From 8d58af86d05d6fef1fb430e1c2b0c892b09a695f Mon Sep 17 00:00:00 2001 From: Shahan Khatchadourian Date: Tue, 23 Mar 2021 11:58:57 -0400 Subject: [PATCH 1/2] Add some process around timed releases --- RELEASING.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/RELEASING.md b/RELEASING.md index 26f697279b..397bf9922b 100644 --- a/RELEASING.md +++ b/RELEASING.md @@ -48,6 +48,7 @@ Ensure that the same replace line is also used in Gaia's `go.mod` file. ### Tagging +The following steps are the default for tagging a specific branch commit (usually on a branch labeled `release/vX.X.X`): 1. Ensure you have checked out the commit you wish to tag 1. `git pull --tags --dry-run` 1. `git pull --tags` @@ -56,11 +57,16 @@ Ensure that the same replace line is also used in Gaia's `go.mod` file. 1. `git push --tags --dry-run` 1. `git push --tags` -If a tag needs to be re-created, do the following: +To re-create a tag: 1. `git tag -d v4.0.0` to delete a tag locally 1. `git push --delete origin v4.0.0`, to push the deletion to the remote 1. Proceed with the above steps to create a tag +To tag and build without a public release (e.g., as part of a timed security release): +1. Follow the steps above for tagging locally, but do not push the tags to the repository. +1. After adding the tag locally, you can build the binary, e.g., `make build-reproducible`. +1. To finalize the release, push the local tags, create a release based off the newly pushed tag, and attach the binary. + ### Release notes Ensure you run the reproducible build in order to generate sha256 hashes and platform binaries; From d2666317db25fa6e1f65456aa4caf34c67f1c03c Mon Sep 17 00:00:00 2001 From: Shahan Khatchadourian Date: Tue, 23 Mar 2021 12:47:26 -0400 Subject: [PATCH 2/2] Add comms info --- SECURITY.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index 17b98ea50a..d77cb81cfd 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -45,6 +45,29 @@ Gaia uses the following disclosure process: This process can take some time. Every effort will be made to handle the bug in as timely a manner as possible, however it's important that we follow the process described above to ensure that disclosures are handled consistently and to keep Gaia and its partner projects--including but not limited to the Cosmos Hub--as secure as possible. +### Disclosure Communications + +Communications to Cosmos Hub Validators will include the following details: +1. Affected version(s) +1. New release version +1. Impact on user funds +1. For timed releases, a date and time that the new release will be made available +1. Impact on the hub if upgrades are not completed in a timely manner +1. Potential actions to take if an adverse condition arises during the security release process + +An example notice looks like: +``` +Dear Cosmos Hub Validators, + +A critical security vulnerability has been identified in Gaia v4.0.x. +User funds are NOT at risk; however, the vulnerability can result in a chain halt. + +This notice is to inform you that on [[**March 1 at 1pm EST/6pm UTC**]], we will be releasing Gaia v4.1.x, which patches the security issue. +We ask all validators to upgrade their nodes ASAP. + +If the chain halts, validators with sufficient voting power need to upgrade and come online in order for the chain to resume. +``` + ### Example Timeline The following is an example timeline for the triage and response. The required roles and team members are described in parentheses after each task; however, multiple people can play each role and each person may play multiple roles.
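Review bot: in the RELEASING.md hunk `@@ -48,6 +48,7 @@`, the new lead-in sentence (`The following steps are the default for tagging a specific branch commit ...`) promises a procedure for a specific commit, but step 1 (`Ensure you have checked out the commit you wish to tag`) gives no way to confirm that the checked-out commit is the intended one before `git pull --tags` and the tag itself are run. Suggest adding an explicit check, e.g. `git rev-parse HEAD` compared against the merge commit of the release PR, before step 1, since the timed-release flow added later in this patch builds the shipped binary from whatever this local tag points at.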
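Review bot: in the RELEASING.md hunk `@@ -56,11 +57,16 @@`, the new timed-release step `Follow the steps above for tagging locally, but do not push the tags to the repository` relies on the reader knowing where to stop, yet the default list it points to still ends with `git push --tags --dry-run` / `git push --tags`, and `git push --tags` pushes every local tag. An embargoed security tag sitting in a maintainer's clone would therefore be published the next time any other release is pushed with that command. Suggest naming the exact step to stop at, and pushing a single tag by name (`git push origin vX.X.X`) in both the default flow and in step 3 (`push the local tags, create a release based off the newly pushed tag ...`) so only the intended tag leaves the machine.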
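Review bot: the new `### Disclosure Communications` list in SECURITY.md (hunk `@@ -45,6 +45,29 @@`) states what a validator notice contains but not which channel carries it or how validators can verify it is genuine; an unsigned "upgrade ASAP" message is exactly what an impersonation attempt would copy, so add an item for the official channel and the signature or key that authenticates the notice, and have the example notice mention it. Minor: the example's `[[**March 1 at 1pm EST/6pm UTC**]]` is clearly a template slot, but the sentence `An example notice looks like:` does not say so; note that the bracketed bold text is a placeholder to be replaced, so the markers are not copied verbatim into a real notice.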