Add some process around timed releases (#786)
* Add some process around timed releases

* Add comms info

(cherry picked from commit 23c6751)
shahankhatch authored and mergify-bot committed Mar 24, 2021
1 parent 95b07e6 commit 57b2355
Showing 2 changed files with 30 additions and 1 deletion.
8 changes: 7 additions & 1 deletion RELEASING.md
Expand Up @@ -48,6 +48,7 @@ Ensure that the same replace line is also used in Gaia's `go.mod` file.

### Tagging

The following steps are the default for tagging a specific branch commit (usually on a branch labeled `release/vX.X.X`):
1. Ensure you have checked out the commit you wish to tag
1. `git pull --tags --dry-run`
1. `git pull --tags`
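Review bot: the first step, "Ensure you have checked out the commit you wish to tag", names no check, and the same list is later reused for timed security releases where tagging the wrong commit is costly. Suggest stating how to confirm it, e.g. "Compare `git rev-parse HEAD` against the commit hash that was reviewed for release", and consider making the tag a signed tag so validators can verify who created it.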
Expand All @@ -56,11 +57,16 @@ Ensure that the same replace line is also used in Gaia's `go.mod` file.
1. `git push --tags --dry-run`
1. `git push --tags`

If a tag needs to be re-created, do the following:
To re-create a tag:
1. `git tag -d v4.0.0` to delete a tag locally
1. `git push --delete origin v4.0.0`, to push the deletion to the remote
1. Proceed with the above steps to create a tag

To tag and build without a public release (e.g., as part of a timed security release):
1. Follow the steps above for tagging locally, but do not push the tags to the repository.
1. After adding the tag locally, you can build the binary, e.g., `make build-reproducible`.
1. To finalize the release, push the local tags, create a release based off the newly pushed tag, and attach the binary.

### Release notes

Ensure you run the reproducible build in order to generate sha256 hashes and platform binaries;
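Review bot: "Follow the steps above for tagging locally, but do not push the tags to the repository" is ambiguous, because the list above ends with `git push --tags --dry-run` and `git push --tags`; say explicitly which step to stop at (everything up to and excluding the push steps). In the finalize step, require that the tag pushed is the same local tag that `make build-reproducible` was run against, and that the sha256 hashes generated at build time are what gets attached to the release, otherwise the "reproducible" build cannot be checked against the published tag.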
23 changes: 23 additions & 0 deletions SECURITY.md
Expand Up @@ -45,6 +45,29 @@ Gaia uses the following disclosure process:

This process can take some time. Every effort will be made to handle the bug in as timely a manner as possible, however it's important that we follow the process described above to ensure that disclosures are handled consistently and to keep Gaia and its partner projects--including but not limited to the Cosmos Hub--as secure as possible.

### Disclosure Communications

Communications to Cosmos Hub Validators will include the following details:
1. Affected version(s)
1. New release version
1. Impact on user funds
1. For timed releases, a date and time that the new release will be made available
1. Impact on the hub if upgrades are not completed in a timely manner
1. Potential actions to take if an adverse condition arises during the security release process

An example notice looks like:
```
Dear Cosmos Hub Validators,
A critical security vulnerability has been identified in Gaia v4.0.x.
User funds are NOT at risk; however, the vulnerability can result in a chain halt.
This notice is to inform you that on [[**March 1 at 1pm EST/6pm UTC**]], we will be releasing Gaia v4.1.x, which patches the security issue.
We ask all validators to upgrade their nodes ASAP.
If the chain halts, validators with sufficient voting power need to upgrade and come online in order for the chain to resume.
```

### Example Timeline

The following is an example timeline for the triage and response. The required roles and team members are described in parentheses after each task; however, multiple people can play each role and each person may play multiple roles.
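Review bot: the example notice does not cover two of the six details the list above says every communication will include. "Impact on the hub if upgrades are not completed in a timely manner" is only implied by the final sentence, and there is no example of "potential actions to take if an adverse condition arises during the security release process"; suggest adding a sentence for each so the template matches the list. Also, since the notice asks validators to upgrade ASAP, the section should state the channel these communications are sent through and how validators verify that a notice (and the release it points to) is authentic, e.g. a signed announcement and the published sha256 hashes from the reproducible build.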