+1 for having quick and minimal effort security-only releases. At least for updating the latest release in cases where the patch has limited impact on everything else ("minimal effort").
-- Bjorn Danielsson Cuspy Code AB David Blevins <david.blev...@gmail.com> wrote: > So as I mentioned in the security reporting thread, although we do always use > the most recent versions of everything in our releases, we should probably > address our timing. > > Over the lifetime of TomEE we average 4.14 months between releases. Also in > the lifetime of TomEE, there've been about 18 CVEs that affect us. That's > one every 1.61 months. > > On top of that, once a new TomEE 1.x version comes out we don't really keep > supporting the previous 1.x release, which we should -- at least for security > fixes. > > - - - > > The fastest and most realistic way I can see to continuously turn out > releases that contain security updates with the least amount time is to: > > - branch from the latest supported tags (1.5.x, 1.6.x) > - apply the security patch or do the library upgrade > - release them as 1.5.x.y, 1.6.x.y > > My gut says anything else will just encounter the usual 4 month delay. As > well I can see there being a significant advantage to having security only > releases: > > - a lot easier to do the legal screening, code header scanning, etc. > - far less community time spent on rigorously testing all our applications > - less regression testing users have to do to upgrade. (We're always > adding new features to 1.x.y releases) > - doesn't disrupt or put pressure on our development cycle > > With the current Tomcat CVE now fixed, that'd give us: > > - 1.5.2.1 > - 1.6.0.1 > > Thoughts? > > > -David