Hello,

The Eclipse platform has been releasing every three months for some time. I've recently been working on clarifying security processes and I could not find a description of how the Eclipse Platform handles a security release.
Would a security fix need to wait for the next 3-month release? This could be in conflict with the 90-day vulnerability release policy.

Consider this scenario:
- A vulnerability is reported two weeks before the release and the team needs some time to prepare a fix.
- The fix is ready one month after the release.
- 90 days will come two weeks BEFORE the next release.

Releasing vulnerability information to the public without a release fixing it is against best practices and it would be beneficial to avoid it.

Do you consider running a separate bugfix release? Could you please point me to documentation/discussions on how you do handle or would handle such a situation?

Thanks in advance,
Marta