On Sun, 23 Feb 2025 at 21:00, Piotr P. Karwasz <pi...@mailing.copernik.eu>
wrote:

> Hi Gary,
>
> On 23.02.2025 16:24, Gary Gregory wrote:
> > FWIW, a policy I would consider OK is something like "we support A and B
> > actively and would only consider a release of C for a severe security
> CVE,
> > but D is EOL and OB to further releases."
>
> Yes, it would be nice to have a well-defined set of levels of support.
> Jarek provided an example on `security-discuss@community`[1]. I think
> that it is better to provide a larger list of supported versions, but
> limit the expectations of the users, e.g.:
>
> * `SECURITY-ONLY`: if a security vulnerability is discovered in Maven
> 3.8.x (NOT in its dependencies), we MAY consider a new release. Note:
> Maven 3.8.x MAY be declared EOL at any time with one month of notice. If
> you rely on Maven 3.8.x in production, consider looking for a company
> that provides commercial Maven support. The ASF does not endorse any
> such company, but we are aware of these companies...
>
> The reason I think it is better to leave the possibility of a security
> release open is that users _might_ still check for updates for that
> branch. In December 2021 Apache Logging resurrected the 2.3.x and 2.12.x
> branches to patch Log4Shell, but users apparently didn't know it and we
> are still getting questions from users that use version 2.12.0. When we
> ask why they didn't upgrade, they say they are on Java 7 and can not
> upgrade to 2.17.x.
>
> That is why I think it is better to show that the door for 3.8.9 is
> open, especially if some user (or the company that provides him with
> commercial Maven support) wants to provide a PR that backports a
> security fix.
>

That's really the reason why I don't really see the need for a "policy"
that we would enforce.
If any committer wants to do an official bug fix release, I'm not sure why
we would stop that.
It's just a matter of finding 3 PMC members that can review the release and
that's all.

I would think the date of the last bug fix release on a given branch kinda
indicates if it's being maintained actively or not.


>
> Regarding Maven dependencies, did you notice that Maven 3.9.x:
>
> * depends on `maven-resolver-transport-http` version 1.9.x (supported),
>
> * which depends on HttpClient 4.5 (supported),
>
> * which depends on HttpCore 4.4 (EOL officially). ;-)
>
> Gary, could we have an official statement on HttpComponents web page
> that if shit hits the fan HttpCore 4.4.x MAY consider releasing a
> patched version?
>
> Piotr
>
> [1] https://lists.apache.org/thread/4jt9j4x61rwxmbw30f5gdsfoxm1mmfzz
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> For additional commands, e-mail: dev-h...@maven.apache.org
>
>

-- 
------------------------
Guillaume Nodet

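The dependency chain Piotr points out (Maven 3.9.x -> maven-resolver-transport-http 1.9.x -> HttpClient 4.5 -> HttpCore 4.4, with the last one EOL) is the kind of thing a build owner can check mechanically. The script below is an added example, not code from this thread or from the Maven project: it parses the text printed by `mvn dependency:tree`, keeps track of the path from the root artifact down to each node, and reports every chain that ends in an artifact whose branch is marked EOL. The sample tree and the support table are constructed here; the exact patch versions in the sample and the status values are assumptions, not statements from the thread.

```python
"""Walk `mvn dependency:tree` output and report the path to every artifact
whose release branch is marked EOL.  Added example: the tree text and the
support table below are constructed and are not the project's own data."""

import re
from typing import Dict, List, Tuple

# Constructed sample in the format printed by `mvn dependency:tree`.
# Versions are assumptions chosen to mirror the chain discussed in the thread.
SAMPLE_TREE = """\
[INFO] org.apache.maven:maven-core:jar:3.9.9
[INFO] +- org.apache.maven.resolver:maven-resolver-transport-http:jar:1.9.22:compile
[INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.5.14:compile
[INFO] |  |  \\- org.apache.httpcomponents:httpcore:jar:4.4.16:compile
[INFO] |  \\- org.slf4j:jcl-over-slf4j:jar:1.7.36:compile
[INFO] \\- org.codehaus.plexus:plexus-utils:jar:3.5.1:compile
"""

# Assumed support table, keyed by (groupId, artifactId, major.minor branch).
# In practice this would come from each project's published support policy.
SUPPORT_STATUS: Dict[Tuple[str, str, str], str] = {
    ("org.apache.maven.resolver", "maven-resolver-transport-http", "1.9"): "SUPPORTED",
    ("org.apache.httpcomponents", "httpclient", "4.5"): "SUPPORTED",
    ("org.apache.httpcomponents", "httpcore", "4.4"): "EOL",
}

# Scopes that `dependency:tree` appends as the last coordinate field.
SCOPES = {"compile", "test", "runtime", "provided", "system", "import"}

# The tree prefix is a run of 3-character cells: "|  ", "   ", "+- " or "\- ".
LINE_RE = re.compile(
    r"^\[INFO\] (?P<prefix>(?:\|  |   |\+- |\\- )*)(?P<coord>\S+)$"
)


def parse_tree(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (depth, groupId, artifactId, version) for each tree line."""
    nodes = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip non-tree output such as build banners
        depth = len(m.group("prefix")) // 3
        parts = m.group("coord").split(":")
        # groupId:artifactId:type[:classifier]:version[:scope]
        version = parts[-2] if parts[-1] in SCOPES else parts[-1]
        nodes.append((depth, parts[0], parts[1], version))
    return nodes


def major_minor(version: str) -> str:
    """Reduce 4.4.16 to the 4.4 branch that support policies are stated for."""
    return ".".join(version.split(".")[:2])


def eol_paths(text: str, status: Dict[Tuple[str, str, str], str]) -> List[List[str]]:
    """For each EOL artifact, return the chain from the root artifact to it."""
    stack: List[str] = []
    findings: List[List[str]] = []
    for depth, group, artifact, version in parse_tree(text):
        del stack[depth:]  # back out to this node's parent level
        stack.append(f"{group}:{artifact}:{version}")
        if status.get((group, artifact, major_minor(version))) == "EOL":
            findings.append(list(stack))
    return findings


if __name__ == "__main__":
    for path in eol_paths(SAMPLE_TREE, SUPPORT_STATUS):
        print("EOL branch reached via: " + " -> ".join(path))
```

Run against real output with `mvn dependency:tree > tree.txt` and feed the file contents to `eol_paths`; the support table is the part that needs maintaining, which is exactly why a published statement of the kind Piotr asks for matters.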