Release 9.0.2
Be sure to follow the Security Releases guide.
- Picked into respective `stable` branches from the `dev/security` branch. Pick into Stable 9.0 merged merge requests:
- Push `ce/9-0-stable` to `dev` only: `git push dev 9-0-stable`
- Push `ee/9-0-stable-ee` to `dev` only: `git push dev 9-0-stable-ee`
- Merge `ce/9-0-stable` into `ee/9-0-stable-ee` following the security process
- Push `omnibus-gitlab/9-0-stable` to `dev` only: `git push dev 9-0-stable`
- Push `omnibus-gitlab/9-0-stable-ee` to `dev` only: `git push dev 9-0-stable-ee`
- While waiting for tests to be green, now is a good time to start on the blog post, in a private snippet: https://dev.gitlab.org/gitlab/gitlabhq/snippets/149
  - Ensure the blog post discloses as much information about the vulnerability as is responsibly possible. We aim for clarity and transparency, and try to avoid secrecy and ambiguity.
  - If the vulnerability was responsibly disclosed to us by a security researcher, ensure they're publicly acknowledged and thank them again privately as well.
- Ensure tests are green on CE
- Ensure tests are green on EE
- Check for any problematic migrations in EE (EE migrations include CE ones), and paste the diff in a snippet: `git diff v9.0.1-ee..9-0-stable-ee -- db/migrate`
  => No migrations
- Tag the `9.0.2` version using the `release` task:
  ```sh
  SECURITY=true bundle exec rake "release[9.0.2]"
  ```
- Check that EE and CE packages are built and appear on packages.gitlab.com: EE / CE
- In #infrastructure:
  ```
  I'm going to deploy `9.0.2` to staging
  ```
- Deploy `9.0.2` to staging.gitlab.com
- In #infrastructure:
  ```
  I'm going to deploy `9.0.2` to production
  ```
- Deploy `9.0.2` to GitLab.com
- Create the `9.0.2` version on https://version.gitlab.com
- Mark any applicable previous releases as vulnerable on https://version.gitlab.com
- Check the confidential security issues for any sensitive information, and redact it if needed
- Create the blog post merge request
- Deploy the blog post
- Push `ce/9-0-stable` to all remotes
- Push `ee/9-0-stable-ee` to all remotes
- Push tags to all remotes
- Make the confidential security issues public
- Tweet (prepare the Tweet text below or paste the tweet URL instead): https://twitter.com/gitlab/status/847269474721976320
- Coordinate with the Marketing team to send out a security newsletter
- In the 9.0 Regressions issue:
  - Add the following notice: `9.0.2` has been tagged, further fixes will go into `9.0.3` as necessary.
  - Remove notes for the regressions fixed by version 9.0.2
- Cherry-pick the merges from the `security` branch into `master` and push to all remotes.
- Add `omnibus-gitlab/9.0.2+ce.0` CHANGELOG.md items to `omnibus-gitlab/master` CHANGELOG.md
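An added example, not part of this checklist or of GitLab's own release tooling, that wraps the "push to `dev` only" and the later "push to all remotes" steps in small shell functions with a guard: a branch name that is not a stable branch, or a checkout without a `dev` remote, is refused, so a security fix cannot land on a public remote before the release is out. The private remote name `dev` and the `*-stable` / `*-stable-ee` naming pattern are assumptions taken from the checklist above.

```shell
#!/bin/sh
# Added example (not GitLab's release tooling). Assumes the private remote
# is named "dev" and stable branches end in "-stable" or "-stable-ee".

# Push one stable branch to the private "dev" remote only. Refuses branch
# names that do not look like stable branches and refuses when no "dev"
# remote is configured, so the fix cannot be pushed somewhere public.
push_stable_to_dev() {
    branch="$1"
    case "$branch" in
        *-stable|*-stable-ee) ;;
        *) echo "refusing: '$branch' is not a stable branch" >&2; return 1 ;;
    esac
    git remote get-url dev >/dev/null 2>&1 \
        || { echo "refusing: no 'dev' remote configured" >&2; return 1; }
    git push dev "$branch:$branch"
}

# Once the release is public: push the branch and the tags to every remote
# (the "push ... to all remotes" and "push tags to all remotes" steps).
push_to_all_remotes() {
    branch="$1"
    for remote in $(git remote); do
        git push "$remote" "$branch:$branch" && git push "$remote" --tags
    done
}

# Return 0 if the remote already has the branch, non-zero otherwise; used to
# verify after each step which remotes actually received the fix.
remote_has_branch() {
    git ls-remote --exit-code --heads "$1" "$2" >/dev/null 2>&1
}
```

Run `push_stable_to_dev 9-0-stable` from the CE checkout, and only after the blog post is out `push_to_all_remotes 9-0-stable`.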
For references: