Name                              Date         Size      #Lines  LOC

..                                04-Feb-2021  -
backport/                         04-Feb-2021  -         990     719
backport_tests_data/              04-Feb-2021  -         4,935   3,688
security/                         04-Feb-2021  -         2,237   1,703
templates/                        04-Feb-2021  -         725     468
README.advisory                   05-Dec-2015  2.6 KiB   79      55
README.backport                   12-Feb-2018  3 KiB     86      56
advisory.py                       25-Oct-2016  6.4 KiB   183     135
backport.pl                       03-May-2022  42.4 KiB  1,344   1,024
backport_tests.py                 25-Mar-2020  24 KiB    717     405
backport_tests_pl.py              30-Mar-2015  2.2 KiB   54      19
backport_tests_py.py              30-Mar-2015  2.1 KiB   55      24
changes-to-html.py                13-Sep-2018  2.3 KiB   89      47
checksums.py                      25-Mar-2020  3.2 KiB   114     60
detect-conflicting-backports.py   20-Oct-2016  4.1 KiB   124     77
dist.sh                           06-Aug-2017  13.5 KiB  417     275
edit-N-log-messages               24-Dec-2017  2.8 KiB   95      53
extract-for-examination.sh        19-Nov-2009  1,005     38      14
merge-approved-backports.py       20-Oct-2016  1.7 KiB   54      26
nightly.sh                        21-May-2019  2.9 KiB   99      50
nominate.pl                       03-May-2022  42.4 KiB  1,344   1,024
rat-excludes                      30-Jul-2015  1.3 KiB   50      49
release-lines.yaml                25-Mar-2020  1.4 KiB   31      28
release.py                        25-Mar-2020  75.2 KiB  1,917   1,355
test.sh                           19-Nov-2009  2 KiB     63      32

README.advisory

A guide to sending security advisory e-mails
============================================

--------------------------------------------------------
Step 1: Prepare the advisory texts, patches and metadata
--------------------------------------------------------

[details are covered elsewhere]

----------------------------------
Step 2: Prepare the website update
----------------------------------

  $ cd ${PMC_AREA_WC}/security
  $ ${TRUNK_WC}/tools/dist/advisory.py generate \
        --destination=${SITE_WC}/publish/security \
        CVE-2015-5259 CVE-2015-5343 ...

This will generate a plain-text version of the advisories, including
patches etc., suitable for publishing on our web site. Once these
are generated, make sure you add the links to the new files to:

    ${SITE_WC}/publish/security/index.html


-----------------------------------------------
Step 3: Check the advisories and their metadata
-----------------------------------------------

  $ cd ${PMC_AREA_WC}/security
  $ ${TRUNK_WC}/tools/dist/advisory.py test \
        --username=someone \
        --revision=22091347 \
        --release-versions=1.8.15,1.9.3 \
        --release-date=2015-12-15 \
        CVE-2015-5259 CVE-2015-5343 ...

Assuming all the required bits are in place, this will generate the
complete text of a GPG-signed e-mail message, signed by and sent from
someone@apache.org, for all the listed CVE numbers.

Note the arguments:

    --revision    is the revision on
                  https://dist.apache.org/repos/dist/dev/subversion
                  in which the tarballs are/will be available
                  (see: notice-template.txt in ${PMC_AREA_WC}/security).

    --release-versions   is a comma-separated list of version numbers
                         in which fixes for the CVE numbers will be
                         available.

    --release-date       is the expected date of the release(s).


----------------------
Step 4: Send the mails
----------------------

  $ cd ${PMC_AREA_WC}/security
  $ ${TRUNK_WC}/tools/dist/advisory.py send \
        (the rest of the arguments are as in step 3).

The mails will be sent one at a time to each recipient separately.


--------------------------------------------------
Step 5: Wait for the release. Release.
        Commit the site update prepared in step 1.
--------------------------------------------------



TODO: security/mailer.py does not calculate the micalg= PGP/MIME
      parameter based on the properties of the actual PGP key
      used. It's currently hard-coded as "pgp-sha512" which *should*
      be correct for anyone signing these mails with their ASF release
      signing key.
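The TODO above concerns the PGP/MIME micalg= parameter (RFC 3156), whose correct value is fixed by the hash algorithm the signature was actually produced with, which is recorded in the signature packet itself. As an added example, not code from mailer.py or from the Subversion project, the snippet below reads that hash algorithm id out of a detached OpenPGP signature (RFC 4880 packet framing) and maps it to the micalg token; the two sample packets are constructed for illustration and are not real signatures.

```python
import struct

# RFC 4880 s9.4 hash algorithm ids -> RFC 3156 micalg tokens.
MICALG_BY_HASH_ID = {1: "pgp-md5", 2: "pgp-sha1", 3: "pgp-ripemd160", 8: "pgp-sha256",
                     9: "pgp-sha384", 10: "pgp-sha512", 11: "pgp-sha224"}


def packet_header(data):
    """Return (tag, body_offset, body_length) for one OpenPGP packet (RFC 4880 s4.2)."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("missing OpenPGP packet header bit")
    if first & 0x40:                                  # new-format header
        tag, b1 = first & 0x3F, data[1]
        if b1 < 192:
            return tag, 2, b1
        if b1 < 224:
            return tag, 3, ((b1 - 192) << 8) + data[2] + 192
        if b1 == 255:
            return tag, 6, struct.unpack(">I", data[2:6])[0]
        raise ValueError("partial body lengths not supported")
    tag, ltype = (first & 0x3C) >> 2, first & 0x03    # old-format header
    if ltype == 0:
        return tag, 2, data[1]
    if ltype == 1:
        return tag, 3, struct.unpack(">H", data[1:3])[0]
    if ltype == 2:
        return tag, 5, struct.unpack(">I", data[1:5])[0]
    raise ValueError("indeterminate length not supported")


def micalg_from_signature(sig):
    """Return the micalg token for the hash algorithm recorded in a signature packet."""
    tag, off, length = packet_header(sig)
    if tag != 2:
        raise ValueError("not a signature packet (tag %d)" % tag)
    body = sig[off:off + length]
    if body[0] == 4:              # v4: version, sig type, pubkey alg, hash alg, ...
        hash_id = body[3]
    elif body[0] == 3:            # v3: hash alg follows the 8-octet key id and pubkey alg
        hash_id = body[16]
    else:
        raise ValueError("unsupported signature version %d" % body[0])
    return MICALG_BY_HASH_ID[hash_id]


# Constructed samples (not real signatures): minimal v4 bodies = version 4, type 0x00,
# pubkey alg 1 (RSA), hash alg (10 = SHA-512, 8 = SHA-256), padded to the stated length.
SAMPLE_OLD_FORMAT_SHA512 = bytes([0x88, 0x0A, 0x04, 0x00, 0x01, 0x0A, 0, 0, 0, 0, 0xAB, 0xCD])
SAMPLE_NEW_FORMAT_SHA256 = bytes([0xC2, 0x0A, 0x04, 0x00, 0x01, 0x08, 0, 0, 0, 0, 0xAB, 0xCD])
```

In a PGP/MIME message the application/pgp-signature part is ASCII-armored, so the armor body must be base64-decoded before it is passed to micalg_from_signature().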

README.backport

A guide to the various backport scripts:
========================================

There are two primary functions:

F1. Auto-merge bot; the nightly svn-role commits.

F2. Conflicts detector bot; the svn-backport-conflicts-1.9.x buildbot task.

And two interactive functions¹:

F3. Reviewing STATUS nominations and casting votes.

F4. Adding new entries to STATUS.



The scripts are:

backport.pl:
    oldest script, implements [F1], [F2], and [F3].  As of Feb 2018, used in
    production by svn-role (running on svn-qavm3) and by svn-backport-conflicts-1.9.x
    (a buildbot job).

nominate.pl:
    Symlink to backport.pl.  Implements [F4].  (The script inspects its argv[0].)

backport_tests_pl.py:
    Regression tests for backport.pl.


backport/*.py:
    New Python-based library implementation of STATUS parsing (status.py) and
    of merging nominated revisions (merger.py).  Colloquially referred to as
    'backport.py', even though there is no script by that name.  Written in
    Python 3.

    The modules include their unit tests, see 'python3 -munittest
    backport.status' and 'python3 -munittest backport.merger'.  However,
    changes to these files should be tested both by the unit tests and by the
    backport_tests_py.py blackbox/regression tests.

detect-conflicting-backports.py:
    Implementation of [F2] using backport.py.
    Not currently used in production.

merge-approved-backports.py:
    Implementation of [F1] using backport.py.
    Not currently used in production.

backport_tests_py.py:
    Regression tests for detect-conflicting-backports.py and merge-approved-backports.py.


backport_tests.py:
    Common part of backport_tests_pl.py and backport_tests_py.py.  Uses the
    svntest framework (../../subversion/tests/cmdline/svntest/), which is
    written in Python 2.

    Note that backport_tests.py and backport/*.py are written in different
    languages, so they never 'import' each other.  backport_tests.py invokes
    detect-conflicting-backports.py, merge-approved-backports.py, and
    backport.pl in the same manner: through subprocess.check_call().

backport_tests_data/backport*.dump:
    Expected output files for backport_tests.py; see the BackportTest
    decorator in backport_tests.py.


All scripts can be run with '--help' to display their usage messages.

backport.pl is considered deprecated since backport.py is better architected
and is written in a language that many more active developers are comfortable
with.  The unattended jobs [F1] and [F2] should be converted to using
backport.py whenever someone gets around to doing the legwork.  The interactive
versions [F3] and [F4] are still in active use, however, so the physical
backport.pl script should be kept around until Python versions of these are
available.


TODO: document that "Notes: ... --accept=foo ..." is parsed, see backport_tests.py #3.


¹ For backport.pl's interactive features, see:
<http://mail-archives.apache.org/mod_mbox/subversion-dev/201503.mbox/%3c20150304225114.GD2036@tarsus.local2%3e>