+1 - good idea

As for the su1 or sec01 suffixes, I was thinking the same thing as well but now 
I prefer the additional .1 instead.  The reason is it makes it easier for 
tooling to compare versions.  jm2c.


Regards,
Alan


On Feb 19, 2014, at 11:16 AM, Jean-Louis MONTEIRO <jeano...@gmail.com> wrote:

> +1 looks good.
> 
> Just regarding the latest digit, was wondering if we could use instead:
> su1, security update 1
> sec01, security 01
> 
> The latest one is the more commonly used.
> 
> JLouis
> 
> 
> 2014-02-19 18:08 GMT+01:00 David Blevins <david.blev...@gmail.com>:
> 
>> So as I mentioned in the security reporting thread, although we do always
>> use the most recent versions of everything in our releases, we should
>> probably address our timing.
>> 
>> Over the lifetime of TomEE we average 4.14 months between releases.  Also
>> in the lifetime of TomEE, there've been about 18 CVEs that affect us.
>> That's one every 1.61 months.
>> 
>> On top of that, once a new TomEE 1.x version comes out we don't really
>> keep supporting the previous 1.x release, which we should -- at least for
>> security fixes.
>> 
>> - - -
>> 
>> The fastest and most realistic way I can see to continuously turn out
>> releases that contain security updates with the least amount of time is to:
>> 
>>  - branch from the latest supported tags (1.5.x, 1.6.x)
>>  - apply the security patch or do the library upgrade
>>  - release them as 1.5.x.y, 1.6.x.y
>> 
>> My gut says anything else will just encounter the usual 4 month delay.  As
>> well I can see there being a significant advantage to having security only
>> releases:
>> 
>>  - a lot easier to do the legal screening, code header scanning, etc.
>>  - far less community time spent on rigorously testing all our
>> applications
>>  - less regression testing users have to do to upgrade.  (We're always
>> adding new features to 1.x.y releases)
>>  - doesn't disrupt or put pressure on our development cycle
>> 
>> With the current Tomcat CVE now fixed, that'd give us:
>> 
>> - 1.5.2.1
>> - 1.6.0.1
>> 
>> Thoughts?
>> 
>> 
>> -David
>> 
> 
> 
> -- 
> Jean-Louis
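The version-comparison point in Alan's reply, as an added example and not TomEE's own release tooling: a Python comparator that orders David's proposed 1.5.x.y / 1.6.x.y numbers with plain tuple comparison, checks that a candidate is a security-only increment of a base release, and shows the second grammar a tool would need before it could accept the su1 / sec01 suffixes at all. All function names and the sample version strings are assumptions made for this example.

```python
"""Compare dotted security-release versions (added example, not TomEE tooling)."""
import re

NUMERIC_RE = re.compile(r"\d+(\.\d+)*")
# Assumed suffix grammar for the alternatives discussed in the thread: "1.6.0su1", "1.6.0sec01".
SUFFIX_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:su(\d+)|sec(\d+))$")


def parse_numeric(version: str) -> tuple[int, ...]:
    """Parse a purely dotted-numeric version such as '1.6.0.1' into an int tuple.

    A tool that only understands this form rejects 'su1' / 'sec01' spellings outright.
    """
    if not NUMERIC_RE.fullmatch(version):
        raise ValueError(f"not a dotted-numeric version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def padded(a: tuple[int, ...], b: tuple[int, ...]) -> tuple[tuple[int, ...], tuple[int, ...]]:
    """Right-pad the shorter tuple with zeros so '1.6.0' compares equal to '1.6.0.0'."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def compare(v1: str, v2: str) -> int:
    """Return -1, 0 or 1; the fourth segment makes 1.6.0 < 1.6.0.1 < 1.6.1 fall out of tuple order."""
    a, b = padded(parse_numeric(v1), parse_numeric(v2))
    return (a > b) - (a < b)


def is_security_update_of(candidate: str, base: str) -> bool:
    """True when candidate is base plus exactly one extra segment >= 1 (1.5.2 -> 1.5.2.1)."""
    c, b = parse_numeric(candidate), parse_numeric(base)
    return len(c) == len(b) + 1 and c[:-1] == b and c[-1] >= 1


def parse_suffixed(version: str) -> tuple[int, ...]:
    """Accept 'su<n>' / 'sec<nn>' suffixes by mapping them onto a fourth numeric segment.

    This is the extra rule a tool needs if the suffix spelling is chosen; with the
    plain '.1' scheme, parse_numeric alone is enough.
    """
    m = SUFFIX_RE.match(version)
    if not m:
        return parse_numeric(version)
    base, su, sec = m.groups()
    return parse_numeric(base) + (int(su or sec),)


def sort_versions(versions: list[str], parser=parse_numeric) -> list[str]:
    """Sort version strings oldest to newest, padding every key to four segments."""
    def key(v: str) -> tuple[int, ...]:
        t = parser(v)
        return t + (0,) * (4 - len(t))
    return sorted(versions, key=key)


if __name__ == "__main__":
    # Constructed sample: the two releases from the thread plus their neighbours.
    sample = ["1.6.1", "1.5.2.1", "1.6.0", "1.6.0.1", "1.5.2"]
    print(sort_versions(sample))
    print(is_security_update_of("1.6.0.1", "1.6.0"))
    try:
        parse_numeric("1.6.0su1")
    except ValueError as exc:
        print("numeric-only tooling rejects:", exc)
```

The practical difference the block shows: with a fourth numeric segment, every existing dotted-version comparator already orders a security release correctly between its base and the next feature release, whereas the suffixed spellings need a project-specific parser and still have to decide whether su1 and sec01 denote the same thing.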
