+1, looks good.

Just regarding the latest digit, was wondering if we could use instead:

  su1, security update 1
  sec01, security 01

The latest one is the more commonly used.

JLouis

2014-02-19 18:08 GMT+01:00 David Blevins <david.blev...@gmail.com>:

> So as I mentioned in the security reporting thread, although we do always
> use the most recent versions of everything in our releases, we should
> probably address our timing.
>
> Over the lifetime of TomEE we average 4.14 months between releases. Also
> in the lifetime of TomEE, there've been about 18 CVEs that affect us.
> That's one every 1.61 months.
>
> On top of that, once a new TomEE 1.x version comes out we don't really
> keep supporting the previous 1.x release, which we should -- at least for
> security fixes.
>
> - - -
>
> The fastest and most realistic way I can see to continuously turn out
> releases that contain security updates with the least amount of time is to:
>
>   - branch from the latest supported tags (1.5.x, 1.6.x)
>   - apply the security patch or do the library upgrade
>   - release them as 1.5.x.y, 1.6.x.y
>
> My gut says anything else will just encounter the usual 4 month delay. As
> well I can see there being a significant advantage to having security only
> releases:
>
>   - a lot easier to do the legal screening, code header scanning, etc.
>   - far less community time spent on rigorously testing all our
>     applications
>   - less regression testing users have to do to upgrade. (We're always
>     adding new features to 1.x.y releases)
>   - doesn't disrupt or put pressure on our development cycle
>
> With the current Tomcat CVE now fixed, that'd give us:
>
>   - 1.5.2.1
>   - 1.6.0.1
>
> Thoughts?
>
>
> -David
>

--
Jean-Louis