tools/dist/README.advisory - subversion - Git at Google

 A guide to sending security advisory e-mails
 ============================================

 --------------------------------------------------------
 Step 1: Prepare the advisory texts, patches and metadata
 --------------------------------------------------------

 [details are covered elsewhere]

 ----------------------------------
 Step 2: Prepare the website update
 ----------------------------------

   $ cd ${PMC_AREA_WC}/security
   $ ${TRUNK_WC}/tools/dist/advisory.py generate \
         --destination=${SITE_WC}/publish/security \
         CVE-2015-5259 CVE-2015-5343 ...

 This will generate a plain-text version of the advisories, including
 patches etc., suitable for publishing on our web site. Once these
 are generated, make sure you add the links to the new files to:

     ${SITE_WC}/publish/security/index.html


 -----------------------------------------------
 Step 3: Check the advisories and their metadata
 -----------------------------------------------

   $ cd ${PMC_AREA_WC}/security
   $ ${TRUNK_WC}/tools/dist/advisory.py test \
         --username=someone \
         --revision=22091347 \
         --release-versions=1.8.15,1.9.3 \
         --release-date=2015-12-15 \
         CVE-2015-5259 CVE-2015-5343 ...

 Assuming all the required bits are in place, this will generate the
 complete text of a GPG-signed e-mail message, signed by and sent from
 someone@apache.org, for all the listed CVE numbers.

 Note the arguments:

     --revision    is the revision on
                   https://dist.apache.org/repos/dist/dev/subversion
                   in which the tarballs are/will be available
                   (see: notice-template.txt in ${PMC_AREA_WC}/security).

     --release-versions   is a comma-separated list of version numbers
                          in which fixes for the CVE numbers will be
                          available.

     --release-date       is the expected date of the release(s).


 ----------------------
 Step 4: Send the mails
 ----------------------

   $ cd ${PMC_AREA_WC}/security
   $ ${TRUNK_WC}/tools/dist/advisory.py send \
         (the rest of the arguments are as in step 3).

 The mails will be sent one at a time to each recipient separately.


 --------------------------------------------------
 Step 5: Wait for the release. Release.
         Commit the site update prepared in step 1.
 --------------------------------------------------


 TODO: security/mailer.py does not calculate the micalg= PGP/MIME
       parameter based on the properties of the actual PGP key
       used. It's currently hard-coded as "pgp-sha512" which *should*
       be correct for anyone signing these mails with their ASF release
       signing key.
	A guide to sending security advisory e-mails
	============================================

	--------------------------------------------------------
	Step 1: Prepare the advisory texts, patches and metadata
	--------------------------------------------------------

	[details are covered elsewhere]

	----------------------------------
	Step 2: Prepare the website update
	----------------------------------

	$ cd ${PMC_AREA_WC}/security
	$ ${TRUNK_WC}/tools/dist/advisory.py generate \
	--destination=${SITE_WC}/publish/security \
	CVE-2015-5259 CVE-2015-5343 ...

	This will generate a plain-text version of the advisories, including
	patches etc., suitable for publishing on our web site. Once these
	are generated, make sure you add the links to the new files to:

	${SITE_WC}/publish/security/index.html


	-----------------------------------------------
	Step 3: Check the advisories and their metadata
	-----------------------------------------------

	$ cd ${PMC_AREA_WC}/security
	$ ${TRUNK_WC}/tools/dist/advisory.py test \
	--username=someone \
	--revision=22091347 \
	--release-versions=1.8.15,1.9.3 \
	--release-date=2015-12-15 \
	CVE-2015-5259 CVE-2015-5343 ...

	Assuming all the required bits are in place, this will generate the
	complete text of a GPG-signed e-mail message, signed by and sent from
	someone@apache.org, for all the listed CVE numbers.

	Note the arguments:

	--revision is the revision on
	https://dist.apache.org/repos/dist/dev/subversion
	in which the tarballs are/will be available
	(see: notice-template.txt in ${PMC_AREA_WC}/security).

	--release-versions is a comma-separated list of version numbers
	in which fixes for the CVE numbers will be
	available.

	--release-date is the expected date of the release(s).


	----------------------
	Step 4: Send the mails
	----------------------

	$ cd ${PMC_AREA_WC}/security
	$ ${TRUNK_WC}/tools/dist/advisory.py send \
	(the rest of the arguments are as in step 3).

	The mails will be sent one at a time to each recipient separately.


	--------------------------------------------------
	Step 5: Wait for the release. Release.
	Commit the site update prepared in step 1.
	--------------------------------------------------



	TODO: security/mailer.py does not calculate the micalg= PGP/MIME
	parameter based on the properties of the actual PGP key
	used. It's currently hard-coded as "pgp-sha512" which should
	be correct for anyone signing these mails with their ASF release
	signing key.