Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
[platform-dev] Process for a security/bugfix release for the Eclipse Platform

Hello,
Eclipse platform has been releasing every three month for some time. I've been recently working on clarifying security processes and I could not find a description how the Eclipse Platform handles a security release.

Would a security fix need to wait for next 3-month release? This could be in conflict with the 90 days vulnerability release policy. Consider this scenario:
- A vulnerability is reported two weeks before the release and the team needs some time to prepare a fix.
- The fix is ready one month after the release
- 90 days will come two weeks BEFORE the next release
Releasing a vulnerability information to the public without a release fixing it is against best practices and it would be beneficial to avoid it.

Do you consider running a separate bugfix release?

Could you please point me to documentation/discussions on how you do handle or would handle such a situation?

Thanks in advance,
Marta

Back to the top