Actions

Developer Area/Release Instructions/Pre-release: Difference between revisions

From Mahara Wiki

< Developer Area‎ | Release Instructions
Line 4: Line 4:


Done? [[Developer Area/Release Instructions/Release day|> Go to 'Release day']]
Done? [[Developer Area/Release Instructions/Release day|> Go to 'Release day']]
==πŸ“‹ Checklist before starting==
🟑 '''Start up'''
*Who is leading the release, i.e. the 'Release manager'?
*What type of release? release candidate, major release, or minor-point release
*Is your [https://git.mahara.org/scripts/mahara-scripts mahara-scripts] repo up-to-date so that you have the [http://git.mahara.org/scripts/mahara-scripts/blobs/master/release.php latest release script]? The release script will clone the git.mahara.org repo and generate the zip files.
*Do you have a [https://wiki.mahara.org/wiki/Developer_Area/Release_Instructions/Creating_a_GPG_key valid GPG key] added to your Launchpad account? This is required to run the release script, which generates a signed zip file based on this GPG key. See [https://launchpad.net/~username/+editpgpkeys https://launchpad.net/~username/+editpgpkeys.]
🟑 '''Release manager''' - '''check permissions'''
*Security bug reports are only visible to members of the security group. If you are helping with the release, you'll need to be part of the [https://launchpad.net/~mahara-security security group].
*After the release has been created, we post information about the release in the [https://mahara.org/interaction/forum/view.php?id=1 News] and [https://mahara.org/interaction/forum/view.php?id=43 Security Announcement] forums. If this is your job, you may need to check that you have access (follow the preceding links to check).
<small>Ask the tech lead/product owner for permissions if you cannot check off any of the steps.</small>
==πŸ”’ Apply for CVE numbers for security fixes==
Apply for a CVE number as soon as a bug report exists for a security issue. CVE numbers that we receive are embargoed are details are not leaked until we let MITRE know that they can be published. '''Catalyst NZ staff''' also have access to that information on Seafile along with a running record of which bugs have been reported to MITRE (or others if needed).
While CVE numbers are not a requirement, it is good practice and they are useful for administrators who monitor security announcements. πŸ›‘ Note: This MITRE CVE form can '''ONLY''' be used if the issue hasn't been made public yet.


#[https://cveform.mitre.org/ Apply for CVE numbers for each non-public security issue with the MITRE request form]
== πŸ“° Comms ==
#Add the CVE number to the security bug report using the 'Link to CVE' option on the sidebar. Note: it takes a few days for Launchpad to accept the CVE number.
#Prepare the security announcement post in the Launchpad bug report through comments or updating the description.


Β  Β  '''Security forum post template'''
Β  Β  '''''Title...''''' '''in Mahara before''' '''''affected versions'''''
Β  Β  Vulnerability type: ''...''
Β  Β  Attack type: ''...''
Β  Β  Impact(if needed): ''...''
Β  Β  Affected components: ''...''
Β  Β  Description: ''Affected Mahara versions'', ''and summary of issue''.
Β  Β  Reported by: ''...''
Β  Β  Bug report: ''Launchpad ID and URL to the bug report)''
==🚧 Prep branches, milestones, and bugs==
===''Release candidate (RC)''===
====(RC) Create a new <code>_DEV</code> branch====
This branch is only created once per major version during the first RC. Subsequent release candidates shall use the same branch.
Create a new <code>_DEV</code> branch based off of main.
#<code>git checkout main</code>
#<code>git checkout -b 1.10_DEV</code>
#<code>git push gerrit 1.10_DEV</code>
If Gerrit won't let you push your new branch, create it through https://reviews.mahara.org/admin/repos/mahara,branches
Commit and push these changes:
#In the '''<code>Makefile</code>''' of the new '''<code>_DEV</code>''' branch, replace <code>main</code> with the name of the branch.
#Create an empty 'ChangeLog' file. The file needs a capital C and L in the name.
#Update the release in <code>htdocs/lib/version.php</code> to be <code>[whatever]rc1.</code>
====(RC) Bump the version on <code>main</code>====
#Go to the main branch and bump the version to <code>1.5.0dev</code> (if you just created the <code>1.4_DEV</code> branch)
#In <code>htdocs/lib/version.php</code> (update series, release and version - version should be today's date)
#README
#Commit and make push
====(RC) Do not create a release====
Bugs should not have an RC as its milestone. Leave them as 'Fix committed'.
Note: For organising bugs after the first release candidate, an rc2 milestone may be created for to track which ones will go onto the final release. Once an rc2 bug has been committed, their status should change back to its original .0 milestone.
===''Major release (M)''===
These are done at the end of April and October.
====(M) Update the README====
Review the <code>README.md</code> file and update it to reflect any changes:
#Check the supported versions of PHP, Postgres, and MySQL / MariaDB.
#Check theΒ  minimum browser requirements.
#Update the copyright message so it extends to the current year.
#Update the [[System_Administrator's_Guide/Requirements#Software|Software requirements]] page to match the changes.
Note: For PHP versions, the minimum '''and''' maximum supported version needs to be listed to avoid confusion as PHP does release versions more frequently.
===Minor points and security releases===
We release minor point updates for all the supported released versions of Mahara during security releases and after major releases.
===Create a release on Launchpad (''excludes RC'')===
Go to <u><nowiki>https://launchpad.net/mahara/+milestone/</nowiki><code>X.Y.Z</code></u> ''OR'' Go to the series page and click 'Create milestone'.
#Move any bugs that are not going to be part of this release to the next milestone in the series, e.g. if this is <code>X.Y.3</code> then move to <code>X.Y.4</code>. You may need to make the milestone if it doesn't already exist via <code><nowiki>https://launchpad.net/mahara/X.Y</nowiki></code> and using the 'create milestone' link.
#Click on 'Create release' and give it today's date.
#Double check that 'Keep the X.Y.Z milestone active' remains '''unchecked'''.
==🌏 Prep the new language packs==
You need to set up launchpad translations for the new branch.Β  See the separate instructions on [[Developer Area/Language Packs/Launchpad Branching|setting up a new translations branch]].
==πŸ“° Comms==
===Let Mahara Partners know one week before the release===
===Let Mahara Partners know one week before the release===
<small>🚨 Note: Kristina does this task as a [https://mahara.org/group/members.php?id=1037 member of the Mahara partners group].</small>
<small>🚨 Note: Kristina doe</small>version to <code>XX.XX.0dev</code> (if you just created the <code>XX.XX_DEV</code> <small>s this task as a [https://mahara.org/group/members.php?id=1037 member of the Mahara partners group].</small>


Let Mahara Partners know in the [https://mahara.org/interaction/forum/view.php?id=1136 Partner forum] that a release is upcoming. Details are not shared though as the reports are still embargoed.p
Let Mahara Partners know in the [https://mahara.org/interaction/forum/view.php?id=1136 Partner forum] that a release is upcoming. Details are not shared though as the reports are still embargoed.p
Line 149: Line 67:
#Update your [https://ethercalc.net/track-bugstracking tracking of bugs] daily
#Update your [https://ethercalc.net/track-bugstracking tracking of bugs] daily
#Share with the team what needs doing to progress and share the tasks
#Share with the team what needs doing to progress and share the tasks
==πŸ“‹ Checklist for devs before starting==
🟑 '''Start up'''
*Confirm who will be the 'Release Manager'
*Confirm what type of release this is, i.e. major or minor point.
*Update your [https://git.mahara.org/scripts/mahara-scripts mahara-scripts] repo so that you have the [http://git.mahara.org/scripts/mahara-scripts/blobs/master/release.php latest release script]. The release script will clone the git.mahara.org repo and generate the zip files that go onto Launchpad.
*Make sure you have a [https://wiki.mahara.org/wiki/Developer_Area/Release_Instructions/Creating_a_GPG_key valid GPG key] added to your Launchpad account. This is required to run the release script, which generates a signed zip file based on this GPG key. See [https://launchpad.net/~username/+editpgpkeys https://launchpad.net/~username/+editpgpkeys.]
🟑 '''Release Manager tasks''' - '''check permissions'''
*The Release Manager should make sure devs are part of the [https://launchpad.net/~mahara-security security group] so that they can see security bug reports.
*Give access to those who will be responsible for posting these announcements. After the release has been created, we post information about the release in the [https://mahara.org/interaction/forum/view.php?id=1 News] and [https://mahara.org/interaction/forum/view.php?id=43 Security Announcement] forums.
==πŸ”’ Apply for CVE numbers for security fixes (release manager)==
Apply for a CVE number as soon as a bug report exists for a security issue. CVE numbers that we receive are embargoed are details are not leaked until we let MITRE know that they can be published. '''Catalyst NZ staff''' also have access to that information on Seafile along with a running record of which bugs have been reported to MITRE (or others if needed).
While CVE numbers are not a requirement, it is good practice and they are useful for administrators who monitor security announcements. πŸ›‘ Note: This MITRE CVE form can '''ONLY''' be used if the issue hasn't been made public yet.
#[https://cveform.mitre.org/ Apply for CVE numbers for each non-public security issue with the MITRE request form]
#Add the CVE number to the security bug report using the 'Link to CVE' option on the sidebar. Note: it takes a few days for Launchpad to accept the CVE number.
#Prepare the security announcement post in the Launchpad bug report through comments or updating the description.
Β  Β  '''Security forum post template'''
Β  Β  '''''Title...''''' '''in Mahara before''' '''''affected versions'''''
Β  Β  Vulnerability type: ''...''
Β  Β  Attack type: ''...''
Β  Β  Impact(if needed): ''...''
Β  Β  Affected components: ''...''
Β  Β  Description: ''Affected Mahara versions'', ''and summary of issue''.
Β  Β  Reported by: ''...''
Β  Β  Bug report: ''Launchpad ID and URL to the bug report)''
==🚧 '''Prep milestones and branches'''==
(This applies to RC, major and minor point releases)
==== Setting up milestones on Launchpad ====
Go to <u><nowiki>https://launchpad.net/mahara/+milestone/</nowiki><code>X.Y.Z</code></u> ''OR'' Go to the series page and click 'Create milestone'.
#Move any bugs that are not going to be part of this release to the next milestone in the series, e.g. if this is <code>X.Y.3</code> then move to <code>X.Y.4</code>. You may need to make the milestone if it doesn't already exist via <code><nowiki>https://launchpad.net/mahara/X.Y</nowiki></code> and using the 'create milestone' link.
#Click on 'Create release' and give it today's date.
#Double check that 'Keep the X.Y.Z milestone active' remains '''unchecked'''.
====(RC only) Create a new <code>_DEV</code> branch====
This branch is only created once per major release. Subsequent release candidates shall use the same branch (e.g. RC2 etc)
To create the new <code>_DEV</code> branch based off of main:
#<code>git checkout main</code>
#<code>git checkout -b XX.XX_DEV</code>
#<code>git push gerrit XX.XX_DEV</code>
(If Gerrit won't let you push your new branch, create it through [https://reviews.mahara.org/admin/repos/mahara,branches https://reviews.mahara.org/admin/repos/mahara,branches)]
Commit and push these changes:
#In the '''<code>Makefile</code>''' of the new '''<code>_DEV</code>''' branch, replace <code>main</code> with the name of the branch.
#Create an empty 'ChangeLog' file. The file needs a capital C and L in the name.
#Update the release in <code>htdocs/lib/version.php</code> to beΒ  <code>$config->release = 'XX.XXrc1';</code>
====(RC only) Bump the version on <code>main</code>====
#Go to the main branch and bump the branch)
#In <code>htdocs/lib/version.php</code> (update <code>$config->series</code>, <code>$config->release</code> and <code>$config->version</code> - version should be today's date)
#Update the README.md with information about how to upgrade to this version, e.g. which minimum version they should have etc
#Commit and <code>make push</code>
For a Release Candidate, at this point a zip file will be generated with the Release script and made available on Launchpad for the community to test. This includes a selection of bugs that have been targeted to a the 'rc1' milestone. After the first release candidate, an rc2 milestone may be created to track which ones will go onto the final release. '''Once an rc1 or rc2 bug has been committed, its status should change back to its original .0 milestone.'''
At this point, a Release Candidate has been created and goes through testing.
The following steps are for creating the major release.
===''Major release (M)''===
These are done at the end of April and October.
====(Major only) Update the README====
Review the <code>README.md</code> file and update it to reflect any changes:
#Check the supported versions of PHP, Postgres, and MySQL / MariaDB.
#Check theΒ  minimum browser requirements.
#Update the copyright message so it extends to the current year.
#Update the [[System_Administrator's_Guide/Requirements#Software|Software requirements]] page to match the changes.
Note: For PHP versions, the minimum '''and''' maximum supported version needs to be listed to avoid confusion as PHP does release versions more frequently.
==🌏 Language packs==
New language packs are prepped for major releases. For all releases, you need to update launchpad translations for the new Bazaar branch.Β  See the separate instructions on [[Developer Area/Language Packs/Launchpad Branching|setting up a new Bazaar translations branch]].
#


<br />
<br />

Revision as of 17:51, 29 April 2022

This document details the steps to follow in preparation of a release.

πŸ“£ Please complete these steps a week before the release, especially announcements to Mahara Partners.

Done? > Go to 'Release day'

πŸ“° Comms

Let Mahara Partners know one week before the release

🚨 Note: Kristina doeversion to XX.XX.0dev (if you just created the XX.XX_DEV s this task as a member of the Mahara partners group.

Let Mahara Partners know in the Partner forum that a release is upcoming. Details are not shared though as the reports are still embargoed.p

Draft the Security Announcements forum post

Get the announcement information from the Launchpad bug comment/description and format it for the security announcement into HTML.

Draft the News forum post for the security releases

Take the URLs of the newly created security announcement forum posts and insert them into the following template to look something like this.

Note: links to the Security Announcements forum posts will be available once created one the day of the release.

Title:  Mahara security releases <insert milestones part of this release>
Kia ora Mahara community,
We have security updates available for all supported versions of Mahara:
- 21.10.1
- XX.XX.X
- XX.XX.X
These updates include fixes for a number of security vulnerabilities for which you can find more information:
Title of security issue
...
You can download the latest versions from Launchpad or check out the relevant branch from Git.
We recommend you update your instance of Mahara to the latest minor point release of the series of Mahara you
are using, or if you are on an unsupported version of Mahara, upgrade to a supported one.
Thank you,
<Name of person leading the release>

πŸ”Ž Investigation

Check bug reports and their statuses

  1. Book a meeting with the tech lead, product owner, and those working on the release.
  2. Get the series number for each supported Mahara version, e.g. 21.10, 21.04, and 20.10.
  3. Go to Mahara's Launchpad to check there is an unreleased milestone for each supported series number. See above for how to create new milestones.
  4. Go through each bug report and check they have allocated milestone(s). If they don't, ask the Tech lead where to allocate them.

Track the associated bug reports

  1. Create a spreadsheet to track the bugs. [ethercalc.net/track-bugs Example template]
  2. Go through each supported milestone's bugs:
    1. See associated bugs for a milestone by going to 'Series and Milestones' and clicking the first milestone with an empty circle above it.
    2. Record the progress status of the bug, i.e. if there someone is working on it, and the patch URL in reviews.mahara.org
  3. Double check that all 'Private security' bug reports with patches that are ready, go into the release.

Follow-on tasks

  1. Get bugs code-reviewed, verified, and merged by delegating tasks to team members.
  2. Backport security patches into supported Mahara versions.
  3. Update your tracking of bugs daily
  4. Share with the team what needs doing to progress and share the tasks

πŸ“‹ Checklist for devs before starting

🟑 Start up

  • Confirm who will be the 'Release Manager'
  • Confirm what type of release this is, i.e. major or minor point.
  • Update your mahara-scripts repo so that you have the latest release script. The release script will clone the git.mahara.org repo and generate the zip files that go onto Launchpad.
  • Make sure you have a valid GPG key added to your Launchpad account. This is required to run the release script, which generates a signed zip file based on this GPG key. See https://launchpad.net/~username/+editpgpkeys.

