On Thu, Nov 13, 2025 at 11:12 PM Phil Steitz <[email protected]> wrote:
> On Thu, Nov 13, 2025 at 2:23 PM Emmanuel Bourg <[email protected]> wrote:
> > Commons Lang 2.6 is 14 years old. Maintaining it indefinitely for free
> > doesn't sound right to me.
>
> I agree with the sentiment here, but I also understand Vladimir's position.
> We should formally EOL lang2 (and *many* other n-k versions of Commons
> components) unless we are willing to backport security fixes.

We must definitely publish advisories for components as long as we've not
formally EOL'ed them. I'm looking forward to ATR making it easier to be more
explicit about this (and make it machine-readable) as Piotr mentions.

I do see some possible middle ground for versions that are in a phase where we
don't commit to creating security fixes, but do commit to creating advisories:
in that case mature organizations that have the capability to assess whether an
advisory for a dependency impacts their use can keep using it.

Kind regards,

--
Arnout Engelen
ASF Security Response
Apache Pekko PMC member, ASF Member
NixOS Committer
Independent Open Source consultant
