Tommy's Blog

I’m late to the party with this post–it’s kind of funny that I’m late, or maybe just sad, as you’ll see–and anyone who cares has already seen the information in a dozen other places, but today we released the Entity Framework Beta 3 and the Entity Framework Tools CTP 2. You might expect to hear about the new features, but Danny Simmons has already done a far better job than I could. Maybe I could tell you about breaking changes since Beta 2. But Jeff Derstadt gets the honors there. Maybe there’s a big picture I could paint, but the press release takes care of that.

Since I’m not breaking any news, and I have nothing obvious to add, you might wonder why I bother. I should have something better for those dedicated handful of you who are still here after all this time. So I’ll tell you a story about how we take a finished software product and get it up on the Web for people to download.

I said that we released the Entity Framework Beta 3–and I’m going to talk about just the runtime since I am in the Data Programmability Runtime team and it makes the story easier to tell–but, to take a very narrow view of what it means to “release the software,” we didn’t do anything: I did. I pushed the button that made the Entity Framework live on the Microsoft.com Download Center.

This release process started a few weeks ago before all the bugs were closed and all the tests were finished. Everything that we release to the public has to meet a bunch of criteria that have nothing to do with the functionality of the product. Some of the requirements are driven by Microsoft’s legal division, LCA. They require things like geopolitical approval (this focuses on the text and graphics in the product–it’s tougher than you think since something that’s innocuous in one country is sometimes illegal in another), an appropriate EULA, and proper diligence around any third-party code, among a lot of other things. There are a set of tools that must be run against the source code and the compiled binaries. Some of these are part of a final security check and others validate compliance with Microsoft policies.

There are a lot of tools to run, a lot of boxes to check, and a lot of people to round up to sign off on things. And, remember, none of this has anything to do with the testing and bug fixing that goes into the product itself.

There is an internal tool called the Download Management Tool that allows you to build the “download details page”: the page you see when I point to the Entity Framework Runtime Beta 3 that has the overview, the requirements, the instructions, and the actual link to the setup programs themselves. The DMT is a pretty slick tool, but there are a lot of boxes to check and fields to fill out. And, of course, someone has to write the text that goes into that overview, the requirements, and the installation instructions, and verifies the links in the text and a number of other things that I’m forgetting right now.

When you first set up a release in the DMT, it reserves a destination URL on the live site for that release. This helps people who need to prepare documentation, press releases, blog posts, email announcement messages, and even magazine articles. But those Download Center URLs are long and we might need to do something that would change the URL, so there’s another tool called the Forward Link tool, or FWLink. If you have spent much time with the Microsoft Web sites, I’m sure you have seen them, They look like http://go.microsoft.com/fwlink/?LinkId=104981. They exist to redirect requests. So you can reserve these FWLinks early in the process before their destinations even exist, then use them in all the documentation and only point them to the correct location once that page or that file is online. We have them not just for the download, but for the readme, the documentation, the samples, and even the ADO.NET forum. Among others. When there are so many, it’s tough to keep track of all of them, so that’s one more checklist I have to maintain.

Once all the policies have been met, all the FWlinks are set up, the download details pages written, and the readme compiled, written, edited, and reviewed, it’s time to start the final packaging of the product. Of course, that’s after all the tests are passing and the team has signed off on the product.

The final packaging starts with digital signing. Digital signatures are a security measure so that customers can be sure the code they’re running actually came from Microsoft and hasn’t been changed somewhere along the way. We have a two-pass process: we first sign the binaries that make up the product itself, then we insert those signed binaries into the setup program and we sign that. Microsoft takes its digital certificates seriously and any signing requires at least three people with the appropriate permissions: one person to submit the “job” and two people to approve it. We can do it all over the network now using our smart cards. A few years ago we had to take our product code to another building on CDs or floppies where release services would sign the bits and write them back to removable media. It’s definitely better now.

Once things are signed, the team does a final verification to be sure that there were no mistakes in the act of reassembling and signing the setup. I then take the signed, verified package and post it to the Download Center. This is done in “undiscoverable” mode: there is no details page, just the executable available at a hidden URL. The test team does one more verification from this URL and, once they sign off, the release is ready to go live.

There is a whole host of other activity that happens in parallel and involves marketing and public relations who put together material for press releases, coordinate with partners, with the media, and a whole host of other activities. The UE team has to post the documentation. The MSDN Web site team has to update the developer centers. We all agree on a day and time when we will make everything available to the public and that’s when I press the button and release the product.

P.S. I forgot to tell you about gathering the samples and posting them on CodePlex. Maybe some other time.