Anonymitaet commented on a change in pull request #10829:
URL: https://github.com/apache/pulsar/pull/10829#discussion_r804323498



##########
File path: site2/docs/security-versioning-policy.md
##########
@@ -0,0 +1,67 @@
+---
+id: security-policy-and-supported-versions
+title: Security Policy and Supported Versions
+sidebar_label: Security Policy and Supported Versions
+---
+
+## Reporting a Vulnerability
+
+The current process for reporting vulnerabilities is outlined here: 
https://www.apache.org/security/. When reporting a
+vulnerability to [email protected], you can copy your email to 
[[email protected]](mailto:[email protected])
+to send your report to the Apache Pulsar Project Management Committee. This is 
a private mailing list.
+
+## Using Pulsar's Security Features
+
+You can find documentation on Pulsar's available security features and how to 
use them here:
+https://pulsar.apache.org/docs/en/security-overview/.
+
+## Security Vulnerability Announcements
+
+The Pulsar community will announce security vulnerabilities and how to 
mitigate them on the [[email protected]](mailto:[email protected]).
+For instructions on how to subscribe, please see 
https://pulsar.apache.org/contact/.
+
+## Versioning Policy
+
+The Pulsar project adheres to [Semantic 
Versioning](http://semver.org/spec/v2.0.0.html). Existing releases can expect
+patches for bugs and security vulnerabilities. New features will target minor 
releases.
+
+When upgrading an existing cluster, it is important to upgrade components 
linearly through each minor version. For
+example, when upgrading from 2.8.x to 2.10.x, it is important to upgrade to 
2.9.x before going to 2.10.x.
+
+## Supported Versions
+
+Feature release branches will be maintained with security fix and bug fix 
releases for a period of at least 12 months
+after initial release. For example, branch 2.5.x is no longer considered 
maintained as of January 2021, 12 months after
+the release of 2.5.0 in January 2020. No more 2.5.x releases should be 
expected at this point, even to fix security
+vulnerabilities.
+
+Note that a minor version can be maintained past it's 12 month initial support 
period. For example, version 2.7 is still
+actively maintained.
+
+Security fixes will be given priority when it comes to back porting fixes to 
older versions that are within the
+supported time window. It is challenging to decide which bug fixes to back 
port to old versions. As such, the latest
+versions will have the most bug fixes.
+
+When 3.0.0 is released, the community will decide how to continue supporting 
2.x. It is possible that the last minor
+release within 2.x will be maintained for longer as an “LTS” release, but it 
has not been officially decided.
+
+The following table shows version support timelines and will be updated with 
each release.
+
+| Version | Supported          | Initial Release | At Least Until |
+|:-------:|:------------------:|:---------------:|:--------------:|
+| 2.9.x   | :white_check_mark: | November 2021   | November 2022  |
+| 2.8.x   | :white_check_mark: | June 2021       | June 2022      |
+| 2.7.x   | :white_check_mark: | November 2020   | November 2021  |
+| 2.6.x   | :x:                | June 2020       | June 2021      |
+| 2.5.x   | :x:                | January 2020    | January 2021   |
+| 2.4.x   | :x:                | July 2019       | July 2020      |
+| < 2.3.x | :x:                | -               | -              |
+
+If there is ambiguity about which versions of Pulsar are actively supported, 
please ask on the [[email protected]](mailto:[email protected])
+mailing list.
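Review bot: In the support table, the last row `< 2.3.x` leaves 2.3.x itself without a status, since the row above it is 2.4.x; use `<= 2.3.x` (or `< 2.4.x`) so every release line is covered. In the Supported Versions text, "past it's 12 month initial support period" should read "past its 12-month initial support period". The Semantic Versioning link points at `http://semver.org/spec/v2.0.0.html`; prefer the `https://` form in a security policy page.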

Review comment:
       FYI @momo-jun @D-2-Ed @DaveDuggins
   This is related to doc maintenance (doc life cycle)



