The web framework for perfectionists with deadlines.

文档

How to release Django

这份文档解释了如何发布 Django。

请在进行更改时保持这些说明的最新状态! 这里的重点是描述性的,而不是规范性的,所以请随意简化或进行其他更改,但 相应地更新这份文档!

概况

有三种类型的发布可能需要进行:

  • 安全性发布:揭示和修复漏洞。这通常涉及到两个或三个同时发布的版本,例如 3.2.x、4.0.x,根据时间的安排,可能还包括 4.1.x。

  • 常规版本发布:可以是最终发布(例如 4.1)或错误修复更新(例如 4.1.1)。

  • 预发布版本:例如 4.2 alpha、beta 或 rc。

涉及的步骤的简短版本是:

  1. 如果这是一个安全性发布,请在实际发布前一周预先通知安全性发布列表。

  2. 校对发布说明,查找组织和写作错误。起草一篇博客文章和电子邮件公告。

  3. Update version numbers and create the release artifacts.

  4. Create the new Release in the admin on djangoproject.com.

    1. Set the proper date but ensure the flag is_active is disabled.

    2. Upload the artifacts (tarball, wheel, and checksums).

  5. 验证包的签名,检查它们是否可以安装,并确保最小功能可用。

  6. 将新版本上传到 PyPI。

  7. Enable the is_active flag for each release in the admin on djangoproject.com.

  8. 发布博客文章并发送电子邮件公告。

  9. Update version numbers post-release in stable branch(es).

  10. Add stub release notes for the next patch release in main and backport.

有很多细节,请继续阅读。

Use the checklists app

To generate a checklist compiling the tasks described below as relevant to the specific release(s) you are issuing, use the checklists app in the project admin. This populates a lot of boilerplate you will need for announcements, CVE publication, and hashes for commit messages. By using this app for preparing security issue metadata, your peer releasers can check your entries and consult them again in the future. (Example)

先决条件

在开始之前,你需要准备一些东西。如果这是你第一次发布,你需要与另一位发布者协调,确保所有事项都准备妥当,并写信给 Ops 邮件列表,请求所需的访问权限和许可。

  • 一个安装了以下工具的 Unix 环境(按字母顺序排列):

    • bash

    • git

    • GPG

    • make

    • man

    • 哈希工具(通常在 Linux 上是 md5sumsha1sumsha256sum,在 macOS 上是 md5shasum

    • python

  • 一个 GPG 密钥对。确保此密钥的私钥部分安全存储。公钥部分需要上传到你的 GitHub 账户,以及运行“确认发布”作业的 Jenkins 服务器。

    多个 GPG 密钥

    如果你想使用的密钥不是你的默认签名密钥,你需要在下面显示的每个 GPG 签名命令中添加 -u you@example.com,其中 you@example.com 是与你想要使用的密钥关联的电子邮件地址。

  • A clean Python virtual environment (Python 3.9+) to build artifacts, with these required Python packages installed:

    $ python -m pip install build twine

  • 访问 Django 在 PyPI 上的项目 以上传二进制文件,最好具有在必要时 撤回发布 的额外权限。按照 官方文档 创建一个项目范围的令牌,并按如下方式设置你的 $HOME/.pypirc 文件:

    ~/.pypirc
    [distutils]
  index-servers =
    pypi
    django

[pypi]
  username = __token__
  password = # User-scoped or project-scoped token, to set as the default.

[django]
  repository = https://upload.pypi.org/legacy/
  username = __token__
  password = # A project token.

  • 访问 Django 在 Transifex 上的项目,并具有管理员角色。在 用户设置部分 生成一个 API 令牌,并按如下方式设置你的 $HOME/.transifexrc 文件:

    ~/.transifexrc
    [https://www.transifex.com]
  rest_hostname = https://rest.api.transifex.com
  token = # API token

  • 作为“站点维护者”访问 djangoproject.com 上的 Django 管理界面。

  • Access to create a post in the Django Forum - Announcements category and to send emails to the django-announce mailing list.

  • 访问 GitHub 中的 django-security 仓库。除其他事项外,这提供了对预通知分发列表的访问权限(安全发布准备任务所需)。

  • Access to the Django project on Read the Docs.

发布前的任务

在开始发布过程之前,需要处理一些事项。这些工作大约在发布前一周开始;大部分工作可以在实际发布前的任何时间完成。

安全发布前 10 天(或更早)

  1. Reserve one CVE ID per security issue as follows. (Or, if you lack CNA credentials, email cna@djangoproject.com with a request.)

    • Enable virtual environment with cvelib installed.

    • Export user information:

      $ export CVE_USER=<user-email>@djangoproject.com CVE_ORG=DSF

    • Reserve:

      $ cve --interactive reserve <quantity>

  2. 使用 git format-patch 生成相关的(私有)补丁,一个用于 main 分支,一个用于每个正在修补的稳定分支。

安全发布前一周

  1. Send out pre-notification exactly one week before the security release. The template for that email and a list of the recipients are in the private django-security GitHub wiki. BCC the pre-notification recipients, and be sure to include the relevant CVE IDs. Attach all the relevant patches (targeting main and the stable branches), and sign the email text with the key you'll use for the release, with a command like:

    $ gpg --clearsign --digest-algo SHA256 prenotification-email.txt

  2. 通知 django-announce 即将发布的安全版本,使用如下一般消息:

    Notice of upcoming Django security releases (3.2.24, 4.2.10 and 5.0.2)

Django versions 5.0.2, 4.2.10, and 3.2.24 will be released on Tuesday,
February 6th, 2024 around 1500 UTC. They will fix one security defect
with severity "moderate".

For details of severity levels, see:
https://docs.djangoproject.com/en/dev/internals/security/#how-django-discloses-security-issues

  3. Prepare issue metadata: * Severity * Short description * Reporter * Remediator * Reported at * Confirmed at (usually date CVE reserved) * CWE Problem Type * CAPEC Impact Type * CVSS (4.0) Score & Vector

任何发布前几天

  1. As the release approaches, watch Trac to make sure no release blockers are left for the upcoming release. Under exceptional circumstances, such as to meet a pre-determined security release date, a release could still go ahead with an open release blocker. The releaser is trusted with the decision to release with an open release blocker or to postpone the release date of a non-security release if required.

  2. 与其他合并人员核对,确保他们没有为发布而提交的未提交更改。

  3. 校对发布说明,包括查看在线版本以 捕捉任何损坏的链接 或 reST 错误,并确保发布说明包含正确的日期。

  4. 再次确认发布说明中提到了任何已经标记为弃用的 API 的弃用时间表,并且提到了对 Python 版本支持的任何更改。

  5. 再次检查发布说明索引中是否有指向新发布版本说明的链接;这将在 docs/releases/index.txt 中。

  6. If this is a feature release, ensure translations from Transifex have been integrated.

    In addition to having a configured Transifex account, ensure that the tx CLI is available in your PATH. You can then fetch all translations since a given date by running:

    $ python scripts/manage_translations.py fetch -v 1 --since=<some date>

    To determine a good value for --since, check the date of the most recent commit with wording similar to Updated translations from Transifex and use a date a few days prior.

    此命令需要一些时间运行。完成后,仔细检查输出以查找潜在的错误和/或警告。如果有,你需要逐个调试并解决它们。

    最近获取的翻译需要一些手动调整。首先,PO-Revision-Date 值必须手动更新为晚于 POT-Creation-Date。你可以使用类似于以下的命令批量更新所有 .po 文件(与相关稳定分支进行比较):

    $ git diff --name-only stable/5.0.x | grep "\.po"  | xargs sed -ri "s/PO-Revision-Date: [0-9\-]+ /PO-Revision-Date: $(date -I) /g"

    最后,提交更改/添加的文件(.po.mo),并创建一个针对相应发布稳定分支的新 PR(例如 更新 4.2 翻译的 PR)。

    Once merged, forward port the changes into main (example commit).

  7. 更新 django-admin 手册页面

    $ cd docs
$ make man
$ man _build/man/django-admin.1  # do a quick sanity check
$ cp _build/man/django-admin.1 man/django-admin.1

    然后提交已更改的手册页面。

  8. 如果这是一个新系列的 "点零" 发布,请从当前稳定分支在 django-docs-translations 存储库中创建一个新分支。例如,发布 Django 4.2 时:

    $ git checkout -b stable/4.2.x origin/stable/4.1.x
$ git push origin stable/4.2.x:stable/4.2.x

  9. 为发布撰写公告博客文章。你可以随时输入它到管理员界面并将其标记为非活动状态。以下是一些示例:示例安全发布公告示例常规发布公告示例预发布公告

A few days before a feature freeze

In preparation for the alpha release, the directory /home/www/www/media/releases/A.B must be created on the djangoproject server.

Before the feature freeze, a branch targeting main must be created to prepare for the next feature release. It should be reviewed and approved a few days before the freeze, allowing it to be merged after the stable branch is cut. The following items should be addressed in this branch:

  1. Update the VERSION tuple in django/__init__.py, incrementing to the next expected release (example commit).

  2. Create a stub release note for the next feature release. Use the stub from the previous feature release or copy the contents from the current version and delete most of the contents leaving only the headings (example commit).

  3. Remove .. versionadded:: and .. versionchanged:: annotations in the documentation from two releases ago, as well as any remaining older annotations. For example, in Django 5.1, notes for 4.2 will be removed (example commit).

  4. Remove features that have reached the end of their deprecation cycle, including their docs and the .. deprecated:: annotation. Each removal should be done in a separate commit for clarity. In the commit message, add a Refs #XXXXX -- prefix linking to the original ticket where the deprecation began if possible. Make sure this gets noted in the removed features section in the release notes (example commit).

  5. Increase the default PBKDF2 iterations in django.contrib.auth.hashers.PBKDF2PasswordHasher by about 20% (pick a round number). Run the tests, and update the 3 failing hasher tests with the new values. Make sure this gets noted in the release notes (example commit).

Concrete examples for past feature release bootstrap branches: 5.2 bootstrap, 5.1 bootstrap, 5.0 bootstrap.

Feature freeze tasks

  1. Remove empty sections from the release notes (example commit).

  2. Build the release notes locally and read them. Make any necessary change to improve flow or fix grammar (example commit).

  3. Create a new stable branch from main. Be sure to fetch and update upstream to latest. For example, when feature freezing Django 5.2:

    $ git fetch upstream
$ git checkout -b stable/5.2.x upstream/main
$ git push upstream -u stable/5.2.x:stable/5.2.x

    At the same time, update the django_next_version variable in docs/conf.py on the stable release branch to point to the new development version. For example, when creating stable/5.2.x, set django_next_version to '6.0' on the new stable branch (example commit).

  4. Create Release entries for the next version in the admin on djangoproject.com. Add one for each milestone (alpha, beta, rc, and final), leaving is active unset to mark them as unreleased. Set target dates per the agreed schedule, and set the LTS flag if applicable. The X.Y roadmap page will be available at /download/X.Y/roadmap/.

    For example, when creating stable/5.2.x, add Release entries for 6.0a1, 6.0b1, 6.0rc1, and 6.0. The 6.0 roadmap can be then reviewed at https://www.djangoproject.com/download/6.0/roadmap/.

  5. Go to the Add document release page in the admin, create a new DocumentRelease object for the English language for the newly created Release object. Do not mark this as default.

  6. Add the new branch to Read the Docs. Since the automatically generated version names ("stable-A.B.x") differ from the version names used in Read the Docs ("A.B.x"), update the Read the Docs config for the version to point to the slug A.B.x and set it as active. See more details.

  7. Create a PR on PyPI proposing the new Trove classifier. For example Framework :: Django :: 5.2.

  8. 更新当前处于活跃开发中的分支,并在 Trac 上的 Django 发布流程 中添加预发布分支。

  9. Update the docs/fixtures/doc_releases.json JSON fixture for djangoproject.com, so people without access to the production DB can still run an up-to-date copy of the docs site (example PR). This will be merged after the final release.

实际发布版本

好的,这是有趣的部分,我们实际上要发布一个版本!如果你要发布 多个版本,请为每个版本重复这些步骤。

  1. 检查 Jenkins 是否为你要发布的版本显示绿色。在它变绿之前,你可能不应该发布版本,并且你应该确保最新的绿色运行包括你要发布的更改。

  2. 清理此版本的发布说明。在 main 中进行这些更改,并向后移植到特定版本发布说明所在的所有分支。

    1. 对于功能发布,删除发布说明顶部的 UNDER DEVELOPMENT 标题,删除 Expected 前缀,并在必要时更新发布日期(示例提交)。

    2. 对于补丁发布,删除所有版本的 Expected 前缀,并在必要时更新发布日期(示例提交)。

  3. 发布总是从发布分支开始,因此你应该确保你在最新的稳定分支上。此外,你应该为每个发布的版本准备一个干净且专用的虚拟环境。例如:

    $ git checkout stable/4.1.x
$ git pull

  4. 如果这是一个安全发布,请从 django-security 合并适当的补丁。根据需要重新基于这些补丁,使每个补丁都成为发布分支上的普通提交,而不是合并提交。为了确保这一点,使用 --ff-only 标志合并它们,例如:

    $ git checkout stable/4.1.x
$ git merge --ff-only security/4.1.x

    (这假设 security/4.1.xdjango-security 存储库中包含下一个 4.1 系列发布所需的安全补丁的分支。)

    如果 git 拒绝使用 --ff-only 合并,请切换到 security-patch 分支,并在你将要合并的分支上重新基于它(git checkout security/4.1.x; git rebase stable/4.1.x),然后切换回来并执行合并操作。确保每个安全修复的提交消息解释了这个提交是一个安全修复,并且会有一个公告随后发布(示例安全提交)。

  5. django/__init__.py 中更新发布版本的版本号。有关 VERSION 的详细信息,请参阅下面的 设置 VERSION 元组的注意事项`_(:commit:`示例提交 <2719a7f8c161233f45d34b624a9df9392c86cc1b>)。

    1. If this is a pre-release package also update the "Development Status" trove classifier in pyproject.toml to reflect this. An rc pre-release should not change the trove classifier (example commit for alpha release, example commit for beta release).

    2. 否则,确保分类器设置为 Development Status :: 5 - Production/Stable

Building the artifacts

Optionally use helper scripts

You can streamline some of the steps below using helper scripts from the scripts folder:

  • Release script example run:

$ PGP_KEY_ID=<key-id> PGP_KEY_URL=<key-url> DEST_FOLDER=~/releases scripts/do_django_release.py

  • Verify the release (after artifacts were uploaded):

$ VERSION=5.2.1 scripts/verify_release.sh

  1. 使用 git tag 标记发布。例如:

    $ git tag --sign --message="Tag 4.1.1" 4.1.1

    你可以通过运行 git tag --verify <tag> 来检查你的工作。

  2. 确保你的代码库是绝对干净的,通过运行 git clean -dfx

  3. Run python -m build to generate the release packages. This will create the release artifacts (tarball and wheel) in a dist/ directory. For Django 5.0 or older, you need to run make -f extras/Makefile instead.

  4. 生成发布包的哈希值:

    $ cd dist
$ md5sum *
$ sha1sum *
$ sha256sum *

  5. 创建一个名为 Django-<<VERSION>>.checksum.txt 的 "checksums" 文件,其中包含哈希值和发布信息。使用以下模板,并插入正确的版本、日期、GPG 密钥 ID(从 gpg --list-keys --keyid-format LONG 获取)、发布管理器的 GitHub 用户名、发布 URL 和哈希值:

    This file contains MD5, SHA1, and SHA256 checksums for the source-code
tarball and wheel files of Django <<VERSION>>, released <<DATE>>.

