abstract
The Maven central warehouse does not support direct upload of jar packages, so it is necessary to publish the jar packages to some designated third-party Maven warehouses, such as the Sonatype OSSRH warehouse, and then the warehouse synchronizes the jar packages to Maven. This paper records the whole publishing and synchronization process in detail.
Register a Sonatype user
Access address: https://issues.sonatype.org/secure/Signup!default.jspa Register the users of sonatype. Sonatype manages the OSSRH warehouse through JIRA (a project and transaction tracking tool produced by Atlassian). <br / >
Create an issue for publishing artifacts
The first step in submitting a component publishing application is to JIRA Dashborad Create an issue on. Click the Create button as follows:
A dialog box will pop up for you to fill in the details of the issue. The most important thing here is the Group Id. generally, the domain name will be brought with you. Don't get it wrong. This is related to publishing other components in the future. This is com.vesoft.
Sonatype has domain name verification. The verification method is as follows:
- Add JIRA number records to your DNS
- Redirect to your Github home page
If you do not have a domain name, please refer to this link: http://central.sonatype.org/pages/choosing-your-coordinates.html Operation by
- Select a GroupId with project hosting information, such as io.github.facebook or com.github.facebook
- Another recommended way is to use free managed security reporting service
- Will https://hackerone.com/central-security-project/reports/new As the security information guarantee url of your project, the rest will be handled by the Sonatype staff.
Wait for issue to approve
Due to the time difference, the audit will take a certain time. After the audit is passed, you will receive an email notification. At the same time, you will see a reply from the Sonatype staff under the corresponding issue. Generally, a comment is added, which is roughly as follows:
Configuration has been prepared, now you can: Deploy snapshot artifacts into repository https://oss.sonatype.org/content/repositories/snapshots Deploy release artifacts into the staging repository https://oss.sonatype.org/service/local/staging/ deploy/maven2 Promote staged artifacts into repository 'Releases' Download snapshot and release artifacts from group https://oss.sonatype.org/content/groups/public Download snapshot, release and staged artifacts from staging group https://oss.sonatype.org/content/groups/staging please comment on this ticket when you promoted your first release, thanks
Use GPG to generate key pair
Generate key pair
> gpg --gen-key
The encryption method will be selected:
- RSA and RSA (default)
- DSA and Elgamal
- DSA (sign only)
- RSA (sign only)
Select the first one by default. After selection, you need to enter the user name and mailbox, and Passphase -- equivalent to the keystore password.
View public key
> gpg --list-keys xxx/.gnupg/pubring.gpg --------------------------------- pub 2048R/xxxx 2019-12-02 uid $YOUR_UID <$YOUR_EMAIL> sub 2048R/**** 2019-12-02
The public key ID here is xxxx, which will be used soon.
Upload public key to PGP key server
gpg --keyserver hkp://keys.gnupg.net:11371 --send-keys xxxx
Check whether the public key is uploaded successfully
> gpg --keyserver hkp://keys.gnupg.net:11371 --recv-keys xxxx gpg: download key 'xxxx', from hkp server keys.gnupg.net gpg: key xxxx: "$your UUID < $your email >" unchanged gpg: total processed quantity: 1 gpg: unchanged: 1
NOTE:
- Fill in the public key ID here according to the actual situation
- Many online tutorials are for pool.sks-key servers.net. I feel that pool.sks-keyservers.net, a keyserver, is not easy to use. If you upload a key, you will often fail to verify it or obtain it. maven supports two key servers http://keys.gnupg.net:11371 and http://pool.sks-keyservers.net:11371
- hkp protocol instead of http protocol is used here
- Many tutorials do not give ports. After testing, port numbers need to be added
The local private key is used to digitally sign the uploaded component, and the user who downloads the component can verify the signature through the uploaded public key -- it needs to verify whether the component is uploaded by himself, because there is the possibility that the component may be tampered with.
Modify Maven configuration file
To modify Maven configuration file, you need to modify setting.xml and pom.xml of the project
Configure setting.xml of Maven
Modify ~ /. m2/setting.xml file
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 http://maven.apache.org/xsd/settings-1.0.0.xsd"> <servers> ... <server> <id>snapshots</id> <username>$USER_NAME</username> <password>$YOUR_PASSWORD</password> </server> <server> <id>release</id> <username>$USER_NAME</username> <password>$YOUR_PASSWORD</password> </server> </servers> </settings>
Replace the user name, your password for the user name and password registered on the Sonatype. The ID here will be used in pom.xml.
