On Sun, Feb 23, 2025 at 21:00, Piotr P. Karwasz <pi...@mailing.copernik.eu> wrote:
> Hi Gary,
>
> On 23.02.2025 16:24, Gary Gregory wrote:
> > FWIW, a policy I would consider OK is something like "we support A and B
> > actively and would only consider a release of C for a severe security CVE,
> > but D is EOL and OB to further releases."
>
> Yes, it would be nice to have a well-defined set of levels of support.
> Jarek provided an example on `security-discuss@community`[1]. I think
> that it is better to provide a larger list of supported versions, but
> limit the expectations of the users, e.g.:
>
> * `SECURITY-ONLY`: if a security vulnerability is discovered in Maven
> 3.8.x (NOT in its dependencies), we MAY consider a new release. Note:
> Maven 3.8.x MAY be declared EOL at any time with one month of notice. If
> you rely on Maven 3.8.x in production, consider looking for a company
> that provides commercial Maven support. The ASF does not endorse any
> such company, but we are aware of these companies...
>
> The reason I think it is better to leave the possibility of a security
> release open is that users _might_ still check for updates for that
> branch. In December 2021 Apache Logging resurrected the 2.3.x and 2.12.x
> branches to patch Log4Shell, but users apparently didn't know it and we
> are still getting questions from users that use version 2.12.0. When we
> ask why they didn't upgrade, they say they are on Java 7 and cannot
> upgrade to 2.17.x.
>
> That is why I think it is better to show that the door for 3.8.9 is
> open, especially if some user (or the company that provides him with
> commercial Maven support) wants to provide a PR that backports a
> security fix.

That's really the reason why I don't really see the need for a "policy" that we would enforce. If any committer wants to do an official bug fix release, I'm not sure why we would stop that. It's just a matter of finding 3 PMC members that can review the release and that's all.
I would think the date of the last bug fix release on a given branch kinda indicates if it's being maintained actively or not.

> Regarding Maven dependencies, did you notice that Maven 3.9.x:
>
> * depends on `maven-resolver-transport-http` version 1.9.x (supported),
> * which depends on HttpClient 4.5 (supported),
> * which depends on HttpCore 4.4 (EOL officially). ;-)
>
> Gary, could we have an official statement on the HttpComponents web page
> that if shit hits the fan HttpCore 4.4.x MAY consider releasing a
> patched version?
>
> Piotr
>
> [1] https://lists.apache.org/thread/4jt9j4x61rwxmbw30f5gdsfoxm1mmfzz

-- 
------------------------
Guillaume Nodet