| | 10 | |
| | 11 | === Preparing Security Announcements === |
| | 12 | |
| | 13 | Part of the release-notes of patch-level releases (such as !QtWebKit-2.2.1, !QtWebKit-2.2.2, etc) should be dedicated to the security problems which have been fixed. It's standard procedure to include a list of security issues fixed (including the CVE Id) and give credit to the researchers who discovered and reported it. |
| | 14 | |
| | 15 | Examples of security announcements: |
| | 16 | * [http://googlechromereleases.blogspot.com/2011/08/stable-channel-update_22.html Google Chrome] |
| | 17 | * [http://support.apple.com/kb/HT4808 Apple Safari] |
| | 18 | |
| | 19 | The list of security bugs fixed in the branch since the last release can be extracted from the git changelog using the {{{cherry-pick-into-release-branch.py}}} script. For example, to extract a list of all security issues fixed from the tag {{{qtwebkit-2.2.0}}} until now: |
| | 20 | (notice you'll need proper bugzilla privileges) |
| | 21 | |
| | 22 | {{{ |
| | 23 | $ cherry-pick-into-release-branch.py --no-git-pull --list-only --security-bugs-from qtwebkit-2.2.0.. |
| | 24 | }}} |
| | 25 | |
| | 26 | With this list in hand, we can go to Bugzilla and find out, manually: |
| | 27 | * The CVE Id of the issue; |
| | 28 | * The researchers who should receive credit; |
| | 29 | |
| | 30 | Once the release notes is ready, it should be sent to the [mailto:security@webkit.org WebKit Security Mailing List] for peer review. Preferably one or two days before making it public. |
| | 31 | |
| | 32 | Exceptions should always be discussed in the [mailto:security@webkit.org WebKit Security Mailing List]. |