Configure Maven's pom.xml
<project> ... <!-- More Project Information --> <name>nebula-java</name> <description>Nebula Java Client</description> <url>https://github.com/vesoft-inc/nebula-java</url> <scm> <connection>scm:git:https://github.com/vesoft-inc/nebula</connection> <url>https://github.com/vesoft-inc/nebula</url> <developerConnection>scm:git:https://github.com/vesoft-inc/nebula</developerConnection> </scm> <licenses> <license> <name>Apache License, Version 2.0</name> <url>https://www.apache.org/licenses/LICENSE-2.0.txt</url> <distribution>repo</distribution> <comments>license</comments> </license> </licenses> ... <profiles> <profile> <id>release</id> <build> <plugins> <!-- Source --> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-source-plugin</artifactId> <executions> <execution> <id>attach-sources</id> <goals> <goal>jar</goal> </goals> </execution> </executions> </plugin> <!-- Javadoc --> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-javadoc-plugin</artifactId> <version>3.1.1</version> <configuration> <excludePackageNames>com.facebook.thrift:com.facebook.thrift.*</excludePackageNames> </configuration> <executions> <execution> <id>attach-javadocs</id> <phase>package</phase> <goals> <goal>jar</goal> </goals> <configuration> <doclint>none</doclint> </configuration> </execution> </executions> </plugin> <!-- GPG --> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-gpg-plugin</artifactId> <version>1.6</version> <executions> <execution> <phase>verify</phase> <goals> <goal>sign</goal> </goals> </execution> </executions> </plugin> </plugins> </build> <distributionManagement> <repository> <id>release</id> <url>https://oss.sonatype.org/service/local/staging/deploy/maven2/</url> </repository> <snapshotRepository> <id>snapshots</id> <url>https://oss.sonatype.org/content/repositories/snapshots/</url> </snapshotRepository> </distributionManagement> </profile> </profiles> ... </project>
- pom.xml must include: name, description, url, licenses, developers, scm and other basic information (the pit stepped by the history of blood and tears)
- In addition to jar, there must be document package and source package to publish Maven. So pom needs to add maven Javadoc plugin and Maven source plugin. Reference example:
com-vesoft-client |-- pom.xml |-- src\ `-- target `-- attach-source-javadoc-1.0-SNAPSHOT.jar `-- attach-source-javadoc-1.0-SNAPSHOT-javadoc.jar `-- attach-source-javadoc-1.0-SNAPSHOT-sources.jar
- Key encryption is required for release build, so pom needs to add Maven GPG plugin
Multi module project configuration
Nebula Java is a multi module project
<modules> <module>client</module> <module>examples</module> </modules>
In order to upload the Client, you need to upload the pom.xml of the parent, otherwise the Client will not find the dependency (the hole stepped by the history of blood and tears), but we do not want to upload the examples module, so we have made the following changes:
- The project information name, description, url, licenses, developers, scm and Maven GPG plugin are placed in the pom.xml file of parent
<project> ... <name>nebula-java</name> <description>Nebula Java Client</description> <url>https://github.com/vesoft-inc/nebula-java</url> <scm> <connection>scm:git:https://github.com/vesoft-inc/nebula</connection> <url>https://github.com/vesoft-inc/nebula</url> <developerConnection>scm:git:https://github.com/vesoft-inc/nebula</developerConnection> </scm> <licenses> <license> <name>Apache License, Version 2.0</name> <url>https://www.apache.org/licenses/LICENSE-2.0.txt</url> <distribution>repo</distribution> <comments>license</comments> </license> </licenses> <developers> <developer> <id>$ID</id> <name>$NAME</name> <email>$EMAIL</email> <organization>vesoft</organization> <roles> <role>architect</role> <role>developer</role> </roles> </developer> </developers> <distributionManagement> <repository> <id>release</id> <url>https://oss.sonatype.org/service/local/staging/deploy/maven2/</url> </repository> <snapshotRepository> <id>snapshots</id> <url>https://oss.sonatype.org/content/repositories/snapshots/</url> </snapshotRepository> </distributionManagement> <build> <plugins> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-gpg-plugin</artifactId> <version>1.6</version> <executions> <execution> <phase>verify</phase> <goals> <goal>sign</goal> </goals> </execution> </executions> </plugin> </plugins> </build> </project>
- Add maven Javadoc plugin, Maven source plugin and Maven deploy plugin to pom.xml of Java Client
<plugins> ...... <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-source-plugin</artifactId> <executions> <execution> <id>attach-sources</id> <goals> <goal>jar</goal> </goals> </execution> </executions> </plugin> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-javadoc-plugin</artifactId> <version>3.1.1</version> <configuration> <excludePackageNames>com.facebook.thrift:com.facebook.thrift.*</excludePackageNames> </configuration> <executions> <execution> <id>attach-javadocs</id> <phase>package</phase> <goals> <goal>jar</goal> </goals> <configuration> <doclint>none</doclint> </configuration> </execution> </executions> </plugin> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-deploy-plugin</artifactId> <executions> <execution> <id>default-deploy</id> <phase>deploy</phase> </execution> </executions> </plugin> </plugins>
Declare skip deploy in pom.xml of example module
<plugins> ...... <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-deploy-plugin</artifactId> <configuration> <skip>true</skip> </configuration> </plugin> </plugins>
Q: why Maven GPG plugin is put in pom.xm l of parent, while maven Javadoc plugin and Maven source plugin are put in pom.xml of Client
A: because all the uploaded components need to be encrypted, including pom.xml of the parent, they are put in the parent; only the Client needs to upload javadoc and source, so the maven javadoc plugin and Maven source plugin plug-ins are put in the Client.
