Page MenuHomePhabricator
Create Task
Maniphest T156445

Streamline/automate MW tarball security release process
Open, HighPublic
Actions

Description

MW security releases are difficult, and Chad wants to automate/streamline the process. This task is to document the current required tasks, identify the pain points, and then fix them.

I think the general steps for a security release are something like...:

  • Decide upon a date and send out the pre-release announcement email
  • Give early access in Phab to some people
  • Create a list of patches/tasks that should be backported with help from security team
  • Create backports of all those patches for the supported branches
  • Update release notes and version number
  • Stage patches and git clones...somewhere.
  • Run make-release
  • Do some kind of testing???
  • gpg sign tarballs and upload to releases.wm.o
  • Send announcement to mailing lists
  • Submit patches to Gerrit and wait for CI to merge them (or just force merge)
  • Publish signed git tags.

Related Objects
Search...

Event Timeline

Legoktm created this task.Jan 27 2017, 2:24 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 27 2017, 2:24 AM
greg renamed this task from Make Chad's job easier to Streamline/automate MW tarball security release process.Jan 27 2017, 3:05 AM
Jdforrester-WMF subscribed.Jan 27 2017, 3:34 AM
Joe subscribed.Jan 27 2017, 11:30 AM
Anomie subscribed.Jan 27 2017, 3:38 PM
mmodell subscribed.Jan 27 2017, 4:24 PM
Tgr subscribed.Jan 27 2017, 7:28 PM
Tgr added a comment.Jan 27 2017, 7:32 PM

While we are at it, it would also be nice to have documentation about how security updates are handled for non-tarball WMF-deployed extensions, and for non-WMF-deployed extensions.

Smalyshev subscribed.Jan 28 2017, 1:35 AM
KartikMistry subscribed.Jan 30 2017, 4:02 AM
Paladox subscribed.Mar 9 2017, 7:16 PM
Legoktm added a comment.Mar 9 2017, 8:12 PM
[11:48:07] <RainbowSprinkles> So what I really want to do (and I haven't) is rewrite make-release in python instead of that ugly-ass PHP its in now, written in a way that it can be run daily on N branches and spit out tarballs.
[11:48:24] <RainbowSprinkles> *Also* taking a hidden directory of patches and spitting out some hidden tarballs
[11:48:39] <RainbowSprinkles> So we can constantly be *generating* the next security release, aware of conflicts, and only have to decide on a date and sign shit
[11:49:06] <RainbowSprinkles> So basically, "generate list of patches" will be "what patches has security dropped in the build pipeline?"
tstarling mentioned this in T162572: MW 1.23.16 is not compatible with PHP 5.3.Apr 10 2017, 2:06 AM
demon moved this task from INBOX to In-progress on the Release-Engineering-Team board.May 15 2017, 3:05 PM
greg moved this task from In-progress to Kanban on the Release-Engineering-Team board.May 16 2017, 4:00 PM
greg edited projects, added Release-Engineering-Team (Kanban); removed Release-Engineering-Team.
thcipriani removed a project: Release-Engineering-Team (Kanban).May 17 2017, 1:40 PM
thcipriani added a project: Release-Engineering-Team.
greg moved this task from INBOX to Epics (ARCHIVED) on the Release-Engineering-Team board.May 17 2017, 2:13 PM
demon triaged this task as High priority.Jan 12 2018, 10:49 PM
Legoktm mentioned this in T196602: Streamline MW security release process.Jul 12 2018, 4:28 AM
chasemp edited projects, added acl*security; removed Security-Team.Sep 4 2018, 4:07 PM
Krinkle awarded a token.Sep 20 2018, 11:35 PM
sbassett subscribed.Sep 21 2018, 2:36 PM
thcipriani mentioned this in T207346: Decide where to store jobs for releases-jenkins.Nov 1 2018, 5:55 PM
greg added a parent task: T196515: Automate the Train.Dec 4 2018, 5:27 PM
mmodell added a subtask: T211655: Document the process for tagging, signing and preparing a tarball release..Dec 11 2018, 4:34 PM
greg mentioned this in T208529: Install docker on releases-jenkins.Dec 20 2018, 8:51 PM
mmodell closed subtask T211655: Document the process for tagging, signing and preparing a tarball release. as Resolved.Jan 24 2019, 6:41 PM
Phabricator_maintenance edited projects, added Release-Engineering-Team-TODO; removed Release-Engineering-Team.Jun 12 2019, 11:39 PM
Phabricator_maintenance moved this task from Should be empty (use Release-Engineering-Team) to Epics on the Release-Engineering-Team-TODO board.Jun 12 2019, 11:41 PM
greg added a project: Release-Engineering-Team.Jun 21 2019, 10:35 PM
greg edited projects, added Release-Engineering-Team (Deployment services); removed Release-Engineering-Team.Aug 1 2019, 11:17 PM
chasemp added a project: Security.Feb 10 2020, 10:55 PM
thcipriani removed a parent task: T196515: Automate the Train.Feb 13 2020, 6:50 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:05 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:01 PM
Dzahn closed subtask T208529: Install docker on releases-jenkins as Resolved.Jan 22 2021, 6:57 PM
taavi subscribed.Jan 22 2021, 7:00 PM
thcipriani removed a project: Release-Engineering-Team (Deployment services).Apr 20 2021, 1:10 AM
thcipriani edited projects, added Release-Engineering-Team (thcipriani-workboard-fiddling); removed Release-Engineering-Team-TODO.Apr 20 2021, 3:42 AM
thcipriani moved this task from thcipriani-workboard-fiddling to Seen (ARCHIVE) on the Release-Engineering-Team board.Apr 20 2021, 3:58 AM
thcipriani edited projects, added Release-Engineering-Team; removed Release-Engineering-Team (thcipriani-workboard-fiddling).
thcipriani edited projects, added Release-Engineering-Team (Seen); removed Release-Engineering-Team.Apr 20 2021, 3:23 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL