luc14n0/glib
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/glib.git synced 2025-01-23 20:46:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

Expand security policy to cover previous stable branch

Browse Source 
The goal here is to reconcile the difference between GLib's 6-month
security policy and GNOME's 12-month policy (which may soon be expanded
to 13 months, gnome-build-meta#731). It's strange for GLib to be an
exception when the rest of GNOME supports two stable branches at a time.
I'm not aware of any other GNOME project with a shorter release lifetime
than GNOME itself, and it results in a situation where the previous
stable version of the GNOME runtime never receives any GLib updates,
since we stick with the same GLib version for the entire release and do
not do security backports.

But I also want to avoid creating an expectation that GLib maintainers
will do a bunch of additional backporting work, so most commits should
be out of scope. We can say maintainer discretion will be used to
determine whether a backport to the previous stable branch is warranted.
And normally, it won't be, so the goal should be no previous stable
branch releases. But occasionally we might feel a CVE is important
enough that a release really is warranted.
This commit is contained in:
Michael Catanzaro 2023-09-28 11:08:01 -05:00 committed by Philip Withnall
parent 1cd0dfa55b
commit 61075ef0bd
2 changed files with 14 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
README.md
View File

@ -19,9 +19,10 @@ GLib on Windows.
## Supported versions ## Supported versions
Only the most recent unstable and stable release series are supported. All Upstream GLib only supports the most recent stable release series, the previous
older versions are not supported upstream and may contain bugs, some of stable release series, and the current development release series. All
which may be exploitable security vulnerabilities. older versions are not supported upstream and may contain bugs, some of which
may be exploitable security vulnerabilities.
See [SECURITY.md](SECURITY.md) for more details. See [SECURITY.md](SECURITY.md) for more details.

15
SECURITY.md
View File

@ -7,11 +7,16 @@
## Supported Versions ## Supported Versions
Upstream GLib only supports the most recent stable release series, and the Upstream GLib only supports the most recent stable release series, the previous
current development release series. Any older stable release series are no stable release series, and the current development release series. Any older
longer supported, although they may still receive backported security updates stable release series are no longer supported, although they may still receive
in long-term support distributions. Such support is up to the distributions, backported security updates in long-term support distributions. Such support is
though. up to the distributions, though.
The previous stable release series will generally receive fixes only for high
impact security issues, at maintainer discretion. Since such issues are rare,
it's expected that there may be no backports or releases on the previous stable
branch.
Under GLibs versioning scheme, stable release series have an *even* minor Under GLibs versioning scheme, stable release series have an *even* minor
component (for example, 2.66.0, 2.66.1, 2.68.3), and development release series component (for example, 2.66.0, 2.66.1, 2.68.3), and development release series