Commit 580049c04bdd9de73e4d37d7be641fd9ae7a9985
1 parent: f51c21b6
Exists in master and in 4 other branches
Separate procedures for both releases.
Showing 4 changed files with 150 additions and 79 deletions
CONTRIBUTING.md
... | ... | @@ -13,6 +13,10 @@ If you want to know how the GitLab team handles contributions have a look at [th |
13 | 13 | |
14 | 14 | By submitting code as an individual you agree to the [individual contributor license agreement](doc/legal/individual_contributor_license_agreement.md). By submitting code as an entity you agree to the [corporate contributor license agreement](doc/legal/corporate_contributor_license_agreement.md). |
15 | 15 | |
16 | +## Security vulnerability disclosure | |
17 | + | |
18 | +Please report suspected security vulnerabilities in private to support@gitlab.com, also see the [disclosure section on the GitLab.com website](http://www.gitlab.com/disclosure/). Please do NOT create publicly viewable issues for suspected security vulnerabilities. | |
19 | + | |
16 | 20 | ## Closing policy for issues and pull requests |
17 | 21 | |
18 | 22 | GitLab is a popular open source project and the capacity to deal with issues and pull requests is limited. Out of respect for our volunteers, issues and pull requests not in line with the guidelines listed in this document may be closed without notice. |
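Review bot: the new `## Security vulnerability disclosure` section tells reporters to mail support@gitlab.com but gives them no way to encrypt the report, and the linked disclosure page is plain `http://www.gitlab.com/disclosure/`; a report that carries a proof of concept should not have to travel in the clear. Consider publishing a PGP key (or pointing at one on the disclosure page) and linking the page over HTTPS if it is served that way. Minor: `Please report suspected security vulnerabilities in private to support@gitlab.com, also see the ...` is a comma splice; split it at `also see`.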
... | ... | @@ -78,6 +82,3 @@ We will accept pull requests if: |
78 | 82 | * It is a single commit (please use `git rebase -i` to squash commits) |
79 | 83 | |
80 | 84 | For examples of feedback on pull requests please look at already [closed pull requests](https://github.com/gitlabhq/gitlabhq/pulls?direction=desc&page=1&sort=created&state=closed). |
81 | - | |
82 | -## Security vulnerabilities | |
83 | -Please report security vulnerabilities in private to support@gitlab.com; also see http://www.gitlab.com/disclosure/. Do NOT create GitHub issues for security vulnerabilities. | ... | ... |
doc/make_release.md
... | ... | @@ -1,76 +0,0 @@ |
1 | -# Things to do when creating new release | |
2 | -NOTE: This is a guide for GitLab developers. If you are trying to install GitLab see the latest stable [installation guide](install/installation.md) and if you are trying to upgrade, see the [upgrade guides](update). | |
3 | - | |
4 | -## Install guide up to date? | |
5 | - | |
6 | -* References correct GitLab branch `x-x-stable` and correct GitLab shell tag? | |
7 | - | |
8 | -## Make upgrade guide | |
9 | - | |
10 | -### From x.x to x.x | |
11 | - | |
12 | -#### 0. Any major changes? Database updates? Web server change? File structure changes? | |
13 | - | |
14 | -#### 1. Make backup | |
15 | - | |
16 | -#### 2. Stop server | |
17 | - | |
18 | -#### 3. Do users need to update dependencies like `git`? | |
19 | - | |
20 | -#### 4. Get latest code | |
21 | - | |
22 | -#### 5. Does GitLab shell need to be updated? | |
23 | - | |
24 | -#### 6. Install libs, migrations, etc. | |
25 | - | |
26 | -#### 7. Any config files updated since last release? | |
27 | - | |
28 | -Check if any of these changed since last release (~22nd of last month depending on when last release branch was created): | |
29 | - | |
30 | -* https://github.com/gitlabhq/gitlabhq/commits/master/lib/support/nginx/gitlab | |
31 | -* https://github.com/gitlabhq/gitlab-shell/commits/master/config.yml.example | |
32 | -* https://github.com/gitlabhq/gitlabhq/commits/master/config/gitlab.yml.example | |
33 | -* https://github.com/gitlabhq/gitlabhq/commits/master/config/unicorn.rb.example | |
34 | -* https://github.com/gitlabhq/gitlabhq/commits/master/config/database.yml.mysql | |
35 | -* https://github.com/gitlabhq/gitlabhq/commits/master/config/database.yml.postgresql | |
36 | - | |
37 | -#### 8. Need to update init script? | |
38 | - | |
39 | -Check if changed since last release (~22nd of last month depending on when last release branch was created): https://github.com/gitlabhq/gitlabhq/commits/master/lib/support/init.d/gitlab | |
40 | - | |
41 | -#### 9. Start application | |
42 | - | |
43 | -#### 10. Check application status | |
44 | - | |
45 | -## Make sure the code quality indicatiors are good | |
46 | - | |
47 | -* [](http://ci.gitlab.org/projects/1?ref=master) on ci.gitlab.org (master branch) | |
48 | - | |
49 | -* [](https://travis-ci.org/gitlabhq/gitlabhq) on travis-ci.org (master branch) | |
50 | - | |
51 | -* [](https://codeclimate.com/github/gitlabhq/gitlabhq) | |
52 | - | |
53 | -* [](https://gemnasium.com/gitlabhq/gitlabhq) this button can be yellow (small updates are available) but must not be red (a security fix or an important update is available) | |
54 | - | |
55 | -* [](https://coveralls.io/r/gitlabhq/gitlabhq) | |
56 | - | |
57 | -## Make a release branch | |
58 | - | |
59 | -After making the release branch new commits are cherry-picked from master. When the release gets closer we get more selective what is cherry-picked. | |
60 | - | |
61 | -* 5 days before release: feature freeze | |
62 | -* 3 days before release: UI freeze | |
63 | -* 1 day before release: code freeze | |
64 | - | |
65 | -# Write a blog post | |
66 | - | |
67 | -* Mention what GitLab is on the second line: GitLab is open source software to collaborate on code. | |
68 | -* Select and thank the the Most Valuable Person (MVP) of this release. | |
69 | -* Note if there are security fixes: This release fixes an important security issue and we advise everyone to upgrade as soon as possible. | |
70 | - | |
71 | -## Last actions | |
72 | - | |
73 | -1. Update VERSION and CHANGELOG | |
74 | -1. Create a git tag vX.X.X | |
75 | -1. Publish the blog post | |
76 | -1. Tweet about the release |
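Review bot: deleting `doc/make_release.md` outright breaks any existing link to it (the doc index, README or wiki pages that send contributors to the release checklist); grep the tree for `make_release` before merging and either update those links or leave a one-line stub pointing at the new checklists. The Gemnasium check in the removed text (`must not be red (a security fix or an important update is available)`) is the only dependency-security gate in the release process, so confirm it is carried over unchanged rather than dropped in the move.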
... | ... | @@ -0,0 +1,76 @@ |
1 | +# Things to do when creating new monthly minor or major release | |
2 | +NOTE: This is a guide for GitLab developers. If you are trying to install GitLab see the latest stable [installation guide](install/installation.md) and if you are trying to upgrade, see the [upgrade guides](update). | |
3 | + | |
4 | +## Install guide up to date? | |
5 | + | |
6 | +* References correct GitLab branch `x-x-stable` and correct GitLab shell tag? | |
7 | + | |
8 | +## Make upgrade guide | |
9 | + | |
10 | +### From x.x to x.x | |
11 | + | |
12 | +#### 0. Any major changes? Database updates? Web server change? File structure changes? | |
13 | + | |
14 | +#### 1. Make backup | |
15 | + | |
16 | +#### 2. Stop server | |
17 | + | |
18 | +#### 3. Do users need to update dependencies like `git`? | |
19 | + | |
20 | +#### 4. Get latest code | |
21 | + | |
22 | +#### 5. Does GitLab shell need to be updated? | |
23 | + | |
24 | +#### 6. Install libs, migrations, etc. | |
25 | + | |
26 | +#### 7. Any config files updated since last release? | |
27 | + | |
28 | +Check if any of these changed since last release (~22nd of last month depending on when last release branch was created): | |
29 | + | |
30 | +* https://github.com/gitlabhq/gitlabhq/commits/master/lib/support/nginx/gitlab | |
31 | +* https://github.com/gitlabhq/gitlab-shell/commits/master/config.yml.example | |
32 | +* https://github.com/gitlabhq/gitlabhq/commits/master/config/gitlab.yml.example | |
33 | +* https://github.com/gitlabhq/gitlabhq/commits/master/config/unicorn.rb.example | |
34 | +* https://github.com/gitlabhq/gitlabhq/commits/master/config/database.yml.mysql | |
35 | +* https://github.com/gitlabhq/gitlabhq/commits/master/config/database.yml.postgresql | |
36 | + | |
37 | +#### 8. Need to update init script? | |
38 | + | |
39 | +Check if changed since last release (~22nd of last month depending on when last release branch was created): https://github.com/gitlabhq/gitlabhq/commits/master/lib/support/init.d/gitlab | |
40 | + | |
41 | +#### 9. Start application | |
42 | + | |
43 | +#### 10. Check application status | |
44 | + | |
45 | +## Make sure the code quality indicatiors are good | |
46 | + | |
47 | +* [](http://ci.gitlab.org/projects/1?ref=master) on ci.gitlab.org (master branch) | |
48 | + | |
49 | +* [](https://travis-ci.org/gitlabhq/gitlabhq) on travis-ci.org (master branch) | |
50 | + | |
51 | +* [](https://codeclimate.com/github/gitlabhq/gitlabhq) | |
52 | + | |
53 | +* [](https://gemnasium.com/gitlabhq/gitlabhq) this button can be yellow (small updates are available) but must not be red (a security fix or an important update is available) | |
54 | + | |
55 | +* [](https://coveralls.io/r/gitlabhq/gitlabhq) | |
56 | + | |
57 | +## Make a release branch | |
58 | + | |
59 | +After making the release branch new commits are cherry-picked from master. When the release gets closer we get more selective what is cherry-picked. | |
60 | + | |
61 | +* 5 days before release: feature freeze | |
62 | +* 3 days before release: UI freeze | |
63 | +* 1 day before release: code freeze | |
64 | + | |
65 | +# Write a blog post | |
66 | + | |
67 | +* Mention what GitLab is on the second line: GitLab is open source software to collaborate on code. | |
68 | +* Select and thank the the Most Valuable Person (MVP) of this release. | |
69 | +* Note if there are security fixes: This release fixes an important security issue and we advise everyone to upgrade as soon as possible. | |
70 | + | |
71 | +## Last actions | |
72 | + | |
73 | +1. Update VERSION and CHANGELOG | |
74 | +1. Create a git tag vX.X.X | |
75 | +1. Publish the blog post | |
76 | +1. Tweet about the release | ... | ... |
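Review bot: since this file is created by copying the deleted `doc/make_release.md`, its typos come along: `indicatiors` in `## Make sure the code quality indicatiors are good` should be `indicators`, and `thank the the Most Valuable Person` has a doubled `the`. The new title (`monthly minor or major release`) now distinguishes this checklist from the security one, but the `Write a blog post` step still only says `Note if there are security fixes`; add a pointer to the out-of-band security release checklist introduced in this commit for the case where a fix cannot wait for the monthly release, since that is the decision rule the other document opens with.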
... | ... | @@ -0,0 +1,70 @@ |
1 | +# Things to do when doing an out-of-bound security release | |
2 | +NOTE: This is a guide for GitLab developers. If you are trying to install GitLab see the latest stable [installation guide](install/installation.md) and if you are trying to upgrade, see the [upgrade guides](update). | |
3 | + | |
4 | +## When to do a security release | |
5 | + | |
6 | +Do a security release when there is a critical issue that needs to be adresses before the next monthly release. Otherwise include it in the monthly release and note there was a security fix in the release announcement. | |
7 | + | |
8 | +## Security vulnerability disclosure | |
9 | + | |
10 | +Please report suspected security vulnerabilities in private to support@gitlab.com, also see the [disclosure section on the GitLab.com website](http://www.gitlab.com/disclosure/). Please do NOT create publicly viewable issues for suspected security vulnerabilities. | |
11 | + | |
12 | +## Release Procedure | |
13 | + | |
14 | +1. Verify that the issue can be repoduced | |
15 | +1. Acknowledge the issue to the researcher that disclosed it | |
16 | +1. Fix the issue on a feature branch, do this on the private dev.gitlab.org server and update the VERSION and CHANGELOG | |
17 | +1. Consider creating and testing workarounds | |
18 | +1. Create feature branches for the blog posts on GitLab.org and GitLab.com and link them from the code branch | |
19 | +1. Merge the code feature branch | |
20 | +1. Create a git tag vX.X.X for CE and another one for EE | |
21 | +1. Push the code and the tags to all the CE and EE repositories | |
22 | +1. Merge and publish the blog posts | |
23 | +1. Send tweets about the release from @gitlabhq and @git_lab | |
24 | +1. Send out an email to the subscribers mailing list on MailChimp | |
25 | +1. Send out an email to [the community google mailing list](https://groups.google.com/forum/#!forum/gitlabhq) | |
26 | +1. Send out an email to [the GitLab newsletter list](http://gitlab.us5.list-manage.com/subscribe?u=498dccd07cf3e9482bee33ba4&id=98a9a4992c) | |
27 | +1. Post a signed copy of our announcement to [oss-security](http://www.openwall.com/lists/oss-security/) and request a CVE number | |
28 | +1. Add the security researcher to the [Security Researcher Acknowledgments list](http://www.gitlab.com/vulnerability-acknowledgements/) | |
29 | +1. Thank the security researcher in an email for their cooperation | |
30 | +1. Update the blogposts when we receive a CVE number | |
31 | + | |
32 | +## Blog post template | |
33 | + | |
34 | +XXX Security Advisory for GitLab | |
35 | + | |
36 | +A recently discovered critical vulnerability in GitLab allows [unauthenticated API access|remote code execution|unauthorized access to repositories|XXX|PICKSOMETHING]. All users should update GitLab and gitlab-shell immediately. | |
37 | + | |
38 | +### Version affected | |
39 | + | |
40 | +GitLab Community Edition XXX and lower | |
41 | +GitLab Enterprise Edition XXX and lower | |
42 | + | |
43 | +### Fixed versions | |
44 | + | |
45 | +GitLab Community Edition XXX and up | |
46 | +GitLab Enterprise Edition XXX and up | |
47 | + | |
48 | +### Impact | |
49 | + | |
50 | +On GitLab installations which use MySQL as their database backend it is possible for an attacker to assume the identity of any existing GitLab user in certain API calls. This attack can be performed by [unauthenticated|authenticated|XXX|PICKSOMETHING] users. | |
51 | + | |
52 | +### Workarounds | |
53 | + | |
54 | +If you are unable to upgrade you should apply the following patch and restart GitLab. | |
55 | + | |
56 | +XXX | |
57 | + | |
58 | +### Credit | |
59 | + | |
60 | +We want to thank XXX of XXX for the reponsible disclosure of this vulnerability. | |
61 | + | |
62 | +## Email template | |
63 | + | |
64 | +We just announced a security advisory for GitLab at XXX | |
65 | + | |
66 | +Please contact us at support@gitlab.com if you have any questions. | |
67 | + | |
68 | +## Tweet template | |
69 | + | |
70 | +We just announced a security advisory for GitLab at XXX | ... | ... |
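Review bot: the `### Impact` section of the blog post template still carries the text of one specific past advisory (`On GitLab installations which use MySQL as their database backend it is possible for an attacker to assume the identity of any existing GitLab user in certain API calls`) while every other field is an `XXX` placeholder; whoever fills the template in from the top will ship that paragraph verbatim. Replace it with a placeholder such as `XXX describe what an attacker can do and under which conditions`. Ordering in `## Release Procedure`: the CVE number is requested only after the blog posts, tweets and mailing-list e-mails have gone out, and `Update the blogposts when we receive a CVE number` then patches it in afterwards; request the CVE before publication so the advisory carries the identifier from the start (the oss-security post itself can stay where it is, after the fix is public). The procedure also verifies the report (`Verify that the issue can be repoduced`) but never verifies the fix against that same reproduction before tagging; add a step between fixing and merging. Typos: `out-of-bound` should be `out-of-band`, `adresses` should be `addressed`, `repoduced` should be `reproduced`, `reponsible` should be `responsible`. Finally, the `## Security vulnerability disclosure` paragraph is a verbatim copy of the one added to CONTRIBUTING.md in this commit; link to it instead so the two cannot drift apart.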