Lines Matching +full:post +full:- +full:release
1 # Security release process
3 The security release process covers the steps required to plan/implement a
4 security release. This document is copied into the description of the Next
5 Security Release and used to track progress on the release. It contains _**TEXT
6 LIKE THIS**_ which will be replaced during the release process with the
9 ## Security release stewards
11 For each security release, a security steward will take ownership for
17 [security steward on/off boarding](security-steward-on-off-boarding.md).
20 [README.md](https://github.com/nodejs/node#security-release-stewards).
22 | Company | Person | Release Date |
23 | ------------ | --------------- | ------------ |
24 | NearForm | Matteo | 2021-Oct-12 |
25 | Datadog | Bryan | 2022-Jan-10 |
26 | RH and IBM | Joe | 2022-Mar-18 |
27 | NearForm | Matteo / Rafael | 2022-Jul-07 |
28 | Datadog | Vladimir | 2022-Sep-23 |
29 | NodeSource | Juan | 2022-Nov-04 |
30 | RH and IBM | Michael | 2023-Feb-16 |
31 | NearForm | Rafael | 2023-Jun-20 |
32 | NearForm | Rafael | 2023-Aug-09 |
41 * [ ] Open an [issue](https://github.com/nodejs-private/node-private) titled
42 `Next Security Release`, and put this checklist in the description.
49 * [ ] PR release announcements in [private](https://github.com/nodejs-private/nodejs.org-private):
56 * [ ] pre-release: _**LINK TO PR**_
57 * [ ] post-release: _**LINK TO PR**_
59 * Use the "summary" feature in HackerOne to sync post-release content
62 security release blog page:
67 * [ ] Get agreement on the planned date for the release: _**RELEASE DATE**_
69 * [ ] Get release team volunteers for all affected lines:
73 ## Announcement (one week in advance of the planned release)
75 * [ ] Check that all vulnerabilities are ready for release integration:
76 * PRs against all affected release lines or cherry-pick clean
85 CVE and the post release announcement.
90 * Described in the pre/post announcements
92 * [ ] Pre-release announcement to nodejs.org blog: _**LINK TO BLOG**_
93 (Re-PR the pre-approved branch from nodejs-private/nodejs.org-private to
96 If the security release will only contain an OpenSSL update consider
97 adding the following to the pre-release announcement:
100 Since this security release will only include updates for OpenSSL, if you're using
107 * [ ] Pre-release announcement [email][]: _**LINK TO EMAIL**_
108 * Subject: `Node.js security updates for all active release lines, Month Year`
111 …The Node.js project will release new versions of all supported release lines on or shortly after D…
112 For more information see: https://nodejs.org/en/blog/vulnerability/month-year-security-releases/
117 * [ ] CC `oss-security@lists.openwall.com` on pre-release
121 `oss-security@lists.openwall.com` as a CC.
123 * [ ] Send a message to `#nodejs-social` in OpenJS Foundation Slack
126 Security release pre-alert:
128 We will release new versions of <add versions> release lines on or shortly
131 - # high severity issues
132 - # moderate severity issues
134 https://nodejs.org/en/blog/vulnerability/month-year-security-releases/
138 steward working on the security release do not tweet or publicise the release
140 seen tweets sent out before the release and associated announcements are
141 complete which may confuse those waiting for the release and also takes
146 * [ ] Notify [docker-node][] of upcoming security release date: _**LINK**_
150 …As per the Node.js security release process this is the FYI that there is going to be a security r…
153 * [ ] Notify build-wg of upcoming security release date by opening an issue
158 …As per security release process this is a heads up that there will be security releases Day Month …
161 ## Release day
163 * [ ] [Lock CI](https://github.com/nodejs/build/blob/HEAD/doc/jenkins-guide.md#before-the-release)
165 * [ ] The releaser(s) run the release process to completion.
167 * [ ] [Unlock CI](https://github.com/nodejs/build/blob/HEAD/doc/jenkins-guide.md#after-the-release)
169 * [ ] Post-release announcement to nodejs.org blog: _**LINK TO BLOG POST**_
170 * (Re-PR the pre-approved branch from nodejs-private/nodejs.org-private to
173 * [ ] Post-release announcement in reply [email][]: _**LINK TO EMAIL**_
174 * CC: `oss-security@lists.openwall.com`
175 * Subject: `Node.js security updates for all active release lines, Month Year`
178 The Node.js project has now released new versions of all supported release lines.
179 For more information see: https://nodejs.org/en/blog/vulnerability/month-year-security-releases/
184 Security release:
188 https://nodejs.org/en/blog/vulnerability/month-year-security-releases/
191 * [ ] Comment in [docker-node][] issue that release is ready for integration.
192 The docker-node team will build and release docker image updates.
199 links to the release blogs in the "Public Reference" section)
201 * [ ] PR machine-readable JSON descriptions of the vulnerabilities to the
202 [core](https://github.com/nodejs/security-wg/tree/HEAD/vuln/core)
205 …[json](https://github.com/nodejs/security-wg/blob/0d82062d917cb9ddab88f910559469b2b13812bf/vuln/co…
213 * [ ] PR in that you stewarded the release in
214 …[Security release stewards](https://github.com/nodejs/node/blob/HEAD/doc/contributing/security-rel…
221 When a CVE is reported as fixed in a security release and it turns out that the
239 [docker-node]: https://github.com/nodejs/docker-node/issues
240 [email]: https://groups.google.com/forum/#!forum/nodejs-sec