Diffstat (limited to 'docs/doing-a-release.rst')
| -rw-r--r-- | docs/doing-a-release.rst | 36 |
1 files changed, 31 insertions, 5 deletions
diff --git a/docs/doing-a-release.rst b/docs/doing-a-release.rst index 283b98b6..043d52d2 100644 --- a/docs/doing-a-release.rst +++ b/docs/doing-a-release.rst @@ -3,12 +3,33 @@ Doing a release Doing a release of ``cryptography`` requires a few steps. +Security Releases +----------------- + +In addition to the other steps described below, for a release which fixes a +security vulnerability, you should also include the following steps: + +* Request a `CVE from MITRE`_. Once you have received the CVE, it should be + included in the :doc:`changelog`. Ideally you should request the CVE before + starting the release process so that the CVE is available at the time of the + release. +* Ensure that the :doc:`changelog` entry credits whoever reported the issue. +* The release should be announced on the `oss-security`_ mailing list, in + addition to the regular announcement lists. + Verifying OpenSSL version ------------------------- -The release process uses a static build for Windows wheels. Check that the -Windows Jenkins builders have the latest version of OpenSSL installed -before performing the release. +The release process creates wheels bundling OpenSSL for Windows, macOS, and +Linux. Check that the Windows, macOS, and Linux builders (both +``pyca/cryptography-manylinux1`` and ``pyca/cryptography-manylinux2010``) have +the latest OpenSSL. If anything is out of date follow the instructions for +upgrading OpenSSL. + +Upgrading OpenSSL +----------------- + +Use the `upgrading OpenSSL issue template`_. Bumping the version number -------------------------- @@ -30,7 +51,7 @@ The commit that merged the version number bump is now the official release commit for this release. You will need to have ``gpg`` installed and a ``gpg`` key in order to do a release. Once this has happened: -* Run ``invoke release {version}``. +* Run ``python release.py {version}``. The release should now be available on PyPI and a tag should be available in the repository. 
@@ -59,8 +80,9 @@ Post-release tasks ------------------ * Update the version number to the next major (e.g. ``0.5.dev1``) in - ``cryptography/__about__.py`` and + ``src/cryptography/__about__.py`` and ``vectors/cryptography_vectors/__about__.py``. +* Close the `milestone`_ for the previous release on GitHub. * Add new :doc:`/changelog` entry with next version and note that it is under active development * Send a pull request with these items @@ -70,5 +92,9 @@ Post-release tasks * Send an email to the `mailing list`_ and `python-announce`_ announcing the release. +.. _`CVE from MITRE`: https://cveform.mitre.org/ +.. _`oss-security`: https://www.openwall.com/lists/oss-security/ +.. _`upgrading OpenSSL issue template`: https://github.com/pyca/cryptography/issues/new?template=openssl-release.md +.. _`milestone`: https://github.com/pyca/cryptography/milestones .. _`mailing list`: https://mail.python.org/mailman/listinfo/cryptography-dev .. _`python-announce`: https://mail.python.org/mailman/listinfo/python-announce-list |
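Review bot: In the new "Security Releases" section of the first hunk, the oss-security announcement step should state what the post needs to carry: the CVE identifier obtained in the first bullet, the affected and fixed version ranges, and a link to the changelog entry, so that readers of the list can act on it without visiting PyPI. A short parenthetical on the bullet "The release should be announced on the `oss-security`_ mailing list" would do. The "Verifying OpenSSL version" paragraph in the same hunk would also benefit from saying what "the latest OpenSSL" is compared against (the upstream release page), since a stale builder is exactly the case this step exists to catch.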
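Review bot: The second hunk swaps ``invoke release {version}`` for ``python release.py {version}`` but touches only that one bullet; the paragraph above it still lists ``gpg`` as the only prerequisite, so any earlier mention of installing ``invoke`` elsewhere in this document should be checked and removed in the same change, otherwise the prerequisites and the command will disagree.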
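Review bot: In the last hunk, the ``upgrading OpenSSL issue template`` target points at ``issues/new?template=openssl-release.md``, which only works if a template with that exact filename exists under the repository's issue templates; worth confirming it is present (or added alongside this change) so the "Upgrading OpenSSL" section does not link to a blank issue form. The ``milestone`` link goes to the milestones index rather than a specific milestone, which is fine, but the bullet "Close the `milestone`_ for the previous release on GitHub" could say to pick the one matching the version just released.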
