
Apache Trusted Releases platform begins second Alpha

This blog was originally published on Apache.org by: Dave Fisher, Apache Software Foundation, VP Tooling

The Apache Software Foundation (The ASF) established the VP, Tooling office last year tasked with developing software tooling to improve critical operations. We contracted a small team of developers early this year thanks to generous seed funding from our sponsor, Alpha-Omega.

The Tooling team’s core project is the Apache Trusted Releases (ATR) platform, which has the goal of enhancing the Apache release process to comply with upcoming regulatory requirements. Our release policies are well defined and include certain governance protocols. These include GPG signatures, checksums, and public governance via mailing lists.

The new ATR platform in development has been tested and successfully demonstrates release process improvements. The framework’s status is now an MVP (Minimum Viable Product). The team presented a demo of the ATR platform at Community Over Code in September, and the new features that provide checks, vote automation, and artifact renaming were well received.

The new platform includes:

  • A web application to handle the full release process.
  • A client that allows a Release Manager to manage a release from the machine where the artifacts were built.
  • GitHub Actions that allow projects with reproducible builds to start a release from their CI/CD workflows. We use OIDC in our authentication scheme.

We are formalizing the release process around the following phases:

  1. Compose. In this phase the artifacts for a release candidate are assembled in the ATR and immediately have a number of asynchronous checks applied. These checks include signature, checksum, license, notice, and source headers. Checks will be expanded as new requirements are added. A key benefit here will be that Release Managers get quick feedback about policy errors prior to calling a vote.
  2. Vote. In this phase the ATR can automate the release vote process by sending the VOTE email and tabulating the votes. This saves effort and will eventually allow automation of our 72-hour process.
  3. Finish. In this phase a release is made ready to announce by making various adjustments to remove “RC” tags from artifact filenames and re-arranging the directory structure. We provide tracking of distributions to various channels like Maven Central and PyPI.
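As an added illustration, not ATR's own code (which lives in the ASF's public repositories), here is a small Python model of the kind of automated Compose-phase checks described above: that every artifact carries its checksum and signature sidecar, that the recorded SHA-512 matches the bytes actually uploaded, that LICENSE and NOTICE are present, and that source files carry the ASF header. It runs over a constructed release candidate written to a temporary directory. The file names, the sha512sum-style sidecar format and the header pattern are assumptions; cryptographic verification of the .asc signature is not performed (it would require GnuPG), only its presence is checked.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed conventions for this example: policy files, artifact and source suffixes,
# and the opening sentence of the standard ASF source header.
REQUIRED_FILES = ("LICENSE", "NOTICE")
ARTIFACT_SUFFIXES = (".tar.gz", ".zip")
SOURCE_SUFFIXES = (".py", ".java", ".go")
ASF_HEADER_RE = re.compile(r"Licensed to the Apache Software Foundation \(ASF\)")


def check_sidecars(rc_dir: Path) -> list[str]:
    """Every release artifact must ship with a .sha512 checksum and a .asc signature file."""
    problems = []
    for artifact in sorted(rc_dir.iterdir()):
        if not artifact.name.endswith(ARTIFACT_SUFFIXES):
            continue
        for ext in (".sha512", ".asc"):
            if not artifact.with_name(artifact.name + ext).is_file():
                problems.append(f"{artifact.name}: missing {ext} file")
    return problems


def check_checksums(rc_dir: Path) -> list[str]:
    """Recompute SHA-512 of each artifact and compare with its sidecar (first token, sha512sum style)."""
    problems = []
    for sidecar in sorted(rc_dir.glob("*.sha512")):
        artifact = sidecar.with_suffix("")  # foo.tar.gz.sha512 -> foo.tar.gz
        if not artifact.is_file():
            problems.append(f"{sidecar.name}: no matching artifact")
            continue
        tokens = sidecar.read_text().split()
        if not tokens:
            problems.append(f"{sidecar.name}: empty checksum file")
            continue
        actual = hashlib.sha512(artifact.read_bytes()).hexdigest()
        if tokens[0].lower() != actual:
            problems.append(f"{artifact.name}: SHA-512 mismatch")
    return problems


def check_required_files(src_dir: Path) -> list[str]:
    """LICENSE and NOTICE must be present at the top of the source tree."""
    return [f"{name}: missing" for name in REQUIRED_FILES if not (src_dir / name).is_file()]


def check_source_headers(src_dir: Path) -> list[str]:
    """Each source file must carry the ASF header near the top."""
    problems = []
    for path in sorted(src_dir.rglob("*")):
        if path.suffix in SOURCE_SUFFIXES:
            head = path.read_text(errors="replace")[:2048]
            if not ASF_HEADER_RE.search(head):
                problems.append(f"{path.relative_to(src_dir)}: no ASF source header")
    return problems


def compose_checks(rc_dir: Path, src_dir: Path) -> dict[str, list[str]]:
    """Run all checks; an empty list means that check passed."""
    return {
        "sidecars": check_sidecars(rc_dir),
        "checksum": check_checksums(rc_dir),
        "license_notice": check_required_files(src_dir),
        "source_headers": check_source_headers(src_dir),
    }


def build_sample_candidate() -> tuple[Path, Path]:
    """Constructed release candidate: one sound artifact and one that was modified after checksumming."""
    root = Path(tempfile.mkdtemp(prefix="atr-demo-"))
    rc = root / "rc"
    src = root / "src"
    rc.mkdir()
    src.mkdir()
    good = rc / "demo-1.0.0.tar.gz"
    good.write_bytes(b"good-archive-bytes")
    digest = hashlib.sha512(good.read_bytes()).hexdigest()
    good.with_name(good.name + ".sha512").write_text(f"{digest}  {good.name}\n")
    # Placeholder signature block: presence only, not a real signature.
    good.with_name(good.name + ".asc").write_text("-----BEGIN PGP SIGNATURE-----\n(placeholder)\n-----END PGP SIGNATURE-----\n")
    bad = rc / "demo-1.0.0.zip"
    bad.write_bytes(b"original-bytes")
    bad.with_name(bad.name + ".sha512").write_text(hashlib.sha512(bad.read_bytes()).hexdigest() + "\n")
    bad.write_bytes(b"tampered-bytes")  # changed after the checksum was recorded; also has no .asc
    (src / "LICENSE").write_text("Apache License 2.0\n")  # NOTICE deliberately absent
    (src / "main.py").write_text("# Licensed to the Apache Software Foundation (ASF) under one\n# or more contributor license agreements.\nprint('hi')\n")
    (src / "util.py").write_text("def helper():\n    return 1\n")
    return rc, src


if __name__ == "__main__":
    for name, found in compose_checks(*build_sample_candidate()).items():
        print(f"{name}: {'ok' if not found else '; '.join(found)}")
```

Each check returns its findings rather than failing fast, which is what lets a Release Manager see every policy problem in one pass before calling a vote; a real implementation would additionally run the signature check against the project's KEYS file.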

We have started an Alpha2 of the platform and this is open to all ASF projects, including Incubating projects. Apache projects already involved in this Alpha include Airflow, Arrow, Grails, Logging, Maven, and Tomcat.

We are ready to work with every Apache project. Let us know your project and join Alpha2!
Please subscribe to dev@tooling.apache.org for discussions.

While this Alpha proceeds we will be preparing the Beta, which includes the following goals:

  1. ASF projects will be able to use the ATR to make releases.
  2. SBOMs produced during the build will be tracked and checked during the Compose phase.
  3. Integration of a new Nexus 3 version of repository.apache.org in order to support Maven Central distributions.
  4. Release attestation will be generated during the Finish phase.
  5. Release Catalog allowing discovery of ASF releases.


We would like feedback from downstream users to assure that SBOMs, attestations, and Catalog services meet our users’ needs. Please subscribe to users@tooling.apache.org for discussions!

The ATR platform is being developed in public repositories and ASF committers have platform access within their roles on their various projects.

The Tooling team welcomes feedback from the community. The ATR website is available for comment:

Source code repositories are public and include documentation. New Issues and PRs are welcome.

We have two mailing lists:

ASF members, committers, and the general public are welcome to contribute. Please subscribe to dev@tooling.apache.org for discussions!

The Apache Trusted Releases platform is the first of several projects in the pipeline for the ASF Tooling initiative, including security capabilities that meet the EU’s Cyber Resilience Act (CRA) and the US’s CISA recommendations.

Products developed under the Tooling initiative are separate from the tools and budget overseen by the ASF Infrastructure team. For more information on sponsoring the ASF Tooling Initiative, visit https://www.apache.org/foundation/initiatives.

Author Bio

Dave Fisher is the Vice President of Tooling at the Apache Software Foundation (The ASF), where he plays a pivotal role in shaping the infrastructure that supports one of the world’s most influential open source ecosystems. A long-time ASF Member and contributor, Dave brings decades of experience building automated systems that are resilient, scalable, and designed to “just work.”

With a career defined by hands-on engineering, strategic leadership, and deep community engagement, Dave has consistently delivered robust software platforms and enterprise-grade solutions. He is widely recognized as a subject-matter expert in open source development and tooling, with a passion for mentoring teams and driving innovation across disciplines.