Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2021/06/04 18:50:47 UTC

[GitHub] [pulsar] michaeljmarshall opened a new pull request #10829: [SECURITY] Add SECURITY.md with explicit dates for version support

michaeljmarshall opened a new pull request #10829:
URL: https://github.com/apache/pulsar/pull/10829


   The original context for this PR is on the dev mailing list here: https://lists.apache.org/thread.html/ra2db06e8da85bff67d8d588dc1e93d965f2e1d70c95bda2f08d14138%40%3Cdev.pulsar.apache.org%3E
   
   ### Motivation
   
   The Pulsar project does not explicitly declare version support timelines. By declaring support timelines, we can give our users more confidence that they will receive relevant security fixes before vulnerabilities are announced. Additionally, these timelines will guide the PMC when determining which branches need to receive security fixes.
   
   ### Modifications
   
   Add a `SECURITY.md` file.
   
   ### Release Process
   
   If this PR is accepted, I'll follow up with a change to the pulsar wiki to update the release process. Each minor and major release will require an update to the table in the `SECURITY.md` file.
   
   ### Other Changes
   
   It might be worth adding the content in this PR to a page on the pulsar website. I'm not sure where to add that yet, so I'd like to get feedback on this content before duplicating it to the website.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [pulsar] michaeljmarshall commented on pull request #10829: [SECURITY] Add Security Policy and Supported Versions page to website

Posted by GitBox <gi...@apache.org>.
michaeljmarshall commented on pull request #10829:
URL: https://github.com/apache/pulsar/pull/10829#issuecomment-1032969711


   @Anonymitaet - can you take a look at this PR? I'm not sure which directory I'm supposed to use for the webpage. Thanks.





[GitHub] [pulsar] michaeljmarshall commented on pull request #10829: [SECURITY] Add SECURITY.md with explicit dates for version support

Posted by GitBox <gi...@apache.org>.
michaeljmarshall commented on pull request #10829:
URL: https://github.com/apache/pulsar/pull/10829#issuecomment-1026329148


   @dave2wave - thank you for reminding me about this PR. I updated it so that it will live on the `pulsar.apache.org` website and the `SECURITY.md` page will point to the appropriate webpage.
   
   @sijie and @Anonymitaet - PTAL, thanks!





[GitHub] [pulsar] michaeljmarshall commented on pull request #10829: [SECURITY] Add Security Policy and Supported Versions page to website

Posted by GitBox <gi...@apache.org>.
michaeljmarshall commented on pull request #10829:
URL: https://github.com/apache/pulsar/pull/10829#issuecomment-1035243898


   Merging this PR now. I responded to all feedback, and I posted the PR to the mailing list on Feb 1st.





[GitHub] [pulsar] michaeljmarshall commented on pull request #10829: [SECURITY] Add Security Policy and Supported Versions page to website

Posted by GitBox <gi...@apache.org>.
michaeljmarshall commented on pull request #10829:
URL: https://github.com/apache/pulsar/pull/10829#issuecomment-1029280103


   @merlimat - PTAL. I added a note about linear upgrades based on our conversation in today's community meeting.





[GitHub] [pulsar] michaeljmarshall commented on pull request #10829: [SECURITY] Add SECURITY.md with explicit dates for version support

Posted by GitBox <gi...@apache.org>.
michaeljmarshall commented on pull request #10829:
URL: https://github.com/apache/pulsar/pull/10829#issuecomment-857200858


   > @michaeljmarshall just my two cents: seems that the contents of Supported Versions in this PR are not appropriate to be located in the Pulsar Security Chapter (which should include securing the components in your Pulsar deployment, configuring encryption/authentication/authorization, and more).
   
   I don't have strong feelings about its location and am happy to move it to another location. I was thinking it could belong in the Security chapter because security vulnerabilities only really affect users that are actually using the security features, and the only way to know that you are not subject to known security vulnerabilities is to run on the latest supported version for a given minor release.
   
   In looking at your screenshots from the Apache Spark website, they have similar information here: https://spark.apache.org/versioning-policy.html. That `Developers` tab seems appropriate, but I'm not seeing the same type of tab/chapter on the pulsar site. I like that the Apache Spark one is not versioned. Do we have sections of docs that are not versioned?
   
   Also, I can see that they have a reference to the Apache security link in a location similar to our current setup:
   
   ![Screen Shot 2021-06-08 at 3 40 16 PM](https://user-images.githubusercontent.com/47911938/121262954-29520480-c872-11eb-9759-ec1e135f28d2.png)
   
   @Anonymitaet - are you open to adding a new tab in the top banner named "Developers"? That could be a natural location for the supported version information as well as listing our known security vulnerabilities. It could be very similar to the Apache Spark implementation.
   
   





[GitHub] [pulsar] michaeljmarshall merged pull request #10829: [SECURITY] Add Security Policy and Supported Versions page to website

Posted by GitBox <gi...@apache.org>.
michaeljmarshall merged pull request #10829:
URL: https://github.com/apache/pulsar/pull/10829


   





[GitHub] [pulsar] Anonymitaet commented on pull request #10829: [SECURITY] Add Security Policy and Supported Versions page to website

Posted by GitBox <gi...@apache.org>.
Anonymitaet commented on pull request #10829:
URL: https://github.com/apache/pulsar/pull/10829#issuecomment-1035753177


   > > @michaeljmarshall I suggest copying the same changes to `site2/website-next`? (since we're upgrading Docusaurus and copying all contents in `site2/website` to `site2/website-next` )
   > 
   > @Anonymitaet - thanks for letting me know. Is this documented anywhere? Is there a plan to resolve any conflicts? I am worried that I did not know about this nuance and may have only written docs to the `site2/docs` directory. It's possible that others have too.
   
   @michaeljmarshall 
   - Since we're working on [PIP 87](https://docs.google.com/document/d/1IV35SI_F8G8cL-Vuzknc6RTGLK9_edRMpZpnrHvAWNs/edit#heading=h.n6wibg4w77xk), it is a temporary change on `site2/website-next`. 
   - If users only commit changes to `site2/website`, it does not matter since @urfreespace will migrate contents in `site2/website` to `site2/website-next` periodically. Before the new website goes live, @urfreespace will check all contents and make sure no content is missing. 
   - We will inform the community once we need to change the workflow, thanks for the reminder.





[GitHub] [pulsar] Anonymitaet commented on a change in pull request #10829: [SECURITY] Add Security Policy and Supported Versions page to website

Posted by GitBox <gi...@apache.org>.
Anonymitaet commented on a change in pull request #10829:
URL: https://github.com/apache/pulsar/pull/10829#discussion_r804323498



##########
File path: site2/docs/security-versioning-policy.md
##########
@@ -0,0 +1,67 @@
+---
+id: security-policy-and-supported-versions
+title: Security Policy and Supported Versions
+sidebar_label: Security Policy and Supported Versions
+---
+
+## Reporting a Vulnerability
+
+The current process for reporting vulnerabilities is outlined here: https://www.apache.org/security/. When reporting a
+vulnerability to security@apache.org, you can copy your email to [private@pulsar.apache.org](mailto:private@pulsar.apache.org)
+to send your report to the Apache Pulsar Project Management Committee. This is a private mailing list.
+
+## Using Pulsar's Security Features
+
+You can find documentation on Pulsar's available security features and how to use them here:
+https://pulsar.apache.org/docs/en/security-overview/.
+
+## Security Vulnerability Announcements
+
+The Pulsar community will announce security vulnerabilities and how to mitigate them on the [users@pulsar.apache.org](mailto:users@pulsar.apache.org).
+For instructions on how to subscribe, please see https://pulsar.apache.org/contact/.
+
+## Versioning Policy
+
+The Pulsar project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). Existing releases can expect
+patches for bugs and security vulnerabilities. New features will target minor releases.
+
+When upgrading an existing cluster, it is important to upgrade components linearly through each minor version. For
+example, when upgrading from 2.8.x to 2.10.x, it is important to upgrade to 2.9.x before going to 2.10.x.
+
+## Supported Versions
+
+Feature release branches will be maintained with security fix and bug fix releases for a period of at least 12 months
+after initial release. For example, branch 2.5.x is no longer considered maintained as of January 2021, 12 months after
+the release of 2.5.0 in January 2020. No more 2.5.x releases should be expected at this point, even to fix security
+vulnerabilities.
+
+Note that a minor version can be maintained past it's 12 month initial support period. For example, version 2.7 is still
+actively maintained.
+
+Security fixes will be given priority when it comes to back porting fixes to older versions that are within the
+supported time window. It is challenging to decide which bug fixes to back port to old versions. As such, the latest
+versions will have the most bug fixes.
+
+When 3.0.0 is released, the community will decide how to continue supporting 2.x. It is possible that the last minor
+release within 2.x will be maintained for longer as an “LTS” release, but it has not been officially decided.
+
+The following table shows version support timelines and will be updated with each release.
+
+| Version | Supported          | Initial Release | At Least Until |
+|:-------:|:------------------:|:---------------:|:--------------:|
+| 2.9.x   | :white_check_mark: | November 2021   | November 2022  |
+| 2.8.x   | :white_check_mark: | June 2021       | June 2022      |
+| 2.7.x   | :white_check_mark: | November 2020   | November 2021  |
+| 2.6.x   | :x:                | June 2020       | June 2021      |
+| 2.5.x   | :x:                | January 2020    | January 2021   |
+| 2.4.x   | :x:                | July 2019       | July 2020      |
+| < 2.3.x | :x:                | -               | -              |
+
+If there is ambiguity about which versions of Pulsar are actively supported, please ask on the [users@pulsar.apache.org](mailto:users@pulsar.apache.org)
+mailing list.
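Review bot: The support table leaves 2.3.x uncovered: the rows go from `2.4.x` straight to `< 2.3.x`, so 2.3.x itself matches neither row. Suggest `<= 2.3.x` or `2.3.x and earlier` for the last row. Also, in the Supported Versions section, `past it's 12 month initial support period` should read `past its 12-month initial support period`.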

Review comment:
       FYI @momo-jun @D-2-Ed @DaveDuggins
   This is related to doc maintenance (doc life cycle)







[GitHub] [pulsar] michaeljmarshall commented on pull request #10829: [SECURITY] Add Security Policy and Supported Versions page to website

Posted by GitBox <gi...@apache.org>.
michaeljmarshall commented on pull request #10829:
URL: https://github.com/apache/pulsar/pull/10829#issuecomment-1035222196


   > @michaeljmarshall I suggest copying the same changes to `site2/website-next`? (since we're upgrading Docusaurus and copying all contents in `site2/website` to `site2/website-next` )
   
   @Anonymitaet - thanks for letting me know. Is this documented anywhere? Is there a plan to resolve any conflicts? I am worried that I did not know about this nuance and may have only written docs to the `site2/docs` directory. It's possible that others have too.





[GitHub] [pulsar] codelipenghui commented on a change in pull request #10829: [SECURITY] Add Security Policy and Supported Versions page to website

Posted by GitBox <gi...@apache.org>.
codelipenghui commented on a change in pull request #10829:
URL: https://github.com/apache/pulsar/pull/10829#discussion_r803219706



##########
File path: site2/docs/security-versioning-policy.md
##########
@@ -0,0 +1,67 @@
+---
+id: security-policy-and-supported-versions
+title: Security Policy and Supported Versions
+sidebar_label: Security Policy and Supported Versions
+---
+
+## Reporting a Vulnerability
+
+The current process for reporting vulnerabilities is outlined here: https://www.apache.org/security/. When reporting a
+vulnerability to security@apache.org, you can copy your email to [private@pulsar.apache.org](mailto:private@pulsar.apache.org)
+to send your report to the Apache Pulsar Project Management Committee. This is a private mailing list.
+
+## Using Pulsar's Security Features
+
+You can find documentation on Pulsar's available security features and how to use them here:
+https://pulsar.apache.org/docs/en/security-overview/.
+
+## Security Vulnerability Announcements
+
+The Pulsar community will announce security vulnerabilities and how to mitigate them on the [users@pulsar.apache.org](mailto:users@pulsar.apache.org).
+For instructions on how to subscribe, please see https://pulsar.apache.org/contact/.
+
+## Versioning Policy
+
+The Pulsar project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). Existing releases can expect
+patches for bugs and security vulnerabilities. New features will target minor releases.
+
+When upgrading an existing cluster, it is important to upgrade components linearly through each minor version. For
+example, when upgrading from 2.8.x to 2.10.x, it is important to upgrade to 2.9.x before going to 2.10.x.
+
+## Supported Versions
+
+Feature release branches will be maintained with security fix and bug fix releases for a period of at least 12 months
+after initial release. For example, branch 2.5.x is no longer considered maintained as of January 2021, 12 months after
+the release of 2.5.0 in January 2020. No more 2.5.x releases should be expected at this point, even to fix security
+vulnerabilities.
+
+Note that a minor version can be maintained past it's 12 month initial support period. For example, version 2.7 is still
+actively maintained.
+
+Security fixes will be given priority when it comes to back porting fixes to older versions that are within the
+supported time window. It is challenging to decide which bug fixes to back port to old versions. As such, the latest
+versions will have the most bug fixes.
+
+When 3.0.0 is released, the community will decide how to continue supporting 2.x. It is possible that the last minor
+release within 2.x will be maintained for longer as an “LTS” release, but it has not been officially decided.
+
+The following table shows version support timelines and will be updated with each release.
+
+| Version | Supported          | Initial Release | At Least Until |
+|:-------:|:------------------:|:---------------:|:--------------:|
+| 2.9.x   | :white_check_mark: | November 2021   | November 2022  |
+| 2.8.x   | :white_check_mark: | June 2021       | June 2022      |
+| 2.7.x   | :white_check_mark: | November 2020   | November 2021  |
+| 2.6.x   | :x:                | June 2020       | June 2021      |
+| 2.5.x   | :x:                | January 2020    | January 2021   |
+| 2.4.x   | :x:                | July 2019       | July 2020      |
+| < 2.3.x | :x:                | -               | -              |
+
+If there is ambiguity about which versions of Pulsar are actively supported, please ask on the [users@pulsar.apache.org](mailto:users@pulsar.apache.org)
+mailing list.
+
+## Release Frequency
+
+With the acceptance of [PIP-47 - A Time Based Release Plan](https://github.com/apache/pulsar/wiki/PIP-47%3A-Time-Based-Release-Plan),
+the Pulsar community aims to complete 4 minor releases each year. Patch releases are completed based on demand as well
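Review bot: In the Security Vulnerability Announcements section, `will announce security vulnerabilities and how to mitigate them on the [users@pulsar.apache.org](...)` is missing its noun; suggest `on the users@pulsar.apache.org mailing list`. The Reporting a Vulnerability paragraph names only security@apache.org and private@pulsar.apache.org as channels, so it is worth stating explicitly that vulnerabilities should not be reported through public GitHub issues, since that is where contributors will look first.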

Review comment:
       4 major releases?







[GitHub] [pulsar] michaeljmarshall commented on pull request #10829: [SECURITY] Add SECURITY.md with explicit dates for version support

Posted by GitBox <gi...@apache.org>.
michaeljmarshall commented on pull request #10829:
URL: https://github.com/apache/pulsar/pull/10829#issuecomment-857276259


   I spoke with @merlimat in the community meeting about this today. He mentioned that `Developers` didn't seem like the right word for the tab and that 1 year for our initial support window for releases seems reasonable. I agree that developers might leave some users thinking that they don't need to inspect the tab and would thus miss these important details. I'll need to try to find a better word. (Feel free to propose one, if you're reading this.)





[GitHub] [pulsar] dave2wave commented on pull request #10829: [SECURITY] Add SECURITY.md with explicit dates for version support

Posted by GitBox <gi...@apache.org>.
dave2wave commented on pull request #10829:
URL: https://github.com/apache/pulsar/pull/10829#issuecomment-1026199793


   I think that with updates to cover what are now our current versions and what's now EOL plus the url change this will be good to merge.





[GitHub] [pulsar] michaeljmarshall commented on a change in pull request #10829: [SECURITY] Add SECURITY.md with explicit dates for version support

Posted by GitBox <gi...@apache.org>.
michaeljmarshall commented on a change in pull request #10829:
URL: https://github.com/apache/pulsar/pull/10829#discussion_r796173101



##########
File path: SECURITY.md
##########
@@ -0,0 +1,38 @@
+# Security Policy
+
+## Supported Versions
+
+Feature release branches will, generally, be maintained with security fix and bug fix releases for a period of 12 months
+after initial release. For example, branch 2.5.x is no longer considered maintained as of January 2021, 12 months after
+the release of 2.5.0 in January 2020. No more 2.5.x releases should be expected at this point, even for security fixes.
+
+Security fixes will be given priority when it comes to back porting fixes to older versions that are within the
+supported time window. It is challenging to decide which bug fixes to back port to old versions. As such, the latest
+versions will have the most bug fixes.
+
+When 3.0.0 is released, the community will decide how to continue supporting 2.x. It is possible that the last minor
+release within 2.x will be maintained for longer as an “LTS” release, but it has not been officially decided.
+
+The following table shows version support timelines and will be updated with releases.
+
+| Version | Supported          | Initial Release | Until         |
+|:-------:|:------------------:|:---------------:|:-------------:|
+| 2.7.x   | :white_check_mark: | November 2020   | November 2021 |
+| 2.6.x   | :white_check_mark: | June 2020       | June 2021     |
+| 2.5.x   | :x:                | January 2020    | January 2021  |
+| 2.4.x   | :x:                | July 2019       | July 2020     |
+| < 2.3.x | :x:                | -               | -             |
+
+## Release Frequency
+
+With the acceptance of [PIP-47 - A Time Based Release Plan](https://github.com/apache/pulsar/wiki/PIP-47%3A-Time-Based-Release-Plan),
+the Pulsar community aims to complete 4 minor releases each year.
+
+## Reporting a Vulnerability
+
+The current process for reporting vulnerabilities is outlined here: https://www.apache.org/security/.
+
+## Using Pulsar's Security Features
+
+You can find documentation on Pulsar's available security features and how to use them here: 
+https://pulsar.apache.org/docs/en/security-overview/.
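Review bot: `for a period of 12 months` together with a column named `Until` reads as a hard end-of-support date, which will be wrong as soon as a branch receives a fix past that date; suggest `at least 12 months` and `At Least Until`. Separately, the table marks 2.6.x as supported with an Until date of June 2021 and 2.7.x until November 2021, so both rows need re-checking against the dates at merge time, and `will be updated with releases` should say which releases trigger an update (each minor and major release, per the PR description).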

Review comment:
       Does this still apply? Why have we added the `/next` in the url?







[GitHub] [pulsar] michaeljmarshall commented on a change in pull request #10829: [SECURITY] Add Security Policy and Supported Versions page to website

Posted by GitBox <gi...@apache.org>.
michaeljmarshall commented on a change in pull request #10829:
URL: https://github.com/apache/pulsar/pull/10829#discussion_r803938859



##########
File path: site2/docs/security-versioning-policy.md
##########
@@ -0,0 +1,67 @@
+---
+id: security-policy-and-supported-versions
+title: Security Policy and Supported Versions
+sidebar_label: Security Policy and Supported Versions
+---
+
+## Reporting a Vulnerability
+
+The current process for reporting vulnerabilities is outlined here: https://www.apache.org/security/. When reporting a
+vulnerability to security@apache.org, you can copy your email to [private@pulsar.apache.org](mailto:private@pulsar.apache.org)
+to send your report to the Apache Pulsar Project Management Committee. This is a private mailing list.
+
+## Using Pulsar's Security Features
+
+You can find documentation on Pulsar's available security features and how to use them here:
+https://pulsar.apache.org/docs/en/security-overview/.
+
+## Security Vulnerability Announcements
+
+The Pulsar community will announce security vulnerabilities and how to mitigate them on the [users@pulsar.apache.org](mailto:users@pulsar.apache.org).
+For instructions on how to subscribe, please see https://pulsar.apache.org/contact/.
+
+## Versioning Policy
+
+The Pulsar project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). Existing releases can expect
+patches for bugs and security vulnerabilities. New features will target minor releases.
+
+When upgrading an existing cluster, it is important to upgrade components linearly through each minor version. For
+example, when upgrading from 2.8.x to 2.10.x, it is important to upgrade to 2.9.x before going to 2.10.x.
+
+## Supported Versions
+
+Feature release branches will be maintained with security fix and bug fix releases for a period of at least 12 months
+after initial release. For example, branch 2.5.x is no longer considered maintained as of January 2021, 12 months after
+the release of 2.5.0 in January 2020. No more 2.5.x releases should be expected at this point, even to fix security
+vulnerabilities.
+
+Note that a minor version can be maintained past it's 12 month initial support period. For example, version 2.7 is still
+actively maintained.
+
+Security fixes will be given priority when it comes to back porting fixes to older versions that are within the
+supported time window. It is challenging to decide which bug fixes to back port to old versions. As such, the latest
+versions will have the most bug fixes.
+
+When 3.0.0 is released, the community will decide how to continue supporting 2.x. It is possible that the last minor
+release within 2.x will be maintained for longer as an “LTS” release, but it has not been officially decided.
+
+The following table shows version support timelines and will be updated with each release.
+
+| Version | Supported          | Initial Release | At Least Until |
+|:-------:|:------------------:|:---------------:|:--------------:|
+| 2.9.x   | :white_check_mark: | November 2021   | November 2022  |
+| 2.8.x   | :white_check_mark: | June 2021       | June 2022      |
+| 2.7.x   | :white_check_mark: | November 2020   | November 2021  |
+| 2.6.x   | :x:                | June 2020       | June 2021      |
+| 2.5.x   | :x:                | January 2020    | January 2021   |
+| 2.4.x   | :x:                | July 2019       | July 2020      |
+| < 2.3.x | :x:                | -               | -              |
+
+If there is ambiguity about which versions of Pulsar are actively supported, please ask on the [users@pulsar.apache.org](mailto:users@pulsar.apache.org)
+mailing list.
+
+## Release Frequency
+
+With the acceptance of [PIP-47 - A Time Based Release Plan](https://github.com/apache/pulsar/wiki/PIP-47%3A-Time-Based-Release-Plan),
+the Pulsar community aims to complete 4 minor releases each year. Patch releases are completed based on demand as well
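Review bot: `Existing releases can expect patches for bugs and security vulnerabilities` in the Versioning Policy section contradicts the Supported Versions section, which says an unmaintained branch gets no further releases even for security fixes. Suggest `Supported releases can expect patches for bugs and security vulnerabilities; see the table below` so the two sections agree.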

Review comment:
       We call them minor releases because we follow semantic versioning. It's covered in PIP 47 here https://github.com/apache/pulsar/wiki/PIP-47%3A-Time-Based-Release-Plan#what-about-version-numbers.
   
   > Currently the Apache Pulsar version number is comprised with 3 components: major.minor.bug
   >
   > Feature releases will be a minor release by default (e.g. 2.3.0 => 2.4.0) - unless
   > * We break compatibility (i.e. remove deprecated public methods after a reasonable period), in which case we bump major version (e.g. 2.4.0 => 3.0.0).
   > * We do something totally amazing and decide to bump major version.
   







[GitHub] [pulsar] michaeljmarshall commented on a change in pull request #10829: [SECURITY] Add SECURITY.md with explicit dates for version support

Posted by GitBox <gi...@apache.org>.
michaeljmarshall commented on a change in pull request #10829:
URL: https://github.com/apache/pulsar/pull/10829#discussion_r796173101



##########
File path: SECURITY.md
##########
@@ -0,0 +1,38 @@
+# Security Policy
+
+## Supported Versions
+
+Feature release branches will, generally, be maintained with security fix and bug fix releases for a period of 12 months
+after initial release. For example, branch 2.5.x is no longer considered maintained as of January 2021, 12 months after
+the release of 2.5.0 in January 2020. No more 2.5.x releases should be expected at this point, even for security fixes.
+
+Security fixes will be given priority when it comes to back porting fixes to older versions that are within the
+supported time window. It is challenging to decide which bug fixes to back port to old versions. As such, the latest
+versions will have the most bug fixes.
+
+When 3.0.0 is released, the community will decide how to continue supporting 2.x. It is possible that the last minor
+release within 2.x will be maintained for longer as an “LTS” release, but it has not been officially decided.
+
+The following table shows version support timelines and will be updated with releases.
+
+| Version | Supported          | Initial Release | Until         |
+|:-------:|:------------------:|:---------------:|:-------------:|
+| 2.7.x   | :white_check_mark: | November 2020   | November 2021 |
+| 2.6.x   | :white_check_mark: | June 2020       | June 2021     |
+| 2.5.x   | :x:                | January 2020    | January 2021  |
+| 2.4.x   | :x:                | July 2019       | July 2020     |
+| < 2.3.x | :x:                | -               | -             |
+
+## Release Frequency
+
+With the acceptance of [PIP-47 - A Time Based Release Plan](https://github.com/apache/pulsar/wiki/PIP-47%3A-Time-Based-Release-Plan),
+the Pulsar community aims to complete 4 minor releases each year.
+
+## Reporting a Vulnerability
+
+The current process for reporting vulnerabilities is outlined here: https://www.apache.org/security/.
+
+## Using Pulsar's Security Features
+
+You can find documentation on Pulsar's available security features and how to use them here: 
+https://pulsar.apache.org/docs/en/security-overview/.
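Review bot: The Reporting a Vulnerability section points only to https://www.apache.org/security/; it should also name the project's private list, private@pulsar.apache.org, so a reporter can copy the Pulsar PMC directly and the report does not depend solely on routing through security@apache.org, and it should say that public GitHub issues are not the place for vulnerability reports.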

Review comment:
       Does this still apply? Why have we added the `/next` in the url? (Asking just so I can understand our website better.)







[GitHub] [pulsar] Anonymitaet commented on pull request #10829: [SECURITY] Add SECURITY.md with explicit dates for version support

Posted by GitBox <gi...@apache.org>.
Anonymitaet commented on pull request #10829:
URL: https://github.com/apache/pulsar/pull/10829#issuecomment-856657578


   @michaeljmarshall just my two cents: it seems that the contents of `Supported Versions` in this PR are not appropriate to be located in the [Pulsar Security Chapter](https://pulsar.apache.org/docs/en/security-overview/) (which should cover securing the components in your Pulsar deployment, configuring encryption/authentication/authorization, and more).
   
   Kafka Security Chapter: https://kafka.apache.org/documentation/#security
   Confluent Security Chapter: https://docs.confluent.io/platform/current/security/general-overview.html
   
   Please correct me if I'm wrong, thanks.





[GitHub] [pulsar] michaeljmarshall commented on pull request #10829: [SECURITY] Add SECURITY.md with explicit dates for version support

Posted by GitBox <gi...@apache.org>.
michaeljmarshall commented on pull request #10829:
URL: https://github.com/apache/pulsar/pull/10829#issuecomment-861179213


   @Anonymitaet - great, thanks for the feedback.
   
   For anyone following this thread, I won't be able to follow up on this until next week. I expect to complete it then.





[GitHub] [pulsar] michaeljmarshall commented on pull request #10829: [SECURITY] Add SECURITY.md with explicit dates for version support

Posted by GitBox <gi...@apache.org>.
michaeljmarshall commented on pull request #10829:
URL: https://github.com/apache/pulsar/pull/10829#issuecomment-856303704


   @sijie and @Anonymitaet - do you have any other comments on the content? As far as where the information should be on the website, I am thinking we can add some information to the https://pulsar.apache.org/docs/en/security-overview/ and then I am thinking we can add a tab for "Supported Versions" in that same security section. I think it'd make sense to update the website for all versions that are "supported" as defined in this PR.





[GitHub] [pulsar] michaeljmarshall commented on a change in pull request #10829: [SECURITY] Add Security Policy and Supported Versions page to website

Posted by GitBox <gi...@apache.org>.
michaeljmarshall commented on a change in pull request #10829:
URL: https://github.com/apache/pulsar/pull/10829#discussion_r799700590



##########
File path: SECURITY.md
##########
@@ -0,0 +1,38 @@
+# Security Policy
+
+## Supported Versions
+
+Feature release branches will, generally, be maintained with security fix and bug fix releases for a period of 12 months
+after initial release. For example, branch 2.5.x is no longer considered maintained as of January 2021, 12 months after
+the release of 2.5.0 in January 2020. No more 2.5.x releases should be expected at this point, even for security fixes.
+
+Security fixes will be given priority when it comes to back porting fixes to older versions that are within the
+supported time window. It is challenging to decide which bug fixes to back port to old versions. As such, the latest
+versions will have the most bug fixes.
+
+When 3.0.0 is released, the community will decide how to continue supporting 2.x. It is possible that the last minor
+release within 2.x will be maintained for longer as an “LTS” release, but it has not been officially decided.
+
+The following table shows version support timelines and will be updated with releases.
+
+| Version | Supported          | Initial Release | Until         |
+|:-------:|:------------------:|:---------------:|:-------------:|
+| 2.7.x   | :white_check_mark: | November 2020   | November 2021 |
+| 2.6.x   | :white_check_mark: | June 2020       | June 2021     |
+| 2.5.x   | :x:                | January 2020    | January 2021  |
+| 2.4.x   | :x:                | July 2019       | July 2020     |
+| < 2.3.x | :x:                | -               | -             |
+
+## Release Frequency
+
+With the acceptance of [PIP-47 - A Time Based Release Plan](https://github.com/apache/pulsar/wiki/PIP-47%3A-Time-Based-Release-Plan),
+the Pulsar community aims to complete 4 minor releases each year.
+
+## Reporting a Vulnerability
+
+The current process for reporting vulnerabilities is outlined here: https://www.apache.org/security/.
+
+## Using Pulsar's Security Features
+
+You can find documentation on Pulsar's available security features and how to use them here: 
+https://pulsar.apache.org/docs/en/security-overview/.

Review comment:
       I am a bit confused about where to put the doc. This PR currently puts the new page in `site2/docs`. Are docs supposed to be copied to `site2/website-next/docs` too?







[GitHub] [pulsar] Anonymitaet commented on pull request #10829: [SECURITY] Add Security Policy and Supported Versions page to website

Posted by GitBox <gi...@apache.org>.
Anonymitaet commented on pull request #10829:
URL: https://github.com/apache/pulsar/pull/10829#issuecomment-1033278866


   @michaeljmarshall I suggest copying the same changes to `site2/website-next`? (since we're upgrading Docusaurus and copying all contents in `site2/website` to `site2/website-next`)





[GitHub] [pulsar] michaeljmarshall commented on pull request #10829: [SECURITY] Add Security Policy and Supported Versions page to website

Posted by GitBox <gi...@apache.org>.
michaeljmarshall commented on pull request #10829:
URL: https://github.com/apache/pulsar/pull/10829#issuecomment-1035236976


   I copied the webpage doc to `site2/website-next/docs`. I had to rebase to get the new docs, so I had to push with force. I didn't update anything other than copying the doc and adding it to the sidebar.





[GitHub] [pulsar] Anonymitaet commented on pull request #10829: [SECURITY] Add SECURITY.md with explicit dates for version support

Posted by GitBox <gi...@apache.org>.
Anonymitaet commented on pull request #10829:
URL: https://github.com/apache/pulsar/pull/10829#issuecomment-857298442


   @michaeljmarshall thanks for your explanations, then I know why you want to add `supported versions` to the `Security` chapter. If this only affects the users who want to use the security features, I think locating it to the `Security` chapter is fine.





[GitHub] [pulsar] michaeljmarshall commented on a change in pull request #10829: [SECURITY] Add Security Policy and Supported Versions page to website

Posted by GitBox <gi...@apache.org>.
michaeljmarshall commented on a change in pull request #10829:
URL: https://github.com/apache/pulsar/pull/10829#discussion_r799702959



##########
File path: SECURITY.md
##########
@@ -0,0 +1,38 @@
+# Security Policy
+
+## Supported Versions
+
+Feature release branches will, generally, be maintained with security fix and bug fix releases for a period of 12 months
+after initial release. For example, branch 2.5.x is no longer considered maintained as of January 2021, 12 months after
+the release of 2.5.0 in January 2020. No more 2.5.x releases should be expected at this point, even for security fixes.
+
+Security fixes will be given priority when it comes to back porting fixes to older versions that are within the
+supported time window. It is challenging to decide which bug fixes to back port to old versions. As such, the latest
+versions will have the most bug fixes.
+
+When 3.0.0 is released, the community will decide how to continue supporting 2.x. It is possible that the last minor
+release within 2.x will be maintained for longer as an “LTS” release, but it has not been officially decided.
+
+The following table shows version support timelines and will be updated with releases.
+
+| Version | Supported          | Initial Release | Until         |
+|:-------:|:------------------:|:---------------:|:-------------:|
+| 2.7.x   | :white_check_mark: | November 2020   | November 2021 |
+| 2.6.x   | :white_check_mark: | June 2020       | June 2021     |
+| 2.5.x   | :x:                | January 2020    | January 2021  |
+| 2.4.x   | :x:                | July 2019       | July 2020     |
+| < 2.3.x | :x:                | -               | -             |
+
+## Release Frequency
+
+With the acceptance of [PIP-47 - A Time Based Release Plan](https://github.com/apache/pulsar/wiki/PIP-47%3A-Time-Based-Release-Plan),
+the Pulsar community aims to complete 4 minor releases each year.
+
+## Reporting a Vulnerability
+
+The current process for reporting vulnerabilities is outlined here: https://www.apache.org/security/.
+
+## Using Pulsar's Security Features
+
+You can find documentation on Pulsar's available security features and how to use them here: 
+https://pulsar.apache.org/docs/en/security-overview/.

Review comment:
       I just saw your other comment about `site2/docs/next`. I didn't know about those docs.







[GitHub] [pulsar] michaeljmarshall commented on pull request #10829: [SECURITY] Add SECURITY.md with explicit dates for version support

Posted by GitBox <gi...@apache.org>.
michaeljmarshall commented on pull request #10829:
URL: https://github.com/apache/pulsar/pull/10829#issuecomment-1027038494


   > LGTM
   > 
   > The only concern is that pages like this, with dates, tend to become obsolete if the community does not take care of them (like is happening on bookkeeper.apache.org)
   > 
   > I suggest updating the Release Procedure to ask the Release Manager to update this page when needed
   
   @eolivelli - yes, there is always a risk of these tables becoming out of date. I think the specificity that these tables provide is very valuable to users, though. I will update the release guide on the wiki once this PR is merged.





[GitHub] [pulsar] Anonymitaet commented on a change in pull request #10829: [SECURITY] Add SECURITY.md with explicit dates for version support

Posted by GitBox <gi...@apache.org>.
Anonymitaet commented on a change in pull request #10829:
URL: https://github.com/apache/pulsar/pull/10829#discussion_r646221680



##########
File path: SECURITY.md
##########
@@ -0,0 +1,38 @@
+# Security Policy
+
+## Supported Versions
+
+Feature release branches will, generally, be maintained with security fix and bug fix releases for a period of 12 months
+after initial release. For example, branch 2.5.x is no longer considered maintained as of January 2021, 12 months after
+the release of 2.5.0 in January 2020. No more 2.5.x releases should be expected at this point, even for security fixes.
+
+Security fixes will be given priority when it comes to back porting fixes to older versions that are within the
+supported time window. It is challenging to decide which bug fixes to back port to old versions. As such, the latest
+versions will have the most bug fixes.
+
+When 3.0.0 is released, the community will decide how to continue supporting 2.x. It is possible that the last minor
+release within 2.x will be maintained for longer as an “LTS” release, but it has not been officially decided.
+
+The following table shows version support timelines and will be updated with releases.
+
+| Version | Supported          | Initial Release | Until         |
+|:-------:|:------------------:|:---------------:|:-------------:|
+| 2.7.x   | :white_check_mark: | November 2020   | November 2021 |
+| 2.6.x   | :white_check_mark: | June 2020       | June 2021     |
+| 2.5.x   | :x:                | January 2020    | January 2021  |
+| 2.4.x   | :x:                | July 2019       | July 2020     |
+| < 2.3.x | :x:                | -               | -             |
+
+## Release Frequency
+
+With the acceptance of [PIP-47 - A Time Based Release Plan](https://github.com/apache/pulsar/wiki/PIP-47%3A-Time-Based-Release-Plan),
+the Pulsar community aims to complete 4 minor releases each year.
+
+## Reporting a Vulnerability
+
+The current process for reporting vulnerabilities is outlined here: https://www.apache.org/security/.
+
+## Using Pulsar's Security Features
+
+You can find documentation on Pulsar's available security features and how to use them here: 
+https://pulsar.apache.org/docs/en/security-overview/.

Review comment:
       ```suggestion
   https://pulsar.apache.org/docs/en/next/security-overview/.
   ```
   Suggest using the latest info







[GitHub] [pulsar] michaeljmarshall commented on pull request #10829: [SECURITY] Add SECURITY.md with explicit dates for version support

Posted by GitBox <gi...@apache.org>.
michaeljmarshall commented on pull request #10829:
URL: https://github.com/apache/pulsar/pull/10829#issuecomment-856277794


   > Currently, the security section on Pulsar redirects to https://www.apache.org/security/. Is it required? Can we modify it?
   
   @Anonymitaet - I believe it is required for us to point to the Apache security process. This wiki document references some details: https://github.com/apache/pulsar/wiki/Apache-Maturity-Model-Assessment-for-Pulsar#maturity-model-assessment. It looks like Apache Spark has two different "Security" links available in their top bar. One that goes to Apache's docs and one that goes to the Spark specific docs. They too follow the Apache protocol for security vulnerabilities, so we could follow their pattern here.
   
   > This should be a page in the website not a README file in the Github repo.
   
   @sijie - sure, makes sense to me.
   
   I'll submit a new commit with the main contents of this PR on the pulsar website.





[GitHub] [pulsar] michaeljmarshall commented on pull request #10829: [SECURITY] Add Security Policy and Supported Versions page to website

Posted by GitBox <gi...@apache.org>.
michaeljmarshall commented on pull request #10829:
URL: https://github.com/apache/pulsar/pull/10829#issuecomment-1035252027


   I just updated the release process on our wiki to guide the release manager to update the supported version template: https://github.com/apache/pulsar/wiki/Release-process.





[GitHub] [pulsar] dave2wave commented on a change in pull request #10829: [SECURITY] Add Security Policy and Supported Versions page to website

Posted by GitBox <gi...@apache.org>.
dave2wave commented on a change in pull request #10829:
URL: https://github.com/apache/pulsar/pull/10829#discussion_r799696104



##########
File path: SECURITY.md
##########
@@ -0,0 +1,38 @@
+# Security Policy
+
+## Supported Versions
+
+Feature release branches will, generally, be maintained with security fix and bug fix releases for a period of 12 months
+after initial release. For example, branch 2.5.x is no longer considered maintained as of January 2021, 12 months after
+the release of 2.5.0 in January 2020. No more 2.5.x releases should be expected at this point, even for security fixes.
+
+Security fixes will be given priority when it comes to back porting fixes to older versions that are within the
+supported time window. It is challenging to decide which bug fixes to back port to old versions. As such, the latest
+versions will have the most bug fixes.
+
+When 3.0.0 is released, the community will decide how to continue supporting 2.x. It is possible that the last minor
+release within 2.x will be maintained for longer as an “LTS” release, but it has not been officially decided.
+
+The following table shows version support timelines and will be updated with releases.
+
+| Version | Supported          | Initial Release | Until         |
+|:-------:|:------------------:|:---------------:|:-------------:|
+| 2.7.x   | :white_check_mark: | November 2020   | November 2021 |
+| 2.6.x   | :white_check_mark: | June 2020       | June 2021     |
+| 2.5.x   | :x:                | January 2020    | January 2021  |
+| 2.4.x   | :x:                | July 2019       | July 2020     |
+| < 2.3.x | :x:                | -               | -             |
+
+## Release Frequency
+
+With the acceptance of [PIP-47 - A Time Based Release Plan](https://github.com/apache/pulsar/wiki/PIP-47%3A-Time-Based-Release-Plan),
+the Pulsar community aims to complete 4 minor releases each year.
+
+## Reporting a Vulnerability
+
+The current process for reporting vulnerabilities is outlined here: https://www.apache.org/security/.
+
+## Using Pulsar's Security Features
+
+You can find documentation on Pulsar's available security features and how to use them here: 
+https://pulsar.apache.org/docs/en/security-overview/.

Review comment:
       Did you change this? IIRC the /next site is going towards the updated site, which should roll out soon.
   
   However, since this page is now in the /docs part of the repository, it may need duplication in /next/.



