Would a security fix need to wait
for next 3-month release? This could be in conflict with the 90 days vulnerability release policy. Consider this scenario:
- A vulnerability is reported two weeks before the release and the team needs some time to prepare a fix.
- The fix is ready one month after the release
- 90 days will come two weeks BEFORE the next release
Releasing
a vulnerability information to the public without a release fixing it
is against best practices and it would be beneficial to avoid it.
Do you consider running a separate bugfix release?
So far, with the current processes and maintainers, the answer is no. This 90 days vulnerability release process cannot work for Eclipse Platform in some cases.
However, as usual, if someone is willing to take care of doing security releases to enforce this, then it would be welcome.
Could you please point me to documentation/discussions on how you do handle or would handle such a situation?
If we want to comply with a 90-days vulnerability release process, I see only 2 solutions: either more frequent releases (ie moving Platform to 2-months releases) or someone actually willing to take care of producing security releases. None is something that can be done trivially as they all have impact or requirements that may not be in the best interest of the current maintainers.
HTH
