[Koha-devel] Workflow improvement suggestions for security releases

Thu Oct 7 13:15:43 CEST 2021

>
> 1. LTS
> I think it's time to have a Long Term Support release. We noticed that
> some people are still using very old versions, having a version that
> is maintained several years could help them.
> We could backport critical security bugs only. 4 (5?) years would be great.
>

This has been proposed in the past. The general consensus at the time was
that we as a community want to encourage libraries to stay on the latest
versions of Koha and not to hang back on older versions.
I'm not necessarily opposed,  but such a role will require quite a
commitment.

> 2. Communication
> Once the issues have been reported and fixed, I've alerted the first
> cycle of people around me. Their job was to alert a second cycle.
> Should we have a list of people we trust? Ask the (general) mailing
> list who wants to be in the loop? That means adding them to the
> security group on bugzilla (or at least adding them when the bug has a
> fix) and CC them when private discussions take place.
>

Sounds good!

> 3. Synchronisation
> Release maintainers are spread around the world (and timezones suck).
> Getting feedback can take time, several days (like: "try", "don't
> work", "try again", it's 3 days!).
> Then when you plan to release on Wednesday, and things are only ready
> on Thursday you need to wait until Monday as part of the world is
> still enjoying the weekend!
> I don't have a solution for that, apart from the Monday postpone or...
> more anticipation.
> Same problem for the time of the release, I've picked 12 UTC as the
> "most convenient" slot for a release, but it won't (ofc) fit
> everybody's needs. My point was that if we communicated enough
> beforehand (but not publicly) it should not be a problem.
> Let me know if you have ideas to improve that!
>

We can already schedule our news posts in advance. Perhaps rmaints should
have a non-public area on the ftp server where we could put our tarballs
and such, and a cronjob that would automatically move them to the public
folder and update the symlinks at 12 UTC every day ( if there are files to
move ). I'm not sure how to synchronize the community apt server into this,
but I imagine it could be done. If we get into the habit of scheduling
everything for release at 12 UTC, security release or not, we can probably
get pretty good at it, ironing out the kinks before we have another
security release to deal with.

> 4. Infrastructure improvement
> We don't have CI/Jenkins for the security repository. We need one!
> That must be a top priority of the next cycle. We need to help RMaints
> and make the security release process easier and less stressful.
>

Agreed!

> 5. Apply patches
> We need a script to apply the patches on the different branches,
> automatically. That's an easy bit to develop and it will help us a
> lot.
>

I'm not sure what you mean? Do you mean something that would apply a bug's
patch set to say master, stable and oldstable and report on the bug if it
doesn't apply to one? Or script in qa-test-tools to do that? Something else
entirely?

> 6. More visibility on the status of the patches
> RM and RMaints must put their progress on the bug report itself. A
> comment "Will be pushed, RM had a look at this" or "Backported for..."
> should be added.
> That must be added to the "Release process" wiki page.
>

Sounds good!

Kyle
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.koha-community.org/pipermail/koha-devel/attachments/20211007/57bef723/attachment.htm>