Clarify positioning of extended stable and security merges
We've had some questions from developers as well as embedders re:
our merge policies for security issues in the extended stable
channel; this update helps clarify our stance.
Change-Id: I3aa5aa3a7c92ad174d15b3fe2ae99439f3009ea8
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3258621
Auto-Submit: Alex Mineer <[email protected]>
Reviewed-by: Adrian Taylor <[email protected]>
Commit-Queue: Alex Mineer <[email protected]>
Cr-Commit-Position: refs/heads/main@{#938550}
diff --git a/docs/process/merge_request.md b/docs/process/merge_request.md
index 543ddbd..38bf38c 100644
--- a/docs/process/merge_request.md
+++ b/docs/process/merge_request.md
@@ -266,8 +266,8 @@
| branch | M(X) Branch | M(X) Beta | Polish issues for Finch-gated features (no workflow changes), any new regressions, any release blockers, any security issues, any string issues (.GRD changes) |
| beta | M(X) Beta | M(X) Stable Cut | Non-functional issues for Finch-gated features (e.g. add metrics, fix crash), noticeable new regressions, any release blockers, any security issues, urgent string issues (.GRD changes) |
| stable_cut | M(X) Stable Cut | M(X) Stable | Urgent new regressions, all release blockers, important security issues (medium severity or higher), emergency string issues (.GRD changes) |
-| stable | M(X) Stable | M(X+1) Stable | Urgent new regressions (especially user reports), urgent release blockers, important security issues (medium severity or higher) |
-| extended (if applicable) | M(X+1) Stable | M(X+2) Stable | Important security issues (medium severity or higher) applicable to Windows, Mac or Chrome OS |
+| stable | M(X) Stable | M(X+1) Stable | Urgent new regressions (especially user reports), urgent release blockers, important security issues (medium severity or higher) requested by the security team |
+| extended (if applicable) | M(X+1) Stable | M(X+2) Stable | Important security issues (medium severity or higher) applicable to any platform supported by Chrome Browser requested by the security team |
### Merge states and labels
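
Review bot: In the new `stable` and `extended` rows the trailing "requested by the security team" has no clear referent; in the `extended` row it reads as if it modifies "any platform supported by Chrome Browser" rather than the merge. Consider moving the qualifier to the front, e.g. "Merges requested by the security team for important security issues (medium severity or higher) ...". The `stable_cut` row still lists the same class of security issues without this qualifier, so it is worth stating whether the requirement is meant to start only at `stable` or whether that row should be updated to match.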
diff --git a/docs/process/release_cycle.md b/docs/process/release_cycle.md
index d6633a36..d15623b 100644
--- a/docs/process/release_cycle.md
+++ b/docs/process/release_cycle.md
@@ -7,21 +7,33 @@
Chrome ships a new milestone (major version) to the stable channel every four
weeks. The new milestone is developed on main for four weeks (beginning on
branch point for the previous milestone) before the milestone's branch is cut,
-which is then stabilized for six weeks before being shipped to stable.
-
-Chrome also maintains every other milestone branch for four additional weeks by
-backporting important security fixes to create an extended stable channel,
-where a new milestone is shipped every eight weeks. During the first four
-weeks of this milestone, both stable and extended stable are shipped identical
-releases; see the [channel lifecycle](#channel-lifecycle) to learn more.
-The extended stable channel is only available to enterprises, who can enable it
-via enterprise policies.
-
-Biweekly updates (called refreshes) are shipped to both the stable and extended
-stable channels to deploy security fixes and keep Chrome's
+which is then stabilized for six weeks before being shipped to stable. Once
+a milestone reaches stable, biweekly updates (called refreshes) are shipped to
+the stable to deploy security fixes and keep Chrome's
[patch gap](https://groups.google.com/a/chromium.org/g/security-dev/c/fbiuFbW07vI)
-short. Selected regression fixes may also be included in stable channel
-refreshes, but not extended stable refreshes.
+short.
+
+## Extended Stable
+
+Chrome Browser also maintains every other milestone branch for four additional
+weeks by backporting important security fixes to create an extended stable
+channel, where a new milestone is shipped every eight weeks. During the first
+four weeks of this milestone, both stable and extended stable are shipped
+identical releases; see the [channel lifecycle](#channel-lifecycle) to learn
+more. The extended stable channel is only available to enterprises on the
+Windows and Mac platforms, and can be enabled via enterprise policies. Biweekly
+refreshes are shipped to extended stable as well.
+
+While extended stable is only shipped to Windows and Mac, security fixes that
+are relevant to any Chrome Browser platforms will be landed on the extended
+stable branch for use by embedders. It's important to note that while the team
+will make an effort to backport all important security fixes to extended
+stable, complex and risky changes as well as larger features that improve
+security (e.g.
+[Site Isolation](https://www.chromium.org/Home/chromium-security/site-isolation))
+may not be viable to backport and will only be available on the stable channel;
+as such, using the stable channel and stable branches is recommended for any
+team where security is a primary concern.
## Release Cycle
The diagram below shows when our different development checkpoints occur as a
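
Review bot: The removed sentence "Selected regression fixes may also be included in stable channel refreshes, but not extended stable refreshes" has no replacement in the added text, so release_cycle.md no longer says that extended stable refreshes exclude regression fixes; the new "Extended Stable" section only says "Biweekly refreshes are shipped to extended stable as well". If that restriction still holds, restate it in the new section. Two wording points in the added lines: "shipped to the stable to deploy security fixes" is missing "channel", and "relevant to any Chrome Browser platforms" should be "any Chrome Browser platform".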