August 14th, 2008
As most of you know, a critical security vulnerability affecting all Joomla versions below (and including) 1.5.5 was discovered on Tuesday, August 12th, 2008. What most of you don’t know is what went on behind the scenes that day. A whole mass of people came together and immediately worked on all the tasks necessary to make 1.5.6 happen. Experiencing this first hand was quite amazing… Publishing a release is a process that normally has two weeks (and a team of people) devoted to it (for everything from selecting which remaining artifacts will be fixed, to translations, to clicking publish and everything in-between). This all happened in a VERY short time.
Here’s an abridged breakdown of how 1.5.6 came to be…
Bug Squad member Marijke Stuivenberg points the squad to a reported vulnerability in Joomla 1.5.5.
Bug Squad members Jennifer Mariott, Elin Waring, and Marijke (along with development coordinator Wilco Jansen, OSM Vice President Rob Schley and myself) verify that the vulnerability exists and the report is valid.
All available development Work Group members, Bug Squad members and Core Team members are notified of the issue.
Bug Squad confirms that 1.5’s SVN is stable and is ready for immediate release pending vulnerability fix.
Forum moderators are informed of the issue and asked to remove references to it until release.
Patch is generated and provided to Bug Squad for testing/confirmation of fix.
Patch is confirmed to fix vulnerability.
Front page announcement is drafted.
Patch is committed into SVN along with all preparations for release.
Joomla 1.5 branch is frozen for release cycle. Bug Squad begins testing sanity and operation of SVN.
Security announcement (on developer.joomla.org) is drafted.
Front page announcement provided to translators.
Joomlacode prepared for release.
Bug Squad confirms sanity of SVN and that all release preparations are in place.
Package generation begins.
Full download packages generated.
Packages provided to Bug Squad for validation and testing.
Bug Squad confirms package sanity; final steps before release are completed.
Front Page article and Developer security report published.
Full download packages released.
All patch downloads tested and published. Release cycle completed.
Total time from report of vulnerability to initial release: 2 hours 50 minutes
Total time from report of vulnerability to completion of release cycle: 3 hours 40 minutes
Total number of people directly involved: between 20 and 30