add cve #15
Conversation
To be added | ||
As soon as a CVE is identified, create a security advisory on `GitHub <https://github.com/ome/openmicroscopy/security/advisories>`_. | ||
The work to fix the CVE will be done using the private copy of `ome/openmicroscopy <https://github.com/ome/openmicroscopy/>`_ and the private copies of the Java components. | ||
The release process needs to eb adjusted in that case. |
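Review bot: the last added line, "The release process needs to eb adjusted in that case.", tells the reader that something changes for a vulnerability fix but not what; either state the difference here (fix developed in the private copy, release built from it, advisory published alongside the release) or replace the sentence with a pointer to the private-release steps further down the same file. In the line above it, "the private copies of the Java components" names neither the components nor where their private copies live; link them the way the surrounding text links omero.properties, and say whether "private copy" means a temporary private fork created from the advisory or a separately maintained private repository. Also fix the typo "eb" to "be".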
typo eb
I don't seem to have permissions, or just don't see how to create a security advisory at https://github.com/ome/openmicroscopy/security/advisories but that's probably OK
maybe just add "...as described below" to avoid confusion.
@@ -14,19 +14,26 @@ The release process uses GitHub actions, make sure that the actions are active b | |||
Register CVE | |||
^^^^^^^^^^^^ | |||
|
|||
To be added | |||
As soon as a CVE is identified, create a security advisory on `GitHub <https://github.com/ome/openmicroscopy/security/advisories>`_. |
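Review bot: the heading of this hunk is "Register CVE", but the replacement for "To be added" only says to create a security advisory; the step that actually obtains the identifier is still missing. Add a line saying that the CVE ID is requested from within the draft advisory (GitHub acts as a CNA for repositories hosted there) or from another CNA if that route is not available, and state that the advisory stays a draft until the fixed release is published, since the text as written leaves both the request and the publication timing to the reader.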
CVE commonly refers to a list of disclosed vulnerabilities, maybe "As soon as a vulnerability is identified"
Also are there some guidelines on the advisory? Should this be draft?
@@ -14,19 +14,26 @@ The release process uses GitHub actions, make sure that the actions are active b | |||
Register CVE | |||
^^^^^^^^^^^^ | |||
|
|||
To be added | |||
As soon as a CVE is identified, create a security advisory on `GitHub <https://github.com/ome/openmicroscopy/security/advisories>`_. | |||
The work to fix the CVE will be done using the private copy of `ome/openmicroscopy <https://github.com/ome/openmicroscopy/>`_ and the private copies of the Java components. |
What about OMERO.web vulnerabilities? Should these be captured by this document? Are the advisories expected to be drafted on https://github.com/ome/omero-web/security/advisories?
|
||
Release process | ||
^^^^^^^^^^^^^^^ | ||
|
||
Source code release | ||
------------------- | ||
|
||
To make a new release: | ||
To make a new public release: |
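Review bot: changing "To make a new release:" to "To make a new public release:" introduces a public/private distinction that this hunk never defines. Add one sentence before the list stating that a private release is the build that fixes an embargoed vulnerability from the private copy of the repository, and that a public release is made once the advisory and the fix can be published; without that, the reader cannot tell which of the two procedures applies to a given situation.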
What's the difference between a public and a private release? Why would you do one vs another?
- Merge all contributions on the ``develop`` branch. | ||
- Ensure that all the dependencies have been bumped via the `update <https://github.com/ome/openmicroscopy/blob/develop/.github/workflows/update.yaml>`_ GitHub action which is run hourly. The action will open a Pull Request that updates the `omero.properties <https://github.com/ome/openmicroscopy/blob/develop/etc/omero.properties>`_ file. Merge the Pull Request. You can also execute locally the script `update_dependencies.sh <https://github.com/ome/openmicroscopy/blob/develop/update_dependencies.sh>`_ manually if you wish. | ||
- Add an entry to `history.rst <https://github.com/ome/openmicroscopy/blob/develop/history.rst>`_. | ||
|
||
To make a private release: | ||
- Squash all the commits |
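Review bot: "- Squash all the commits" is the only step under "To make a private release:" and it does not say which commits (the fix commits in the private copy, presumably) or onto which branch they are squashed. The list also stops before anything is built or merged: say how the squashed fix is brought back into ``develop`` of the public repository after publication, whether the dependency bump and the history.rst entry from the public list still apply, and whether the history.rst entry should reference the advisory. Otherwise the public list has three steps and the private one has an instruction nobody can act on.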
Which commits?
Add how to register CVE