Systematic check of minimal impacted version in case of fixing a security issue

Hi everyone,

I propose to add and enforce a new rule when we fix a security bug, which is to always check for the first XWiki version on which the security issue started and to add the information on the issue.

We generally perform this check as a best practice, but I suggest that we make it mandatory for the security issues since we might then want to be exhaustive on which version is impacted. The proposal is for us as committers to enforce this rule and to write this rule on dev.xwiki.org.

The vote is opened for one week until the 17th of February.
I’m +1 for it.

+1

+1

Note that this proposal goes contrary to our support rule which is that we only support 3 branches.

So I’m +1 for checking in the LTS version but I don’t think that we should make it mandatory to check all past versions till we find one where the issue doesn’t happen. I’m actually -1 to do that.

We’re already telling users that they should upgrade to the LTS since it contains important bugfixes. For me that’s enough. If the users need support for an older version they could contact one of the sponsoring companies, which, I’m sure would provide such dedicated support.

Thanks

BTW, what’s your proposal to enforce it? I haven’t seen a strategy in your email about that.

That’s a different subject: I’m not talking about fixing the bug in all possible versions, but “just” to know in which version the bug started. So I’m not proposing to change which versions we support, but to be able to inform users about all the versions that are impacted by a security issue.

I don’t have one, I propose to write down the rule, so we can rely on it, and to individually as committers be careful to do it. I don’t think we can have an automated way to enforce this, other than being careful to properly check it.

I understood that but that’s a lot of work (I did it several times in the past - finding the earliest version of XWiki when a problem started occurring and it’s extremely time-consuming). I also don’t see the need to do it since we’re already asking our users to upgrade to the latest LTS. If they don’t, it means they’re accepting to have security issues. I would even go as far as saying that it’s better to not disclose if older versions of XWiki are affected since that would give potential attackers even more information and if the users haven’t upgraded, it means they cannot upgrade for some reason (or they’d have done it already).

So FTM I stand by my opinion of +1 for LTS but -1 as a systematic rule for finding older-than-LTS versions that are affected.

I’m +1 to stress this even more in our docs in case it’s not mentioned enough.