On Thu, Apr 30, 2020 at 12:47 PM Daniel Shahaf <d...@daniel.shahaf.name> wrote:
> danie...@apache.org wrote on Thu, 30 Apr 2020 16:21 -0000: > I just copied the text we use for 1.9, but there's a distinction: users > of 1.9 have had time to upgrade to 1.10 before 1.14.0 becomes GA, > whereas users of 1.13 have not. So, should we promise some sort of > grace period for users of 1.13.x — i.e., a period following the release > of 1.14.0 during which we'll still fix security bugs in 1.13.0? Before I can offer an opinion on that, I have to ask: If that scenario actually occurs, where a security issue is discovered in a release line very soon after it goes EOL, does the fix have to be an actual *release* with all the process that implies, or can it just be a (signed) patch? Nathan
