2019-11-18 05:58:33 +01:00
---
title: Release process
2014-09-26 09:49:44 +02:00
summary: Describes the process followed for "core" releases.
2019-11-18 05:58:33 +01:00
iconBrand: git-alt
---
2014-09-26 09:49:44 +02:00
2011-02-21 22:23:22 +01:00
# Release Process
2011-02-07 07:48:44 +01:00
2018-05-03 05:20:17 +02:00
This page describes the process followed for "core" releases
(the modules included by [silverstripe/recipe-core ](https://github.com/silverstripe/recipe-core )
and [silverstripe/recipe-cms ](https://github.com/silverstripe/recipe-cms )).
2011-02-07 07:48:44 +01:00
## Release Planning
2019-12-10 05:17:50 +01:00
The Silverstripe CMS core team uses an Agile methodology. We aim to keep the latest development branches of each
module in a "potentially releasable" state. Releases are planned around an issue backlog according to our
[roadmap ](https://www.silverstripe.org/software/roadmap/ ). We re-revaluate our priorities every few weeks.
Silverstripe CMS is split up into many modules listed on [github.com/silverstripe ](https://github.com/silverstripe ).
2020-01-06 22:08:32 +01:00
Each may have a different release line (e.g. 1.x vs. 4.x).
2018-01-29 03:38:04 +01:00
There are high-level "recipe" milestones on the [framework repository ](https://github.com/silverstripe/silverstripe-framework/milestones )
2019-12-10 05:17:50 +01:00
to combine individual module milestones into a larger release that's eventually available to install with
[composer ](https://silverstripe.org/download ).
2018-01-29 03:38:04 +01:00
2018-05-03 05:19:45 +02:00
New features and API changes are discussed as
2018-05-03 05:20:17 +02:00
[GitHub issues ](https://docs.silverstripe.org/en/contributing/issues_and_bugs/ )),
2018-05-03 05:19:45 +02:00
as well as the [forum ](https://forum.silverstripe.org ).
They are prioritised by the core team as tickets on
2019-09-06 06:01:30 +02:00
github.com. In addition, we collect community feedback as [feature ideas ](https://forum.silverstripe.org/c/feature-ideas ) on the forum.
2014-12-04 22:27:52 +01:00
Any feature ideas we're planning to implement will be flagged there.
2011-02-07 07:48:44 +01:00
Release dates are usually not published prior to the release, but you can get a good idea of the release status by
2013-04-02 01:46:36 +02:00
reviewing the release milestone on github.com. Releases will be
2018-05-03 05:19:45 +02:00
announced on the ["releases" forum category ](https://forum.silverstripe.org/c/releases ).
2011-02-07 07:48:44 +01:00
2019-05-22 00:16:24 +02:00
## Release numbering {#release-numbering}
2011-02-07 07:48:44 +01:00
2019-12-10 05:17:50 +01:00
Silverstripe CMS follows [Semantic Versioning ](http://semver.org ).
2011-02-07 07:48:44 +01:00
2019-12-10 05:17:50 +01:00
All Silverstripe CMS modules (including `silverstripe/framework` ) may have patch releases created at any time, and will
2019-05-22 00:16:24 +02:00
not necessarily match other core module patch release numbers. For example, your project may be using
2019-12-10 05:17:50 +01:00
`silverstripe/cms` 4.3.1 with `silverstripe/versioned` 4.3.9.
2019-05-22 00:16:24 +02:00
2019-12-10 05:17:50 +01:00
All Silverstripe CMS recipes are released in lock step with each other. For example, `silverstripe/installer` 4.3.1 will
contain `silverstripe/recipe-cms` 4.3.1 and `silverstripe/recipe-core` 4.3.1. These recipes may contain various patch
2019-05-22 00:16:24 +02:00
versions of its modules within the same minor release line (4.3 in this example).
2019-12-10 05:17:50 +01:00
## Regular quarterly releases
2020-01-06 22:08:32 +01:00
A regular Silverstripe CMS release is tagged on a quarterly basis, in the months: March, June, September, December. This usually involves creating a new minor increment of
2019-12-10 05:17:50 +01:00
each core recipe. Regular quarterly releases are preceded by pre-stable releases to help lay the groundwork for the
stable release.
### Beta phase
At the start of the Beta phase:
* new minor branches for core modules are forked from the major branches
* a feature freeze is instituted on the minor branches
* a `beta1` release is tagged for recipes and related modules.
2020-01-06 22:14:32 +01:00
The length of the beta phase period will be communicated at the time it is tagged via the [Silverstripe Forum ](https://forum.silverstripe.org/c/releases ). While the beta phase lasts additional betas may be released to address critical issues holding back
2019-12-10 05:17:50 +01:00
testers.
#### "Beta release" definition
2020-01-06 22:08:32 +01:00
The purpose of a beta release is to initiate a "Feature Freeze" to stabilise the Silverstripe CMS codebase for an upcoming stable release and showcase
2019-12-10 05:17:50 +01:00
new features. A beta release is likely to contain regressions and new bugs. A beta release is primarily aimed at testers
who want to help identify bugs and regressions.
#### "Feature freeze" definition
A "Feature freeze" is a pre-release minor branch state. This state allows the core team to stabilise the upcoming
release and reach production quality.
The following type of changes can be merged in a branch in feature freeze:
* bug fixes, regardless of severity
* API changes if they fix a bug and are compliant with our existing semver commitments
* merge-ups from older minor branches (introducing bug fixes).
The following changes cannot be merged in a branch in feature freeze:
* anything that introduces new features
* API changes not targeted to fixing a bug, or that alter an existing API in a stable release.
### Release Candidate phase
All critical or high priority issues in the beta release should have been identified and fixed by the start of the
Release Candidate phase.
At the start of the Release Candidate phase:
* a publicly visible `rc1` release is tagged for recipes and related modules
* a private Release Candidate is created containing fixes for undisclosed vulnerabilities on top of the `rc1` release
* the private Release Candidate is delivered to independent auditors for a security review.
The Release Candidate phase lasts approximately two weeks. Additional patches may be added to the final release only if:
* vulnerabilities are discovered by the security audit
* additional critical issues are identified.
#### "Release Candidate" definition
A release candidate will not introduce any new features compared to its preceding beta release. The Silverstripe CMS
core team is confident a release candidate is production quality and does not introduce new regressions.
The purpose of a release candidate is to allow module maintainers and project owners to audit the upcoming release and
confidently plan their upgrades.
Only critical bug fixes can be added to the upcoming stable release once the release candidate is released.
### Stable phase
A new stable minor release is tagged for Silverstripe CMS core recipes. This marks the start of our official semver
commitment for any new APIs introduced in that minor release.
2018-09-05 03:54:48 +02:00
## Supported versions {#supported-versions}
2011-02-07 07:48:44 +01:00
At any point in time, the core development team will support a set of releases to varying levels:
2019-12-10 05:17:50 +01:00
* The status of major releases is determined by the [roadmap ](http://silverstripe.org/roadmap )
* Minor releases of major releases in "active development" or "full support" are released roughly every three months, and their End-of-Life (EOL) is announced at least six months in advance
* The latest minor release is supported as long as the underlying major release
* API changes and major new features are applied to the master branch, to be included in the next major release
* New APIs can be applied to the current minor release of major releases in "active development", but should usually be marked as "internal" APIs until they're considered stable
* Enhancements are applied to the next minor release of major releases in "active development"
* Non-critical bugfixes and all security fixes are applied to all supported minor releases of major releases in "active development" or "full support"
* Critical bugfixes and [critical security fixes ](#severity-rating ) are applied to the all minor releases of major releases in "active development", "full support" or "limited support"
* [Non-critical security fixes ](#severity-rating ) are backported to releases in "limited support" on a best effort basis
* Any patches applied to older minor releases are merged up regularly to newer minor releases (in the same major release)
* Any patches applied to older major releases are merged up regularly to newer major releases
Note that this only applies to the "core" recipe (the modules included by [silverstripe/recipe-core ](https://github.com/silverstripe/recipe-core )
2018-09-05 03:54:48 +02:00
and [silverstripe/recipe-cms ](https://github.com/silverstripe/recipe-cms )).
For [supported modules ](https://www.silverstripe.org/software/addons/silverstripe-commercially-supported-module-list/ ) outside of this recipe,
please refer to our [supported modules definition ](https://www.silverstripe.org/software/addons/supported-modules-definition/ ).
2011-02-07 07:48:44 +01:00
2012-02-01 01:47:49 +01:00
## Deprecation
2011-02-07 07:48:44 +01:00
2013-03-20 10:20:27 +01:00
Needs of developers (both on core framework and custom projects) can outgrow the capabilities
2015-06-18 07:26:58 +02:00
of a certain API. Existing APIs might turn out to be hard to understand, maintain, test or stabilise.
2011-02-07 07:48:44 +01:00
In these cases, it is best practice to "refactor" these APIs into something more useful.
2019-12-10 05:17:50 +01:00
The Silverstripe CMS team acknowledges that developers have built a lot of code on top of existing APIs,
2011-02-07 07:48:44 +01:00
so we strive for giving ample warning on any upcoming changes through a "deprecation cycle".
How to deprecate an API:
2019-12-10 05:17:50 +01:00
* Add a `@deprecated` item to the docblock tag, with a `{@link <class>}` item pointing to the new API to use.
