-
Notifications
You must be signed in to change notification settings - Fork 626
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Version SECURITY.md #1871
base: main
Are you sure you want to change the base?
Version SECURITY.md #1871
Conversation
Signed-off-by: Todica Ionut <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nice
| 3.1.x | :warning: Only the most critical fixes, only if they can be easily backported. | | ||
| 3.0.x | :warning: Only the most critical fixes, only if they can be easily backported. | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this true? Are we willing to still backport as far back as 3.0?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think fixes should be released all the way back to 2.5.x if it is a critical security issue with a published CVE, since that advertises that a vulnerability exists. I would assume there's software that can't switch to 3.x due to the API changes, so needs a 2.5.x fix. In that case, patch releases are usually only when specially requested by someone who needs them.
There is very little testing of old releases, so a bug that's only present in 3.2 or earlier may never be found. (That limitation might be worth mentioning in the Testing section of this document too.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree in principle but wonder if in practical terms, we are able to maintain 2.5.x to the historic level of quality, ie fuzz testing and everything else? It seems like a fix to 2.x might require a lot of someone's time, if we've stood down all the CI, and standing up the CI again also sounds like a lot of work?
Thanks for pointing out that we'd not updated the statement with the new release, that was an oversight. We're going to discuss this at the next technical steering committee meeting and resolve the details of our policy regarding updates to previous releases. Stay tuned for that, or feel free to join the meeting and discussion. |
No description provided.