[Koha-devel] Workflow improvement suggestions for security releases

Jonathan Druart jonathan.druart at bugs.koha-community.org
Wed Oct 6 17:28:39 CEST 2021


Hello devs,

As you must know, we had two hard months; several very bad bugs hit us.

The release team had to coordinate and it was not an easy task.
We noticed some flaws in the workflow and I would like to suggest some
improvements to discuss.
The main problematic issue is backporting patch series to different
stable branches.

1. LTS
I think it's time to have a Long Term Support release. We noticed that
some people are still using very old versions; having a version that
is maintained for several years could help them.
We could backport critical security bugs only. 4 (5?) years would be great.

2. Communication
Once the issues have been reported and fixed, I've alerted the first
cycle of people around me. Their job was to alert a second cycle.
Should we have a list of people we trust? Ask the (general) mailing
list who wants to be in the loop? That means adding them to the
security group on bugzilla (or at least adding them when the bug has a
fix) and CC them when private discussions take place.

3. Synchronisation
Release maintainers are spread around the world (and timezones suck).
Getting feedback can take time, several days (like: "try", "doesn't
work", "try again", that's 3 days!).
Then, when you plan to release on Wednesday and things are only ready
on Thursday, you need to wait until Monday, as part of the world is
still enjoying the weekend!
I don't have a solution for that, apart from the Monday postpone or...
more anticipation.
Same problem for the time of the release: I've picked 12 UTC as the
"most convenient" slot for a release, but it won't (ofc) fit
everybody's needs. My point was that if we communicated enough
beforehand (but not publicly), it should not be a problem.
Let me know if you have ideas to improve that!

4. Infrastructure improvement
We don't have CI/Jenkins for the security repository. We need one!
That must be a top priority of the next cycle. We need to help RMaints
and make the security release process easier and less stressful.

5. Apply patches
We need a script to apply the patches to the different branches
automatically. That's an easy bit to develop and it will help us a
lot.

6. More visibility on the status of the patches
RM and RMaints must put their progress on the bug report itself. A
comment "Will be pushed, RM had a look at this" or "Backported for..."
should be added.
That must be added to the "Release process" wiki page.

Let us know if you have any questions or remarks.

Cheers,
Jonathan
