Devs -

We have an unfortunate situation where we may need to break our commitment,
previously communicated, to support at least two Releases, i.e. the current
one and the last one.

We previously communicated that we would only look at fixes for the last
two releases.  Thus, if you are following along, our release 1.9.0 and our
release 1.8.4 are - by our internal policy - the two valid releases that we
show on the download list.  This means that when we get a report of a
critical issue, we fix the current release, and we fix the one before that.


We move all other releases to the archive.  They are not fixed.  If there
is a published CVE then the CVE details are public and likely exist in
previous Releases and, therefore, are well known to the world.  We urge
everyone to patch and to update to keep your data and your deployments
safe. Always.

So... Unless we can get a 1.8.5 out immediately, I am PROPOSING and thereby
giving NOTICE now that we should be removing 1.8.4 from our "valid release"
designation in the next 10 days.

By implication, we already moved 1.7.x to EOL when we released 1.9.0.  I
hope everyone is following along well.

If you disagree with this, please comment now.  If you want to help Victor
get 1.8.5 out, you can contact him on this list.  I would like to
facilitate a situation which is better.

James
