mirrors/nodejs
mirrors/nodejs
0
0
Fork 0
mirror of https://github.com/nodejs/node.git synced 2024-11-29 23:16:30 +01:00
Code Issues Releases Activity
2361b5c041
nodejs/doc/guides/security-release-process.md
Nick Schonning 7183d70273 doc: add angle brackets around implicit links 
PR-URL: https://github.com/nodejs/node/pull/32676
Reviewed-By: Rich Trott <rtrott@gmail.com>
2020-04-23 21:48:17 -07:00

3.7 KiB
Raw Blame History

Security Release Process

The security release process covers the steps required to plan/implement a security release. This document is copied into the description of the Next Security Release, and used to track progress on the release. It contains TEXT LIKE THIS which will be replaced during the release process with the information described.

Planning

  • Open an issue titled Next Security Release, and put this checklist in the description.

  • Get agreement on the list of vulnerabilities to be addressed:

    • H1 REPORT LINK: DESCRIPTION (CVE or H1 CVE request link)
      • v10.x, v12.x: LINK to PR URL
    • ...

  • PR release announcements in private:

    • (Use previous PRs as templates, don't forget to update the site banner, and the date in the slug so that it will move to the top of the blog list.)
    • pre-release: LINK TO PR
    • post-release: LINK TO PR

  • Get agreement on the planned date for the release: RELEASE DATE

  • Get release team volunteers for all affected lines:

    • v12.x: NAME of RELEASER(S)
    • ... other lines, if multiple releasers

Announcement (one week in advance of the planned release)

  • Check that all vulnerabilities are ready for release integration:

    • PRs against all affected release lines or cherry-pick clean
    • Approved
    • Pass make test
    • Have CVEs
    • Described in the pre/post announcements

  • Pre-release announcement email: LINK TO EMAIL (Get access from existing manager: Ben Noordhuis, Rod Vagg, Michael Dawson)

  • Pre-release announcement to nodejs.org blog: LINK TO BLOG (Re-PR the pre-approved branch from nodejs-private/nodejs.org-private to nodejs/nodejs.org)

  • Request releaser(s) to start integrating the PRs to be released.

  • Notify docker-node of upcoming security release date: LINK

  • Notify build-wg of upcoming security release date by opening an issue in nodejs/build to request WG members are available to fix any CI issues.

Release day

  • Lock CI

  • The releaser(s) run the release process to completion.

  • Unlock CI

  • Post-release announcement in reply email: LINK TO EMAIL

  • Post-release announcement to Nodejs.org blog: LINK TO BLOG POST

    • (Re-PR the pre-approved branch from nodejs-private/nodejs.org-private to nodejs/nodejs.org)

  • Email "Rachel Romoff" <rromoff@linuxfoundation.org> to tweet an announcement, or if you are on twitter you can just direct message the @nodejs handle.

  • Comment in docker-node issue that release is ready for integration. The docker-node team will build and release docker image updates.

  • For every H1 report resolved:

    • Close as Resolved
    • Request Disclosure
    • Request publication of H1 CVE requests
      • (Check that the "Version Fixed" field in the CVE is correct, and provide links to the release blogs in the "Public Reference" section)

  • PR machine-readable JSON descriptions of the vulnerabilities to the core vulnerability DB. LINK TO PR

  • Close this issue

  • Make sure the PRs for the vulnerabilities are closed.