[mapserver-dev] Feedback on new SECURITY.md policy for MapServer
Daniel Morissette
dmorissette at mapgears.com
Thu Aug 26 09:04:50 PDT 2021
I like your suggestion (if I understood it correctly) except for the 1
year restriction. Even if 1 year to upgrade may sound like lots of time
to people who are always on the bleeding edge or who are working in a
lab, we have to think about people running systems in production and for
whom MapServer is not their day job, it is just one component of a
larger infrastructure. Upgrading from 7.6 to 8.0 and dealing with all
the changes to mapfiles and config is not a small task, it is likely to
break lots of stuff and require new developments in order to upgrade
(think of systems that generate mapfiles)... so this work needs to be
planned around all their other priorities and I find the 1 year window a
bit short.
So perhaps the rule could be to patch the last release branch of the two
most recent major releases. At the moment that would be 7.6 and 6.4,
and the day that 8.0 is released that becomes 8.0 and 7.6 (and 6.x
becomes officially unmaintained).
I think that's what you (Steve) suggested, but without the 1 year
restriction on the older major release.
Daniel
On 2021-08-01 21:46, Steve Lime wrote:
> Thanks for getting this started! I think we need to start thinking at
> the major release level and consider 7.x.x as one continuous release
> where only the latest version gets the patches. We’d also patch the last
> major release, the last version only, but only for a finite period of
> time, perhaps one year. That gives folks time to upgrade but not
> forever. So, once 8 released we’d commit to patching the 7 release for
> one year and only at the latest version, so 7.6.4, then 7.6.5, etc...
>
> Then for the 8 release we’d have something like this, hypothetically:
>
> 8.0.0 -> 8.0.1 -> 8.0.2 -> 8.2.0 -> 8.2.1 -> 8.4.0 -> 8.4.1 -> 8.4.2 -> …
>
> No patching backwards within a major release.
>
> —Steve
>
> On Fri, Jul 30, 2021 at 11:19 AM Jeff McKenna
> <jmckenna at gatewaygeomatics.com> wrote:
>
> Hi devs,
>
> GitHub now recommends that all repositories contain a SECURITY.md
> file (per
> https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository).
> I followed their steps and drafted one for MapServer through this
> commit:
> https://github.com/MapServer/MapServer/commit/dab99913d214c5440815f4c9955c49e3e7a0f684
>
> Question: what versions should we list as supported, for security
> patches?
>
> From checking our recent release history, I initially wrote that we
> support 7.6, 7.4, 7.2, 7.0, but not < 7.
>
> personally, i feel that we should only support the current stable
> release, and the previous branch, such as: 8.0.x, and 7.6.x (my
> reasoning: we are doing this for free/on our own time, and
> supporting too many past versions is not realistic, as we all have
> bills to pay).
>
> please share your thoughts.
>
> thanks!
>
> -jeff
>
>
> --
> jeff mckenna
> gatewaygeo: developers of ms4w, mapserver consulting and training
> co-founder of foss4g
> http://gatewaygeo.com/
>
>
>
>
> _______________________________________________
> mapserver-dev mailing list
> mapserver-dev at lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/mapserver-dev
>
--
Daniel Morissette
Mapgears Inc
T: +1 418-696-5056 #201