daohualiuxiang
/
node
mirror of https://github.com/nodejs/node.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

doc: add request to hold off publicising sec releases 

- We've often seen tweets go out early before announcement
  and other parts of the security release complete
- Make an explicit ask that collaborators avoid doing this
  by gating on the tweet from the Node.js account
- Releasers would still be free to tweet earlier as they know
  when the process is complete.

Signed-off-by: Michael Dawson <mdawson@devrus.com>

PR-URL: https://github.com/nodejs/node/pull/46702
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Robert Nagy <ronagy@icloud.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Akhil Marsonya <akhil.marsonya27@gmail.com>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
pull/46901/head
Michael Dawson 2023-02-17 13:15:00 -05:00
parent bd04106b4d
commit 7cb09f40a6
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
doc/contributing/security-release-process.md
View File

@ -118,6 +118,7 @@ out a better way, forward the email you receive to
`oss-security@lists.openwall.com` as a CC.
* [ ] Create a new issue in [nodejs/tweet][]
```text
Security release pre-alert:
@ -130,6 +131,13 @@ out a better way, forward the email you receive to
https://nodejs.org/en/blog/vulnerability/month-year-security-releases/
```
We specifically ask that collaborators other than the releasers and security
steward working on the security release do not tweet or publicise the release
until the tweet from the Node.js twitter handle goes out. We have often
seen tweets sent out before the release and associated announcements are
complete which may confuse those waiting for the release and also takes
away from the work the releasers have put into shipping the releases.
* [ ] Request releaser(s) to start integrating the PRs to be released.
* [ ] Notify [docker-node][] of upcoming security release date: _**LINK**_