Upload components to OSS
Run in the nebula Java / Directory:
> mvn clean deploy -DpomFile=pom.xml
NOTE: without DpomFile, there will be no parent pom.xml in the uploaded file
Publishing artifacts in OSS
Log in with a Sonatype account https://oss.sonatype.org/#stagingRepositories , you can view the uploaded components in the Staging Repositories. These components are currently placed in the Staging warehouse for fuzzy query and positioning to the newly uploaded components.
At this time, the status of the component is Open, check it, and then click Close. The system will automatically verify whether the component meets the specified requirements (there is only one happy person, and each unhappy person has his own misfortune, and may encounter a variety of non-conforming requirements, Good luck! ヾ(◍°∇°◍)ノ゙)
When the validation is complete, the status changes to Closed.
Finally, click the Release button to Release the component
The page may need to be refreshed to see the latest status.
Notify Sonatype artifacts of successful release
Reply a comment "the component has been published successfully" under the issue of JIRA, inform the staff of Sonatype to approve the component to be published, and the issue will be closed after publishing.
Waiting for component approval
Then, wait...
Search components from central warehouse
It'll be here in about ten minutes https://repo1.maven.org/maven2 Find the newly released component and use it directly in pom.xml
Wait for synchronization to complete about 2 hours, central warehouse (connection: http://search.maven.org/ )You can find it.
Alibaba cloud images are widely used in China. Image synchronization is not real-time. In order to use it in time, you can add the central warehouse image source in the file ~ /. m2/setting.xml, as follows:
<mirrors> ...... <mirror> <id>nexus-mvn</id> <mirrorOf>central</mirrorOf> <name>Nexus Central</name> <url>http://repo1.maven.org/maven2</url> </mirror> </mirrors>
After the first successful release, you don't have to worry about it. You can directly use Group Id to publish components.
Follow up operation
Publishing process of the same Group Id
- according to Above Edit setting.xml and pom.xml,
- Upload and build;
- stay https://oss.sonatype.org/ close and release components;
- After waiting for synchronization to complete (about 2 hours), you can use
Last tip: the released version does not support modification or deletion
Nebula · small theater
Why is the map database named Nebula? Nebula means nebula. It's very big. It's also a beautiful little sister of nebula in Marvel Universe. By the way, the pronunciation of nebula is: [ˈ n ɛ bj ə l ə]
Explanation of nebula in this paper -- ALP 188 and tadpole's tail
Why does this galaxy have such a long tail?
In this amazing view, distant galaxies form a striking background, according to the image data of Hubble's legacy archives. This is the damaged spiral galaxy Arp188, Tadpole Galaxy.
Tadpoles are only 420 million light-years away from the northern constellation of the Dragon (Dracula). Its striking tail, about 280000 light-years old, is characterized by a large, bright blue cluster of stars. There's a story that goes like this: a denser intruder galaxy passes in front of Arp 188 - right to left - and is left behind by their gravity behind a tadpole. In this close encounter, tidal forces pull stars, gas and dust out of the spiral galaxy, forming a spectacular tail. The intruder galaxy itself, estimated to be 300, 000 light-years behind the tadpole, can be seen through the foreground spiral arm in the upper right corner. Tadpole galaxies with the same name as the earth are likely to lose their tails as they grow older, and the clusters on their tails form small satellites of large spiral galaxies.
Source: Hubble Legacy Archive, ESA, NASA;
Photo source | astromy picture of the day | 2018 December 11
appendix
Finally, attach the address of Nebula Graph GitHub: https://github.com/vesoft-inc/nebula , if you have any problems using Nebula Graph, welcome GitHub to contact us or join wechat communication group, please contact wechat: nebula graphbot
