Indicate if there are security issues in the Release Notes

Hi devs,

It would be interesting for our users to know releases which have security issues since that makes it more compelling to them to upgrade. It also allows them to not upgrade if the new versions don’t have security issues fixed. See LTS updates with security issues.

So here are 3 choices:

  1. Just indicate that the release contains security issues fixed
  2. Indicate the number of security issues fixed
  3. Indicate the number of high, medium and low security issues fixed

On my side, I’m fine with the 3 options. I think that 3) is acceptable.



I prefer 1.

-0 for 2 and 3.

Note that the reason I think 2 and 3 are not a problem is because anyone who wants to find and exploit security flaws in XWiki doesn’t need to look at the release notes: they just need to look at the commits and the source code. Thus I don’t think it matters that we mention the # of issues and severities in the release notes. Actually I think it does matter that we do as it’ll definitely help users to be motivated to upgrade if they know that, say, an important security flaw has been fixed in a given version.
