On 2018-02-08 17:54, Jonathan Riddell wrote:
> We had one last 5.8 release scheduled for April but instead we did it
> this week and I think the idea of releases as required by security
> updates is a sensible way forward. But for how much longer? Any
> distro packagers have an opinion of how long they'd like it to be

What about: as long as a security patch applies we backport it?
Reasoning: if we look at today's two CVEs we can notice a pattern. The
bugs have been around for a "long" time (as all security issues tend to
do) and they might have been discovered if someone had reworked
the code. So for new issues it will be either in code not yet present in
5.8 or very likely unchanged since 5.8.