How are issues in Gruntwork's code reported to customers? #66

marijakstrazdas · 2021-11-17T16:22:19Z

marijakstrazdas
Nov 17, 2021

A customer asked:

How are issues in Gruntwork's code reported to customers?

Answered by zackproser

For any critical / urgent changes—namely, any severe security issue—we notify customers ASAP (as in, when a fix is available) via a dedicated security alerts mailing list. This applies to any issues in our own code (note: this has never actually happened yet) and, more frequently, when we find out about vulnerabilities in the dependencies we use or believe our customers are likely to use (e.g., Linux, Jenkins, OpenSSL, etc).
For non critical / urgent changes, we fix the issue in the appropriate repo, release a new version, and add the information to our newsletter. We publish the newsletter on our blog every 1-2 months, notify customers via a separate mailing list, and share it via socia…

zackproser · 2021-11-17T16:34:14Z

For any critical / urgent changes—namely, any severe security issue—we notify customers ASAP (as in, when a fix is available) via a dedicated security alerts mailing list. This applies to any issues in our own code (note: this has never actually happened yet) and, more frequently, when we find out about vulnerabilities in the dependencies we use or believe our customers are likely to use (e.g., Linux, Jenkins, OpenSSL, etc).
For non critical / urgent changes, we fix the issue in the appropriate repo, release a new version, and add the information to our newsletter. We publish the newsletter on our blog every 1-2 months, notify customers via a separate mailing list, and share it via social media.
In the future, we plan to set up customers with automatic updates so they get a PR automatically opened when new releases are out. That way, they are notified via this very PR! This is Gruntwork Patcher. If they are interested, we can discuss further.

1 reply

Credit for this solution goes to @marijakstrazdas and @brikis98