[mapserver-dev] Feedback on new SECURITY.md policy for MapServer
Jeff McKenna
jmckenna at gatewaygeomatics.com
Thu Aug 26 09:16:53 PDT 2021
On 2021-08-26 1:04 p.m., Daniel Morissette wrote:
> I like your suggestion (if I understood it correctly) except for the 1
> year restriction. Even if 1 year to upgrade may sound like lots of time
> to people who are always in the bleeding edge or who are working in a
> lab, we have to think about people running systems in production and for
> whom MapServer is not their day job, it is just one component of a
> larger infrastructure. Upgrading from 7.6 to 8.0 and dealing with all
> the changes to mapfiles and config is not a small task, it is likely to
> break lots of stuff and require new developments in order to upgrade
> (think of systems that generate mapfiles)... so this work needs to be
> planned around all their other priorities and I find the 1 year window a
> bit short.
>
> So perhaps the rule could be to patch the last release branch of the two
> most recent major releases. At the moment that would be 7.6 and 6.4,
> and the day that 8.0 is released that becomes 8.0 and 7.6 (and 6.x
> becomes officially unmaintained).
This is in fact my exact suggestion in this initial thread: "only
support the current stable release, and the previous branch, such as:
8.0.x, and 7.6.x".
Your wording is more elegant and proper though.
So I am +1-ing both of our suggestions :)
-jeff
>
> I think that's what you (Steve) suggested, but without the 1 year
> restriction on the older major release.
>
> Daniel
>
>
> On 2021-08-01 21:46, Steve Lime wrote:
>> Thanks for getting this started! I think we need to start thinking at
>> the major release level and consider 7.x.x as one continuous release
>> where only the latest version gets the patches. We’d also patch the
>> last major release, the last version only, but only for a finite
>> period of time, perhaps one year. That gives folks time to upgrade but
>> not forever. So, once 8 released we’d commit to patching the 7 release
>> for one year and only at the latest version, so 7.6.4, then 7.6.5, etc...
>>
>> Then for the 8 release we’d have something like this, hypothetically:
>>
>> 8.0.0 -> 8.0.1 -> 8.0.2 -> 8.2.0 -> 8.2.1 -> 8.4.0 -> 8.4.1 ->
>> 8.4.2 -> …
>>
>> No patching backwards within a major release.
>>
>> —Steve
>>
>> On Fri, Jul 30, 2021 at 11:19 AM Jeff McKenna
>> <jmckenna at gatewaygeomatics.com> wrote:
>>
>> Hi devs,
>>
>> GitHub now recommends that all repositories contain a SECURITY.md
>> file (per
>> https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository).
>>
>> I followed their steps and drafted one for MapServer through this
>> commit:
>>
>> https://github.com/MapServer/MapServer/commit/dab99913d214c5440815f4c9955c49e3e7a0f684
>>
>> Question: what versions should we list as supported, for security
>> patches?
>>
>> From checking our recent release history, I initially wrote that we
>> support 7.6, 7.4, 7.2, 7.0, but not < 7.
>>
>> Personally, I feel that we should only support the current stable
>> release, and the previous branch, such as: 8.0.x, and 7.6.x (my
>> reasoning: we are doing this for free/on our own time, and
>> supporting too many past versions is not realistic, as we all have
>> bills to pay).
>>
>> please share your thoughts.
>>
>> thanks!
>>
>> -jeff
>>
>>
>> --
>> jeff mckenna
>> gatewaygeo: developers of ms4w, mapserver consulting and training
>> co-founder of foss4g
>> http://gatewaygeo.com/
>>
>> _______________________________________________
>> mapserver-dev mailing list
>> mapserver-dev at lists.osgeo.org
>> https://lists.osgeo.org/mailman/listinfo/mapserver-dev
>
>
--
Jeff McKenna
GatewayGeo: Developers of MS4W, MapServer Consulting and Training
co-founder of FOSS4G
http://gatewaygeo.com/