opendev/gerrit
Code Issues Proposed changes
Files
0f15c891953eae7273f22ca0b722e0c309515ca3
gerrit/Documentation/dev-processes.txt
Edwin Kempin 2fef5a62ec Document process for handling security vulnerabilities 
Dealing with security vulnerabilities is important and has high priority
for us. The process to deal with security vulnerabilities should be
clearly documented to avoid mistakes during handling security
vulnerabilities.

Bug: Issue 11619
Signed-off-by: Edwin Kempin <ekempin@google.com>
Change-Id: Id9b53469f87d78cf6e6cd97c1f050d9e7fe093ae
2019-10-04 10:01:44 +02:00

356 lines
17 KiB
Plaintext
Raw Blame History

= Gerrit Code Review - Development Processes
[[project-governance]]
[[steering-committee]]
== Project Governance / Engineering Steering Committee
The Gerrit project has an engineering steering committee (ESC) that is
in charge of:
* Gerrit core (the `gerrit` project) and the core plugins
* defining the project vision and the project scope
* maintaining a roadmap, a release plan and a prioritized backlog
* ensuring timely design reviews
* ensuring that new features are compatible with the project vision and
are well aligned with other features (give feedback on new
link:dev-design-docs.html[design docs] within 14 calendar days)
* approving/rejecting link:dev-design-docs.html[designs], vetoing new
features
* assigning link:dev-roles.html#mentor[mentors] for approved features
* accepting new plugins as core plugins
* making changes to the project governance process and the
link:dev-contributing.html#contribution-processes[contribution
processes]
The steering committee has 5 members:
* 3 Googlers that are appointed by Google
* 2 non-Google maintainers, elected by non-Google maintainers for the
period of 1 year (see link:#steering-committee-election[below])
Refer to the project homepage for the link:https://www.gerritcodereview.com/members.html#engineering-steering-committee[
list of current committee members].
The steering committee should act in the interest of the Gerrit project
and the whole Gerrit community.
For decisions, consensus between steering committee members and all
other maintainers is desired. If consensus cannot be reached, decisions
can also be made by simple majority in the steering committee (should
be applied only in exceptional situations).
The steering committee is empowered to overrule positive/negative votes
from individual maintainers, but should do so only in exceptional
situations after attempts to reach consensus have failed.
As an integral part of the Gerrit community, the steering committee is
committed to transparency and to answering incoming requests in a
timely manner.
[[steering-committee-election]]
=== Election of non-Google steering committee members
The election of the non-Google steering committee members happens once
a year in May. Non-Google link:dev-roles.html#maintainer[maintainers]
can nominate themselves by posting an informal application on the
non-public maintainers mailing list by end of April (deadline for 2019
is Mon 13th of May). By applying to be steering committee member, the
candidate confirms to be able to dedicate the time that is needed to
fulfill this role (also see
link:dev-roles.html#steering-committee-member[steering committee
member]).
Each non-Google maintainer can vote for 2 candidates. The voting
happens by posting on the maintainer mailing list. The voting period is
14 calendar days from the nomination deadline (except for 2019, where
the initial steering committee should be confirmed during the Munich
hackathon, the voting period goes from 14th May to 16th May).
Google maintainers do not take part in this vote, because Google
already has dedicated seats in the steering committee (see section
link:steering-committee[steering committee]).
[[contribution-process]]
== Contribution Process
See link:dev-contributing.html[here].
[[design-doc-review]]
== Design Doc Review
See link:dev-design-docs.html#review[here].
[[versioning]]
== Semantic versioning
Gerrit follows a light link:https://semver.org/[semantic versioning scheme] MAJOR.MINOR[.PATCH[.HOTFIX]]
format:
* MAJOR is incremented when there are substantial incompatible changes and/or
new features in Gerrit.
* MINOR is incremented when there are changes that are typically backward compatible
with the earlier minor version. Features can be removed following the
link:#deprecating-features[feature deprecation process]. Dependencies can be upgraded
according to the link:dev-processes.html#upgrading-libraries[libraries upgrade policy].
* PATCH is incremented when there are backward-compatible bug fixes in Gerrit or its
dependencies. When PATCH is zero, it can be omitted.
* HOTFIX is present only when immediately after a patch release, some urgent
fixes in the code or the packaging format are required but do not justify a
new patch release.
For every MAJOR.MINOR release there is an associated stable branch that follows well defined
link:#dev-in-stable-branches[rules of development].
Within a stable branch, there are multiple MAJOR.MINOR.PATCH tags created associated to the
bug-fix releases of that stable release.
Examples:
* Gerrit v3.0.0 contains breaking incompatible changes in the functionality because
the ReviewDb storage has been totally removed.
* Gerrit v2.15 contains brand-new features like NoteDb, however, still supports the existing
ReviewDb storage for changes and thus is considered a minor release.
* Gerrit v2.14.20 is the 20th patch-release of the stable Gerrit v2.14.* and thus does not contain
new features but only bug-fixes.
