doc: first version of security releases process #306
| the [cve_management_process](https://github.com/nodejs/security-wg/blob/master/processes/cve_management_process.md). | ||
|
|
||
| * Co-ordinate with the Release team members to line up one | ||
| or more releasers to do the releases on the agreed date. |
Given nodejs/node#21275 there should probably be an explicit step to notify the Build WG to ensure coverage to mitigate any infrastructure issues around the agreed date.
cc @nodejs/build
+1 to what @richardlau said, can we also add a line saying that while the release is going out, the releaser must be around in node-build in case issues come up
| * Create a PR to update the Node.js version in the official docker images. | ||
| * Checkout the docker-node repo | ||
| * Run the update.sh script to update versions | ||
| * Update the changed files to **remove** all changes EXCEPT those which |
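Review bot: The step "Update the changed files to **remove** all changes EXCEPT those which" has the releaser hand-edit the output of update.sh, but none of the visible steps say how to confirm that only the intended changes remain before the PR is opened. Suggest adding an explicit check, such as reviewing the resulting diff before committing. Style: "Checkout the docker-node repo" should use the verb form "Check out", and the script name update.sh would read better in code formatting.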
@chorrell is working on an update to the script allowing you to pass -s which should make sure to just update the node version.
@SimenB that's great I was thinking we wanted something to make that easier.
And it's landed, so this part should probably be updated
| * In the docker-node repository run the | ||
| [generate-stackbrew-library.sh]( https://github.com/nodejs/docker-node/blob/master/generate-stackbrew-library.sh) | ||
| script and replace official-images/library/node with the output generated. | ||
| * Open a PR with the changes to official-images/library/node making sure to |
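Review bot: The generate-stackbrew-library.sh link has a stray space after the opening parenthesis ("]( https://github.com/nodejs/docker-node/..."); drop it so the target starts directly after "(". In the same step, the path official-images/library/node is introduced without saying which repository or checkout it belongs to, so a first-time releaser cannot tell where the generated output goes. Suggest naming the repository and formatting the path as code.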
title of PR should include [security]
Ah right, I missed that this time.
| with a link to the Node.js blog post announcing that releases | ||
| are availble. | ||
|
|
||
| For each CVE listed, the additioanl data must include the following fields |
| ``` | ||
| * Move the CVE from the Pending section to the Announced section along | ||
| with a link to the Node.js blog post announcing that releases | ||
| are availble. |
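Review bot: Two spelling errors in the added text: "availble" should be "available" in "announcing that releases are availble" (the line is shown twice above), and "additioanl" should be "additional" in "the additioanl data must include the following fields".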
Will leave a bit more time for review and then will incorporate changes so far.
Believe I have addressed all of the comments. Going to land.
PR-URL: nodejs/security-wg#306
Reviewed-By: Vladimir de Turckheim <[email protected]>
Reviewed-By: Liran Tal <[email protected]>