy of sitestyle.css, because the online
      versions of the HTML docs will link to this (although the
      zipped form should be self-contained).

 - Create and sign an md5sums file in the top-level directory.
    + The md5sums files need not list the .DSA and .RSA signatures.
      Easiest thing is to run this command:
      md5sum `\find * -name '*SA' -o -type f -print` > md5sums
    + Sign the md5sums file (gpg --clearsign).
      for t in DSA RSA; do gpg --load-extension=idea --clearsign -u "Releases ($t)" -o md5sums.$t md5sums; done

 - Now double-check by verifying all the signatures on all the
   files, and running md5sum -c on the md5sums file.

 - Now the whole release directory should be present and correct.
   Upload to ixion:www/putty/<ver>.

 - Do final checks on the release directory:
    + verify all the signatures. In each directory:
      for i in *.*SA; do case $i in md5sums*) gpg --verify $i;; *) gpg --verify $i `echo $i | sed 's/\..SA$//'`;; esac; done
    + check the md5sums:
      md5sum -c md5sums

 - Having double-checked the release, copy it from ixion to
   chiark:ftp/putty-<ver> and to the:www/putty/<ver>.

 - Check the permissions! Actually try downloading from the, to make
   sure it really works.

 - Update the HTTP redirects.
    + Update the one at the:www/putty/htaccess which points the
      virtual subdir `latest' at the actual latest release dir. TEST
      THIS ONE - it's quite important.
    + ixion:www/putty/.htaccess has an individual redirect for each
      version number. Add a new one.

 - Update the FTP symlink (chiark:ftp/putty-latest -> putty-<ver>).

 - Update web site.
   + Adjust front page (`the latest version is <ver>').
   + Adjust Download page similarly.
   + Adjust filenames of installer and Unix tarball on links in
     Download page.
   + Adjust header text on Changelog page. (That includes changing
     `are new' in previous version to `were new'!)

 - Update the wishlist. This can be done without touching individual
   items by editing the @releases array in control/bugs2html.

 - Check the Docs page links correctly to the release docs. (It
   should do this automatically, owing to the `latest' HTTP
   redirect.)

 - Check that the web server attaches the right content type to .HLP
   and .CNT files.

 - Run webupdate, so that all the changes on ixion propagate to
   chiark. Important to do this _before_ announcing that the release
   is available.

 - After running webupdate, run update-rsync on chiark and verify
   that the rsync mirror package correctly identifies the new
   version.

 - Announce the release!
    + Mail the announcement to putty-announce.
       * Set a Reply-To on the mail so that people don't keep
	 replying to my personal address.
    + Post it to comp.security.ssh.
    + Mention it in <TDHTT> on mono.

 - Relax (slightly).

After the release
-----------------

The following want doing some time soon after a release has been made:

 - If the release was made from a branch, make sure the version number
   on the _trunk_ is up to date in all the locations listed above, so
   that (e.g.) Unix snapshots come out right.