This document is a work in progress as of 17-Dec-2012

You can report a security-related issue in Evergreen via the bug tracking system at https://bugs.launchpad.net/evergreen – be sure to check the box labeled "This bug is a security vulnerability".

NOTE: If you are an active Evergreen "bug wrangler" or similar, you may instead have an option to change "This bug contains information that is:" from "Public" to "Private Security".

Who can see the details of a security bug?

While a security-related bug is in progress, the original submitter and the Launchpad team "Evergreen Security" are the only ones who can see the details of the bug. The current roster of the "Evergreen Security" Launchpad team can be viewed at https://launchpad.net/~evergreen-security

After a security bug has been evaluated and either fixed or found to be invalid, the full details of the bug will be publicly visible. Please avoid placing information in a security bug report which should not be made public in this manner.

After a security bug is reported in Launchpad, notification is sent to the members of the "Evergreen Security" Launchpad team.

Your bug report will be evaluated, and you may be contacted by the security team and asked to provide additional details.

The security team will work to develop a fix and/or workaround as appropriate.

Communication during the bug fixing process takes place within the Launchpad bug tracking system and/or via e-mail over the Evergreen security team mailing list.

How are security releases tested?

When a fix for the security issue is available, including instructions for applying it to an existing Evergreen installation, the Launchpad bug will be made public. An announcement describing the nature of the issue, including a call for testers, will be made to the community.

How are security fixes released?

After testing, the code will be merged to the relevant public Evergreen branches (origin/master, origin/rel_2_3, …) and the Launchpad entries will be marked as Fix Committed. From here, the release process proceeds the same as a regular non-security release.

How are security releases announced?

Security releases are announced via the Evergreen blog and via e-mail to the open-ils-general mailing list.

dev/security.1358446156.txt.gz · Last modified: 2022/02/10 13:34 (external edit)

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International

© 2008-2022 GPLS and others. Evergreen is open source software, freely licensed under GNU GPLv2 or later.