Security maintenance policy

Hauke Mehrtens hauke at hauke-m.de
Thu Dec 17 10:17:33 EST 2020


Hi,

I put some dates on how long an OpenWrt version is supported into the wiki 
about one year ago:
https://openwrt.org/docs/guide-developer/security#support_status

I use pretty short time frames there, so that I could later also take 
care of this myself. We extended this already: in the beginning 18.06 
was supported till May 2020, we did the last release in December 2020, 
and 19.07 was extended from January 2021 to August 2021.

I think we should provide information about how long others can expect 
security updates from us; this is a commitment from our side.
I would only take this over for the core packages and not the feed: if 
the feed maintainers maintain their package it gets updates, if they do 
not take care it does not get updated.

I would propose the following policy:
1. Latest release (currently 19.07) gets full support (security bugs and 
other bugs are getting fixed)
2. The release before that (currently 18.06) gets only security updates 
if needed.
3. All older releases (currently 17.01, 15.05) are completely unsupported 
and we do not provide any fixes, even for severe security problems.

As soon as a new major release is finally tagged (not the first RC), all 
the existing branches are moving one step lower.

As we currently do a release every 1 to 1.5 years this means we have to 
support every release for about 3 years.
We also have to provide the build infrastructure to be able to do a 
release for 3 years after the XX.XX.0 version and have 3 releases in 
parallel to master at maximum.

I think it is unrealistic to assume we will do a new major release every 
6 months, we tried this multiple times, but this never worked.

We could also reduce the 2.) policy and do the security only support for 
6 months after the next major release was done.

If someone needs longer support, some paid model like the Debian LTS 
model would be nice, so developers would get paid for an extended LTS 
support but still can release the code publicly.

I would like to get some comments about this, so we can have a concrete 
vote on this in about 2 weeks.

Hauke
