Page MenuHomePhabricator

We are not even getting security releases any longer?
Closed, InvalidPublic

Description

When looking a the commits to the REL1_27 branch I see security fixes authored on October 21, 2018. The last point release was done on September 20, 2018 so I assume that these were jet officially released. I am on the brink of accepting that maintenance releases are no longer done for the public but I do not think that this should apply to security releases.

Event Timeline

Kghbln created this task.Feb 19 2019, 10:09 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 19 2019, 10:09 AM

@Bawolff I put you in here since you were the author of these security fixes. Perhaps they were not about security after all?

For e1160113 & ae2938b765 - They were backported but didn't trigger a security release, because they were considered a hardening patch, and not a vulnerability fix. The thing they fix is not a security vulnerability per-se but only preventing the user from doing a behaviour that's a bad idea.

Reedy added a subscriber: Reedy.Feb 19 2019, 12:55 PM

It's worth noting this isn't 1.27 specific either; https://gerrit.wikimedia.org/r/#/q/I741736e12b0ed49e95f22c869a2b53e2c97b31f0 - these were backported to all supported branches too

I am on the brink of accepting that maintenance releases are no longer done for the public

I think every point release has usually included some amount of security fixes and maintenance fixes, but granted, we don't tend to just do maintenance only releases (there are some exceptions, like T213595: Release 1.32.1 as a maintenance release if it doesn't get rolled into a security release, will be a maintenance release to fix up various issues and spammy logs)

Reedy added a comment.Feb 19 2019, 1:09 PM

I do note on https://www.mediawiki.org/wiki/Version_lifecycle#Release_policy we don't say we will specifically do maintenance releases

It's worth noting this isn't 1.27 specific either; https://gerrit.wikimedia.org/r/#/q/I741736e12b0ed49e95f22c869a2b53e2c97b31f0 - these were backported to all supported branches too

Well yeah, and I could have opened an issue for all branches respective branches.

For me it was most important to clarify if I should look for important changes such as security changes on my own on a regular basis and update without waiting for a point release. Up till now I trusted in point releases being made to make me aware of an immediate need to update.

To me commits labeled with "security" always look worth releasing rather soon than later. This time it turns out that the security patch is "just" a hardening patch but I still think that this was not just labelled "security" for the fun of it.

I do note on https://www.mediawiki.org/wiki/Version_lifecycle#Release_policy we don't say we will specifically do maintenance releases

Well, ok no worries. What I learned here is that I should probably check for changes on my own on a regular basis and update the wikis I take care of. And in case there is a real security problem I still trust on point releases being done.

I guess this issue may be closed.

Kghbln closed this task as Invalid.Feb 19 2019, 1:15 PM
Reedy added a comment.Feb 19 2019, 1:16 PM

I do note on https://www.mediawiki.org/wiki/Version_lifecycle#Release_policy we don't say we will specifically do maintenance releases

Well, ok no worries. What I learned here is that I should probably check for changes on my own on a regular basis and update the wikis I take care of. And in case there is a real security problem I still trust on point releases being done.

Yeah, exactly. There might be backports of useful fixes, but as Brian said, it may not always result in an immediate security release. Chances are if it's in public like this, it's not going to be major issues, but things like hardening, or fixing long standing issues that people using MW for years are likely to know occurs etc :)

sbassett moved this task from Backlog to Done on the Security-Team board.Jun 11 2019, 6:17 PM