Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Help BTR Establish a Process for Taking Django Security Fixes #5

Closed
feanil opened this issue Feb 17, 2023 · 11 comments
Closed

Help BTR Establish a Process for Taking Django Security Fixes #5

feanil opened this issue Feb 17, 2023 · 11 comments
Assignees

Comments

@feanil
Copy link
Contributor

feanil commented Feb 17, 2023

Playbook for frontend: https://openedx.atlassian.net/wiki/spaces/COMM/pages/3664412693/Applying+a+security+patch+to+a+package

Original conversations:

@feanil feanil converted this from a draft issue Feb 17, 2023
@feanil feanil self-assigned this Feb 22, 2023
@kdmccormick
Copy link
Member

Another conversation:

@pshiu
Copy link

pshiu commented Mar 8, 2023

Open question for BTR:

  • Does the injection of proactive security fixes into named release branches impact BTR's testing processes?
  • Would it make sense to limit backports of proactive security fixes to a certain severity level?
    • (Security WG can come up with the severity level; but would this benefit BTR in light of the previous question?)

@pshiu
Copy link

pshiu commented Mar 9, 2023

Informally discussed with the 2U Open Source Process Working Group to gain more ideas. Summary:

  • Security issues should not be considered fixed until they are backported.
  • Idea: Get Dependabot alerts for non-default branches. But seems impossible: [GitHub docs]
  • Named releases don’t run “make upgrade”. They (BTR?) apply Django security patches though.
  • From a maintainer's point of view, it would be great if it were clear for them to know what they need to backport and what they don't because it will be taken care of by, e.g., BTR.

Source from 2U Slack

@alangsto
Copy link

Informally discussed with BTR group to create a new role to handle security updates for Django and Node.

There is an existing github workflow for updating dependencies in specified repositories, this could be used to update the Django and Node versions when a security patch is released.

@feanil feanil moved this from Todo to In Progress in Security Working Group Apr 20, 2023
@feanil
Copy link
Contributor Author

feanil commented Apr 26, 2023

Jorge is working to establish a BTR Security Patcher role. I'm working with him on the definition of that role.

@magajh
Copy link

magajh commented May 25, 2023

Hey there! I'll be working on this issue

@magajh
Copy link

magajh commented May 25, 2023

assign me

@feanil
Copy link
Contributor Author

feanil commented Oct 18, 2023

The workflow needs a bit more work because the vulnerability databases we were looking at were not getting updated very quickly. We'll need to update to have manual intervention to start the patching process.

@magajh
Copy link

magajh commented Nov 15, 2023

Update: From the BTR team, we are currently working on an issue that focuses on monitoring security vulnerabilities in our release branches. This effort is closely related to this task and is likely to have a significant impact on the process of managing Django security patches.
Link to the issue: openedx/wg-build-test-release#317

@magajh
Copy link

magajh commented May 15, 2024

Here is a draft document detailing the process we are currently following in the BTR to apply Django security patches:
https://openedx.atlassian.net/wiki/spaces/COMM/pages/edit-v2/3878060063?draftShareId=cfc59029-e858-44fd-bee6-ec7163d05d89

@magajh
Copy link

magajh commented Jun 5, 2024

Here's what we've accomplished to help the BTR establish a process for applying Django security patches regularly:

  • A "security patcher" role has been created within the BTR, thanks to collaboration between @jalondonot and @feanil. This role will ensure security for Open edX releases by collaborating with the Security Working Group, prioritizing patches, leading testing, documenting vulnerabilities, and keeping dependencies secure. This includes making sure Django security fixes are applied regularly.

  • A document outlining the process for identifying and applying security patches has been created: link to document.

This process may evolve further once issue openedx/wg-build-test-release#317 gets fully addressed, but in the meantime, we have a defined process in place for regular application of Django security patches. So I think we are good to close this issue
cc @feanil

@magajh magajh closed this as completed Jun 5, 2024
@github-project-automation github-project-automation bot moved this from In Progress to Done in Security Working Group Jun 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
Archived in project
Development

No branches or pull requests

5 participants