72 hrs have passed… I’m assuming we are now ok w this exception to the policy. https://lists.apache.org/thread/1klwl2yznyvp8poyqd00cd0c8m4ygv88
There are open issues we will make public. If you are on release 1.8.4 or earlier, now may be a good time to figure out an upgrade path.

I’m still hoping we can get 1.8.5 out.

Again, if any concerns with any of this please speak up now, if you can help, step forward.

I know this all sounds a bit “formal” but open source projects need this and I believe this is what is expected at an Apache project.

Thanks

On Wed, Feb 14, 2024 at 8:22 PM James Dailey <jamespdai...@gmail.com> wrote:

> Devs -
>
> We have an unfortunate situation where we may need to break our commitment, previously communicated, to support at least two Releases. i.e. The current one and the last one.
>
> We previously communicated that we would only look at fixes for the last two releases. Thus, if you are following along, our release 1.9.0 and our release 1.8.4 are - by our internal policy - the two valid releases that we show on the download list. This means that when we get a report of a critical issue, we fix the current release, and we fix the one before that.
>
> We move all other releases to the archive. They are not fixed. If there is a published CVE then the CVE details are public and likely exist in previous Releases and, therefore, well known to the world. We urge everyone to patch and to update to keep your data and your deployments safe. Always.
>
> So... Unless we can get a 1.8.5 out immediately, I am PROPOSING and thereby giving NOTICE now that we should be removing 1.8.4 from our "valid release" designation in the next 10 days.
>
> By implication, we already moved 1.7.x to EOL when we released 1.9.0. I hope everyone is following along well.
>
> If you disagree with this, please comment now. If you want to help Victor get 1.8.5 out, you can contact him on this list. I would like to facilitate a situation which is better.
>
> James