Drupal.org blog: Migrating issues from security.drupal.org to git.drupalcode.org

As before, security reports should be submitted by clicking the “Report a security vulnerability” link on the project page. If a project has already migrated public issues to git.drupalcode.org, you may also mark an issue confidential as you open it. The Security Team triages confidential issues for all covered projects.This work is possible because of support from the Drupal Association and is very appreciated.
You can read about the Security Team’s process in general. There is also a page dedicated to managing security issues on git.drupalcode.org. Those pages likely need updates, so please report any documentation issues in the Security Team Queue..

  • We started by evaluating a few solutions. We decided to use the GitLab instance on drupalcode.org.
  • We planned how to remap and improve the current features from security.drupal.org and added some labels and automation to private issues on drupalcode.org.
  • We made new security issue reporting default to git.drupalcode.org for several months. This helped us could gain confidence in the system, fix bugs, and make improvements.
  • While that happened, Neil Drumm worked to create the migration process.
  • The migration finally ran from July 9th to July 12th.

Here are some of the key steps we took:
Thanks to longwave, hestenet, dokumori, drumm, and xjm for help in writing this post.

How do I use GitLab to submit and manage security issues?

We suppressed most emails during the migration, but a small number of people did get extra notification emails about issues, including old issues. We apologize for any resulting confusion.
Merge requests for security issues will get automated testing to increase the quality of the releases. (Previously, tests for core security issues had to be triggered manually, and contrib testing was not available.)
GitLab has more automation to help with advisory creation, reducing manual work.
Powerful features like labels, commenting, and thread reviews on merge requests are now possible for security issues as well.
For more information about how Drupal.org’s GitLab instance works, read our documentation.

What do you think?

The old site does a redirect to the new location for issues and members of the Security Team can get content out of it if anyone notices items missing from the migration.
All security issues have been migrated from the older security.drupal.org site to our GitLab instance at git.drupalcode.org. This is the latest in a series of steps to improve Drupal’s coordinated vulnerability disclosure tools. We hope this will help in a few ways:
Let us know your thoughts. If you have feedback about how to further improve the Security Team process, you can file them in the Security Team Queue. If you have issues to report about the GitLab tooling itself on git.drupalcode.org, you can file them in the Drupal.org queue.

Similar Posts