Marta,
I notice this interesting blog has relevant background details:
https://newsroom.eclipse.org/eclipse-newsletter/2023/may/reporting-and-managing-security-issues-eclipse-foundation-projects
With respect to timing, I see this in the policy:
https://www.eclipse.org/security/policy/#timing
With respect to distribution of a resolution, I do not see the use of,
nor definition of, the term "security release" but rather only the
following, where it simply mentions using "normal distribution channels"
at a minimum:
https://www.eclipse.org/security/policy/#distribution
In general, all changes are normally made available for distribution
within a day via integration builds, and, as you've noted, releases are
normally made available for distribution on a quarterly basis.
Also highly relevant, is that the simultaneous release, the mostly
widely used distribution channel, is also normally available quarterly.
SimRel integration (staging) builds are available daily with new content
available as contributed by the participating projects:
https://ci.eclipse.org/simrel/
Asking for special out-of-band "security releases" is asking for a lot
from the Platform project. Too much in my *personal opinion*, but
everyone is entitled to an option. Moreover, I assume this same policy,
and expectation, applies uniformly for all projects where that
expectation is probably significantly less realistic. It would seem
better to me to try to work (as much as possible) within the bounds of
the existing processes and normal distribution channels.
General cross-cutting discussions or issues can be hosted here:
https://github.com/eclipse-platform/.github/discussions
https://github.com/eclipse-platform/.github/issues
This related discussion is already underway:
https://github.com/eclipse-platform/.github/discussions/129
Regards,
Ed
On 18.07.2023 18:03, Marta Rybczynska via platform-dev wrote:
Hello,
Eclipse platform has been releasing every three month for some time.
I've been recently working on clarifying security processes and I
could not find a description how the Eclipse Platform handles a
security release.
Would a security fix need to wait for next 3-month release? This could
be in conflict with the 90 days vulnerability release policy. Consider
this scenario:
- A vulnerability is reported two weeks before the release and the
team needs some time to prepare a fix.
- The fix is ready one month after the release
- 90 days will come two weeks BEFORE the next release
Releasing a vulnerability information to the public without a release
fixing it is against best practices and it would be beneficial to
avoid it.
Do you consider running a separate bugfix release?
Could you please point me to documentation/discussions on how you do
handle or would handle such a situation?
Thanks in advance,
Marta
_______________________________________________
platform-dev mailing list
platform-dev@eclipse.org
To unsubscribe from this list,
visithttps://www.eclipse.org/mailman/listinfo/platform-dev
_______________________________________________
platform-dev mailing list
platform-dev@eclipse.org
To unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/platform-dev