3.8 KiB
3.8 KiB
Prior to starting the security release work
- Read the security process for developers if you are not familiar with it.
- Mark this issue as related to the Security Release tracking issue. You can find it on the topic of the
#releasesSlack channel. - Run
scripts/security-harnessin your local repository to prevent accidentally pushing to any remote besidesgitlab.com/gitlab-org/security. - Fill out the Links section:
- Next to Issue on GitLab, add a link to the
gitlab-org/gitlabissue that describes the security vulnerability. - Next to Security Release tracking issue, add a link to the security release issue that will include this security issue.
- Next to Issue on GitLab, add a link to the
Development
- Create a new branch prefixing it with
security-. - Create a merge request targeting
masterongitlab.com/gitlab-org/securityand use the Security Release merge request template. - Follow the same code review process: Assign to a reviewer, then to a maintainer.
After your merge request has being approved according to our approval guidelines, you're ready to prepare the backports
Backports
- Once the MR is ready to be merged, create MRs targeting the latest 3 stable branches
- At this point, it might be easy to squash the commits from the MR into one
- You can use the script
bin/secpickinstead of the following steps, to help you cherry-picking. See the secpick documentation
- Create each MR targeting the stable branch
X-Y-stable, using the Security Release merge request template.- Every merge request will have its own set of TODOs, so make sure to complete those.
- On the "Related merge requests" section, ensure all MRs are linked to this issue.
- This section should only list the merge requests created for this issue: One targeting
masterand the 3 backports.
- This section should only list the merge requests created for this issue: One targeting
Documentation and final details
- Ensure the Links section is completed.
- Find out the versions affected (the Git history of the files affected may help you with this) and add them to the details section
- Fill in any upgrade notes that users may need to take into account in the details section
- Add Yes/No and further details if needed to the migration and settings columns in the details section
- Add the nickname of the external user who found the issue (and/or HackerOne profile) to the Thanks row in the details section
- Once your
masterMR is merged, comment on the original security issue with a link to that MR indicating the issue is fixed.
Summary
Links
| Description | Link |
|---|---|
| Issue on GitLab | #TODO |
| Security Release tracking issue | #TODO |
Details
| Description | Details | Further details |
|---|---|---|
| Versions affected | X.Y | |
| Upgrade notes | ||
| GitLab Settings updated | Yes/No | |
| Migration required | Yes/No | |
| Thanks |
/label ~security