🟑 Release Manager tasks - check permissions

  • The Release Manager should make sure devs are part of the security group so that they can see security bug reports.
  • Give access to those who will be responsible for posting these announcements. After the release has been created, we post information about the release in the News and Security Announcement forums.

πŸ”’ Apply for CVE numbers for security fixes (release manager)

Apply for a CVE number as soon as a bug report exists for a security issue. CVE numbers that we receive are embargoed are details are not leaked until we let MITRE know that they can be published. Catalyst NZ staff also have access to that information on Seafile along with a running record of which bugs have been reported to MITRE (or others if needed).

While CVE numbers are not a requirement, it is good practice and they are useful for administrators who monitor security announcements. πŸ›‘ Note: This MITRE CVE form can ONLY be used if the issue hasn't been made public yet.

  1. Apply for CVE numbers for each non-public security issue with the MITRE request form
  2. Add the CVE number to the security bug report using the 'Link to CVE' option on the sidebar. Note: it takes a few days for Launchpad to accept the CVE number.
  3. Prepare the security announcement post in the Launchpad bug report through comments or updating the description.
   Security forum post template
   Title... in Mahara before affected versions
   Vulnerability type: ...
   Attack type: ...
   Impact(if needed): ...
   Affected components: ...
   Description: Affected Mahara versions, and summary of issue.
   Reported by: ...
   Bug report: Launchpad ID and URL to the bug report)

🚧 Prep milestones and branches

(This applies to RC, major and minor point releases)

Setting up milestones on Launchpad

Go to https://launchpad.net/mahara/+milestone/X.Y.Z OR Go to the series page and click 'Create milestone'.

  1. Move any bugs that are not going to be part of this release to the next milestone in the series, e.g. if this is X.Y.3 then move to X.Y.4. You may need to make the milestone if it doesn't already exist via https://launchpad.net/mahara/X.Y and using the 'create milestone' link.
  2. Click on 'Create release' and give it today's date.
  3. Double check that 'Keep the X.Y.Z milestone active' remains unchecked.

(RC only) Create a new _DEV branch

This branch is only created once per major release. Subsequent release candidates shall use the same branch (e.g. RC2 etc)

To create the new _DEV branch based off of main:

  1. git checkout main
  2. git checkout -b XX.XX_DEV
  3. git push gerrit XX.XX_DEV

(If Gerrit won't let you push your new branch, create it through https://reviews.mahara.org/admin/repos/mahara,branches)

Commit and push these changes:

  1. In the Makefile of the new _DEV branch, replace main with the name of the branch.
  2. Create an empty 'ChangeLog' file. The file needs a capital C and L in the name.
  3. Update the release in htdocs/lib/version.php to be $config->release = 'XX.XXrc1';

(RC only) Bump the version on main

  1. Go to the main branch and bump the branch)
  2. In htdocs/lib/version.php (update $config->series, $config->release and $config->version - version should be today's date)
  3. Update the README.md with information about how to upgrade to this version, e.g. which minimum version they should have etc
  4. Commit and make push

For a Release Candidate, at this point a zip file will be generated with the Release script and made available on Launchpad for the community to test. This includes a selection of bugs that have been targeted to a the 'rc1' milestone. After the first release candidate, an rc2 milestone may be created to track which ones will go onto the final release. Once an rc1 or rc2 bug has been committed, its status should change back to its original .0 milestone.

At this point, a Release Candidate has been created and goes through testing.

The following steps are for creating the major release.

Major release (M)

These are done at the end of April and October.

(Major only) Update the README

Review the README.md file and update it to reflect any changes:

  1. Check the supported versions of PHP, Postgres, and MySQL / MariaDB.
  2. Check the minimum browser requirements.
  3. Update the copyright message so it extends to the current year.
  4. Update the Software requirements page to match the changes.

Note: For PHP versions, the minimum and maximum supported version needs to be listed to avoid confusion as PHP does release versions more frequently.

🌏 Language packs

New language packs are prepped for major releases. For all releases, you need to update launchpad translations for the new Bazaar branch. See the separate instructions on setting up a new Bazaar translations branch.


✨ You did it!!! Head over to Release day ✨

Extra: