### Prior to starting the security release work

- Read the security process for developers if you are not familiar with it.
- Link this issue in the Security Release issue on GitLab.com. You can find this issue in the topic of the `#releases` channel.
- Add a link to the confidential `gitlab-org/gitlab` issue describing the vulnerability next to **Original issue** in the links table.
- Add a link to the confidential `gitlab-org/gitlab` Security release issue next to **Security release issue** in the links table.
- Run `scripts/security-harness` in your local repository to prevent accidentally pushing to any remote besides `gitlab.com/gitlab-org/security`.
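The last step is the one a developer most often asks about: what does a push guard actually check? The following is an added illustration written for this page, not GitLab's own `scripts/security-harness`: a POSIX `pre-push` hook that refuses any push whose destination is not under `gitlab.com/gitlab-org/security`. The allowed prefix, the three remote URL forms it recognises, and the refuse-by-default behaviour are assumptions of the example.

```shell
#!/bin/sh
# Added illustration of a push guard; this is NOT GitLab's scripts/security-harness.
# Installed as .git/hooks/pre-push, git runs it as "pre-push <remote name> <remote url>"
# and aborts the push when it exits non-zero. Only the destination is inspected; the
# list of refs git passes on stdin is ignored.

# Destination that a security branch may be pushed to (from the checklist above).
ALLOWED_PREFIX="gitlab.com/gitlab-org/security"

# remote_is_allowed URL: exit 0 when URL points into the security mirror, 1 otherwise.
# Recognises scp-style ssh, ssh:// and https:// forms; everything else is refused.
# A "/" is required right after the prefix so look-alike namespaces such as
# gitlab-org/security-fork do not pass.
remote_is_allowed() {
  url="$1"
  # Normalise each form to "host/path" so one comparison covers all of them.
  case "$url" in
    git@gitlab.com:*)       path="gitlab.com/${url#git@gitlab.com:}" ;;
    ssh://git@gitlab.com/*) path="gitlab.com/${url#ssh://git@gitlab.com/}" ;;
    https://gitlab.com/*)   path="gitlab.com/${url#https://gitlab.com/}" ;;
    *)                      return 1 ;;
  esac
  case "$path" in
    "$ALLOWED_PREFIX"/*) return 0 ;;
    *)                   return 1 ;;
  esac
}

# Hook entry point: only active when git invokes this file under the name pre-push.
if [ "${0##*/}" = "pre-push" ]; then
  if remote_is_allowed "${2:-}"; then
    exit 0
  fi
  printf 'pre-push: refusing to push to %s (%s); only %s is allowed\n' \
    "${1:-?}" "${2:-?}" "$ALLOWED_PREFIX" >&2
  exit 1
fi
```

Copy the file to `.git/hooks/pre-push` and mark it executable; git then runs it before every push and a non-zero exit aborts the push. Because the check is an allow-list on the normalised destination, a remote named `origin` that silently points at `gitlab-org/gitlab` is rejected just like a push to an unrelated host.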
### Development

- Create a new branch, prefixing it with `security-`.
- Create a merge request targeting `master` on `gitlab.com/gitlab-org/security` and use the Security Release merge request template.
- Follow the same code review process: assign to a reviewer, then to a maintainer.

After your merge request has been approved according to our approval guidelines, you're ready to prepare the backports.
### Backports

- Once the MR is ready to be merged, create MRs targeting the latest 3 stable branches.
  - At this point, it might be easier to squash the commits from the MR into one.
  - You can use the script `bin/secpick` instead of the following steps to help you with cherry-picking. See the secpick documentation.
- Create each MR targeting the stable branch `X-Y-stable`, using the Security Release merge request template.
  - Every merge request will have its own set of TODOs, so make sure to complete those.
- Make sure all MRs are linked in the Links section.
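Picking "the latest 3 stable branches" by hand is where backports go wrong (a lexical sort puts `12-9-stable` after `12-10-stable`). The script below is an added illustration for this page, not GitLab's `bin/secpick`: it selects the three newest `X-Y-stable` branches with a numeric sort and prepares one `security-` branch per stable branch by cherry-picking the reviewed fix commit. The `security-<issue>-<X-Y>` branch name and the use of `origin` as the security mirror are assumptions of the example; only the `security-` prefix and the `X-Y-stable` pattern come from the checklist.

```shell
#!/bin/sh
# Added illustration, not GitLab's bin/secpick. Assumes the checkout's "origin"
# is the security mirror and that "git fetch origin" has already been run.

# latest_stable_branches: read branch names on stdin (one per line, as printed
# by "git branch -r") and print the three newest "X-Y-stable" names, oldest
# first. Sorting is numeric on major then minor, so 12-10 comes after 12-9.
latest_stable_branches() {
  sed -n 's#^ *\(origin/\)\{0,1\}\([0-9][0-9]*-[0-9][0-9]*-stable\)$#\2#p' \
    | sort -t- -k1,1n -k2,2n \
    | tail -n 3
}

# backport_branch_name ISSUE STABLE: the assumed naming scheme for this example,
# e.g. "1234" and "12-10-stable" -> "security-1234-12-10".
backport_branch_name() {
  printf 'security-%s-%s\n' "$1" "${2%-stable}"
}

# create_backport_branches ISSUE SHA STABLE...: for each stable branch, start a
# backport branch from origin/<STABLE> and cherry-pick SHA with -x so the new
# commit records which commit it came from. Stops at the first failure (for
# example a conflict) so it can be resolved by hand instead of being skipped.
create_backport_branches() {
  issue="$1"; sha="$2"; shift 2
  for stable in "$@"; do
    branch=$(backport_branch_name "$issue" "$stable")
    git checkout -b "$branch" "origin/${stable}" || return 1
    git cherry-pick -x "$sha" || return 1
  done
}

# Typical invocation (not executed here):
#   create_backport_branches 1234 abc1234 $(git branch -r | latest_stable_branches)
```

Each resulting branch still needs its own MR against the matching `X-Y-stable` branch, using the Security Release merge request template as the checklist describes; the script only prepares the branches.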
### Documentation and final details

- Ensure the Links section is completed.
- Find out the versions affected (the Git history of the files affected may help you with this) and add them to the Details section.
- Fill in any upgrade notes that users may need to take into account in the Details section.
- Add Yes/No and further details if needed to the migration and settings rows in the Details section.
- Add the nickname of the external user who found the issue (and/or HackerOne profile) to the Thanks row in the Details section.
- Once your `master` MR is merged, comment on the original security issue with a link to that MR indicating the issue is fixed.
### Summary

#### Links

| Description | Link |
|---|---|
| Original issue | #TODO |
| Security release issue | #TODO |
| `master` MR | !TODO |
| Backport X.Y MR | !TODO |
| Backport X.Y MR | !TODO |
| Backport X.Y MR | !TODO |

#### Details

| Description | Details | Further details |
|---|---|---|
| Versions affected | X.Y | |
| Upgrade notes | | |
| GitLab Settings updated | Yes/No | |
| Migration required | Yes/No | |
| Thanks | | |

/label ~security