Hi, I've read the new security advisories page and the document about security release handling. They are very good. I'm really impressed by your quick actions.
But I have a question about the new security release handling step -- "What versions are supported in a security fix?"

Your new security release step says (NOTE: emphasis mine):

> Package new versions for *all affected versions*;

Are you sure you release *all* affected versions even if end-of-life versions are included?

If so, `The Release Process page <http://symfony.com/doc/current/contributing/community/releases.html>`_ should explain this exception.

If not, meaning the targets of security releases are limited to currently supported versions, you have to:

* Add clear descriptions about the targets of security releases
* Add descriptions about security vulnerabilities in end-of-life versions

Making an exception for security releases in end-of-life versions is not uncommon. But, from a realistic perspective, providing security fixes for end-of-life versions might be expensive. At least, providing security announcements and patches or workarounds for *all* affected versions (including end-of-life versions) is good, I think.

Thanks,
Kousuke
