envoyproxy/envoy

Cadence of security release does not match documentation

Open

#25.559 geöffnet am 14. Feb. 2023

Auf GitHub ansehen
 (3 Kommentare) (0 Reaktionen) (0 zugewiesene Personen)C++ (5.373 Forks)batch import
area/releasearea/securityenhancementhelp wanted

Repository-Metriken

Stars
 (27.997 Stars)
PR-Merge-Metriken
 (Durchschn. Merge 8T) (378 gemergte PRs in 30 T)

Beschreibung

It takes a lot of hard for from volunteers on the security team to put out a security release. The documentation in RELEASES.md suggest that security releases will happen quarterly. However the most recent security release was in June of 2022, which was 8 months ago. This leave the project in a position where there are open security bugs which have been unreleased for 9 months. This is not ideal.

This was discussed at the most recent Envoy Community meeting. The core issue seems to be that running the security release is a volunteer position. It seems likely that unless someone is hired specifically for this purpose, we will continue to see long periods between release. There were a couple of proposal for how to mitigate this situation.

  • Only kick off a security release for Critical or High impact issues.
  • Only backport fixes to the most recent stable branch

It would be a good idea to get consensus within the project for how we'd like to handle this.

Contributor Guide