You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2022/02/01 00:16:40 UTC

[GitHub] [pulsar] michaeljmarshall commented on a change in pull request #10829: [SECURITY] Add SECURITY.md with explicit dates for version support

michaeljmarshall commented on a change in pull request #10829:
URL: https://github.com/apache/pulsar/pull/10829#discussion_r796173101



##########
File path: SECURITY.md
##########
@@ -0,0 +1,38 @@
+# Security Policy
+
+## Supported Versions
+
+Feature release branches will, generally, be maintained with security fix and bug fix releases for a period of 12 months
+after initial release. For example, branch 2.5.x is no longer considered maintained as of January 2021, 12 months after
+the release of 2.5.0 in January 2020. No more 2.5.x releases should be expected at this point, even for security fixes.
+
+Security fixes will be given priority when it comes to back porting fixes to older versions that are within the
+supported time window. It is challenging to decide which bug fixes to back port to old versions. As such, the latest
+versions will have the most bug fixes.
+
+When 3.0.0 is released, the community will decide how to continue supporting 2.x. It is possible that the last minor
+release within 2.x will be maintained for longer as an “LTS” release, but it has not been officially decided.
+
+The following table shows version support timelines and will be updated with releases.
+
+| Version | Supported          | Initial Release | Until         |
+|:-------:|:------------------:|:---------------:|:-------------:|
+| 2.7.x   | :white_check_mark: | November 2020   | November 2021 |
+| 2.6.x   | :white_check_mark: | June 2020       | June 2021     |
+| 2.5.x   | :x:                | January 2020    | January 2021  |
+| 2.4.x   | :x:                | July 2019       | July 2020     |
+| < 2.3.x | :x:                | -               | -             |
+
+## Release Frequency
+
+With the acceptance of [PIP-47 - A Time Based Release Plan](https://github.com/apache/pulsar/wiki/PIP-47%3A-Time-Based-Release-Plan),
+the Pulsar community aims to complete 4 minor releases each year.
+
+## Reporting a Vulnerability
+
+The current process for reporting vulnerabilities is outlined here: https://www.apache.org/security/.
+
+## Using Pulsar's Security Features
+
+You can find documentation on Pulsar's available security features and how to use them here: 
+https://pulsar.apache.org/docs/en/security-overview/.

Review comment:
       Does this still apply? Why have we added the `/next` in the url?




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org