blob: d7ee94372e37caa31de5f91ac539ae253f654800 [file] [view]
<!-- SPDX-License-Identifier: Apache-2.0
https://www.apache.org/licenses/LICENSE-2.0 -->
<!-- START doctoc generated TOC please keep comment here to allow auto update -->
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
**Table of Contents** *generated with [DocToc](https://github.com/thlorenz/doctoc)*
- [TODO: `<Project Name>` — release trains, release managers, security team roster](#todo-project-name--release-trains-release-managers-security-team-roster)
- [Release branches currently in flight](#release-branches-currently-in-flight)
- [Current release managers](#current-release-managers)
- [Known release-manager rotations](#known-release-manager-rotations)
- [Release managers for releases currently relevant to the security tracker](#release-managers-for-releases-currently-relevant-to-the-security-tracker)
- [Security team roster](#security-team-roster)
- [What this means for sync and fix skills](#what-this-means-for-sync-and-fix-skills)
<!-- END doctoc generated TOC please keep comment here to allow auto update -->
<!-- SPDX-License-Identifier: Apache-2.0
https://www.apache.org/licenses/LICENSE-2.0 -->
# TODO: `<Project Name>` — release trains, release managers, security team roster
Fast-moving project state. Update every time a release ships, a new
release branch opens, or a security-team member joins / rotates off.
## Release branches currently in flight
TODO: list the project's active release branches. For each branch:
- the branch name (e.g. `v1-2-test`);
- which next release is expected to cut from it (e.g. `1.2.3`);
- whether new security fixes should default to this branch or a
different one.
Example shape:
> - **`main`** — becomes the next minor release (X.Y+1.0 eventually).
> - **`v1-2-test`** — patch branch for the `1.2.x` series. Next patch is `1.2.3`.
> - **`v1-1-test`** — no further `1.1.x` releases planned.
## Current release managers
TODO: describe how to authoritatively identify the release manager
for a given cut. Two sources usually work:
1. TODO: the project's release-plan wiki / schedule page.
2. TODO: the `[RESULT][VOTE]` thread on the project's `<dev-list>`.
The sender of the `[RESULT][VOTE] …` message **is** the release
manager for that specific cut.
## Known release-manager rotations
TODO: list any active rotation rosters (providers / components / core
/ chart / …).
## Release managers for releases currently relevant to the security tracker
TODO: for each recently-shipped or upcoming release carrying security
fixes, record:
- the release name + date;
- the release manager (with email + GitHub handle);
- the source of that attribution (archive URL to the `[RESULT][VOTE]`
thread);
- which CVEs shipped in it.
When this list becomes stale, the sync skill will surface it as a
blocker.
## Security team roster
TODO: the **authoritative** source is the collaborator list of the
tracker repository — anyone listed as a collaborator, regardless of
permission level, is on the security team.
```bash
gh api repos/<tracker>/collaborators --jq '.[].login'
```
Snapshot (update in the same change as member joins / rotates):
> TODO: list of GitHub handles.
## What this means for sync and fix skills
TODO: explicit defaults for the generic skills:
- Default milestone for a new patch-train security issue.
- Which backport labels the fix skill should apply by default.
- Legacy / do-not-use milestones (branches that have been retired).
- Any other sync-surfaced blockers specific to this project.