A guide to sending security advisory e-mails
============================================

--------------------------------------------------------
Step 1: Prepare the advisory texts, patches and metadata
--------------------------------------------------------

[details are covered elsewhere]

----------------------------------
Step 2: Prepare the website update
----------------------------------

  $ cd ${PMC_AREA_WC}/security
  $ ${TRUNK_WC}/tools/dist/advisory.py generate \
        --destination=${SITE_WC}/publish/security \
        CVE-2015-5259 CVE-2015-5343 ...

This will generate a plain-text version of the advisories, including
patches etc., suitable for publishing on our web site. Once these
are generated, make sure you add the links to the new files to:

  ${SITE_WC}/publish/security/index.html

-----------------------------------------------
Step 3: Check the advisories and their metadata
-----------------------------------------------

  $ cd ${PMC_AREA_WC}/security
  $ ${TRUNK_WC}/tools/dist/advisory.py test \
        --username=someone \
        --revision=22091347 \
        --release-versions=1.8.15,1.9.3 \
        --release-date=2015-12-15 \
        CVE-2015-5259 CVE-2015-5343 ...

Assuming all the required bits are in place, this will generate the
complete text of a GPG-signed e-mail message, signed by and sent from
someone@apache.org, for all the listed CVE numbers.

Note the arguments:

  --revision          is the revision on
                      https://dist.apache.org/repos/dist/dev/subversion
                      in which the tarballs are/will be available
                      (see: notice-template.txt in ${PMC_AREA_WC}/security).

  --release-versions  is a comma-separated list of version numbers
                      in which fixes for the CVE numbers will be
                      available.

  --release-date      is the expected date of the release(s).

----------------------
Step 4: Send the mails
----------------------

  $ cd ${PMC_AREA_WC}/security
  $ ${TRUNK_WC}/tools/dist/advisory.py send \
        (the rest of the arguments are as in step 3).

The mails will be sent one at a time to each recipient separately.

--------------------------------------------------
Step 5: Wait for the release. Release.
Commit the site update prepared in step 2.
--------------------------------------------------

TODO: security/mailer.py does not calculate the micalg= PGP/MIME
      parameter based on the properties of the actual PGP key
      used. It's currently hard-coded as "pgp-sha512" which *should*
      be correct for anyone signing these mails with their ASF release
      signing key.
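The hard-coded micalg= value in the TODO above is a mismatch waiting to happen: RFC 3156 requires micalg to name the digest that was actually used, and a verifier that trusts the parameter will reject or mis-verify the message if the signer's gpg configuration picks a different hash. The following added example (written for this guide, not code from advisory.py or mailer.py) shows one way to close the gap: it reads the hash algorithm id out of the detached OpenPGP signature packet (RFC 4880 section 5.2), maps it to the RFC 3156 micalg name, and builds the multipart/signed message with that value. The function and variable names, and the constructed "signature" used as input, are assumptions made here for the illustration; the skeleton packet is not a real signature and is only enough to exercise the parser offline.

```python
"""Derive the PGP/MIME micalg= parameter from the detached signature itself."""
import base64
from email import encoders
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# RFC 4880 section 9.4 hash algorithm ids, mapped to the RFC 3156 micalg names.
HASH_ALGOS = {1: "md5", 2: "sha1", 3: "ripemd160", 8: "sha256",
              9: "sha384", 10: "sha512", 11: "sha224"}


def dearmor(armored: str) -> bytes:
    """Return the raw packet bytes inside an ASCII-armored detached signature."""
    lines = armored.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP SIGNATURE-----"):
        raise ValueError("not an armored PGP signature")
    b64, in_body = [], False
    for line in lines[1:]:
        if line.startswith("-----END PGP SIGNATURE-----"):
            break
        if not in_body:
            in_body = line.strip() == ""   # a blank line ends the armor headers
            continue
        if line.startswith("="):           # CRC24 checksum line, not packet data
            continue
        b64.append(line.strip())
    return base64.b64decode("".join(b64))


def signature_hash_algo(packet: bytes) -> int:
    """Read the hash algorithm id out of the first OpenPGP signature packet."""
    ctb = packet[0]
    if not ctb & 0x80:
        raise ValueError("invalid packet tag byte")
    if ctb & 0x40:                         # new-format header (RFC 4880 4.2.2)
        tag = ctb & 0x3F
        first = packet[1]
        if first < 192:
            body = packet[2:]
        elif first < 224:
            body = packet[3:]
        elif first == 255:
            body = packet[6:]
        else:
            raise ValueError("partial body lengths are not expected in a signature")
    else:                                  # old-format header (RFC 4880 4.2.1)
        tag = (ctb >> 2) & 0x0F
        length_type = ctb & 0x03
        if length_type == 3:
            raise ValueError("indeterminate packet length")
        body = packet[1 + (1, 2, 4)[length_type]:]
    if tag != 2:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    version = body[0]
    if version == 3:       # v3: hash algo follows the 8-byte key id and pubkey algo
        return body[16]
    if version >= 4:       # v4 and later: version, sig type, pubkey algo, hash algo
        return body[3]
    raise ValueError(f"unsupported signature version {version}")


def micalg_for(armored_sig: str) -> str:
    """micalg= value that matches the digest the signature was actually made with."""
    algo = signature_hash_algo(dearmor(armored_sig))
    if algo not in HASH_ALGOS:
        raise ValueError(f"no micalg name for hash algorithm id {algo}")
    return "pgp-" + HASH_ALGOS[algo]


def build_pgp_mime(body_text: str, armored_sig: str) -> MIMEMultipart:
    """Assemble an RFC 3156 multipart/signed message around an existing signature.
    The caller must have signed the exact canonical (CRLF) bytes of the first part."""
    msg = MIMEMultipart("signed", protocol="application/pgp-signature",
                        micalg=micalg_for(armored_sig))
    msg.attach(MIMEText(body_text, "plain", "utf-8"))
    msg.attach(MIMEApplication(armored_sig.encode("ascii"), "pgp-signature",
                               encoders.encode_7or8bit, name="signature.asc"))
    return msg


def constructed_armored_signature(hash_algo_id: int, new_format: bool = True) -> str:
    """Constructed test input, NOT a real signature: a v4 signature packet skeleton
    whose only meaningful field is the hash algorithm id (the CRC line is a dummy too)."""
    body = (bytes([4, 0x00, 1, hash_algo_id])  # version 4, binary-doc sig, RSA, hash algo
            + b"\x00\x00"                       # hashed subpacket area, length 0
            + b"\x00\x00"                       # unhashed subpacket area, length 0
            + b"\x00\x00"                       # left 16 bits of the hash (dummy)
            + b"\x00\x01\x00")                  # one dummy 1-bit MPI
    header = bytes([0xC2 if new_format else 0x88, len(body)])   # tag 2, 1-byte length
    b64 = base64.b64encode(header + body).decode("ascii")
    return ("-----BEGIN PGP SIGNATURE-----\n\n" + b64
            + "\n=AAAA\n-----END PGP SIGNATURE-----\n")


if __name__ == "__main__":
    msg = build_pgp_mime("Advisory text goes here.\n", constructed_armored_signature(10))
    print(msg.get_param("micalg"))   # pgp-sha512
    print(msg.as_string())
```

In the real mailer the armored signature would come from gpg's detached-sign output over the canonicalised first MIME part; deriving micalg from that output, rather than from the key or from a constant, is what keeps the parameter honest when the signer's digest preference changes.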