Introduction
This page outlines the release process for OpenVPN 2.x. It also works as a release checklist.
External systems involved
- Community Release build infrastructure
- The openvpn.net staging website
- The openvpn.net production website
Build tools
openvpn-build
The scripts used during the various builds are maintained in openvpn-build.
Overview of the various sub-directories:
- release contains scripts to prepare the source tarballs and tag the git repositories. It also has scripts to orchestrate the other parts of the build.
- debian-sbuild contains scripts to build Debian packages for all supported distributions.
- windows-msi contains scripts to build Windows MSI installers.
Pre-release checklist
Notifying external entities
OpenVPN Inc website team
The OpenVPN Inc. website team makes weekly website releases. Any changes to the website should be made to the staging web server first, then released in production. In case of emergency releases an off the cycle website release can be made, but that needs to be coordinated with the website team.
Note that we now maintain our own wiki:Downloads page in Trac to avoid a dependency on the website team for small releases.
OpenVPN Inc marketing
OpenVPN Inc. marketing people should be notified 7 days prior to a new major release is about to be released. At minimum, allow for 48 hours.
Access Server team
OpenVPN Inc. Access server team should be notified prior to a release that affects the Access Server. This means primarily releases with security fixes.
Package maintainers
Downstream package maintainers (Debian, Ubuntu, Red Hat, etc) should be notified about releases with major security fixes. This is easiest to do via the oss-security mailing list.
Release process
Sync repositories
Merge pull requests and rebase your local clones for repositories affected by the release:
- tap-windows6
- openvpnserv2
- openvpn-build
Prepare dependencies
- tap-windows6
- Build
Cross-sign for Windows 7(Note: This is not supported by Microsoft anymore)- Produce signed CAB files for attestation signing
- Send CABs to Microsoft signing services
- Wait 15-30 minutes
- Download signed driver files
- Copy signed driver files to tap-windows6 building/signing computer
- Produce MSM packages
- openvpnserv2
- Build
- Put new version to build.openvpn.net
- Put GPG signature (ASC file) to build.openvpn.net
- openvpn-build
- Update git submodules under src
- In general this will be taken care of by renovate PRs, but openvpn release commit itself is usually only published publicly after the release build.
- You can get the non-public release commit from the repository on buildbot-host.openvpn.in (available only inside Community VPN, remote
buildbot-host.openvpn.in:/var/lib/repos/openvpn).
- Update configuration under release
- The files to update are
varsandvars.infrastructure. There are .example files present to get you started. - Make sure to check whether openvpn-gui has changed and bump version number.
- Make sure to check whether ovpn-dco has changed and bump version number.
- The files to update are
- Update git submodules under src
Package
- openvpn-build
- Make sure community release build machines are up and running
- This currently requires access to the corp-internal terraform repository. This will set up the following build machines:
- community-release-build-amd64.community.openvpn-core.com (Debian amd64 and all builds)
- community-release-build-arm64.community.openvpn-core.com (Debian arm64 builds)
- community-release-win-ossl3.community.openvpn-core.com (Windows MSI builds)
- This currently requires access to the corp-internal terraform repository. This will set up the following build machines:
- Run release/full-release-build.sh
- This uploads source tarball to build.openvpn.net
- Builds Debian packages with debian-sbuild
- Build Windows installers with windows-msi
- Make sure community release build machines are up and running
Smoketest packages
- Windows installer
- Debian packages
Update online documentation
- Copy generated changelog to Trac wiki (currently ChangesInOpenvpn26)
- Copy generated man-page to build.openvpn.net (currently https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html)
Publish packages
All openvpn.net website changes have to go through the usual website release process (staging -> production). This means that package publishing should generally happen at the same time as website releases.
The package release process is the following:
- Push Debian packages to the freight apt repository on build.openvpn.net with freight-add-many.py
- Copy release files to build.openvpn.net
- Copy release files to swupdate S3 bucket (AWS CLI or AWS Console)
- Update community downloads page wiki:Downloads
- Update links to latest release from Puppet
Release announcements
Release announcements should be sent once packages have been published and the openvpn.net website updated:
- Mailing lists
- Forums
- Add security announcement to Trac (as needed)
- Create GitHub release
- Notify Windows package maintainers (winget, chocolatey)
After release
Tag release and push tags to Git for all repositories that changed:
- tap-windows6 (when needed)
- openvpnserv2 (when needed)
- openvpn-gui
- openvpn-build
Misc
- In openvpn-build/windows-msi use PRODUCT_VERSION 2.5.0xx for release/2.5 and 2.5.1xx for release/2.6+. This ensures smooth upgrades.
- Remove GitHub tokens if you pushed to Git from the Windows signing computer
