Misc #9216

Backport Maintenance Policy for 1.8.7, 1.9.2

Added by hone (Terence Lee) almost 6 years ago. Updated almost 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
[ruby-core:58867]

Description

TL;DR
Backporting security fixes to 1.8.7, 1.9.2 in increments of 6 month terms with optional continuation upon term expiration.

Context
Many vendors like Linux distros including Red Hat, Debian, Canonical and platforms like Heroku need to maintain support for old Ruby versions past its end of life cycle for their customers. In order to stop duplicating our efforts, it’d be great to push these security fixes upstream. This way each vendor can base their changes on this work.

For each security incident that is proposed and considered a threat on the ruby-security mailing list, there can be gatekeepers who can verify that the rubies are vulnerable, test patches, and push code upstream so vendors and users of those products can build rubies that match those released by their vendor.

Since vendors are on the ruby-security mailing list and will already be doing this work, there can be a volunteer service for this gatekeeper work. Volunteers can commit to a reasonable time frame like 6 months. During the last month, another 6 month commitment can be made either by the same volunteers or others looking to take over the maintainership. Even for non end of life Rubies, ruby-core should not be afraid to look to these vendors for help in maintaining current Rubies.

Heroku will be announcing its support plans soon, but we will probably be supporting Ruby 1.8.7 / 1.9.2 for 6 months after this announcement. Sam Kottler and I (Terence Lee) will be happy to play gatekeeper for the first 6 months (until June 2014).

In summary, I think establishing well defined dates will help Ruby users pick and decide what they can expect to use safely. The coming Ruby 2.1.0 release announcement would be a great time to announce what happened to Ruby 1.9.2 and any of these potential changes.

History

Updated by zzak (Zachary Scott) almost 6 years ago

We have discussed this and decided it's ok to maintain (security fixes only) 1.8.7 and 1.9.2 for at least 6 months. This does allow for some backports that will help with running tests and merger.

We also decided that performing security releases in this time is acceptable.

This will give 1.8.7 and 1.9.2 an EOL of June 2014; at this time the current maintainer is welcome to continue security maintenance of these versions. If a new contributor wants to maintain the security release for this version after 6 months, we can decide using the maintainer appointment process (#9218).

Updated by naruse (Yui NARUSE) almost 6 years ago

As a Programming Language developer, people should use trunk! ;-)

Anyway, I know business people need more support for older ruby.
Such people can support them with their own resources, as heroku or ruby-lang.org official,
even if the so-called ruby-core team has finished the support.

I want only one thing, announce it when the support is finished.

Updated by vo.x (Vit Ondruch) almost 6 years ago

As Ruby 1.8.7 is part of Red Hat Enterprise Linux, we at Red Hat are committed to supporting Ruby 1.8.7 for at least the next 7 years [1]. I am backporting security fixes and also fixes which ensure compatibility with some crucial libraries, such as OpenSSL. Since I am doing this work anyway, I am willing to keep the Ruby 1.8.7 branch updated with these patches as long as I stay Ruby maintainer at Red Hat.

[1] https://access.redhat.com/site/support/policy/updates/errata/

Updated by zzak (Zachary Scott) almost 6 years ago

  • Status changed from Open to Closed

As discussed, Terence and I will maintain security fixes for 1.8.7 and 1.9.2 for 6 months, until June 2014.

During this time we will not support official backport releases on ruby-lang.org, except in case a 1.9.2 release is explicitly requested.

Should an additional 6 month maintenance period be required, we will discuss again in June.