Hi Gary,

On 23.02.2025 16:24, Gary Gregory wrote:
> FWIW, a policy I would consider OK is something like "we support A and B
> actively and would only consider a release of C for a severe security CVE,
> but D is EOL and OB to further releases."

Yes, it would be nice to have a well-defined set of levels of support. Jarek provided an example on `security-discuss@community`[1]. I think that it is better to provide a larger list of supported versions, but limit the expectations of the users, e.g.:

* `SECURITY-ONLY`: if a security vulnerability is discovered in Maven 3.8.x (NOT in its dependencies), we MAY consider a new release. Note: Maven 3.8.x MAY be declared EOL at any time with one month of notice. If you rely on Maven 3.8.x in production, consider looking for a company that provides commercial Maven support. The ASF does not endorse any such company, but we are aware of these companies...

The reason I think it is better to leave the possibility of a security release open is that users _might_ still check for updates for that branch. In December 2021 Apache Logging resurrected the 2.3.x and 2.12.x branches to patch Log4Shell, but users apparently didn't know it and we are still getting questions from users that use version 2.12.0. When we ask why they didn't upgrade, they say they are on Java 7 and cannot upgrade to 2.17.x.

That is why I think it is better to show that the door for 3.8.9 is open, especially if some user (or the company that provides him with commercial Maven support) wants to provide a PR that backports a security fix.

Regarding Maven dependencies, did you notice that Maven 3.9.x:

* depends on `maven-resolver-transport-http` version 1.9.x (supported),

* which depends on HttpClient 4.5 (supported),

* which depends on HttpCore 4.4 (EOL officially). ;-)

Gary, could we have an official statement on the HttpComponents web page that if shit hits the fan HttpCore 4.4.x MAY consider releasing a patched version?

Piotr

[1] https://lists.apache.org/thread/4jt9j4x61rwxmbw30f5gdsfoxm1mmfzz

