
x/build/cmd/releasebot: check that previous minor release tag is merged into release branch #37120

Open
dmitshur opened this issue Feb 7, 2020 · 1 comment

Comments

@dmitshur
Member

@dmitshur dmitshur commented Feb 7, 2020

Issue #34505 was about checking that the security branch (in the private Go repository where the security fix is developed) is merged into the public release branch.

It was meant to add a safety measure to detect a situation where the step of merging the security branch was either forgotten or incomplete by the time the next minor release is made, which would cause the minor release to not include the fix from the previous security release. (Minor releases are sometimes made in very short succession after the preceding security release, and other times after a long amount of time.)

A fix for this was implemented in CL 206437. It checks that non-security releases contain the HEAD commit from the security release branch if such a branch exists.

While discussing this safety measure with @FiloSottile and @katiehockman, Filippo came up with a strategy of checking that minor releases contain the tag of the previous minor release. We expect that to be true for all minor releases. It has some advantages:

  • it will detect a problem even if the security release branches have been deleted (without being merged)
  • it does not need to access the private Go repository for non-security releases, which reduces the risk of accidentally revealing an upcoming security fix

This is the tracking issue for implementing that strategy.

To be able to implement this, we will need to parse the Go version being released, and compute the tag for the previous minor release (e.g., if releasing "go1.13.8", compute "go1.13.7"). The version package may be helpful for this purpose. It may need to be extended to support beta and RC version strings, if those are in scope for this task.

/cc @FiloSottile @katiehockman @cagedmantis @toothrot
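A sketch of the two pieces this strategy needs, added here as an example and not code from x/build or the CL above: computing the previous minor release tag from the version being released, and checking with `git merge-base --is-ancestor` that the release branch already contains that tag. The checkout path "." and the branch name in main are assumed placeholders, and beta/RC version strings are treated as out of scope and rejected.

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
	"strconv"
)

// goRelease matches "go1.13" and "go1.13.8"; beta/RC strings such as "go1.14beta1" are out of scope and do not match.
var goRelease = regexp.MustCompile(`^go(\d+)\.(\d+)(?:\.(\d+))?$`)

// prevMinorTag returns the tag a minor release must already contain:
// "go1.13.8" -> "go1.13.7", and "go1.13.1" -> "go1.13" (the major release tag).
func prevMinorTag(version string) (string, error) {
	m := goRelease.FindStringSubmatch(version)
	if m == nil {
		return "", fmt.Errorf("unsupported version string %q", version)
	}
	if m[3] == "" {
		return "", fmt.Errorf("%s is a major release; no previous minor release to check", version)
	}
	minor, err := strconv.Atoi(m[3])
	if err != nil || minor == 0 {
		return "", fmt.Errorf("unexpected minor number in %q", version)
	}
	if minor == 1 {
		return fmt.Sprintf("go%s.%s", m[1], m[2]), nil
	}
	return fmt.Sprintf("go%s.%s.%d", m[1], m[2], minor-1), nil
}

// tagMergedInto reports whether tag is an ancestor of branch in the checkout at dir, i.e. the branch contains it.
func tagMergedInto(dir, tag, branch string) (bool, error) {
	err := exec.Command("git", "-C", dir, "merge-base", "--is-ancestor", tag, branch).Run()
	if err == nil {
		return true, nil
	}
	if ee, ok := err.(*exec.ExitError); ok && ee.ExitCode() == 1 {
		return false, nil // exit status 1 means the tag is not an ancestor of the branch
	}
	return false, fmt.Errorf("git merge-base failed: %w", err)
}

func main() {
	tag, _ := prevMinorTag("go1.13.8")
	ok, err := tagMergedInto(".", tag, "release-branch.go1.13") // "." is a placeholder checkout path
	fmt.Println(tag, ok, err)
}
```

A release should be refused when tagMergedInto returns false, since that is exactly the forgotten or incomplete merge the check exists to catch.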

@dmitshur dmitshur added this to the Backlog milestone Feb 7, 2020
@dmitshur dmitshur added the Security label Feb 7, 2020
@dmitshur dmitshur self-assigned this Jul 28, 2020
@gopherbot

@gopherbot gopherbot commented Jul 28, 2020

Change https://golang.org/cl/245277 mentions this issue: maintner/maintnerd/maintapi/version: support beta and RC release tags
