opensource/kubo
1
0
Fork 0
mirror of https://github.com/ipfs/kubo.git synced 2025-08-06 11:31:54 +08:00
Code Issues Projects Releases Wiki Activity

doc: document security fix policy

Browse Source 
1. All releases may contain unannounced security fixes.
2. By default, security fixes will not be backported.
This commit is contained in:
Steven Allen
2021-03-18 12:02:36 -07:00
parent 3c81d44510
commit c3b9a3f638
2 changed files with 10 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
docs/RELEASE_ISSUE_TEMPLATE.md
View File

@ -4,6 +4,8 @@
We're happy to announce go-ipfs X.Y.Z, bla bla...
As usual, this release includes important fixes, some of which may be critical for security. Unless the fix addresses a bug being exploited in the wild, the fix will _not_ be called out in the release notes. Please make sure to update ASAP. See our [release process](https://github.com/ipfs/go-ipfs/tree/master/docs/releases.md#security-fix-policy) for details.
## 🗺 What's left for release
<List of items with PRs and/or Issues to be considered for this release>

8
docs/releases.md
View File

@ -83,6 +83,14 @@ Patch releases will usually follow a compressed release cycle and should take 2-
Some patch releases, especially ones fixing one or more complex bugs, may undergo the full release process.
## Security Fix Policy
Any release may contain security fixes. Unless the fix addresses a bug being exploited in the wild, the fix will _not_ be called out in the release notes. Please make sure to update ASAP.
By policy, the team will usually wait until about 2 weeks after the final release to announce any fixed security issues. However, depending on the impact and ease of discovery of the issue, the team may wait more or less time. It is important to always update to the latest version ASAP and file issues if you're unable to update for some reason.
Finally, unless a security issue is actively being exploited or a significant number of users are unable to update to the latest version (e.g., due to a difficult migration, breaking changes, etc.), security fixes will _not_ be backported to previous releases.
## Performing a Release
The release is managed by the `Lead Maintainer` for `go-ipfs`. It starts with the opening of an issue containing the content available on the [RELEASE_ISSUE_TEMPLATE](./RELEASE_ISSUE_TEMPLATE.md) not more than **48 hours** after the previous release.