Misc #9216
Status: closed
Backport Maintenance Policy for 1.8.7, 1.9.2
Description
TL;DR
Backporting security fixes to 1.8.7, 1.9.2 in increments of 6 month terms with optional continuation upon term expiration.
Context
Many vendors, like Linux distros including Red Hat, Debian, Canonical and platforms like Heroku, need to maintain support for old Ruby versions past their end-of-life cycle for their customers. In order to stop duplicating our efforts, it'd be great to push these security fixes upstream. This way each vendor can base their changes on this work.
For each security incident that is proposed and considered a threat on the ruby-security mailing list, there can be gatekeepers who can verify that the rubies are vulnerable, test patches, and push code upstream so vendors and users of those products can build rubies that match those released by their vendor.
Since vendors are on the ruby-security mailing list and will already be doing this work, there can be a volunteer service for this gatekeeper work. Volunteers can commit to a reasonable time frame like 6 months. During the last month, another 6-month commitment can be made either by the same volunteers or by others looking to take over the maintainership. Even for non-end-of-life Rubies, ruby-core should not be afraid to look to these vendors for help in maintaining current Rubies.
Heroku will be announcing its support plans soon, but we will probably be supporting Ruby 1.8.7 / 1.9.2 for 6 months after this announcement. Sam Kottler and I (Terence Lee) will be happy to play gatekeeper for the first 6 months (until June 2014).
In summary, I think establishing well-defined dates will help Ruby users pick and decide what they can expect to use safely. The coming Ruby 2.1.0 release announcement would be a great time to announce what happened to Ruby 1.9.2 and any of these potential changes.