* Update the deprecated code to throw a [Deprecation::notice() ](api:SilverStripe\Dev\Deprecation::notice( )) error.
* Both the docblock and error message should contain the **target version** where the functionality is removed.
So, if you're committing the change to a *3.1* minor release, the target version will be *4.0* .
* Deprecations should not be committed to patch releases
* Deprecations should only be committed to pre-release branches, ideally before they enter the "beta" phase.
If deprecations are introduced after this point, their target version needs to be increased by one.
* Make sure that the old deprecated function works by calling the new function - don't have duplicated code!
* The commit message should contain an `API` prefix (see ["commit message format" ](code#commit-messages ))
* Document the change in the [changelog ](/changelogs ) for the next release
2020-01-06 22:08:32 +01:00
* Deprecated APIs can be removed only after developers have had sufficient time to react to the changes. Hence, deprecated APIs should be removed in MAJOR releases only. Between MAJOR releases, leave the code in place with a deprecation warning.
2019-12-10 05:17:50 +01:00
* Exceptions to the deprecation cycle are APIs that have been moved into their own module, and continue to work with the new minor release. These changes can be performed in a single minor release without a deprecation period.
* Add a `warnings` entry to the module's `.upgrade.yml` file so the
[Silverstripe Upgrader can flag deprecated APIs ](/upgrading/upgrading_module#upgradeyml ).
2013-03-20 10:20:27 +01:00
2011-02-07 07:48:44 +01:00
Here's an example for replacing `Director::isDev()` with a (theoretical) `Env::is_dev()` :
2017-08-03 02:51:32 +02:00
```php
2017-10-27 04:38:27 +02:00
/**
* Returns true if your are in development mode
* @deprecated 4.0 Use {@link Env::is_dev()} instead.
*/
public function isDev()
{
Deprecation::notice('4.0', 'Use Env::is_dev() instead');
return Env::is_dev();
}
2017-08-03 02:51:32 +02:00
```
2013-03-20 10:20:27 +01:00
2015-06-18 07:26:58 +02:00
This change could be committed to a minor release like *3.2.0* , and remains deprecated in all subsequent minor releases
(e.g. *3.3.0* , *3.4.0* ), until a new major release (e.g. *4.0.0* ), at which point it gets removed from the codebase.
2012-02-01 01:47:49 +01:00
2015-06-10 00:27:54 +02:00
Deprecation notices are enabled by default on dev environment, but can be
2017-01-30 16:34:55 +01:00
turned off via either `.env` or in your _config.php. Deprecation
2015-06-10 00:27:54 +02:00
notices are always disabled on both live and test.
2018-06-25 00:39:53 +02:00
`app/_config.php`
2015-06-10 00:27:54 +02:00
2017-08-03 02:51:32 +02:00
```php
2017-10-27 04:38:27 +02:00
Deprecation::set_enabled(false);
2017-08-03 02:51:32 +02:00
```
2015-06-10 00:27:54 +02:00
2017-01-30 16:34:55 +01:00
`.env`
2015-06-10 00:27:54 +02:00
2017-10-27 04:38:27 +02:00
```
SS_DEPRECATION_ENABLED="0"
```
2015-06-10 00:27:54 +02:00
2012-02-01 01:47:49 +01:00
## Security Releases
2019-12-10 05:17:50 +01:00
A security release is a [Silverstripe CMS Core Release ](making_a_silverstripe_core_release#standard-release-process ) with patches for one or more security issues.
2019-09-18 01:13:02 +02:00
2012-02-01 01:47:49 +01:00
### Reporting an issue
2018-03-06 23:07:17 +01:00
Report security issues in our [commercially supported modules ](https://www.silverstripe.org/software/addons/silverstripe-commercially-supported-module-list/ )
2019-02-25 03:48:54 +01:00
to [security@silverstripe.com ](mailto:security@silverstripe.org ).
2014-09-26 09:49:44 +02:00
Please don't file security issues in our [bugtracker ](issues_and_bugs ).
2012-02-01 01:47:49 +01:00
2014-09-26 09:49:44 +02:00
### Acknowledgment and disclosure
2012-02-01 01:47:49 +01:00
2018-03-06 23:07:17 +01:00
In the event of a confirmed vulnerability in our
[supported modules ](https://www.silverstripe.org/software/addons/silverstripe-commercially-supported-module-list/ ),
we will take the following actions:
2012-02-01 01:47:49 +01:00
2019-12-10 05:17:50 +01:00
* Acknowledge to the reporter that we've received the report and that a fix is forthcoming.
We'll give a rough timeline and ask the reporter to keep the issue confidential until we announce it.
