wiki:Openvpn2ReleaseProcess

Introduction

This page outlines the release process for OpenVPN 2.x. It also works as a release checklist.

External systems involved

  • Microsoft Partner Portal
    • For attestation signing Windows drivers
  • Windows signing computer
    • For Authenticode signing drivers meant for Windows 7/8
    • For building Windows drivers such as tap-windows6
  • The openvpn.net staging website
  • The openvpn.net production website

Build tools

openvpn-vagrant

The openvpn-vagrant repository contains VirtualBox/Vagrant setup that can help with the release, see below.

openvpn-release-scripts

Many release preparations can be automated with openvpn-release-scripts.

sbuild_wrapper

Ubuntu and Debian packages are built with sbuild_wrapper. It is available as a VirtualBox / Vagrant VM ("sbuild") in openvpn-vagrant.

openvpn-build

Windows installer are built with openvpn-build. The easiest way is to use the build system is to use the VirtualBox / Vagrant VM from openvpn-vagrant:

  • msibuilder: for OpenVPN 2.6 (OpenSSL 3)
  • msibuilder25: for OpenVPN 2.5 (OpenSSL 1.1.1x)

Pre-release checklist

Notifying external entities

OpenVPN Inc website team

The OpenVPN Inc. website team makes weekly website releases. Any changes to the website should be made to the staging web server first, then released in production. In case of emergency releases an off the cycle website release can be made, but that needs to be coordinated with the website team.

OpenVPN Inc marketing

OpenVPN Inc. marketing people should be notified 7 days prior to a new major release is about to be released. At minimum, allow for 48 hours.

Access Server team

OpenVPN Inc. Access server team should be notified prior to a release that affects the Access Server. This means primarily releases with security fixes.

Package maintainers

Downstream package maintainers (Debian, Ubuntu, Red Hat, etc) should be notified about releases with major security fixes. This is easiest to do via the oss-security mailing list.

Release process

Sync repositories

Merge pull requests and rebase your local clones for repositories affected by the release:

  • tap-windows6
  • openvpnserv2
  • openvpn-build
  • openvpn-gui

Prepare dependencies

  • tap-windows6
    • Build
    • Cross-sign for Windows 7
    • Produce signed CAB files for attestation signing
    • Send CABs to Microsoft signing services
    • Wait 15-30 minutes
    • Download signed driver files
    • Copy signed driver files to tap-windows6 building/signing computer
    • Produce MSM packages
  • openvpnserv2
    • Build
    • Put new version to build.openvpn.net
    • Put GPG signature (ASC file) to build.openvpn.net
  • openvpn-gui
  • sbuild-wrapper
    • Generate changelog with openvpn-release-scripts
    • Update version.conf
    • Add changelogs to the Git repository
    • Build tarballs
    • Publish tar.gz on build.openvpn.net

Package

  • Build Windows installers with openvpn-build/windows-msi
  • Build Debian packages

Smoketest packages

  • Windows installer
  • Debian packages

Update online documentation

Publish packages

All openvpn.net website changes have to go through the usual website release process (staging -> production). This means that package publishing should generally happen at the same time as website releases.

The package release process is the following:

  • Push Debian packages to the freight apt repository on build.openvpn.net with freight-add-many.py
  • Copy release files to build.openvpn.net with openvpn-release-scripts
  • Copy release files to swupdate S3 bucket (AWS CLI or AWS Console)
  • Update community downloads page (need to do this via "corp-vpn")
  • Update links to latest release from Puppet

Release announcements

Release announcements should be sent once packages have been published and the openvpn.net website updated:

  • Mailing lists (attach changelog)
  • Forums
  • Add security announcement to Trac (as needed)

After release

Tag release and push tags to Git for all repositories that changed:

  • tap-windows6 (when needed)
  • openvpnserv2 (when needed)
  • openvpn-gui
  • openvpn-build
  • sbuild-wrapper

Misc

  • In openvpn-build/windows-msi use PRODUCT_VERSION 2.5.0xx for release/2.5 and 2.5.1xx for release/2.6+. This ensures smooth upgrades.
  • Remove GitHub tokens if you pushed to Git from the Windows signing computer
Last modified 4 weeks ago Last modified on 10/27/22 14:59:35