[[dev-in-stable-branches]]
== Development in stable branches
As their name suggests stable branches are intended to be stable. This means that generally
only bug-fixes should be done on stable branches, however this is not strictly enforced and
exceptions may apply:
* When a stable branch is initially created to prepare a new release the Gerrit community
discusses on the mailing list if there are pending features which should still make it into the
release. Those features are blocking the release and should be implemented on the stable
branch before the first release candidate is created.
* To stabilize the code before doing a major release several release candidates are created. Once
the first release candidate was done no more features should be accepted on the stable branch.
If more features are found to be required they should be discussed with the steering committee
and should only be allowed if the risk of breaking things is considered to be low.
* Once a major release is done only bug-fixes and documentation updates should be done on the
stable branch. These updates will be included in the next minor release.
* For minor releases new features could be acceptable if the following conditions are met:
** they are result of a new feature introduced through a merge of an earlier stable branch
** they are justified for completing, extending or fixing an existing feature
** does not involve API, user-interface changes or data migrations
** is backward compatible with all existing features
** the parts of the code in common with existing features are properly covered by end-to-end tests
** is important to the Gerrit community and no Gerrit maintainers have raised objections.
* In cases of doubt or conflicting opinions on new features, it's the responsibility of the
steering committee to evaluate the risk of new features and make a decision based on these
rules and opinions from the Gerrit community.
* The older a stable branch is the more stable it should be. This means old stable branches
should only receive bug-fixes that are either important or low risk. Security fixes, including
security updates for third party dependencies, are always considered as important and hence can
always be done on stable branches.
Examples:
* Gerrit v3.0.0-rc1 and v3.0.0-rc2 may contain new features and API changes without notice,
even if they are both cut on the same stable-3.0 branch.
* Gerrit v2.14.8 introduced the support for ElasticSearch as a new feature. This was an exception
agreed amongst the Gerrit maintainers, did not touch the Lucene indexing code-base, was supported
by container-based E2E tests and represents a completion of an high-level feature.
[[backporting]]
== Backporting to stable branches
From time to time bug fix releases are made for existing stable branches.
Developers concerned with stable branches are encouraged to backport or push fixes to these
branches, even if no new release is planned. Backporting features is only possible in compliance
with the rules link:#dev-in-stable-branches[above].
Fixes that are known to be needed for a particular release should be pushed for review on that
release's stable branch. They will then be included into the master branch when the stable branch
is merged back.
[[security-issues]]
== Dealing with Security Issues
If a security vulnerability in Gerrit is discovered, we place an link:#embargo[
embargo] on it until a fixed release or mitigation is available. Fixing the
issue is usually pursued with high priority (depends on the severity of the
security vulnerability). The embargo is lifted and the vulnerability is
disclosed to the community as soon as a fix release or another mitigation is
available.
[[report-security-issue]]
=== How to report a security vulnerability?
To report a security vulnerability file a
link:https://bugs.chromium.org/p/gerrit/issues/entry?template=Security+Issue[
security issue] in the Gerrit issue tracker. The visibility of issues that are
created with the `Security Issue` template is automatically restricted to
Gerrit maintainers and a few long-term contributors. This means as a reporter
you may not be able to see the issue once it is created. Security issues are
created on the `ESC` component so that they will be discussed at the next
meeting of the link:#steering-committee[Engineering Steering Committee] which
takes place biweekly.
If an existing issue is found to be a security vulnerability it should be
turned into a security issue by:
. Setting the component to `ESC`
. Adding the labels `Security` and `NonPublic`
In case of doubt, or if an issue cannot wait until the next ESC meeting,
contact the link:#steering-committee[Engineering Steering Committee] directly
by sending them an mailto:gerritcodereview-esc@googlegroups.com[email].
If needed, the ESC will contact the reporter for additional details.
[[embargo]]
=== The Embargo
Once an issue has been identified as security vulnerability, we keep it under
embargo until a fixed release or a mitigation is available. This means that the
issue is not discussed publicly, but only on issues with restricted visibility
(see link:#report-security-issue[above]) and at the mailing lists of the ESC,
community managers and Gerrit maintainers. Since the `repo-discuss` mailing
list is public, security issues must not be discussed on this mailing list
while the embargo is in place.
The reason for keeping an embargo is to prevent attackers from taking advantage
of a vulnerability while no fixed releases are available yet, and Gerrit
administrators cannot make their systems secure.
Once a fix release or mitigation is available, the embargo is lifted and the
community is informed about the security vulnerability with the advise to
address the security vulnerability immediately (either by upgrading to a fixed
release or applying the mitigation). The information about the security
vulnerability is disclosed via the
link:https://groups.google.com/d/forum/repo-discuss[repo-discuss] mailing list.
