The move to the latest is of course usually a good idea, but sometimes
beyond risk tolerance for some customers. If the fixes are already
committed and will be in future releases, a one-off custom build that is
effectively but not officially 9.1.2 might be worth considering. Don't give
it that number but rather 9.1.1-withcommittedfixes or something, as I think
it would violate Apache policy for a PMC member to create and distribute
something with an unvoted release number on it. The primary problem with
custom builds is that they need to be maintained every time a new release
comes out, but if it only contains already committed changes, that issue
goes away.

On Mon, Apr 22, 2024 at 7:01 AM Alessandro Benedetti <a.benede...@sease.io>
wrote:

> Adding some discussions I had with @jan...@apache.org <jan...@apache.org>
> over
> slack:
>
> "Your client should be aware that they are vulnerable to a bunch of CVEs if
> they stay on 9.1. See
>
> https://solr.apache.org/security.html#cve-2023-50292-apache-solr-schema-designer-blindly-trusts-all-configsets-possibly-leading-to-rce-by-unauthenticated-users
> "
>
> "We may not be allowed to release a 9.1.2 with known vulnerabilities"
>
> "There are dozens of 3rd party dep upgrades since 9.1 as well that should
> probably be upgraded before such a release, mounting up to a ton of extra
> work and added risk for very little gain, given that a 9.6 upgrade is
> likely to be a drop-in upgrade."
>
> And given that 9.6 is under release, I have a strong feeling I should try
> to convince the client to go with it, rather than a 9.1.2.
> In the meantime, while additional discussion happens here, I'll talk with
> the sponsor, strongly advising that a 9.6 upgrade makes more sense now.
>
> I'll keep this thread updated in case we don't need 9.1.2 anymore.
>
> --------------------------
> *Alessandro Benedetti*
> Director @ Sease Ltd.
> *Apache Lucene/Solr Committer*
> *Apache Solr PMC Member*
>
> e-mail: a.benede...@sease.io
>
>
> *Sease* - Information Retrieval Applied
> Consulting | Training | Open Source
>
> Website: Sease.io <http://sease.io/>
> LinkedIn <https://linkedin.com/company/sease-ltd> | Twitter
> <https://twitter.com/seaseltd> | Youtube
> <https://www.youtube.com/channel/UCDx86ZKLYNpI3gzMercM7BQ> | Github
> <https://github.com/seaseltd>
>
>
> On Mon, 22 Apr 2024 at 12:07, Alessandro Benedetti <a.benede...@sease.io>
> wrote:
>
> > Hi all,
> > I managed to secure a sponsorship to work on a bug that impacted the
> > Learning To Rank module (re-scoring was ignoring query limits and time
> > allowed, causing outages and crashes).
> > The contribution has been merged already in 10, 9.x and 9.1:
> > https://issues.apache.org/jira/browse/SOLR-17018
> > I take the occasion to thank everyone involved.
> >
> > As agreed with the client as a sponsoring condition, the bugfix is
> > expected to come in a 9.1.2 release.
> > I anticipated this via Slack roughly 3 months ago when negotiating the
> > sponsorship.
> > So, first of all, I would like to discuss if doing a 9.1.2 just including
> > this additional bugfix is still ok. I'm happy to volunteer as Release
> > Manager; it will be my first time, so I may have questions.
> > It's an inactive branch so as soon as the discussion is finished I'll cut
> > the branch.
> >
> > In the meantime, I am looking around for the steps to do for a release and
> > I found the release wizard Python script, which should be a decent entry
> > point; feel free to point me in any other direction if it's a better start.
> >
> > Cheers
> >
>


-- 
http://www.needhamsoftware.com (work)
https://a.co/d/b2sZLD9 (my fantasy fiction book)
