<div dir="auto">Thanks for getting this started! I think we need to start thinking at the major release level and consider 7.x.x as one continuous release where only the latest version gets the patches. We’d also patch the last major release, the last version only, but only for a finite period of time, perhaps one year. That gives folks time to upgrade but not forever. So, once 8 is released we’d commit to patching the 7 release for one year and only at the latest version, so 7.6.4, then 7.6.5, etc...</div><div dir="auto"><br></div><div dir="auto">Then for the 8 release we’d have something like this, hypothetically:</div><div dir="auto"><br></div><div dir="auto">  8.0.0 -> 8.0.1 -> 8.0.2 -> 8.2.0 -> 8.2.1 -> 8.4.0 -> 8.4.1 -> 8.4.2 -> …</div><div dir="auto"><br></div><div dir="auto">No patching backwards within a major release. </div><div dir="auto"><br></div><div dir="auto">—Steve</div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Jul 30, 2021 at 11:19 AM Jeff McKenna &lt;<a href="mailto:jmckenna@gatewaygeomatics.com">jmckenna@gatewaygeomatics.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi devs,<br><br>GitHub now recommends that all repositories contain a SECURITY.md file (per <a href="https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository" target="_blank">https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository</a>).  
I followed their steps and drafted one for MapServer through this commit: <a href="https://github.com/MapServer/MapServer/commit/dab99913d214c5440815f4c9955c49e3e7a0f684" target="_blank">https://github.com/MapServer/MapServer/commit/dab99913d214c5440815f4c9955c49e3e7a0f684</a><br><br>Question:  what versions should we list as supported, for security patches?<br><br>From checking our recent release history, I initially wrote that we support 7.6, 7.4, 7.2, 7.0, but not &lt; 7.<br><br>personally, i feel that we should only support the current stable release, and the previous branch, such as:  8.0.x, and 7.6.x    (my reasoning: we are doing this for free/on our own time, and supporting too many past versions is not realistic, as we all have bills to pay).<br><br>please share your thoughts.<br><br>thanks!<br><br>-jeff<br><br><br>--<br>jeff mckenna<br>gatewaygeo: developers of ms4w, mapserver consulting and training<br>co-founder of foss4g<br><a href="http://gatewaygeo.com/" target="_blank">http://gatewaygeo.com/</a><br><br>
_______________________________________________<br>
mapserver-dev mailing list<br>
<a href="mailto:mapserver-dev@lists.osgeo.org" target="_blank">mapserver-dev@lists.osgeo.org</a><br>
<a href="https://lists.osgeo.org/mailman/listinfo/mapserver-dev" rel="noreferrer" target="_blank">https://lists.osgeo.org/mailman/listinfo/mapserver-dev</a><br>
</blockquote></div></div>