[[handle-security-issue]]
=== Handling of the Security Vulnerability
. Engineering Steering Committee evaluates the security vulnerability:
+
The ESC discusses the security vulnerability and which actions should be taken
to address it. One person, usually one of the Gerrit maintainers, should be
appointed to drive and coordinate the investigation and the fix of the security
vulnerability. This coordinator doesn't need to do all the work alone, but is
responsible that the security vulnerability is getting fixed in a timely
manner.
+
If the security vulnerability affects multiple or older releases the ESC should
decide which of the releases should be fixed. For critical security issue we
also consider fixing old releases that are otherwise not receiving any
bug-fixes anymore.
+
It's also possible that the ESC decides that an issue is not a security issue
and the embargo is lifted immediately.
. Implementation of the security fix:
+
To keep the embargo intact, security fixes cannot be developed and reviewed in
the public `gerrit` repository. In particular it's not secure to use private
changes for implementing and reviewing security fixes (see general notes about
link:intro-user.html[security-fixes]).
+
Instead security fixes should be implemented and reviewed in the non-public
link:https://gerrit-review.googlesource.com/admin/repos/gerrit-security-fixes[
gerrit-security-fixes] repository which is only accessible by Gerrit
maintainers and Gerrit community members that work on security fixes.
+
The change that fixes the security vulnerability should contain an integration
test that verifies that the security vulnerability is no longer present.
+
Review and approval of the security fixes must be done by the Gerrit
maintainers. Verifications must be done manually since the Gerrit CI doesn't
build and test changes of the `gerrit-security-fixes` repository (and it
shouldn't because everything on the CI server is public which would break
the embargo).
+
Once a security fix is ready and submitted, it should be cherry-picked to all
branches that should be fixed.
. Creation of fixed releases and announcement of the security vulnerability:
+
A release manager should create new bug fix releases for all fixed branches.
+
The new releases should be tested against the security vulnerability to
double-check that the release was built from the correct source that contains
the fix for the security vulnerability.
+
Before publishing the fixed releases, an announcement to the Gerrit community
should be prepared. The announcement should clearly describe the security
vulnerability, which releases are affected and which releases contain the fix.
The announcement should recommend to upgrade to fixed releases immediately.
+
Once all releases are ready and tested and the announcement is prepared, the
releases should be all published at the same time. Immediately after that, the
announcement should be sent out to the
link:https://groups.google.com/d/forum/repo-discuss[repo-discuss] mailing list.
+
This ends the embargo and any issue that discusses the security vulnerability
should be made public.
. Follow-Up
+
The ESC should discuss if there are any learnings from the security
vulnerability and define action items to follow up in the
link:https://bugs.chromium.org/p/gerrit[issue tracker].
[[upgrading-libraries]]
== Upgrading Libraries
Changes that add new libraries or upgrade existing libraries require an approval on the
`Library-Compliance` label. For an approval the following things are checked:
* The library has a license that is suitable for use within Gerrit.
* If the library is used within Google, the version of the library must be compatible with the
version that is used at Google.
Only maintainers from Google can vote on the `Library-Compliance` label.
Gerrit's library dependencies should only be upgraded if the new version contains
something we need in Gerrit. This includes new features, API changes as well as bug
or security fixes.
An exception to this rule is that right after a new Gerrit release was branched
off, all libraries should be upgraded to the latest version to prevent Gerrit
from falling behind. Doing those upgrades should conclude at the latest two
months after the branch was cut. This should happen on the master branch to ensure
that they are vetted long enough before they go into a release and we can be sure
that the update doesn't introduce a regression.
[[deprecating-features]]
== Deprecating features
Gerrit should be as stable as possible and we aim to add only features that last.
However, sometimes we are required to deprecate and remove features to be able
to move forward with the project and keep the code-base clean. The following process
should serve as a guideline on how to deprecate functionality in Gerrit. Its purpose
is that we have a structured process for deprecation that users, administrators and
developers can agree and rely on.
General process:
* Make sure that the feature (e.g. a field on the API) is not needed anymore or blocks
further development or improvement. If in doubt, consult the mailing list.
* If you can provide a schema migration that moves users to a comparable feature, do
so and stop here.
* Mark the feature as deprecated in the documentation and release notes.
* If possible, mark the feature deprecated in any user-visible interface. For example,
if you are deprecating a Git push option, add a message to the Git response if
the user provided the option informing them about deprecation.
* Annotate the code with `@Deprecated` and `@RemoveAfter(x.xx)` if applicable.
Alternatively, use `// DEPRECATED, remove after x.xx` (where x.xx is the version
number that has to be branched off before removing the feature)
* Gate the feature behind a config that is off by default (forcing admins to turn
the deprecated feature on explicitly).
* After the next release was branched off, remove any code that backed the feature.
You can optionally consult the mailing list to ask if there are users of the feature you
wish to deprecate. If there are no major users, you can remove the feature without
following this process and without the grace period of one release.
GERRIT
------
Part of link:index.html[Gerrit Code Review]
SEARCHBOX
---------
View Git Blame Copy Permalink