Proposal: Establish a GitLab security release pre-announcement mailing list

Problem

It would be great to get notice of upcoming vulnerabilities before their specific content is known to the world so that maintenance windows could be planned in advance.

It seems we can expect routine security updates to follow on the heels of monthly patch releases somewhere near the end of a month. That said, it's obviously not possible to predict critical releases, and there's a pretty wide range even for those not marked critical. (Looking back at notices, I see examples running from the 25th to the 6th of the month).

Context

We operate a large open GitLab CE instance intended to provide code review and CI for the Wikimedia technical community's software projects, including MediaWiki, the Wikimedia production environment, and related systems and tools.

We've asked contacts at GitLab about this directly and not received a response. Please let me know if there's another venue in which I should be making this suggestion.

Proposal

The Jenkins project offers a useful model here:

Can I Plan Maintenance Windows?

For most security advisories, we send a "pre-announcement" to the jenkinsci-advisories Google group. Depending on advisory content, these are typically sent a few days in advance, sometimes up to a week.

These pre-announcements will only specify whether Jenkins (core) and/or plugins are affected. Affected plugins, if any, are not identified, but the announcement provides some information that allows Jenkins administrators to estimate whether they’re affected, and how important it is to schedule an immediate update:

  • The popularity of the most popular included plugins, and the highest severity of issues affecting these plugins.

  • The highest severity of included issues, and the popularity of the most popular plugin in this group.

See the jenkinsci-advisories list archive for examples of past pre-announcements.

Some advisories are published without a pre-announcement. Reasons include: The advisory wasn’t planned more than a day or two in advance; or its content couldn’t be finalized until just before publication.

In practice, notices look something like this, received on the 12th with the subject "Jenkins plugins security advisory pre-announcement":

The Jenkins project will publish a security advisory for Jenkins plugins on Tuesday, May 17. The highest severity is 'High'. The most popular included plugin is installed on more than 75% of known instances.

This affects only Jenkins plugins; there will be no corresponding security update for Jenkins itself.