On Nov 1, 2014 8:52 PM, "Mark A. Hershberger" <mah(a)nichework.com> wrote:
After some discussion in September, Quim created T480 in Phabricator[1].
Markus polished up the "Security Release" section of the Release
checklist[2] and we agreed to use it as the process for security
releases from now on.
Footnotes:
[1] https://phabricator.wikimedia.org/T480
[2] https://www.mediawiki.org/wiki/Release_checklist#Security_Release_.28minor_…
--
Mark A. Hershberger
NicheWork LLC
717-271-1084
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
What about marking the bugs as public? That is a step that is often missed
and should be done just prior to sending release announcement.
From the list:
"Check for vulnerabilities"
That could use clarification. Does it mean check which branches need to be
patched? Does it mean verify that the exploit doesn't work on newly patched
branches? Or perhaps it could refer to some automated testing tool?
Given we want to minimize the time between the vulnerability being public and the
release, I'd recommend adding a step to run unit tests locally, in case they
fail, before making Jenkins do it publicly.
--bawolff