From 61075ef0bd89474b218c2e502090916763d3be24 Mon Sep 17 00:00:00 2001 From: Michael Catanzaro Date: Thu, 28 Sep 2023 11:08:01 -0500 Subject: [PATCH] Expand security policy to cover previous stable branch The goal here is to reconcile the difference between GLib's 6-month security policy and GNOME's 12-month policy (which may soon be expanded to 13 months, gnome-build-meta#731). It's strange for GLib to be an exception when the rest of GNOME supports two stable branches at a time. I'm not aware of any other GNOME project with a shorter release lifetime than GNOME itself, and it results in a situation where the previous stable version of the GNOME runtime never receives any GLib updates, since we stick with the same GLib version for the entire release and do not do security backports. But I also want to avoid creating an expectation that GLib maintainers will do a bunch of additional backporting work, so most commits should be out of scope. We can say maintainer discretion will be used to determine whether a backport to the previous stable branch is warranted. And normally, it won't be, so the goal should be no previous stable branch releases. But occasionally we might feel a CVE is important enough that a release really is warranted. --- README.md | 7 ++++--- SECURITY.md | 15 ++++++++++----- 2 files changed, 14 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 13f8aa2f3..6e19a3888 100644 --- a/README.md +++ b/README.md @@ -19,9 +19,10 @@ GLib on Windows. ## Supported versions -Only the most recent unstable and stable release series are supported. All -older versions are not supported upstream and may contain bugs, some of -which may be exploitable security vulnerabilities. +Upstream GLib only supports the most recent stable release series, the previous +stable release series, and the current development release series. All +older versions are not supported upstream and may contain bugs, some of which +may be exploitable security vulnerabilities. See [SECURITY.md](SECURITY.md) for more details. diff --git a/SECURITY.md b/SECURITY.md index c7fb8162c..c7797d5bd 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -7,11 +7,16 @@ ## Supported Versions -Upstream GLib only supports the most recent stable release series, and the -current development release series. Any older stable release series are no -longer supported, although they may still receive backported security updates -in long-term support distributions. Such support is up to the distributions, -though. +Upstream GLib only supports the most recent stable release series, the previous +stable release series, and the current development release series. Any older +stable release series are no longer supported, although they may still receive +backported security updates in long-term support distributions. Such support is +up to the distributions, though. + +The previous stable release series will generally receive fixes only for high +impact security issues, at maintainer discretion. Since such issues are rare, +it's expected that there may be no backports or releases on the previous stable +branch. Under GLib’s versioning scheme, stable release series have an *even* minor component (for example, 2.66.0, 2.66.1, 2.68.3), and development release series