Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

doc: include security release proposal tutorial #43695

Closed

Conversation

RafaelGSS
Copy link
Member

While creating the next proposal. I missed a document containing a tutorial and as mentioned in the nodejs/Release#758 meeting, looks reasonable to have a section covering that.

@nodejs-github-bot
Copy link
Collaborator

Review requested:

  • @nodejs/tsc

@nodejs-github-bot nodejs-github-bot added the doc Issues and PRs related to the documentations. label Jul 5, 2022
@mhdawson
Copy link
Member

mhdawson commented Jul 5, 2022

I think a reference in the section that says * [ ] The releaser(s) run the release process to completion. to the new section would make sense.

doc/contributing/security-release-process.md Outdated Show resolved Hide resolved
doc/contributing/security-release-process.md Outdated Show resolved Hide resolved
doc/contributing/security-release-process.md Outdated Show resolved Hide resolved
doc/contributing/security-release-process.md Outdated Show resolved Hide resolved
doc/contributing/security-release-process.md Outdated Show resolved Hide resolved
doc/contributing/security-release-process.md Outdated Show resolved Hide resolved
doc/contributing/security-release-process.md Outdated Show resolved Hide resolved
@@ -190,6 +190,131 @@ out a better way, forward the email you receive to
[Security release stewards](https://github.com/nodejs/node/blob/HEAD/doc/contributing/security-release-process.md#security-release-stewards).
If necessary add the next rotation of the steward rotation.

***

## Creating proposal
Copy link
Member

@BethGriggs BethGriggs Jul 6, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm still thinking this content should be in releases.md, with a reference in this file to follow the security release steps. I think maintaining the actual mechanics of release creation in two separate files will be make it more likely for them to become out-of-sync.

We also already have some of the security-specific information in releases.md (such as in https://github.com/nodejs/node/blob/main/doc/contributing/releases.md#5-create-release-commit), so at the moment this would duplicate it.

The actual steps look good though and useful to add though - thanks for writing them down!

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@BethGriggs I was kind of thinking the same thing but was happy to defer to what the release team thinks is best. I think having this closer to the other doc for creating releases makes sense to me, and then having a link in this doc to point to that section.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually, this document points to the releases.md as a reference too. I've felt a very bad experience when the document tells you to go to another document and then back to the original one. For instance, this document contains:


2. Create a new branch for the release

Then as usual, create the proposal branch:

$ git checkout -b vXX.X.X-proposal

Which could be easily changed to

2. Create a new branch for the release

See: https://github.com/nodejs/node/blob/main/doc/contributing/releases.md#2-create-a-new-branch-for-the-release


However, IMHO it makes the experience very bad and subjective to mistakes, for instance, I'll follow the releases.md in a security release, which might eventually leak sensitive information.

The major problem I see in having two documents is to keep them synced. But, I don't see the releases.md changing too much making the sync hard.

@RafaelGSS RafaelGSS force-pushed the doc/include-security-release-steps branch from 755a035 to d979d54 Compare July 11, 2022 13:56
Copy link
Member

@BethGriggs BethGriggs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I feel pretty strongly that this should be in releases.md and not in security-release-process.md. We already have steps in releases.md which cover security specifics, and I think we just need to highlight the ones that are missing (which you've covered in this PR).

Another reason I think this shouldn't be in security-release-process.md is because at the moment that document contains just the instructions for the security steward - the security steward doesn't need to care about the mechanics of the release process.

@BethGriggs
Copy link
Member

ping @nodejs/releasers

@RafaelGSS
Copy link
Member Author

I feel pretty strongly that this should be in releases.md and not in security-release-process.md. We already have steps in releases.md which cover security specifics, and I think we just need to highlight the ones that are missing (which you've covered in this PR).

Another reason I think this shouldn't be in security-release-process.md is because at the moment that document contains just the instructions for the security steward - the security steward doesn't need to care about the mechanics of the release process.

Let me give a shot moving the content to the releases.md

@RafaelGSS
Copy link
Member Author

Closed in favor of #43835

@RafaelGSS RafaelGSS closed this Jul 14, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
doc Issues and PRs related to the documentations.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants