On Nov 1, 2014 8:52 PM, "Mark A. Hershberger" <[email protected]> wrote:
>
> After some discussion in September, Quim created T480 in Phabricator[1].
> Markus polished up the "Security Release" section of the Release
> checklist[2] and we agreed to use it as the process for security
> releases from now on.
>
> Footnotes:
> [1] https://phabricator.wikimedia.org/T480
>
> [2] https://www.mediawiki.org/wiki/Release_checklist#Security_Release_.28minor_version_release.29
>
> --
> Mark A. Hershberger
> NicheWork LLC
> 717-271-1084
>
> _______________________________________________
> Wikitech-l mailing list
> [email protected]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l

What about marking the bugs as public? That is a step that is often missed and should be done just prior to sending the release announcement.

From the list:
"Check for vulnerabilities"

That could use clarification - does it mean check which branches need to be patched? Does it mean verify that the exploit doesn't work on newly patched branches? Or perhaps it could refer to some automated testing tool?

Given we want to minimize time between the vulnerability being public and release, I'd recommend adding a step of running unit tests locally in case they fail, before making Jenkins do it publicly.

--bawolff
