So as I mentioned in the security reporting thread, although we do always use 
the most recent versions of everything in our releases, we should probably 
address our timing.

Over the lifetime of TomEE we average 4.14 months between releases.  Also in 
the lifetime of TomEE, there've been about 18 CVEs that affect us.  That's one 
every 1.61 months.

On top of that, once a new TomEE 1.x version comes out we don't really keep 
supporting the previous 1.x release, which we should -- at least for security 
fixes.

 - - - 

The fastest and most realistic way I can see to continuously turn out releases 
that contain security updates with the least amount of time is to:

  - branch from the latest supported tags (1.5.x, 1.6.x)
  - apply the security patch or do the library upgrade
  - release them as 1.5.x.y, 1.6.x.y

My gut says anything else will just encounter the usual 4-month delay.  As well, 
I can see there being a significant advantage to having security-only releases:

  - a lot easier to do the legal screening, code header scanning, etc.
  - far less community time spent on rigorously testing all our applications
  - less regression testing users have to do to upgrade.  (We're always adding 
new features to 1.x.y releases)
  - doesn't disrupt or put pressure on our development cycle

With the current Tomcat CVE now fixed, that'd give us:

 - 1.5.2.1
 - 1.6.0.1

Thoughts?


-David