[TYPO3-core] Combining security and bugfix releases

Christian Lerrahn (Cerebrum) christian.lerrahn at cerebrum.com.au
Wed Dec 21 03:04:32 CET 2011


Hi Ernesto,

On Tue, 20 Dec 2011 09:55:08 +0100
"Ernesto Baschny [cron IT]" <ernst at cron-it.de> wrote:
> If we were to consider this kind of approach, I would suggest the
> following:
> 
> - 4.5.x is considered vulnerable
> - 4.5.x-sec1 is released with the sec fix only
> - 4.5.x+1 is released with the sec fix PLUS all other pending bug
> fixes
> 
> People scared about potential regressions install the "x-sec1"
> release. People wanting "cutting edge bug fixes" apply the "x+1"
> release.
> 
> For our GIT strategy, that would mean that we need to branch on
> specific tags (to apply the sec-fixes), changes in the release
> scripts, ... etc!
> 
> What do you think?

That sounds a lot like what I already suggested in my original mail,
just a little bit more detailed. I definitely think that it should be
possible to limit updates to security only and never be forced into
getting bugfixes as well.

In regard to the process making it hard to have security updates
decoupled from the bugfixes, I think I don't quite understand. Why does a
security release have to be a snapshot of the source tree? Wouldn't it
be much easier to take the security patch, apply it to the latest
release and then release that patched version as the security fix
release? In fact, that way you could even release the patch by itself
as well, so people can choose to download just the patch instead of
downloading a new source tree which is 99% the same as the one they
already have.

I do understand that even security fixes come with the risk of
regression. I don't think that can be helped even with as much
manpower as you could think of. However, increasing that risk of
regression by adding unrelated bugfixes is a very different story.

Anyway, this was not to criticise any of you guys for not doing a great
job. I sincerely appreciate all your hard work and think that you're
doing a terrific job. And, if there is any need for manpower that can
be outsourced to Down Under (despite time shifts, etc.), let me know. :)

Cheers,
Christian