Feature Proposal: We should have a policy on how far back we go with packages for old Foswiki installers

Motivation

Mainly I have an issue with continuing to supply releases in "easy-to-install" packages with known, published CVE vulnerabilities. In addition, it just doesn't look good for us to let versions lag so far behind the current release. We continue to "advertise" packages going back to 1.0.10, which is 3 years old and has many known vulnerabilities.

Description and Documentation

Establish a policy or best practice for "OtherFoswikiInstallers":
  • Releases with known security vulnerabilities are moved to an archive page
  • For the current version, only the 2 most recent patch releases are listed
  • When a new version is released (1.2 for example), the final patch release of the prior version (1.1.9 for example) remains available and is not subject to the 2-most-recent restriction
  • Older versions are referenced from an Archive page that is linked from the OtherInstallers page

This results in the following:
  • Because 1.1.7 has a CVE, the only release we would currently link would be 1.1.8.
  • Once 1.1.9 releases, 1.1.8 and 1.1.9 would be listed.
  • When 1.2.0 releases, 1.1.9 would remain available until it is hit with a CVE or we choose to drop support.

The bottom line: The following installers get archived:
  • Mac OS X 10.5, 10.6 (1.1.2 is too old and has CVEs)
  • Mac OS X 10.7 (1.1.7 has CVE against it)
  • Windows installer (1.1.2 too old and has CVEs)
  • Windows Foswiki on a Stick (1.1.5 too old, and has CVEs)
  • Linux on Shared Host (1.0.10 too old, and has CVEs)
  • All 3 virtual machine images: 1.0.9, 1.1.2 and 1.1.5
Longer term, this really ought to be a wiki app, with a topic per "Other Installer", populated onto this page from a search.

Examples

Impact


Implementation

-- Contributors: GeorgeClark - 18 Nov 2013

Discussion

I hate to push the timeframe on this. But it's not good for the OtherInstallers page to point to obsolete / vulnerable code. I'm going to remove the stale stuff. If anyone raises an objection, please revert the topic.

-- GeorgeClark - 19 Nov 2013

Please don't remove the links to the old installers completely! In the very least, please keep the old installers available via an archive page (which is mentioned above) that is accessible from OtherInstallers. Maybe the archive page should suggest applying upgrades after installation :-)

-- MichaelTempest - 20 Nov 2013

Yes indeed. Already done that way.

I'll update the proposal.

-- GeorgeClark - 20 Nov 2013
 
Topic revision: r5 - 01 Apr 2014, GeorgeClark