Security maintenance policy
Hauke Mehrtens
hauke at hauke-m.de
Thu Dec 17 10:17:33 EST 2020
Hi,
I put some dates on how long an OpenWrt version is supported into the wiki
about one year ago:
https://openwrt.org/docs/guide-developer/security#support_status
I use pretty short time frames there, so that I could later also take
care of this myself. We extended this already: in the beginning 18.06
was supported till May 2020, we did the last release in December 2020,
and 19.07 was extended from January 2021 to August 2021.
I think we should provide information about how long others can expect
security updates from us, this is a commitment from our side.
I would only take this over for the core packages and not the feed; if
the feed maintainers maintain their package it gets updates, if they do
not take care of it, it does not get updated.
I would propose the following policy:
1. Latest release (currently 19.07) gets full support (security bugs and
other bugs are getting fixed)
2. The release before that (currently 18.06) gets only security updates
if needed.
3. All older releases (currently 17.01, 15.05) are completely unsupported
and we do not provide any fixes, even for severe security problems.
As soon as a new major release is finally tagged (not the first RC), all
the existing branches are moving one step lower.
As we currently do a release every 1 to 1.5 years this means we have to
support every release for about 3 years.
We also have to provide the build infrastructure to be able to do a
release for 3 years after the XX.XX.0 version and have 3 releases in
parallel to master at maximum.
I think it is unrealistic to assume we will do a new major release every
6 months, we tried this multiple times, but this never worked.
We could also reduce the 2.) policy and do the security only support for
6 months after the next major release was done.
If someone needs longer support, some paid model like the Debian LTS
model would be nice, so developers would get paid for an extended LTS
support but still can release the code publicly.
I would like to get some comments about this, so we can have a concrete
vote on this in about 2 weeks.
Hauke