Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

This document is an extracted version of LMS/Studio Security Fix Process. Please consult this documentation for details and explanations, This document will only provide steps by step procedure and doesn't discuss technical details. 


  1. Ensure that the edx-platform-private:security-release branch is up-to-date.
    1. If the branch is out-of-date and not tracking edx-platform:master closely (as will likely be the case):
      1. In GoCD, trigger the edxapp_private_public_merge_sync pipeline manually and ensure it completes successfully.
  2. Clone edx-platform-private repo locally (Pull the latest changes if you have cloned the repo already).
    1. git clone git@github.com:edx/edx-platform-private.git
  3. Create a branch off edx-platform-private:security-release (repo:branch)
    1. git checkout -t origin/security-release
    2. git checkout -b <branch_name>
  4. Add the security fix commits to your branch.
  5. Push the branch.
    1. git push --set-upstream origin <branch_name>
  6. Create a pull request using edx-platform-private:security-release as its base branch with the following template in the PR description. 
    This is a security fix.  Please read important process notices below.

**NOTE:** Once the PR is marked as approved it will be deployed to production.  DO NOT approve until you are ready for the patch to go!
**NOTE:** Do NOT merge the PR after approval!

Although there can be multiple reviewers, only one developer should approve the PR using the "Review changes"→ "Approve" → "Submit review" flow but should not merge it!

Private Deployment:
- [x] Squash changes.
- [x] Approved and deployed to Production.

After Private Deployment:
- [ ] Send notification with patches.
- [ ] Wait 48 hours.

Once Deployment can be made Public:
- [ ] Merge PR
- A PR will automatically be created on public repo.
  7. Request reviews of your PR from one developer but do not merge it!!
    1. The developer should approve the PR using the "Review changes"→ "Approve" → "Submit review" flow
    2. NOTE: Once the PR is marked as approved it will be deployed to production.  DO NOT approve until you are ready for the patch to go!
  8. Code Deployment.
    1. Deployed to Staging
      1. The next edxapp release pipeline deploys to the stage environment will include the approved private PR commits.
      2. Please verify your changes on stage. 
      3. If you are unsure if Stage currently has your changes (), visit this page for more information >> /wiki/spaces/RELEASES/pages/182780356
    2. Deployed to Production
      1. When the stage release candidate is advanced to production, the production release will include the approved private PR commits.
      2. Please verify your changes in production.
      3. If you are unsure if Prod currently has your changes, visit this page for more information >> /wiki/spaces/RELEASES/pages/182780356
  9. Send email notification with patches, for more details LMS/Studio Security Fix Process
  10. Wait for 48 hours after the email notification 
  11. Make the private fix public
    1. Merge the private PR into its base branch, edx-platform-private:security-release.  NOTE: Do NOT rebase the PR - or the PR's branch!
      1. The bot creates a pull request against master in edx-platform.
      2. The tests will run against your PR
      3. The automation will merge the pull request automatically after the tests pass.
  12. Send out general notifications as documented in Security Disclosure Reporting and Resolution.


Feel free to ask any question if you come across and make these steps even simpler.  


  • No labels