To use this file, you will need a working install of PGP or other
compatible public-key encryption software. You will also need to have
the Django release manager's public key in your keyring. This key has
the ID ``XXXXXXXXXXXXXXXX`` and can be imported from the MIT
keyserver, for example, if using the open-source GNU Privacy Guard
implementation of PGP:

    gpg --keyserver pgp.mit.edu --recv-key XXXXXXXXXXXXXXXX

or via the GitHub API:

    curl https://github.com/<<RELEASE MANAGER GITHUB USERNAME>>.gpg | gpg --import -

Once the key is imported, verify this file:

    gpg --verify <<THIS FILENAME>>

Once you have verified this file, you can use normal MD5, SHA1, or SHA256
checksumming applications to generate the checksums of the Django
package and compare them to the checksums listed below.

Release packages
================

https://www.djangoproject.com/download/<<VERSION>>/tarball/
https://www.djangoproject.com/download/<<VERSION>>/wheel/

MD5 checksums
=============

<<MD5SUM>>  <<RELEASE TAR.GZ FILENAME>>
<<MD5SUM>>  <<RELEASE WHL FILENAME>>

SHA1 checksums
==============

<<SHA1SUM>>  <<RELEASE TAR.GZ FILENAME>>
<<SHA1SUM>>  <<RELEASE WHL FILENAME>>

SHA256 checksums
================

<<SHA256SUM>>  <<RELEASE TAR.GZ FILENAME>>
<<SHA256SUM>>  <<RELEASE WHL FILENAME>>

  6. 签名 "checksum" 文件(gpg --clearsign --digest-algo SHA256 Django-<version>.checksum.txt)。这将生成一个已签名的文档,Django-<version>.checksum.txt.asc,你可以使用 gpg --verify Django-<version>.checksum.txt.asc 来验证它。

将发布版本提供给公众

现在,你准备好将发布版本发布出去了。为了做到这一点:

  1. Create a new Release entry in the djangoproject.com's admin. If this is a security release, this should be done 15 minutes before the announced release time, no sooner:

    版本

    Must match the version number as defined in the tarball (django-<version>.tar.gz). For example: "5.2", "4.1.1", or "4.2rc1".

    Is active

    Set to False until the release is fully published (last step).

    LTS

    Enable if the release is part of an LTS branch.

    Dates

    Set the release date to today. This release will not be published until is_active is enabled.

    Artifacts

    Upload the tarball (django-<version>.tar.gz), wheel (django-<version>-py3-none-any.whl), and checksum (django-<version>.checksum.txt.asc) files created earlier.

  2. Test that the release packages install correctly using pip. Here's one simple method (this just tests that the binaries are available, that they install correctly, and that migrations and the development server start, but it'll catch silly mistakes): https://code.djangoproject.com/wiki/ReleaseTestNewVersion.

  3. 在 Jenkins 上运行 confirm-release 构建,以验证 checksum 文件(例如,对于 https://media.djangoproject.com/pgp/Django-4.2rc1.checksum.txt,使用 4.2rc1)。

  4. Upload the release packages to PyPI:

    $ twine upload --repository django dist/*

  5. Update the newly created Release in the admin in djangoproject.com and enable the is_active flag.

  6. 推送你的工作和新标签:

    $ git push
$ git push --tags

  7. 发布公告发布的博客文章。

  8. 对于新版本发布(例如 4.1、4.2),通过将 docs.djangoproject.com 数据库中适当的 DocumentRelease 对象上的 is_default 标志设置为 True 来更新文档的默认稳定版本(这将自动将其设置为 False,对于所有其他版本);你可以使用站点的管理员界面来完成这个操作。

    为每种语言创建新的 DocumentRelease 对象,这些语言在之前的发布中有条目。通过从 django-docs-translations 仓库 的当前稳定分支运行命令 manage_translations.py robots_txt 生成的结果,更新 djangoproject.com 的 robots.docs.txt 文件。例如,当发布 Django 4.2 时:

    $ git checkout stable/4.2.x
$ git pull
$ python manage_translations.py robots_txt

  9. Post the release announcement to the django-announce mailing list and the Django Forum. This should include a link to the announcement blog post.

  10. If this is a security release, publish the CVE metadata. (The checklist app generates JSON for this.):

    $ cve publish <cve-number> --cve-json-file <path-to-file>

  11. If this is a security release, send a separate email to oss-security@lists.openwall.com. Provide "Django" plus the CVE IDs in the subject line. The message body should include the vulnerability details, for example, the announcement blog post text. Include a link to the announcement blog post.

发布后

你差不多完成了!现在剩下要做的只有:

  1. If this is not a pre-release, update the VERSION tuple in django/__init__.py again, incrementing to whatever the next expected release will be. For example, after releasing 4.1.1, update VERSION to VERSION = (4, 1, 2, 'alpha', 0) (example commit).

  2. If this was an alpha release:

    1. Add the feature release version in Trac's versions list.

    2. Create a new security branch from the freshly cut stable branch. Be sure to fetch and update upstream to latest. For example, after the 5.2 alpha release:

      $ git fetch upstream
$ git checkout -b security/5.2.x upstream/stable/5.2.x
$ git push origin -u security/5.2.x:security/5.2.x

  3. 如果这是一个最终发布:

    1. Update the default_version setting in the code.djangoproject.com's trac.ini file (example PR).

    2. 更新当前稳定分支并删除 Trac 上 Django 发布过程 中的预发布分支。

    3. 更新 djangoproject.com 的下载页面(示例 PR)。

    4. Process the older versions that will reach End-Of-Mainstream and/or End-Of-Life support when this final release is published:

      1. Ensure that the EOL versions are mentioned in the blog post. Example.

      2. Create a tag for the EOL stable branch and delete the stable branch. Inspect and use the scripts/archive_eol_stable_branches.py helper.

  4. 如果这是一个安全发布,请更新 安全问题档案,提供解决问题的详细信息。

  5. If this was a pre-release, the translation catalogs need to be updated:

    1. Make a new branch from the recently released stable branch:

      $ git checkout stable/A.B.x
$ git checkout -b update-translations-catalog-A.B.x

    2. Ensure that the release's dedicated virtual environment is enabled and run the following:

      $ cd django
$ django-admin makemessages -l en --domain=djangojs --domain=django
processing locale en

    3. Make a pull request against the corresponding stable branch and merge once approved.

    4. Forward port the updated source translations to the main branch (example commit).

  6. If this was an rc pre-release, call for translations for the upcoming release in the Django Forum - Internationalization category.

关于设置 VERSION 元组的注意事项

Django 的版本报告受控于 django/__init__.py 中的 VERSION 元组。这是一个包含五个元素的元组,其元素分别是:

  1. 主要版本。

  2. 次要版本。

  3. 微版本。

  4. 状态 -- 可以是 "alpha"、"beta"、"rc" 或 "final" 中的一个。

  5. 系列号,用于按顺序运行的 alpha/beta/RC 包(例如,"beta 1"、"beta 2" 等)。

对于最终发布,状态始终为 "final",系列号始终为 0。状态为 "alpha" 的系列号为 0 将被报告为 "pre-alpha"。

一些示例:

  • (4, 1, 1, "final", 0) → "4.1.1"

  • (4, 2, 0, "alpha", 0) → "4.2 pre-alpha"

  • (4, 2, 0, "beta", 1) → "4.2 beta 1"

Back to Top

附加信息

Support Django!

Support Django!

内容

获取帮助

常见问题
尝试查看 FAQ — 它包括了很多常见问题的答案
索引, 模块索引, or 目录
查找特定信息时比较容易
Django Discord Server
Join the Django Discord Community.
Official Django Forum
Join the community on the Django Forum.
Ticket tracker
在我们的 `ticket tracker`_ 中报告 Django 或 Django 文档的 Bug。

离线(Django 6.0): HTML | PDF | ePub
Read the Docs 提供。

Diamond and Platinum Members