Release process improvement

frisi · April 8, 2016, 1:09pm

it would be great to add an item to the release-checklist to make sure https://plone.org/security/hotfixes/ is always updated for new releases.

mauritsvanrees · April 8, 2016, 4:03pm

That is documented here: https://github.com/plone/buildout.coredev/blob/5.1/docs/release.rst

I was about to add a line "Update page at https://plone.org/security/hotfixes/" but I don't know how this hotfixes page can be updated. I see it is a @@hotfixes browser view, so this is calculated.

5.0.4 is missing from the list now, which I guess is why you bring this up.

Alexander_Loechel · April 8, 2016, 7:30pm

Sorry, for being late on this.

https://plone.org/security/hotfixes/ and https://plone.org/security/hotfix_json are both maintained by the Plone Security Team and not the Release Team.

I have updated it.

@mauritsvanrees please contact me directly and I will show you how to update this in order to the process.

mauritsvanrees · April 11, 2016, 9:16am

I have had contact with Alexander and I can now update the hotfixes page too.
I have added a line in the list of release actions:
https://github.com/plone/buildout.coredev/commit/5e22c5dd9bec039642fc67d21d2528b67192d4d0

hvelarde · April 11, 2016, 2:17pm

seems release 4.3.9 is missing the reference to https://plone.org/security/20151006 (plone4.csrffixes).

tkimnguyen · April 11, 2016, 2:56pm

Isn't that because that fix is included in this version?

hvelarde · April 11, 2016, 2:57pm

I don't think so as it depends in an external package; the security team must know for sure.

tkimnguyen · April 11, 2016, 3:00pm

You're right... it's not included by default.

tkimnguyen · April 11, 2016, 3:01pm

4.3.8 didn't mention that fix either. I'm not hearing here that it should.

frisi · April 11, 2016, 3:12pm

thanks maurits. this is exactly what i was asking for. the first thing i do before updating to a new release is to check if applied hotfixes can be removed. i guess others do it the same way. having up-to date information on plone.org/security/hotfixes improves the update process a lot

mauritsvanrees · April 13, 2016, 6:46pm

plone4.csrffixes remains needed on all Plone 4 versions. I have just edited the hotfixed page to let Plone 4.3.9 show this hotfix too.

Technically, plone4.csrffixes should not be needed on Plone 4.3.8 and higher, but for the full protection you would then need to update plone.protect to version 3.x. We have not managed to do this in the core development buildout, because lots and lots of tests then fail.
It's complicated...
Some more hints over here:

Personally, I have included this hotfix on only a few sites, regardless of the exact Plone version. We did forbid access to the ZMI instead.