[asterisk-dev] Asterisk 1.6 Release Management Proposal

Steven Critchfield critch at basesys.com
Wed Oct 17 15:04:23 CDT 2007


On Wed, 2007-10-17 at 14:29 -0500, Russell Bryant wrote:
> Russell Bryant wrote:
> > 3.2.5   Security Fix
> > 
> >    1. Commit to the 1.2 branch
> >    2. Merge to the 1.4 branch
> >    3. Merge to the current 1.6.X branch that is in testing, as well as the
> >       past three 1.6.X release branches so that sub releases of those can be
> >       made that include the fix.
> >         • Note that the number three here is arbitrary. It may change based
> >            on what community members would like to see.
> >    4. Merge to trunk.
> 
> This is one section I would like to bring special attention to.  This part is
> still a little bit up in the air.
> 
> The question is, what should the rule be as far as security issues are
> concerned?  Should we supply patches for
>   --> _all_ 1.6.X versions?
>   --> only the last N number of 1.6.X versions?
>   --> any 1.6.X release made in the past 2 years?
> 
> I want to keep everyone happy, but also make sure we don't place an unnecessary
> burden on ourselves.  One thing to keep in mind is that security issues don't
> come up very often, and the patches for them are generally fairly trivial.

How would you suggest properly numbering patched releases to signify
that security patching had been done? Not signifying that it had been
patched is a further headache to support.

Would we end up with something like
1.6.x.AST-2007-023, to denote that it was a specific release of 1.6.x
with security patches up to the string on the end applied?

Or would we basically say that patches would only be applied to the head
of a branch and that head would get released as a new minor release?

Do we even have a precedent for going back and patching a non-major
release head?
-- 
Steven Critchfield <critch at basesys.com>



