mamccorm opened a new issue, #5159:
URL: https://github.com/apache/couchdb/issues/5159

   Hi there,
   
   I'd like to ask for some clarification on which versions of couchdb are actively 
maintained, and when we might see subsequent patch releases. If some 
documentation exists, I'd be grateful if you could link here. 
   
   Otherwise, I've been trying to determine by looking at Git releases, and 
this is what I can see:
   
   - **v3.3.3** - Latest release, last cut in December 2023
   - **v3.2.2** - Last cut in April 2023
   - **v3.2.3** - Last cut in April 2023 
   
   Going from the above, it doesn't look like the project is being actively 
maintained, at least in the sense of publishing releases; it's been 8 months 
since the last release was cut, and 14 months since the previous, and no patch 
releases since.
   
   If I look at the images on Dockerhub, it does look like some of the tags are 
being re-pushed, i.e. these ones look to have been pushed in the last couple of 
weeks:
   - [couchdb:3.3.3](https://hub.docker.com/layers/library/couchdb/3.3.3/images/sha256-3aec22c010bc7198b16f277da98b887ebd61264c951df97bab11f1be9d4870be?context=explore)
   - [couchdb:3.2.3](https://hub.docker.com/layers/library/couchdb/3.2.3/images/sha256-a54fa2d7d5c42bf77696d0aaa50af0dea43e6b00b146c2ad734d593c3f2e41a1?context=explore)
   
   Older tags don't look to have been pushed any time recently. So it looks 
like we're re-building v3.2 and v3.3; does that mean these are the two 
supported versions? And if supported, how come we aren't cutting patch releases 
to maintain them in GitHub?
   
   Another reason that makes me think v3.2 is not being maintained - a [GH 
issue was opened](https://github.com/apache/couchdb-docker/issues/231) to fix a 
CVE, but it looks like this was closed, and fixed in v3.3 instead (i.e. not 
addressed in v3.2).
   
   When I look at both images, they also have a lot of vulnerabilities, which 
is part of the reason for exploring the above, for example:
   
   ```bash
   % grype couchdb:3.3.3
   ...
   ...
    ✔ Vulnerability DB                [no update available]
    ✔ Pulled image
    ✔ Loaded image                    couchdb:3.3.3
    ✔ Parsed image                    sha256:1d8323a5b9e3888f3adc3e8468857bb983688bec36be7cc196b7b8ea2b846d8e
    ✔ Cataloged contents              13044b00fd70799b183580943c83b1179a69f4f9da246144898f4032cd0a0b24
      ├── ✔ Packages                        [137 packages]
      ├── ✔ File digests                    [5,170 files]
      ├── ✔ File metadata                   [5,170 locations]
      └── ✔ Executables                     [811 executables]
    ✔ Scanned for vulnerabilities     [170 vulnerability matches]
      ├── by severity: 6 critical, 17 high, 33 medium, 9 low, 86 negligible (19 unknown)
   ```
   
   Also, I'm aware a lot of these may come from the choice of base image - 
upgrading from bullseye to bookworm would remediate a large chunk of them, but 
there'd still probably be over half remaining. Might be something worth 
considering?
   
   Anyway, confirmation on what versions are supported would be great, and 
thanks in advance.
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
