HDDS-10214. Update supported versions in security policy up to 1.4.0 #6100
Conversation
Thanks @ivandika3 for updating this doc. Adding new versions is definitely needed. 1.2.0 should be omitted, since it is superseded by 1.2.1. More importantly, I think we should discuss (probably in the dev mailing list) which GA versions are really supported. With the exception of 1.2.1, there were no patch releases with security fixes.
@adoroszlai Thank you for reviewing this.
Updated.
I see, I'm not quite clear what "supported" really means. My understanding is that people can submit security reports only for the supported versions.

fapifta left a comment
Hi @ivandika3 thank you for dealing with the documentation in this PR.
I did a quick search for CVEs, as we had a few in the past, according to this page:
https://www.opencve.io/cve?vendor=apache&product=ozone
we have fixed our CVEs in 1.2.0, so I suggest supporting releases after 1.2.1, as 1.2.1 was also released to fix a security problem.
I think 1.2.0 is also missing from the table; we can add it as well, as an already unsupported release superseded by 1.2.1.
@fapifta 1.2.0 was removed due to my comment. That release was pulled from the website completely, even the 1.2.0 release page redirects to 1.2.1. So not only is it unsupported, it is unavailable. Should we still list it here?

Hmm... sorry for my ignorance, I did not know that 1.2.0 was that seriously purged from everywhere... in this case we should not put it back in here either, you are right.

fapifta left a comment
Hi @adoroszlai, @ivandika3,
considering the recent CVE that affects 1.2.1 and 1.3.0, should we consider removing those from the supported versions as well, and leave 1.4.0 as supported?
Maybe another option is to keep 1.3.0 supported; I am not sure whether that would create an obligation to release 1.3.1 with the fix for the CVE, or whether we can leave it as it is.
Thanks @ivandika3 for the patch, @fapifta for the review.
I agree, patch is updated accordingly. I think anyone proposing support for 1.3.x should start by backporting the security fix and volunteering to be release manager.

Thank you @adoroszlai @fapifta for the in-depth discussions here and in the dev mailing list. I learnt quite a bit about Ozone security policy.
…pache#6100) (cherry picked from commit df68290)
What changes were proposed in this pull request?
Currently Security.md only contains Ozone versions up to 1.1.
This patch includes versions up to 1.4.
It would also be a good idea to add a note to the Ozone wiki release guide to update security.md during the release process.
What is the link to the Apache JIRA?
https://issues.apache.org/jira/browse/HDDS-10214
How was this patch tested?
NA