3.4 KiB
3.4 KiB
Prior to the security release
- Read the security process for developers if you are not familiar with it.
- Link to the original issue adding it to the links section
- Run
scripts/security-harness
in the CE, EE, and/or Omnibus to prevent pushing to any remote besidesdev.gitlab.org
- Create an MR targetting
org
master
, prefixing your branch withsecurity-
- Label your MR with the ~security label, prefix the title with
WIP: [master]
- Add a link to the MR to the links section
- Add a link to an EE MR if required
- Make sure the MR remains in-progress and gets approved after the review cycle, but never merged.
- Add a link to this issue on the original security issue.
Backports
- Once the MR is ready to be merged, create MRs targetting the last 3 releases, plus the current RC if between the 7th and 22nd of the month.
- At this point, it might be easy to squash the commits from the MR into one
- You can use the script
bin/secpick
instead of the following steps, to help you cherry-picking. See the secpick documentation - Create the branch
security-X-Y
fromX-Y-stable
if it doesn't exist (and make sure it's up to date with stable) - Create each MR targetting the security branch
security-X-Y
- Add the ~security label and prefix with the version
WIP: [X.Y]
the title of the MR
- Add the ~"Merge into Security" label to all of the MRs.
- Make sure all MRs have a link in the links section
Documentation and final details
- Check the topic on #security to see when the next release is going to happen and add a link to the links section
- Find out the versions affected (the Git history of the files affected may help you with this) and add them to the details section
- Fill in any upgrade notes that users may need to take into account in the details section
- Add Yes/No and further details if needed to the migration and settings columns in the details section
- Add the nickname of the external user who found the issue (and/or HackerOne profile) to the Thanks row in the details section
- Once your
master
MR is merged, comment on the original security issue with a link to that MR indicating the issue is fixed.
Summary
Links
Description | Link |
---|---|
Original issue | #TODO |
Security release issue | #TODO |
master MR |
!TODO |
master MR (EE) |
!TODO |
Backport X.Y MR |
!TODO |
Backport X.Y MR |
!TODO |
Backport X.Y MR |
!TODO |
Backport X.Y MR (EE) |
!TODO |
Backport X.Y MR (EE) |
!TODO |
Backport X.Y MR (EE) |
!TODO |
Details
Description | Details | Further details |
---|---|---|
Versions affected | X.Y | |
Upgrade notes | ||
GitLab Settings updated | Yes/No | |
Migration required | Yes/No | |
Thanks |
/label ~security