[Security] Client Unpacking Chart that Contains Malicious Content (Helm == 2.11.0)
Prior to the security release

- Read the security process for developers if you are not familiar with it.
- Link to the original issue, adding it to the links section.
- Run `scripts/security-harness` in the CE, EE, and/or Omnibus to prevent pushing to any remote besides
- Create an MR targeting `master`, prefixing your branch with
- Label your MR with the security label, prefix the title with
- Add a link to the MR to the links section.
- Add a link to an EE MR if required.
- Make sure the MR remains in-progress and gets approved after the review cycle, but never merged.
- Add a link to this issue on the original security issue.
- Once the MR is ready to be merged, create MRs targeting the last 3 releases, plus the current RC if between the 7th and 22nd of the month.
  - At this point, it might be easy to squash the commits from the MR into one.
  - You can use the script `bin/secpick` instead of the following steps to help you with the cherry-picking. See the secpick documentation.
  - Create the branch `X-Y-stable` if it doesn't exist (and make sure it's up to date with stable).
  - Create each MR targeting the security branch.
  - Add the security label and prefix the title of the MR with the version, `WIP: [X.Y]`.
  - Add the ~"Merge into Security" label to all of the MRs.
  - Make sure all MRs have a link in the links section.

Documentation and final details

- Check the topic on #security to see when the next release is going to happen and add a link to the links section.
- Find out the versions affected (the Git history of the files affected may help you with this) and add them to the details section.
- Fill in any upgrade notes that users may need to take into account in the details section.
- Add Yes/No and further details if needed to the migration and settings columns in the details section.
- Add the nickname of the external user who found the issue (and/or HackerOne profile) to the Thanks row in the details section.
- Once the `master` MR is merged, comment on the original security issue with a link to that MR indicating the issue is fixed.

Links

| Description | Link |
| --- | --- |
| Security release issue | #TODO |

Details

| Description | Details |
| --- | --- |
| GitLab Settings updated | Yes/No |