[mapserver-dev] Feedback on new SECURITY.md policy for MapServer
Jeff McKenna
jmckenna at gatewaygeomatics.com
Thu Aug 26 09:37:49 PDT 2021
On 2021-08-26 1:16 p.m., Jeff McKenna wrote:
> On 2021-08-26 1:04 p.m., Daniel Morissette wrote:
>> I like your suggestion (if I understood it correctly) except for the 1
>> year restriction. Even if 1 year to upgrade may sound like lots of
>> time to people who are always in the bleeding edge or who are working
>> in a lab, we have to think about people running systems in production
>> and for whom MapServer is not their day job, it is just one component
>> of a larger infrastructure. Upgrading from 7.6 to 8.0 and dealing with
>> all the changes to mapfiles and config is not a small task, it is
>> likely to break lots of stuff and require new developments in order to
>> upgrade (think of systems that generate mapfiles)... so this works
>> needs to be planned around all their other priorities and I find the 1
>> year window a bit short.
>>
>> So perhaps the rule could be to patch the last release branch of the
>> two most recent major releases. At the moment that would be 7.6 and
>> 6.4, and the day that 8.0 is released that becomes 8.0 and 7.6 (and
>> 6.x becomes officially unmaintained).
>
> This is in fact my exact suggestion in this initial thread: "only
> support the current stable release, and the previous branch, such as:
> 8.0.x, and 7.6.x".
>
> Your wording is more elegant and proper though.
>
> So I am +1-ing both of our suggestions :)
>
> -jeff
Sorry, my initial wording assumes that we have 8.0 released (meaning we
would only support the 8.0 and 7.6 branches). I think we are saying the
exact same thing. But your wording is so much better. -jeff
>
>
>
>>
>> I think that's what you (Steve) suggested, but without the 1 year
>> restriction on the older major release.
>>
>> Daniel
>>
>>
>> On 2021-08-01 21:46, Steve Lime wrote:
>>> Thanks for getting this started! I think we need to start thinking at
>>> the major release level and consider 7.x.x as one continuous release
>>> where only the latest version gets the patches. We’d also patch the
>>> last major release, the last version only, but only for a finite
>>> period of time, perhaps one year. That gives folks time to upgrade
>>> but not forever. So, once 8 released we’d commit to patching the 7
>>> release for one year and only at the latest version, so 7.6.4, then
>>> 7.6.5, etc...
>>>
>>> Then for the 8 release we’d have something like this, hypothetically:
>>>
>>> 8.0.0 -> 8.0.1 -> 8.0.2 -> 8.2.0 -> 8.2.1 -> 8.4.0 -> 8.4.1 ->
>>> 8.4.2 -> …
>>>
>>> No patching backwards within a major release.
>>>
>>> —Steve
>>>
>>> On Fri, Jul 30, 2021 at 11:19 AM Jeff McKenna
>>> <jmckenna at gatewaygeomatics.com> wrote:
>>>
>>> Hi devs,
>>>
>>> GitHub now recommends that all repositories contain a SECURITY.md
>>> file (per
>>> https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository).
>>>
>>> I followed their steps and drafted one for MapServer through this
>>> commit:
>>> https://github.com/MapServer/MapServer/commit/dab99913d214c5440815f4c9955c49e3e7a0f684
>>>
>>>
>>> Question: what versions should we list as supported, for security
>>> patches?
>>>
>>> From checking our recent release history, I initially wrote that we
>>> support 7.6, 7.4, 7.2, 7.0, but not < 7.
>>>
>>> personally, i feel that we should only support the current stable
>>> release, and the previous branch, such as: 8.0.x, and 7.6.x (my
>>> reasoning: we are doing this for free/on our own time, and
>>> supporting too many past versions is not realistic, as we all have
>>> bills to pay).
>>>
>>> please share your thoughts.
>>>
>>> thanks!
>>>
>>> -jeff
>>>
>>>
>>> --
>>> jeff mckenna
>>> gatewaygeo: developers of ms4w, mapserver consulting and training
>>> co-founder of foss4g
>>> http://gatewaygeo.com/
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> mapserver-dev mailing list
>>> mapserver-dev at lists.osgeo.org
>>> https://lists.osgeo.org/mailman/listinfo/mapserver-dev
>>>
>>>
>>
>>
>
>
--
Jeff McKenna
GatewayGeo: Developers of MS4W, MapServer Consulting and Training
co-founder of FOSS4G
http://gatewaygeo.com/
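As an added example (not code from this thread or from the MapServer project), the script below applies the rule the thread converges on, patching only the latest release of each of the two most recent major lines, to a constructed release list and renders the "Supported Versions" table that GitHub's SECURITY.md template uses. The release tags are made up for illustration and are not MapServer's real release history.

```python
"""Added example: derive a SECURITY.md supported-versions table from a list
of release tags under the rule "two most recent major lines, latest release
of each only". The release list is constructed, not MapServer's real history."""


# Constructed sample release tags (hypothetical, for illustration only).
SAMPLE_RELEASES = ["6.4.0", "6.4.6", "7.0.7", "7.2.2", "7.4.4", "7.6.4", "7.6.3", "8.0.0"]


def parse_version(tag):
    """Split 'major.minor.patch' into a comparable integer tuple."""
    major, minor, patch = (int(part) for part in tag.split("."))
    return major, minor, patch


def supported_versions(releases, keep_majors=2):
    """Return {major: latest_tag} for the newest `keep_majors` major lines.

    Only the latest release within each kept major line is supported, which
    matches "no patching backwards within a major release"; once a new major
    ships, the oldest kept line drops off (6.x becomes unmaintained at 8.0).
    """
    latest_by_major = {}
    for tag in releases:
        version = parse_version(tag)
        current = latest_by_major.get(version[0])
        if current is None or version > parse_version(current):
            latest_by_major[version[0]] = tag
    kept = sorted(latest_by_major, reverse=True)[:keep_majors]
    return {major: latest_by_major[major] for major in kept}


def is_supported(tag, releases, keep_majors=2):
    """True only if `tag` is exactly the latest release of a supported major line."""
    return tag in supported_versions(releases, keep_majors).values()


def security_md_table(releases, keep_majors=2):
    """Render the markdown table used by GitHub's SECURITY.md template."""
    supported = supported_versions(releases, keep_majors)
    majors = sorted({parse_version(tag)[0] for tag in releases}, reverse=True)
    rows = ["| Version | Supported |", "| ------- | --------- |"]
    for major in majors:
        if major in supported:
            rows.append(f"| {supported[major]} | :white_check_mark: |")
        else:
            rows.append(f"| {major}.x | :x: |")
    return "\n".join(rows)


if __name__ == "__main__":
    print(security_md_table(SAMPLE_RELEASES))
```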