Streamline/automate MW tarball security release process
Open, High, Public


MW security releases are difficult, and Chad wants to automate/streamline the process. This task is to document the current required tasks, identify the pain points, and then fix them.

I think the general steps for a security release are something like...:

  • Decide upon a date and send out the pre-release announcement email
  • Give early access in Phab to some people
  • Create a list of patches/tasks that should be backported with help from security team
  • Create backports of all those patches for the supported branches
  • Update release notes and version number
  • Stage patches and git clones...somewhere.
  • Run make-release
  • Do some kind of testing???
  • gpg sign tarballs and upload to releases.wm.o
  • Send announcement to mailing lists
  • Submit patches to Gerrit and wait for CI to merge them (or just force merge)
  • Publish signed git tags.

Event Timeline

greg renamed this task from Make Chad's job easier to Streamline/automate MW tarball security release process. Jan 27 2017, 3:05 AM

While we are at it, it would also be nice to have documentation about how security updates are handled for non-tarball WMF-deployed extensions, and for non-WMF-deployed extensions.

[11:48:07] <RainbowSprinkles> So what I really want to do (and I haven't) is rewrite make-release in python instead of that ugly-ass PHP it's in now, written in a way that it can be run daily on N branches and spit out tarballs.
[11:48:24] <RainbowSprinkles> *Also* taking a hidden directory of patches and spitting out some hidden tarballs
[11:48:39] <RainbowSprinkles> So we can constantly be *generating* the next security release, aware of conflicts, and only have to decide on a date and sign shit
[11:49:06] <RainbowSprinkles> So basically, "generate list of patches" will be "what patches has security dropped in the build pipeline?"