httpd-dev mailing list archives

From "Leif W" <warp-...@usa.net>
Subject Re: End of Life Policy
Date Sat, 20 Nov 2004 20:56:14 GMT
> Paul Querna, Saturday, November 20, 2004 13:32
>
> I would like to have a semi-official policy on how long we will
> provide security backports for 2.0 releases.
>
> I suggest a value between 6 and 12 months.

Support 2.0 for the lesser of:

*) Until the next stable release after 2.2 (2.4 or 3.0)
*) 12-24 months from 2.2 release

Rationale: Don't stop supporting 2.0 until 2.2 is widely used.  Getting
usage statistics is tricky, with people disabling the server version
string.  Have a poll?  ;-)  "Widely used" should be quantifiable; the
definition is debatable and the timeframe may not be predictable.  Say
over 50%, like 2/3 of the combined users of 2.0 and 2.2 use 2.2, 1/3 use
2.0.  Or 75/25.  Or shall we still include 1.3?  ;-)

> Many distributions will provide their own security updates anyways, so
> this would be a service to only a portion of our users.

I use a distribution, but I prefer tarballs to package hell for things
like Apache.  The distributions may patch something as quickly, but on
an older version.  It can take some months or even years before the
package uses the newer version which may have a non-security bugfix.

Anything less than a year seems like pulling the rug out from under
people.  Why stop supporting the software before it even gets widely
adopted?  How long has it been since 2.0 came out, and there are people
still stuck with 1.3, due to valid concerns.

> As always, this is open source, and I would not stop anyone from
> continuing support for the 2.0.x branch. My goal is to help set our
> end user's expectations for how long they have to upgrade to 2.2.

Maybe it can be done with communication through the available channels
(web, mail, tarballs)?  "We strongly urge you to migrate those old 2.0.x
or (ack) 1.3.x modules to 2.2.x within the first ( 6 < M < 24 ) months
after the 2.2.x release!"  Maybe put a timed nag message at the end of
the ./configure script: alert people of the support window, advise them
to upgrade modules.  Not necessarily explicitly dropping security
backports, which makes it look like the developers drop the ball, but
turning it around on the user, to let them know that it's them who chose
to drop the ball.

24 months is a ******* eternity though...  :p

Leif