Drupal.org blog: Migrating issues from security.drupal.org to git.drupalcode.org
All security issues have been migrated from the older security.drupal.org site to our GitLab instance at git.drupalcode.org. This is the latest in a series of steps to improve Drupal’s coordinated vulnerability disclosure tools. We hope this will help in a few ways:
Merge requests for security issues will get automated testing to increase the quality of the releases. (Previously, tests for core security issues had to be triggered manually, and contrib testing was not available.)
GitLab has more automation to help with advisory creation, reducing manual work.
Powerful features like labels, commenting, and thread reviews on merge requests are now possible for security issues as well.
Here are some of the key steps we took:
- We started by evaluating a few solutions. We decided to use the GitLab instance on drupalcode.org.
- We planned how to remap and improve the current features from security.drupal.org and added some labels and automation to private issues on drupalcode.org.
- We made new security issue reporting default to git.drupalcode.org for several months. This helped us could gain confidence in the system, fix bugs, and make improvements.
- While that happened, Neil Drumm worked to create the migration process.
- The migration finally ran from July 9th to July 12th.
This work is possible because of support from the Drupal Association and is very appreciated.
We suppressed most emails during the migration, but a small number of people did get extra notification emails about issues, including old issues. We apologize for any resulting confusion.
How do I use GitLab to submit and manage security issues?As before, security reports should be submitted by clicking the “Report a security vulnerability” link on the project page. If a project has already migrated public issues to git.drupalcode.org, you may also mark an issue confidential as you open it. The Security Team triages confidential issues for all covered projects.
For more information about how Drupal.org’s GitLab instance works, read our documentation.
You can read about the Security Team’s process in general. There is also a page dedicated to managing security issues on git.drupalcode.org. Those pages likely need updates, so please report any documentation issues in the Security Team Queue..
What do you think?Let us know your thoughts. If you have feedback about how to further improve the Security Team process, you can file them in the Security Team Queue. If you have issues to report about the GitLab tooling itself on git.drupalcode.org, you can file them in the Drupal.org queue.
The old site does a redirect to the new location for issues and members of the Security Team can get content out of it if anyone notices items missing from the migration.
Thanks to longwave, hestenet, dokumori, drumm, and xjm for help in writing this post.