# Analysis of the two planned security releases during 16.7

## Context
During the 16.7 milestone, the Delivery team piloted two scheduled security releases in preparation for the planned scheduled releases tracked in &1125 (closed). The pilot gave Delivery a chance to better understand what this new scheduling will look like. The security releases were scheduled for 2023-11-30 and 2023-12-13.

This issue is to analyze the data, experience, and feedback gathered from this experiment, and to determine what will be needed to run the same pilot for 16.8.
## Data

### Overview
- The planned releases targeted 16.6, 16.5, and 16.4 versions, including security and bug fixes.
- 22 security issues were automatically processed by release tooling, including 6 high-priority vulnerabilities (severity2)
- 38 bug fixes were included for the targeted versions, including 26 high-severity bug fixes (severity1, severity2)
- 6 high-severity backport requests were addressed for 16.5 and 16.4 versions
- The second planned release of the month was crucial for addressing a high-severity bug introduced by a security fix

### Security issues
Breakdown by project:

| Project | # security issues |
|---|---|
| GitLab | 19 |
| Omnibus | 3 |
Breakdown by severity:

| Severity | # security issues |
|---|---|
| severity1 | 0 |
| severity2 | 6 |
| severity3 | 11 |
| severity4 | 5 |
### Bug fixes

Breakdown by version:

| Version | # bug fixes |
|---|---|
| 16.6 | 23 |
| 16.5 | 6 |
| 16.4 | 9 |
| Total | 38 |
Breakdown by severity:

| Severity | # bug fixes |
|---|---|
| severity1 | 5 |
| severity2 | 21 |
| severity3 | 5 |
| severity4 | 1 |
| N/A | 6 |
Breakdown by version and severity:

#### 16.6

| Severity | # bug fixes |
|---|---|
| severity1 | 3 |
| severity2 | 9 |
| severity3 | 5 |
| severity4 | 1 |
| N/A | 5 |

#### 16.5

| Severity | # bug fixes |
|---|---|
| severity1 | 1 |
| severity2 | 6 |
| severity3 | 0 |
| severity4 | 0 |
| N/A | 0 |

#### 16.4

| Severity | # bug fixes |
|---|---|
| severity1 | 1 |
| severity2 | 6 |
| severity3 | 0 |
| severity4 | 0 |
| N/A | 2 |
### Backport requests

## Questions
- How did the two planned security releases feel for release managers?
- How did the two planned security releases feel for engineers?
- How did the two planned security releases feel for AppSec?
- Did we have enough automation for both?
- Did we have security fixes for the second security release?
- If we were to properly adopt two security releases per month, what would be the next steps?
Edited by Mayra Cabrera