New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
⏳ Document Release Policy #1243
Comments
At the moment our policy in that regard is very simple: We only support the latest release as we have no capacity (in terms of maintainers) to handle multiple releases such as a long term supported one. This is indeed documented in our SECURITY.md file here in the repo: Lines 1 to 8 in eb59f3a
For vulnerabilities, there is one precedent where we provided a backport of the fix to the prior minor version. In other such incidents we did either provide a workaround that could get applied via configuration change to several prior releases or did try and identify and contact the affected instances' administrators. We have and would still use the information visible publicly in the directory to assess how widespread a problem is. Should many instances affected by a problem still be on an older minor release, a code change to mitigate to problem necessary and not too difficult to backport, I would consider doing so. At the time of writing this, shortly after the 1.7 releases, there are for example still many instances with 1.6 and 1.5 out there, but only a handful of 1.4 ones left. The part that is less clear to me is updates in our libraries. So far we had only one report of a vulnerability in one weakening pastes security. We do update as many of them as possible to the latest versions prior each of our releases, but so far have not considered any of them a reason for a backport. We really need someone looking into upgrading bootstrap, for example. Luckily that is mostly CSS, so while it makes the UI look dated, it's unlikely to affect us in terms of security. |
An addendum:
Yeah sure, feel free to add it there/propose a PR there. If anything more than what we have ( |
Awesome, thanks a lot for the kind and cool feedback @rugk 🙏 |
I'll let you know if I need some more resources, probably the releasePolicyLink 🤔 |
The problem
We are using
privatebin
and are realy hapy with it. I would like to applu governance on maintenance process, hence I would need to get the lifecycle policy about for example support strategy, end of life,...The solution
Provide some guidelines , for example by providing a
SECURITY.md
like on the repo explaining clearly how users should maintain their instance.For exammple, saying that each major version reaches its end of life as soon as a new major version is released.
Alternatives
Give the web page where it is documented.
Additional context
The main idea would to add it to https://endoflife.date/ (see the dedicated DEV.to series):
The text was updated successfully, but these errors were encountered: