Posted to dev@ofbiz.apache.org by Jacques Le Roux <ja...@les7arts.com> on 2022/01/05 08:14:28 UTC

Re: OFBiz releases EOL (End Of Life) announcement

Hi,

I forgot the obvious: we should make an announcement not only on user ML but also on announce@a.o

Struts is a good example: https://s.apache.org/qr8ci

They even have announcements@struts.apache.org, not sure we need that.

I'll take inspiration from them to create our 1st announcement for EOL of the 18.12 branch with 17.12.08. Next time we will, like Struts, announce 6 months
before the definitive announcement.

I have created

Jacques

On 04/01/2022 at 16:04, Jacques Le Roux wrote:
> Hi All,
>
> I'd like to discuss OFBiz releases EOL (End Of Life) announcement.
>
> For instance R17.12 is EOL with 17.12.08. I suggest to make it clear on site (if that's not already enough, eg*), to send an email to user ML and 
> maybe talk about it in social-media and the blog.
>
> Maybe we could also have a special site page for EOL dates and version of our releases? And some words in https://ofbiz.apache.org/security.html...
>
> * https://ofbiz.apache.org/release-notes-17.12.08.html (maybe the de facto standard term EOL (End Of Life) is missing?)
>
> Opinions?
>
> Jacques
>
> On 04/01/2022 at 11:52, Jacques Le Roux wrote:
>> I agree Jacopo,
>>
>> Will you handle it?
>>
>> I made those tiny changes after an answer Mark J. Cox made to Mark Thomas in a discussion I read on security-discuss@community.apache.org :
>>
>>    MT:  <<We need to consider whether projects that are not releasing
>>    regularly really are healthy. Could they realistically respond to a
>>    security vulnerability in a reasonable time frame? If not, we need to
>>    move them to the attic.>>
>>
>>    MC: <<And we need a clear way to communicate that, and EOL releases, to users so
>>    they know the status of what they're using.  There are quite a number of
>>    examples where a project has responded to a vulnerability reporter that
>>    some version is EOL but it's not been clear enough on their pages, nor any
>>    real announcement ever having been made.  We need a consistent policy on
>>    what to do about vulnerabilities that come up in EOL versions, and when to
>>    allocate them CVE names ("there's an unfixed issue in X") in order to help
>>    users with scanning tools also notice when they're using out of date and
>>    now insecure projects.>>
>>
>> There are at least 340+ TLPs*. So I guess it becomes worrying for the ASF.
>>
>> I don't think we are concerned by those worries. So it was just a small effort in this direction.
>> I think though that we should discuss how to handle EOL announcements.
>>
>> * https://blogs.apache.org/foundation/entry/apache-software-foundation-security-report1
>>
>> Jacques
>>
>> On 04/01/2022 at 10:45, Jacopo Cappellato wrote:
>>> Thank you Jacques for adding the statement: however I think it is
>>> time to remove the entire section of 17.12.08 since we have enough
>>> releases out of 18.12 already. The release 17.12.08 will always be
>>> available in the archive.
>>>
>>> Jacopo
>

Re: OFBiz releases EOL (End Of Life) announcement

Posted by Jacques Le Roux <ja...@les7arts.com>.
On 10/01/2022 at 14:55, Jacopo Cappellato wrote:
> On Mon, Jan 10, 2022 at 11:26 AM Jacques Le Roux
> <ja...@les7arts.com> wrote:
>> Hi Jacopo,
>>
>> Would you be available soon to start the release work?
> Yes, I can work on it later today.

Great!


>
>> Also what about freezing a 22.01 branch?
> For the freezing of 22.01, we can proceed anytime: is there a
> volunteer to create the release branches?

Sure I can do it

Jacques

>
> Jacopo


Re: OFBiz releases EOL (End Of Life) announcement

Posted by Jacopo Cappellato <ja...@gmail.com>.
On Mon, Jan 10, 2022 at 11:26 AM Jacques Le Roux
<ja...@les7arts.com> wrote:
>
> Hi Jacopo,
>
> Would you be available soon to start the release work?

Yes, I can work on it later today.

>
> Also what about freezing a 22.01 branch?

For the freezing of 22.01, we can proceed anytime: is there a
volunteer to create the release branches?

Jacopo

Re: OFBiz releases EOL (End Of Life) announcement

Posted by Jacques Le Roux <ja...@les7arts.com>.
Hi Jacopo,

Would you be available soon to start the release work?

Also what about freezing a 22.01 branch? I'd like to then discuss the demos restart with Infra...

TIA

Jacques

On 07/01/2022 at 17:26, Jacques Le Roux wrote:
> Hi,
>
> Jacopo and I came to an agreement at OFBIZ-12479.
>
> You can still modify the draft if you feel so.
>
> I propose to start the release work after the weekend. It's a security issue.
>
> Jacques
>
> On 05/01/2022 at 20:57, Jacques Le Roux wrote:
>> On 05/01/2022 at 09:18, Jacques Le Roux wrote:
>>> On 05/01/2022 at 09:14, Jacques Le Roux wrote:
>>>> I have created https://issues.apache.org/jira/browse/OFBIZ-12479 for that
>>
>> I have updated the Jira with a draft proposal, please comment there
>>
>> TIA
>>
>> Jacques
>>

Re: OFBiz releases EOL (End Of Life) announcement

Posted by Jacques Le Roux <ja...@les7arts.com>.
Hi,

Jacopo and I came to an agreement at OFBIZ-12479.

You can still modify the draft if you feel so.

I propose to start the release work after the weekend. It's a security issue.

Jacques

On 05/01/2022 at 20:57, Jacques Le Roux wrote:
> On 05/01/2022 at 09:18, Jacques Le Roux wrote:
>> On 05/01/2022 at 09:14, Jacques Le Roux wrote:
>>> I have created https://issues.apache.org/jira/browse/OFBIZ-12479 for that
>
> I have updated the Jira with a draft proposal, please comment there
>
> TIA
>
> Jacques
>

Re: OFBiz releases EOL (End Of Life) announcement

Posted by Jacques Le Roux <ja...@les7arts.com>.
On 05/01/2022 at 09:18, Jacques Le Roux wrote:
> On 05/01/2022 at 09:14, Jacques Le Roux wrote:
>> I have created https://issues.apache.org/jira/browse/OFBIZ-12479 for that

I have updated the Jira with a draft proposal, please comment there

TIA

Jacques


Re: OFBiz releases EOL (End Of Life) announcement

Posted by Jacques Le Roux <ja...@les7arts.com>.
On 05/01/2022 at 09:14, Jacques Le Roux wrote:
> I have created https://issues.apache.org/jira/browse/OFBIZ-12479 for that