Hi,

On Tue, Jul 18, 2023 at 6:04 PM Marta Rybczynska via platform-releng-dev <platform-releng-...@eclipse.org> wrote:

> Would a security fix need to wait for next 3-month release? This could be
> in conflict with the 90 days vulnerability release policy. Consider this
> scenario:
> - A vulnerability is reported two weeks before the release and the team
> needs some time to prepare a fix.
> - The fix is ready one month after the release
> - 90 days will come two weeks BEFORE the next release
> Releasing a vulnerability information to the public without a release
> fixing it is against best practices and it would be beneficial to avoid it.
>

> Do you consider running a separate bugfix release?
>

So far, with the current processes and maintainers, the answer is no. This
90-day vulnerability release process cannot work for Eclipse Platform in
some cases.
However, as usual, if someone is willing to take care of doing security
releases to enforce this, then it would be welcome.

> Could you please point me to documentation/discussions on how you handle
> or would handle such a situation?
>

If we want to comply with a 90-day vulnerability release process, I see
only 2 solutions: either more frequent releases (i.e. moving Platform to
2-month releases) or someone actually willing to take care of producing
security releases. Neither is something that can be done trivially, as both
have impacts or requirements that may not be in the best interest of the
current maintainers.

HTH
_______________________________________________
platform-dev mailing list
platform-dev@eclipse.org
To unsubscribe from this list, visit 
https://www.eclipse.org/mailman/listinfo/platform-dev