add cve #15
add cve #15
Conversation
| To be added | ||
| As soon as a CVE is identified, create a security advisory on `GitHub <https://github.com/ome/openmicroscopy/security/advisories>`_. | ||
| The work to fix the CVE will be done using the private copy of `ome/openmicroscopy <https://github.com/ome/openmicroscopy/>`_ and the private copies of the Java components. | ||
| The release process needs to eb adjusted in that case. |
There was a problem hiding this comment.
typo eb.
I don't seem to have permissions, or just don't see how to create a security advisory at https://github.com/ome/openmicroscopy/security/advisories but that's probably OK
There was a problem hiding this comment.
maybe just add "...as described below" to avoid confusion.
| @@ -14,19 +14,26 @@ The release process uses GitHub actions, make sure that the actions are active b | |||
| Register CVE | |||
| ^^^^^^^^^^^^ | |||
|
|
|||
| To be added | |||
| As soon as a CVE is identified, create a security advisory on `GitHub <https://github.com/ome/openmicroscopy/security/advisories>`_. | |||
There was a problem hiding this comment.
CVE commonly refers to a list of diclosed vulnerabilities, maybe "As soon as a vulnerability is identified"
Also are there some guidelines on the advisory? Should this be draft?
| @@ -14,19 +14,26 @@ The release process uses GitHub actions, make sure that the actions are active b | |||
| Register CVE | |||
| ^^^^^^^^^^^^ | |||
|
|
|||
| To be added | |||
| As soon as a CVE is identified, create a security advisory on `GitHub <https://github.com/ome/openmicroscopy/security/advisories>`_. | |||
| The work to fix the CVE will be done using the private copy of `ome/openmicroscopy <https://github.com/ome/openmicroscopy/>`_ and the private copies of the Java components. | |||
There was a problem hiding this comment.
What about OMERO.web vulnerabilities? Should these be captured by this document? Are the advisories expected to be drafted on https://github.com/ome/omero-web/security/advisories?
|
|
||
| Release process | ||
| ^^^^^^^^^^^^^^^ | ||
|
|
||
| Source code release | ||
| ------------------- | ||
|
|
||
| To make a new release: | ||
| To make a new public release: |
There was a problem hiding this comment.
What's the difference between a public and a private release? Why would you do one vs another?
| - Merge all contributions on the ``develop`` branch. | ||
| - Ensure that all the dependencies have been bumped via the `update <https://github.com/ome/openmicroscopy/blob/develop/.github/workflows/update.yaml>`_ GitHub action which is run hourly. The action will open a Pull Request that updates the `omero.properties <https://github.com/ome/openmicroscopy/blob/develop/etc/omero.properties>`_ file. Merge the Pull Request. You can also execute locally the script `update_dependencies.sh <https://github.com/ome/openmicroscopy/blob/develop/update_dependencies.sh>`_ manually if you wish. | ||
| - Add an entry to `history.rst <https://github.com/ome/openmicroscopy/blob/develop/history.rst>`_. | ||
|
|
||
| To make a private release: | ||
| - Squash all the commits |
Add how to register CVE