Streamline/automate MW tarball security release process
Open, High, Public

Description

MW security releases are difficult, and Chad wants to automate/streamline the process. This task is to document the current required tasks, identify the pain points, and then fix them.

I think the general steps for a security release are something like...:

  • Decide upon a date and send out the pre-release announcement email
  • Give early access in Phab to some people
  • Create a list of patches/tasks that should be backported with help from security team
  • Create backports of all those patches for the supported branches
  • Update release notes and version number
  • Stage patches and git clones...somewhere.
  • Run make-release
  • Do some kind of testing???
  • gpg sign tarballs and upload to releases.wm.o
  • Send announcement to mailing lists
  • Submit patches to Gerrit and wait for CI to merge them (or just force merge)
  • Publish signed git tags.
Legoktm created this task. Jan 27 2017, 2:24 AM
Restricted Application added a subscriber: Aklapper. Jan 27 2017, 2:24 AM
greg renamed this task from "Make Chad's job easier" to "Streamline/automate MW tarball security release process". Jan 27 2017, 3:05 AM
Joe added a subscriber: Joe. Jan 27 2017, 11:30 AM
Anomie added a subscriber: Anomie. Jan 27 2017, 3:38 PM
Tgr added a subscriber: Tgr. Jan 27 2017, 7:28 PM
Tgr added a comment. Jan 27 2017, 7:32 PM

While we are at it, it would also be nice to have documentation about how security updates are handled for non-tarball WMF-deployed extensions, and for non-WMF-deployed extensions.

Paladox added a subscriber: Paladox. Mar 9 2017, 7:16 PM
[11:48:07] <RainbowSprinkles> So what I really want to do (and I haven't) is rewrite make-release in python instead of that ugly-ass PHP it's in now, written in a way that it can be run daily on N branches and spit out tarballs.
[11:48:24] <RainbowSprinkles> *Also* taking a hidden directory of patches and spitting out some hidden tarballs
[11:48:39] <RainbowSprinkles> So we can constantly be *generating* the next security release, aware of conflicts, and only have to decide on a date and sign shit
[11:49:06] <RainbowSprinkles> So basically, "generate list of patches" will be "what patches has security dropped in the build pipeline?"
demon triaged this task as High priority. Fri, Jan 12, 10:49 PM
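The "create backports for the supported branches" step in the task description and the "constantly generating the next security release, aware of conflicts" idea in the IRC excerpt both come down to one check: does each pending security patch still apply to each supported release branch? The following is an added illustration of that check, written for this page; it is not MediaWiki's make-release, nor any tooling from this task. It is a minimal dry-run applier for single-file unified diffs that reports a conflict instead of failing, run over constructed branch contents (REL1_28, REL1_27) and two constructed patches. A real pipeline would call `git apply --check` on actual branches; the point here is the shape of the per-branch, per-patch conflict matrix such a pipeline would publish daily.

```python
"""Dry-run check of whether unified-diff patches still apply per release branch.

Added example for this task; the branch contents and patches below are
constructed, and the applier only handles single-file diffs.
"""
import re
from typing import Dict, List, Tuple

# Hunk header: @@ -old_start[,old_len] +new_start[,new_len] @@
HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


def parse_hunks(patch_text: str) -> List[Tuple[int, List[str]]]:
    """Return (old_start, body_lines) per hunk; body lines keep their ' ', '-', '+' prefix."""
    hunks: List[Tuple[int, List[str]]] = []
    current = None
    for line in patch_text.splitlines():
        m = HUNK_RE.match(line)
        if m:
            current = (int(m.group(1)), [])
            hunks.append(current)
        elif line.startswith(("diff ", "--- ", "+++ ")):
            # File headers end the previous hunk. (A removed line whose
            # content begins with "-- " is ambiguous here; fine for this demo.)
            current = None
        elif current is not None and line[:1] in (" ", "-", "+"):
            current[1].append(line)
        # "\ No newline at end of file" and other noise is ignored.
    return hunks


def find_block(lines: List[str], block: List[str], start: int) -> int:
    """First index >= start where `block` occurs verbatim in `lines`, or -1."""
    n = len(block)
    for i in range(start, len(lines) - n + 1):
        if lines[i:i + n] == block:
            return i
    return -1


def try_apply(source: str, patch_text: str) -> Tuple[bool, str, List[str]]:
    """Apply `patch_text` to `source`.

    Returns (ok, patched_text, conflicts). Each hunk's "old" side (context +
    removed lines) is searched for at or after the last applied position; a
    hunk whose old side is no longer present is recorded as a conflict and
    skipped, so one report covers every hunk rather than stopping at the first.
    """
    lines = source.splitlines()
    out: List[str] = []
    pos = 0
    conflicts: List[str] = []
    for old_start, body in parse_hunks(patch_text):
        old = [l[1:] for l in body if l[0] in " -"]
        new = [l[1:] for l in body if l[0] in " +"]
        if not old:
            # Pure insertion with no context: use the header's line hint.
            idx = min(max(pos, old_start), len(lines))
        else:
            idx = find_block(lines, old, pos)
        if idx < 0:
            conflicts.append(f"hunk @@ -{old_start} @@ no longer matches the target")
            continue
        out.extend(lines[pos:idx])
        out.extend(new)
        pos = idx + len(old)
    out.extend(lines[pos:])
    return (not conflicts, "\n".join(out) + "\n", conflicts)


def backport_matrix(branches: Dict[str, str], patches: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Per branch, per patch: 'clean' or 'CONFLICT: <reasons>'."""
    report: Dict[str, Dict[str, str]] = {}
    for branch, source in branches.items():
        report[branch] = {}
        for name, patch in patches.items():
            ok, _, conflicts = try_apply(source, patch)
            report[branch][name] = "clean" if ok else "CONFLICT: " + "; ".join(conflicts)
    return report


# Constructed branch contents of a hypothetical Sanitize.php (not real MediaWiki code).
BRANCHES = {
    "REL1_28": "<?php\nfunction sanitize( $input ) {\n    $value = trim( $input );\n    return $value;\n}\n",
    "REL1_27": "<?php\nfunction sanitize( $input ) {\n    return trim( $input );\n}\n",
}

# Constructed patches: one written against REL1_28 that will not match REL1_27,
# and one whose context is identical on both branches.
PATCHES = {
    "escape-output.patch": (
        "--- a/Sanitize.php\n+++ b/Sanitize.php\n@@ -2,4 +2,4 @@\n"
        " function sanitize( $input ) {\n"
        "     $value = trim( $input );\n"
        "-    return $value;\n"
        "+    return htmlspecialchars( $value, ENT_QUOTES );\n"
        " }\n"
    ),
    "header-comment.patch": (
        "--- a/Sanitize.php\n+++ b/Sanitize.php\n@@ -1,2 +1,3 @@\n"
        " <?php\n"
        "+// Hardened in the security release (constructed example)\n"
        " function sanitize( $input ) {\n"
    ),
}


def demo() -> Dict[str, Dict[str, str]]:
    """Build and return the conflict matrix for the constructed data."""
    return backport_matrix(BRANCHES, PATCHES)


if __name__ == "__main__":
    for branch, results in demo().items():
        for name, status in results.items():
            print(f"{branch:8} {name:24} {status}")
```

Running it prints `clean` for both patches on REL1_28 and a `CONFLICT` for escape-output.patch on REL1_27, which is exactly the signal a daily build would surface weeks before the release date instead of on the day patches are staged.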