Unpredictable events, such as the discovery of a security or data integrity issue, might require a release outside the normal standard release schedule. Because of the nature of the triggering event, these emergency releases will happen with limited warning, and could happen at any time.
Immediately upon deciding a security release is required
An email announcement will be sent to all instance managers that there is an upcoming security release
The security issue will have a fix developed and integrated into the affected code repository
Affected code repository will undergo code freeze - all affected source code repositories will have a version selected for integration into the release
From most recent stable if it has appropriate fixes
Or from any most-appropriate source (such as a stable release plus some set of changes or any code version) as determined by technical team.
A list of changes introduced between previous release and the new version will be produced.
When that list of changes have infrastructural or procedural prerequisites, those prerequisites will be reviewed for readiness, and deployed if required using emergency change management processes
When that list of changes includes fixes in an open source module that were previously released in an internal module, the now redundant fix from the internal mode will be removed.
All changes will be checked to ensure they do not introduce security issues. Where a change does introduce a security issue it will be removed or disabled for the release
All changes will be checked to ensure they do not introduce significant regressions. Where a change does introduce a regression it will be removed or disabled for the release
The release will be committed to the version control system
The list of supported releases will be updated
A release announcement including the list of changes (referencing bug or work item identifiers when applicable) will be emailed to all Instance Managers and uploaded to the cwp.govt.nz website. This announcement will indicate that this is a security release, that agencies are required to upgrade to this release, and include a timeframe that this upgrade is required to be completed by.
Agency actions post release
Once a security release has been announced, agencies should, for each instance under their control, within the timeframe included in the announcement:
Integrate the release into the instance’s codebase. See upgrading for instructions.
Release newly updated codebase via the agency’s release procedure. See deploying code for details on the tools CWP provides for managing releases.
An agency may inform SilverStripe that they will not be able to upgrade within the timeframe, in which case SilverStripe will work with the agency on providing resource to help overcome the cause of the inability to upgrade.
Where an agency has not upgraded within the timeframe SilverStripe will forcibly upgrade the instance, and notify the Instance Manager of this action via email.