Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Version SECURITY.md #1871

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

TodicaIonut
Copy link
Contributor

No description provided.

Signed-off-by: Todica Ionut <todicaionut2000111@gmail.com>
Copy link
Contributor

@meshula meshula left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice

Comment on lines 72 to 73
| 3.1.x | :warning: Only the most critical fixes, only if they can be easily backported. |
| 3.0.x | :warning: Only the most critical fixes, only if they can be easily backported. |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this true? Are we willing to still backport as far back as 3.0?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think fixes should be released all the way back to 2.5.x if it is a critical security issue with a published CVE, since that advertises that a vulnerability exists. I would assume there's software that can't switch to 3.x due to the API changes, so needs a 2.5.x fix. In that case, patch releases are usually only when specially requested by someone who needs them.

There is very little testing of old releases, so a bug that's only present in 3.2 or earlier may never be found. (That limitation might be worth mentioning in the Testing section of this document too.)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree in principle but wonder if in practical terms, we are able to maintain 2.5.x to the historic level of quality, ie fuzz testing and everything else? It seems like a fix to 2.x might require a lot of someone's time, if we've stood down all the CI, and standing up the CI again also sounds like a lot of work?

@cary-ilm
Copy link
Member

Thanks for pointing out that we'd not updated the statement with the new release, that was an oversight.

We're going to discuss this at the next technical steering committee meeting and resolve the details of our policy regarding updates to previous releases. Stay tuned for that, or feel free to join the meeting and discussion.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants