Backporting fixes

'''This page is a work in progress. Comments are welcome on the talk page, but remember this is not final!'''

Bugs are found in MediaWiki all the time. Some of these bugs are pretty high priority for the Wikimedia Foundation (e.g. they are security-related, or they break functionality needed by the Wikimedia community).

Below is the general process and flow for backporting these fixes to both Wikimedia Wikis and the stable and LTS releases.

Security Related Backports

 * 1) If you find a security flaw in MediaWiki, please email security@wikimedia.org directly with details. Please give us a couple of days to fix the issue and roll out new releases for third-party users before public disclosure.
 * 2) These reports are filed as bugs, but are marked Security and thus are not public until the fix has been released.
 * 3) The issue is diagnosed and a solution is created.
 * 4) A 'hotfix' is deployed to the WMF Cluster, where all of the Wikimedia Wikis are hosted.
 * NB: The WMF Cluster is running up to two different MediaWiki versions at any time, and both versions are hotfixed at the same time, e.g. 1.22wmf1 and 1.22wmf2.
 * 5) After this hotfix is deployed, a security release of MediaWiki is made for all currently supported versions.

Non-Security Related Backports

 * 1) A bug is discovered that is causing pain for Wikimedia community members/users of MediaWiki.
 * 2) (Some decision on priority to fix the bug is made)
 * 3) A fix is created for the bug.
 * 4) If the fix is deemed high priority enough for the Wikimedia community that it cannot wait until the next scheduled deployment (sometimes up to 2 weeks later, depending on the specific wiki), it needs to be backported to a previously deployed version.
 * Depending on the timing, it needs to be backported to up to 2 different versions of currently deployed MediaWiki, as with the security fix above.
 * 5) Separately, and possibly in conjunction, if the fix is deemed important enough to be backported to a stable/LTS release of MediaWiki (which doesn't happen very often for non-security related bugs), new stable/LTS releases are created by the Release Manager for third-party users.