[OPEN-ILS-DEV] Cutting releases

Bill Erickson berick at esilibrary.com
Thu Jan 17 13:23:37 EST 2013


On Thu, Jan 17, 2013 at 11:26 AM, Bill Erickson <berick at esilibrary.com> wrote:

>
> On Thu, Jan 17, 2013 at 11:00 AM, Lebbeous Fogle-Weekley <
> lebbeous at esilibrary.com> wrote:
>
>> On Wed, Jan 16, 2013 at 11:43 PM, Dan Scott <dan at coffeecode.net> wrote:
>>
>>> [...]
>>>
>>> I thought the outcome of one of the last meetings was that we were going
>>> to adopt a more open security process, one that would enable community
>>> members to contribute towards testing?
>>>
>>
>> Security releases seem to invoke our lizard brains, and we just act to
>> get these releases out fast.  We need to change that, and if we concretized
>> those ideas from the recent meeting, let's bring that document out front
>> and center to remind ourselves.
>>
>
> And more importantly to remind the community.  It occurred to me (after
> the fact) that we didn't do this yesterday because there was no way to
> explain to people why we were exposing sensitive security information
> without simultaneously providing a packaged fix.  Naturally, there is a lot
> of apprehension about this.  Let's get it into the doc [1] before next time
> so we can go forth with impunity.
>
> [1] http://evergreen-ils.org/dokuwiki/doku.php?id=dev:security
>
>
I updated the doc to reflect what I think we're all saying.  Below are the
sections I changed.

--------
How are security releases tested?

When a fix for the security release is available, including instructions
for how to apply the fix to an existing Evergreen installation, the
Launchpad bug will be made public. An announcement will be made to the
community regarding the nature of the issue, including a call for testers.
Testers should note their success/failures directly in the Launchpad ticket.


How are security fixes released?

After testing, the code will be merged to the relevant public Evergreen
branches (origin/master, origin/rel_2_3, …) and the Launchpad entries will
be marked as Fix Committed. From here, the process proceeds the same as a
regular non-security release, though every effort will be made to cut the
releases in a timely fashion.
-------

I didn't get into what constitutes sufficient testing.  I'm assuming that's
a more general topic that should live elsewhere.  Comments welcome.

-b

-- 
Bill Erickson
| Senior Software Developer
| phone: 877-OPEN-ILS (673-6457)
| email: berick at esilibrary.com
| web: http://esilibrary.com
| Equinox Software, Inc. / Your Library's Guide to Open Source