[mapserver-dev] Feedback on new SECURITY.md policy for MapServer

Steve Lime sdlime at gmail.com
Sun Aug 1 18:46:30 PDT 2021


Thanks for getting this started! I think we need to start thinking at the
major release level and consider 7.x.x as one continuous release where only
the latest version gets the patches. We’d also patch the last major
release, the last version only, but only for a finite period of time,
perhaps one year. That gives folks time to upgrade but not forever. So,
once 8 is released we’d commit to patching the 7 release for one year and only
at the latest version, so 7.6.4, then 7.6.5, etc...

Then for the 8 release we’d have something like this, hypothetically:

  8.0.0 -> 8.0.1 -> 8.0.2 -> 8.2.0 -> 8.2.1 -> 8.4.0 -> 8.4.1 -> 8.4.2 -> …

No patching backwards within a major release.

—Steve

On Fri, Jul 30, 2021 at 11:19 AM Jeff McKenna <jmckenna at gatewaygeomatics.com>
wrote:

> Hi devs,
>
> GitHub now recommends that all repositories contain a SECURITY.md file
> (per
> https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository).
> I followed their steps and drafted one for MapServer through this commit:
> https://github.com/MapServer/MapServer/commit/dab99913d214c5440815f4c9955c49e3e7a0f684
>
> Question: what versions should we list as supported, for security patches?
>
> From checking our recent release history, I initially wrote that we
> support 7.6, 7.4, 7.2, 7.0, but not < 7.
>
> personally, i feel that we should only support the current stable release,
> and the previous branch, such as: 8.0.x, and 7.6.x (my reasoning: we are
> doing this for free/on our own time, and supporting too many past versions
> is not realistic, as we all have bills to pay).
>
> please share your thoughts.
>
> thanks!
>
> -jeff
>
>
> --
> jeff mckenna
> gatewaygeo: developers of ms4w, mapserver consulting and training
> co-founder of foss4g
> http://gatewaygeo.com/
>
> _______________________________________________
> mapserver-dev mailing list
> mapserver-dev at lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/mapserver-dev
>