2019-02-25 03:48:54 +01:00
* Assign a [CVE identifier ](https://cve.mitre.org ) to the issue.
2019-12-10 05:17:50 +01:00
* For "high" and "critical" issues (CVSS of >=7.0): Pre-announce the upcoming security release to a private pre-announcement mailing list of important stakeholders (see below).
2019-02-25 03:48:54 +01:00
* We will inform you about resolution and [announce ](https://forum.silverstripe.org/c/releases ) a
2019-12-10 05:17:50 +01:00
[new release ](http://silverstripe.org/security-releases/ ) publicly.
2012-02-01 01:47:49 +01:00
You can help us determine the problem and speed up responses by providing us with more information on how to reproduce
2019-12-10 05:17:50 +01:00
the issue:
* Silverstripe CMS version (incl. any installed modules)
* PHP/webserver version and configuration
* anonymised webserver access logs (if a hack is suspected)
* any other services and web packages running on the same server.
2012-02-01 01:47:49 +01:00
### Severity rating
2014-09-26 09:49:44 +02:00
Each [security release ](http://www.silverstripe.org/security-releases/ ) includes an overall severity rating and one for
2019-02-25 03:48:54 +01:00
each vulnerability. The rating indicates how important an update is.
It follows the [Common Vulnerability Scoring System (CVSS) ](https://www.first.org/cvss ).
2019-12-10 05:17:50 +01:00
This rating determines which release lines are targeted with security fixes.
2012-02-01 01:47:49 +01:00
2019-02-25 03:48:54 +01:00
| Severity | CVSS | Description |
|---------------|------|-------------|
| **Critical** | 9.0 to 10.0 | Critical releases require immediate action. Such vulnerabilities allow attackers to take control of your site and you should upgrade on the day of release. *Example: Directory traversal, privilege escalation* |
| **High** | 7.0 to 8.9 | Important releases should be evaluated immediately. These issues allow an attacker to compromise a site's data and should be fixed within days. *Example: SQL injection.* |
| **Medium** | 4.0 to 6.9 | Releases of moderate severity should be applied as soon as possible. They allow the unauthorized editing or creation of content. *Examples: Cross Site Scripting (XSS) in template helpers.* |
| **Low** | 0.1 to 3.9 | Low risk releases fix information disclosure and read-only privilege escalation vulnerabilities. These updates should also be applied as soon as possible, but with an impact-dependent priority. *Example: Exposure of the core version number, Cross Site Scripting (XSS) limited to the admin interface.* |
2014-02-12 01:28:18 +01:00
2017-05-24 12:27:47 +02:00
### Internal Security Process
2019-12-10 05:17:50 +01:00
See [Silverstripe CMS Core Release Process ](making_a_silverstripe_core_release ).
2017-05-24 12:27:47 +02:00
2018-12-18 04:39:32 +01:00
### Pre-announcement mailing list
2014-02-12 01:28:18 +01:00
2019-02-25 03:48:54 +01:00
In addition to our public disclosure process, we maintain a private mailing list where upcoming
"high" or "critical" security releases are pre-announced.
Members of this list will receive a security pre-announcement, as soon as it has been
2018-12-18 21:41:44 +01:00
sufficiently researched, with a timeline for the upcoming release.
This will happen a few days before the announcement goes public alongside a new release,
and most likely before a patch has been developed.
2019-12-10 05:17:50 +01:00
Since we'll distribute sensitive information on unpatched vulnerabilities in this list,
2018-12-18 21:41:44 +01:00
the selection criteria for joining naturally has to be strict.
Applicants should provide references within the community,
as well as a demonstrated need for this level of information
(e.g. involvement with a large website with sensitive customer data).
2019-12-10 05:17:50 +01:00
You don’ t need to be a client of Silverstripe Ltd to get on board,
2018-12-18 21:41:44 +01:00
but we will need to perform some low-touch background checks to verify your identity.
2019-12-10 05:17:50 +01:00
Please contact [security@silverstripe.org ](mailto:security@silverstripe.org ) for details.
2014-03-15 23:41:21 +01:00
2018-12-18 21:41:44 +01:00
2014-03-15 23:41:21 +01:00
## Quality Assurance and Testing
2019-12-10 05:17:50 +01:00
The quality of our software is important to us, and we continuously test it for regressions
2014-03-15 23:41:21 +01:00
through a broad suite of unit and integration tests. Most of these run on
2018-01-29 03:38:04 +01:00
[Travis CI ](http://travis-ci.com ), and results are publicly available.
Check the badges on the various modules available on [github.com/silverstripe ](http://github.com/silverstripe ).
There's also a [build matrix ](https://www.silverstripe.org/software/addons/silverstripe-commercially-supported-module-list/ )
for our commercially supported modules (only showing build status for the default branch).