Announcement: Security merge requests approval process is changing
Who should read this?
If you are an engineer working on a security fix for GitLab, make sure you are familiar with the content of this announcement.
What is changing?
Starting with the %13.2 Security Release:
- Security merge requests will need to be reviewed and approved based on our Approval guidelines (as usual).
- Security merge requests targeting `master` will need to be reviewed and approved by an AppSec team member.
What does the AppSec review process look like?
AppSec engineers will verify that the security vulnerability has been remediated by testing against the Docker image generated from the `package-and-qa` build.
After they have confirmed that the vulnerability is fixed, they will approve the security merge request.
What is the consequence of not taking any action?
Security merge requests targeting `master` without AppSec approval, along with their associated backports, will not be considered for the Security Release.
Why is this change necessary?
When a Security Release starts, the auto-deploy tasks are paused, which means deployments to GitLab.com are also suspended until the Security Release finishes. To keep GitLab.com continuously deployable, it's in our best interest to finish the Security Release in a timely manner.
Before this change, security fixes were deployed and validated in staging. This approach has been problematic:
- Security releases involve numerous security fixes, making the validation of all of them in staging time-consuming.
- When a security fix is deployed to staging, we occasionally find that it does not remediate the security vulnerability, or that it introduces a regression, which causes further delay while we rush to create another fix as quickly as possible.
Moving the validation of security fixes to before the merge request is merged reduces how long a Security Release blocks deployments. For more information, see #839 (closed).
What action do I need to take?
If you have open security issues and/or security merge requests, make sure you are using the latest security issue template and security merge request template, and follow the steps described there.
What about the backports, do they also require AppSec approval?
Backports only require maintainer approval. Only the security merge request targeting `master` needs to be approved by AppSec.
What about the other components of the GitLab ecosystem?
The security merge request approval process for Omnibus, Gitaly, and GitLab Pages stays the same.
If you have any other questions, please post them in this issue.