+1 for having quick and minimal effort security-only releases.
At least for updating the latest release in cases where the
patch has limited impact on everything else ("minimal effort").
--
Bjorn Danielsson
Cuspy Code AB
David Blevins <david.blev...@gmail.com> wrote:
> So as I mentioned in the security reporting thread, although we do always use
> the most recent versions of everything in our releases, we should probably
> address our timing.
>
> Over the lifetime of TomEE we average 4.14 months between releases. Also in
> the lifetime of TomEE, there've been about 18 CVEs that affect us. That's
> one every 1.61 months.
>
> On top of that, once a new TomEE 1.x version comes out we don't really keep
> supporting the previous 1.x release, which we should -- at least for security
> fixes.
>
> - - -
>
> The fastest and most realistic way I can see to continuously turn out
> releases that contain security updates with the least amount time is to:
>
> - branch from the latest supported tags (1.5.x, 1.6.x)
> - apply the security patch or do the library upgrade
> - release them as 1.5.x.y, 1.6.x.y
>
> My gut says anything else will just encounter the usual 4 month delay. As
> well I can see there being a significant advantage to having security only
> releases:
>
> - a lot easier to do the legal screening, code header scanning, etc.
> - far less community time spent on rigorously testing all our applications
> - less regression testing users have to do to upgrade. (We're always
> adding new features to 1.x.y releases)
> - doesn't disrupt or put pressure on our development cycle
>
> With the current Tomcat CVE now fixed, that'd give us:
>
> - 1.5.2.1
> - 1.6.0.1
>
> Thoughts?
>
>
> -David
