Security fixes

Security issues against AMO are currently reported in Bugzilla. When someone is assigned to work on one, they should open a new draft security advisory describing the security issue and linking to the Bugzilla bug, but not publish it. Opening the draft advisory unlocks the ability to have a private PR and fork to work on the issue.

The corresponding private PR should be reviewed as normal, but once it has been reviewed, it should not be merged right away. Instead, it should be called out in the release notes for the next release. Merging to master is part of push duty and happens right before tagging, using GitHub's regular merge functionality on the PR. The advisory can then be closed (it’s never published).