Re: Discussion: Declare EOL for Maven 3.8.x and change support policy

Sun, 23 Feb 2025 12:00:40 -0800 

Hi Gary,

On 23.02.2025 16:24, Gary Gregory wrote:

FWIW, a policy I would consider OK is something like "we support A and B
actively and would only consider a release of C for a severe security CVE,
but D is EOL and OB to further releases."



Yes, it would be nice to have a well-defined set of level of support. 
Jarek provided an example on `security-discuss@community`[1]. I think 
that it is better to provide a larger list of supported versions, but 
limit the expectations of the users, e.g.:



* `SECURITY-ONLY`: if a security vulnerability is discovered in Maven 
3.8.x (NOT in its dependencies), we MAY consider a new release. Note: 
Maven 3.8.x MAY be declared EOL at any time with one month of notice. If 
you rely on Maven 3.8.x in production, consider looking for a company 
that provides commercial Maven support. The ASF does not endorse any 
such company, but we are aware of these companies...



The reason I think it is better to leave to possibility of a security 
release open, is that users _might_ still check for updates for that 
branch. In December 2021 Apache Logging resurrected the 2.3.x and 2.12.x 
branches to patch Log4Shell, but users apparently didn't know it and we 
are still getting questions from users that use version 2.12.0. When we 
ask why they didn't upgrade, they say they are on Java 7 and can not 
upgrade to 2.17.x.



That is why I think it is better to show that the door for 3.8.9 is 
open, especially if some user (or the company that provides him with 
commercial Maven support) wants to provide a PR that backports a 
security fix.


Regarding Maven dependencies, did you notice that Maven 3.9.x:

* depends on `maven-resolver-tranport-http` version 1.9.x (supported),

* which depends on HttpClient 4.5 (supported),

* which depends on HttpCore 4.4 (EOL officially). ;-)


Gary, could we have an official statement on HttpComponents web page 
that if shit hits the fan HttpCore 4.4.x MAY consider releasing a 
patched version?


Piotr

[1] https://lists.apache.org/thread/4jt9j4x61rwxmbw30f5gdsfoxm1mmfzz


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org























					Reply via email to