This document is an extracted version of LMS/Studio Security Fix Process. Please consult that documentation for details and explanations; this document only provides a step-by-step procedure and does not discuss technical details.
- Ensure that the edx-platform-private:security-release branch is up-to-date.
  - If the branch is out-of-date and not tracking edx-platform:master closely (as will likely be the case):
    - In GoCD, trigger the edxapp_private_public_merge_sync pipeline manually and ensure it completes successfully.
- Clone the edx-platform-private repo locally (pull the latest changes if you have already cloned it).
  - git clone git@github.com:edx/edx-platform-private.git
- Create a branch off edx-platform-private:security-release (repo:branch):
  - git checkout -t origin/security-release
  - git checkout -b <branch_name>
- Add the security fix commits to your branch.
- Push the branch:
  - git push --set-upstream origin <branch_name>
- Create a pull request using edx-platform-private:security-release as its base branch, with the following template in the PR description:

    This is a security fix. Please read important process notices below.

    **NOTE:** Once the PR is marked as approved it will be deployed to production. DO NOT approve until you are ready for the patch to go!

    **NOTE:** Do NOT merge the PR after approval! Although there can be multiple reviewers, only one developer should approve the PR using the "Review changes" → "Approve" → "Submit review" flow but should not merge it!

    Private Deployment:
    - [x] Squash changes.
    - [x] Approved and deployed to Production.

    After Private Deployment:
    - [ ] Send notification with patches.
    - [ ] Wait 48 hours.

    Once Deployment can be made Public:
    - [ ] Merge PR - A PR will automatically be created on public repo.
- Request a review of your PR from one developer, but do not merge it!!
  - The developer should approve the PR using the "Review changes" → "Approve" → "Submit review" flow.
  - NOTE: Once the PR is marked as approved it will be deployed to production. DO NOT approve until you are ready for the patch to go!
- Code deployment.
  - Deployed to Staging
    - The next edxapp release pipeline run that deploys to the stage environment will include the approved private PR commits.
    - Please verify your changes on stage.
    - If you are unsure whether Stage currently has your changes, visit this page for more information >> /wiki/spaces/RELEASES/pages/182780356
  - Deployed to Production
    - When the stage release candidate is advanced to production, the production release will include the approved private PR commits.
    - Please verify your changes in production.
    - If you are unsure whether Prod currently has your changes, visit this page for more information >> /wiki/spaces/RELEASES/pages/182780356
- Send an email notification with the patches; for more details see LMS/Studio Security Fix Process.
- Wait for 48 hours after the email notification.
- Make the private fix public.
  - Merge the private PR into its base branch, edx-platform-private:security-release. NOTE: Do NOT rebase the PR or the PR's branch!
  - The bot creates a pull request against master in edx-platform.
  - The tests will run against that PR.
  - The automation will merge the pull request automatically after the tests pass.
- Send out general notifications as documented in Security Disclosure Reporting and Resolution.
- After the fix has been made public, the patch has to be applied to the latest upcoming Open edX release.
  - At the time of writing this document, that next release is Ironwood. Contact Ned Batchelder if you are not sure about the current release.
  - The Open edX release branch is present in edx-platform, with the format release.master, e.g. ironwood.master.
  - Create a branch off that Open edX branch and apply the patch.
  - Push your branch and create a PR against the release.master branch. Wait for the tests to pass.
  - If there are any failures, you will have to fix them.
  - Get your PR reviewed by Ned.
  - Merge the PR after getting the approval.
Feel free to ask any questions you come across, and to help make these steps even simpler.
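The first step above asks you to confirm that edx-platform-private:security-release is tracking edx-platform:master closely before you branch off it. As an added example (not part of the original process page or of the edx tooling), the POSIX shell check below reports the drift between the two refs in a local clone; it assumes both refs have been fetched into that clone, and the remote name `public` for edx-platform is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original process page. Reports how far the
# private security-release branch has drifted from the public master, which
# is what the first step of the process asks you to verify before branching.
# Assumes a local clone in which both refs have been fetched; the remote name
# "public" for edx-platform is hypothetical, use whatever your clone calls it.
#
# Usage: sync_status <repo_dir> [<base_ref>] [<security_ref>]
# Prints a one-line summary. Returns 0 only when the security branch already
# contains every commit on the base branch (nothing to sync), 1 when it is
# behind (trigger edxapp_private_public_merge_sync first), 2 if git could not
# resolve one of the refs.
sync_status() {
    repo="$1"
    base="${2:-public/master}"
    sec="${3:-origin/security-release}"
    # Commits reachable from base but not from the security branch: the
    # backlog the merge-sync pipeline would bring over.
    behind=$(git -C "$repo" rev-list --count "$sec..$base" 2>/dev/null) || return 2
    # Commits only on the security branch: fixes not yet made public.
    # A non-zero value here is normal; it is "behind" that must be zero.
    ahead=$(git -C "$repo" rev-list --count "$base..$sec" 2>/dev/null) || return 2
    printf '%s: %s commit(s) behind %s, %s ahead\n' "$sec" "$behind" "$base" "$ahead"
    [ "$behind" -eq 0 ]
}
```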