
We are not even getting security releases any longer?
Closed, Invalid (Public)

Description

When looking at the commits to the REL1_27 branch I see security fixes authored on October 21, 2018. The last point release was done on September 20, 2018, so I assume that these have not yet been officially released. I am on the brink of accepting that maintenance releases are no longer done for the public, but I do not think that this should apply to security releases.

Event Timeline

@Bawolff I put you in here since you were the author of these security fixes. Perhaps they were not about security after all?

For e1160113 & ae2938b765 - They were backported but didn't trigger a security release, because they were considered a hardening patch, and not a vulnerability fix. The thing they fix is not a security vulnerability per se, but only prevents the user from doing something that's a bad idea.

It's worth noting this isn't 1.27 specific either; https://gerrit.wikimedia.org/r/#/q/I741736e12b0ed49e95f22c869a2b53e2c97b31f0 - these were backported to all supported branches too

I am on the brink of accepting that maintenance releases are no longer done for the public

I think every point release has usually included some amount of security fixes and maintenance fixes, but granted, we don't tend to just do maintenance only releases (there are some exceptions, like T213595: Release 1.32.1 as a maintenance release if it doesn't get rolled into a security release, will be a maintenance release to fix up various issues and spammy logs)

I do note on https://www.mediawiki.org/wiki/Version_lifecycle#Release_policy we don't say we will specifically do maintenance releases

It's worth noting this isn't 1.27 specific either; https://gerrit.wikimedia.org/r/#/q/I741736e12b0ed49e95f22c869a2b53e2c97b31f0 - these were backported to all supported branches too

Well yeah, and I could have opened an issue for all the respective branches.

For me it was most important to clarify if I should look for important changes such as security changes on my own on a regular basis and update without waiting for a point release. Up till now I trusted in point releases being made to make me aware of an immediate need to update.

To me, commits labelled with "security" always look worth releasing sooner rather than later. This time it turns out that the security patch is "just" a hardening patch, but I still think that it was not labelled "security" just for the fun of it.

I do note on https://www.mediawiki.org/wiki/Version_lifecycle#Release_policy we don't say we will specifically do maintenance releases

Well, ok no worries. What I learned here is that I should probably check for changes on my own on a regular basis and update the wikis I take care of. And in case there is a real security problem I still trust on point releases being done.

I guess this issue may be closed.
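The check the reporter says they will do by hand, listing security-tagged commits on a release branch that have landed since the last point release, can be scripted. The following is an added example and not code from MediaWiki or from anyone in this thread; it parses the output of `git log --format='%H%x09%cI%x09%D%x09%s' origin/REL1_27` (one commit per line, newest first, fetched with `git fetch --tags`) and flags commits above the most recent tag whose subject mentions "security". The sample log below is constructed, not real MediaWiki history. One deliberate choice: it uses the committer date (`%cI`), because a backport keeps the original author date, so filtering by author date alone (as the original report did) can misplace a cherry-pick relative to the release it actually post-dates.

```python
"""List security-tagged commits on a release branch that are newer than the
last tagged point release.

Added example, not MediaWiki code. Input is the output of
  git log --format='%H%x09%cI%x09%D%x09%s' origin/REL1_27
i.e. tab-separated: sha, committer date (ISO 8601), ref names, subject;
newest commit first, as git prints it.
"""
import re
from datetime import datetime

# Subjects that mention "security" as a word (MediaWiki prefixes them "SECURITY:").
SECURITY_RE = re.compile(r"\bsecurity\b", re.IGNORECASE)
# A tag ref in the %D decoration field, e.g. "tag: 1.27.5, origin/REL1_27".
TAG_RE = re.compile(r"tag: ([^,]+)")

# Constructed sample log (not real history); shas, dates and subjects are invented.
SAMPLE_LOG = """\
aaaa111\t2018-11-02T14:03:11+00:00\tHEAD -> REL1_27, origin/REL1_27\tSECURITY: constructed hardening change B
bbbb222\t2018-10-21T09:15:40+00:00\t\tSECURITY: constructed hardening change A
cccc333\t2018-10-05T08:00:00+00:00\t\tLocalisation updates (constructed)
dddd444\t2018-09-20T18:30:00+00:00\ttag: 1.27.5\tRelease 1.27.5 (constructed)
eeee555\t2018-09-19T10:00:00+00:00\t\tSECURITY: constructed fix already shipped in 1.27.5
"""


def parse_log(text):
    """Turn git log lines into dicts; the 'tag' field is None for untagged commits."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, cdate, refs, subject = line.split("\t", 3)
        tag = TAG_RE.search(refs)
        commits.append({
            "sha": sha,
            "date": datetime.fromisoformat(cdate),  # committer date, not author date
            "tag": tag.group(1) if tag else None,
            "subject": subject,
        })
    return commits


def unreleased_security_commits(text):
    """Return (last_tag, commits) where commits are the security-tagged commits
    that sit above the newest tag on the branch, i.e. are not in any release."""
    commits = parse_log(text)
    for i, c in enumerate(commits):
        if c["tag"]:
            last_tag, unreleased = c["tag"], commits[:i]
            break
    else:
        # Without a tag we cannot tell what was released; refuse rather than guess.
        raise ValueError("no tag found on branch; run 'git fetch --tags' first")
    return last_tag, [c for c in unreleased if SECURITY_RE.search(c["subject"])]


if __name__ == "__main__":
    tag, pending = unreleased_security_commits(SAMPLE_LOG)
    print(f"last release tag on branch: {tag}")
    for c in pending:
        print(f"{c['sha']} {c['date'].date()} {c['subject']}")
```

Run against a real checkout, the script is fed by `git log` on the fetched `origin/REL1_xx` branch; a non-empty result means the branch carries security-labelled changes that no tagged release contains yet, which is exactly the situation the report describes. As the maintainers note above, such a commit may be a hardening patch rather than a vulnerability fix, so the list is a prompt to read the commits, not by itself proof that an urgent update is needed.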

I do note on https://www.mediawiki.org/wiki/Version_lifecycle#Release_policy we don't say we will specifically do maintenance releases

Well, ok no worries. What I learned here is that I should probably check for changes on my own on a regular basis and update the wikis I take care of. And in case there is a real security problem I still trust on point releases being done.

Yeah, exactly. There might be backports of useful fixes, but as Brian said, it may not always result in an immediate security release. Chances are if it's in public like this, it's not going to be major issues, but things like hardening, or fixing long standing issues that people using MW for years are likely to know occurs etc :)