Automate security release process #860
Comments
@RafaelGSS There's already a
In the context of that tool and this initiative, it may be worth exploring extending it to encourage a standard structure/template for the security release 'Notable changes' entries too. Example:
At times we have just referenced the post-release blog post, but it's probably useful to always include details of the CVEs in the changelogs. I am guessing it will not be easy to automate the population of all of the CVE details (as I don't think they are available in a structured format at the point of preparing the release*). But, I still think it'd be useful to have a default template/structure placeholder agreed so our security release changelogs can start to detail the vulnerabilities in a consistent format. Structure to be discussed/agreed, but even something like:
*At a minimum, we should be able to determine and populate the unique CVE IDs from the
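The comment above asks for a consistent 'Notable changes' structure and notes that at least the unique CVE IDs can be collected automatically. The following is an added example, not code from node-core-utils or the Node.js release tooling: it pulls the CVE IDs out of a set of commit messages (the messages are constructed for the example), de-duplicates them, flags IDs with an implausible year, and renders a placeholder entry per CVE with explicit TODO markers for the details that are not available in structured form at release-preparation time. The function names and the entry layout are assumptions, not an agreed template.

```javascript
'use strict';

// Added example (not node-core-utils code): collect the unique CVE IDs that
// the security-fix commits reference and render a placeholder "Notable
// changes" entry for each, so the changelog always lists the CVEs even
// before the full advisory details exist in structured form.

// CVE IDs are "CVE-<4-digit year>-<4 or more digits>" (MITRE syntax).
const CVE_RE = /\bCVE-(\d{4})-(\d{4,})\b/gi;

// Constructed sample commit messages, not real Node.js commits.
const SAMPLE_COMMITS = [
  'http: reject malformed chunk extensions\n\nRefs: CVE-2024-0001',
  'src: tighten permission model path checks\n\nFixes CVE-2024-0002 and cve-2024-0001',
  'deps: update undici to 1.2.3\n\nRoutine bump, no CVE referenced',
];

// Return the sorted, de-duplicated, upper-cased CVE IDs found in the messages.
// IDs whose year is outside a plausible range are reported separately so a
// typo such as CVE-2204-0001 does not slip into the changelog unnoticed.
function collectCveIds(messages, currentYear = new Date().getFullYear()) {
  const ids = new Set();
  const suspicious = new Set();
  for (const msg of messages) {
    for (const m of msg.matchAll(CVE_RE)) {
      const id = m[0].toUpperCase();
      const year = Number(m[1]);
      if (year < 1999 || year > currentYear + 1) suspicious.add(id);
      else ids.add(id);
    }
  }
  return { ids: [...ids].sort(), suspicious: [...suspicious].sort() };
}

// Render one placeholder entry per CVE. Severity, summary and advisory link
// are left as explicit TODO markers for the release steward to fill in.
function renderNotableChanges(cveIds) {
  if (cveIds.length === 0) return 'Notable changes\n\n(no CVE IDs found)\n';
  const entries = cveIds.map(
    (id) => `* ${id}: TODO(severity) - TODO(one-line summary) (TODO: link to advisory)`,
  );
  return ['Notable changes', '', 'This is a security release.', '', ...entries, ''].join('\n');
}

const { ids, suspicious } = collectCveIds(SAMPLE_COMMITS, 2024);
if (suspicious.length > 0) console.error('check these IDs by hand:', suspicious.join(', '));
console.log(renderNotableChanges(ids));
```

Running this against the constructed commits prints two entries, CVE-2024-0001 and CVE-2024-0002, with the lower-case duplicate folded in; a steward would then replace the TODO markers once the advisory text is final.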
The most error-prone step is generating CVEs with all the correct metadata associated. I think we should change how we do it and avoid filling in the details twice. Ideally, we should have a process that allows those to be reviewed in a PR, and not with a one-man step.
@mcollina I wonder if there is an API for H1. If so, maybe that could be used to automate it based on a PR.
I couldn't find it. Can we ask them to add one for us? The need to automate this step might get us back to issuing our CVEs instead of relying on H1 to do it for us.
This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made.
Update: nodejs/node-core-utils#665
The last security release was created using the nodejs/node-core-utils#665 automation. It's missing two features:
Since the OSSF funding was approved for this work, I'll summarize the work in progress and the remaining steps for this action, so whoever takes this task will be able to help me in this journey. First of all, there are 3 fronts in this work:

1. Security Release Stewards automation
2. Security Release proposal automation
3. Automating release promotion

All those can be delivered in parallel; however, I recommend working on the last step (3. Automating release promotion) at the end.

Security Release Stewards automation

This is a work in progress and the first pull request created was:

Generally speaking, there are 4 major steps for a security release steward:

Further details are in https://github.com/nodejs/node/blob/main/doc/contributing/security-release-process.md. The pull request mentioned addresses only the first step. We still need to work on the next ones.

Security Release proposal automation

This is a work in progress and the first pull request created was:

The pull request merged has some limitations that need to be worked on:

More information can be found in the PR itself.

Automating release promotion

Currently, we follow steps 10 through 15 and all the releases are signed on the releaser's local machine. We're investigating other approaches like Sigstore and SLSA, so it might be worth looking at the following issues:

That said, this work is about promoting and signing releases remotely on a Node.js-specific machine, reducing the work for the releasers and endorsing security practices, since all the next releases will be signed by a unique trusted machine. This work will need to align with the @nodejs/releasers and @nodejs/build teams.
PR-URL: #53877 Refs: nodejs/security-wg#860 Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
This issue has been inactive for 90 days. It will be closed in 14 days unless there is further activity or the stale label is taken off.
* feat: add --yes option to git node release This will enable us to automate release proposal creation: nodejs/security-wg#860 Co-authored-by: Antoine du Hamel <duhamelantoine1995@gmail.com>
PR-URL: #55690 Refs: nodejs/security-wg#860 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
This issue has been inactive for 90 days. It will be closed in 14 days unless there is further activity or the stale label is taken off.
This is one of the initiatives we agreed on for 2023. We all know how hard and time-consuming it is to perform a security release. However, some of the 42 steps can be easily handled by automation. This initiative aims to improve this process using the well-known CLI (`git node`).

I'm tempted to have a `git node release --security` that starts all the processes described in https://github.com/nodejs/node/blob/main/doc/contributing/security-release-process.md#planning.

cc: @nodejs/security-wg @nodejs/releasers