Hi devs,
This is a vote about allowing the following:
- An xwiki.org core committer can decide, at any time, to release a N-P.10.x release (where P>1), with the goal of providing some backports of security issues.
- There’s no guarantee that these releases will contain all security fixes found since the previous release on that branch. And globally there’s no guarantee on the quality of those releases.
- These releases are not advertised as we want users to use the latest and best quality releases, which are the ones documented and provided as downloads.
- These releases are done following the standard release process of the XWiki product (apart from the non-advertising parts: download page, external web site updates, Mastodon). This means, for example, Docker packaging and the indication of this release version in security advisories.
- These releases are not supported by the xwiki.org project (only the dev(s) who did their releases may (or may not) support them). By support we mean replying to questions about them, replying to requests to backport more stuff in them, etc.
- Document this under https://www.xwiki.org/xwiki/bin/view/Main/Support#HSupportedVersions
Note that there’s an open question about whether these releases would impact the public disclosure dates from https://dev.xwiki.org/xwiki/bin/view/Community/SecurityPolicy/. This is being discussed in https://forum.xwiki.org/t/disclosure-delay-in-recent-security-advisories/18548. Whatever the outcome is, it would be added to https://www.xwiki.org/xwiki/bin/view/Main/Support#HSupportedVersions or https://dev.xwiki.org/xwiki/bin/view/Community/SecurityPolicy/.
Here’s my +1.
The vote is open for the usual 72 hours.
Thanks