+1 if possible (the issue will be to upgrade a lib without upgrading
to the next version; it can need as much work as upgrading to trunk
sometimes...)
Romain Manni-Bucau
Twitter: @rmannibucau
Blog: http://rmannibucau.wordpress.com/
LinkedIn: http://fr.linkedin.com/in/rmannibucau
Github: https://github.com/rmannibucau



2014-02-19 20:27 GMT+01:00 Bjorn Danielsson <bjorn-apa...@lists.cuspycode.com>:
> +1 for having quick and minimal effort security-only releases.
>
> At least for updating the latest release in cases where the
> patch has limited impact on everything else ("minimal effort").
>
> --
> Bjorn Danielsson
> Cuspy Code AB
>
>
> David Blevins <david.blev...@gmail.com> wrote:
>> So as I mentioned in the security reporting thread, although we do always 
>> use the most recent versions of everything in our releases, we should 
>> probably address our timing.
>>
>> Over the lifetime of TomEE we average 4.14 months between releases.  Also in 
>> the lifetime of TomEE, there've been about 18 CVEs that affect us.  That's 
>> one every 1.61 months.
>>
>> On top of that, once a new TomEE 1.x version comes out we don't really keep 
>> supporting the previous 1.x release, which we should -- at least for 
>> security fixes.
>>
>>  - - -
>>
>> The fastest and most realistic way I can see to continuously turn out 
>> releases that contain security updates with the least amount time is to:
>>
>>   - branch from the latest supported tags (1.5.x, 1.6.x)
>>   - apply the security patch or do the library upgrade
>>   - release them as 1.5.x.y, 1.6.x.y
>>
>> My gut says anything else will just encounter the usual 4 month delay.  As 
>> well I can see there being a significant advantage to having security only 
>> releases:
>>
>>   - a lot easier to do the legal screening, code header scanning, etc.
>>   - far less community time spent on rigorously testing all our applications
>>   - less regression testing users have to do to upgrade.  (We're always 
>> adding new features to 1.x.y releases)
>>   - doesn't disrupt or put pressure on our development cycle
>>
>> With the current Tomcat CVE now fixed, that'd give us:
>>
>>  - 1.5.2.1
>>  - 1.6.0.1
>>
>> Thoughts?
>>
>>
>> -David