In my opinion, although it's "nice" when everyone has clarity on all details of the process, it's just not important to decide this level of detail in advance. It's a fuzzy line and we'll make a reasonable decision if it happens, which it likely won't.
Re. issuing fixes as patches, I think there's no precedent and no grounds for doing so this time. The option of doing so in future for the general case should be raised in a separate thread.

- Julian

1 May 2020 16:39:36 Nathan Hartman <hartman.nat...@gmail.com>:

> On Thu, Apr 30, 2020 at 12:47 PM Daniel Shahaf <d...@daniel.shahaf.name>
> wrote:
> >
> > danie...@apache.org wrote on Thu, 30 Apr 2020 16:21 -0000:
> > >
> > I just copied the text we use for 1.9, but there's a distinction: users
> > of 1.9 have had time to upgrade to 1.10 before 1.14.0 becomes GA,
> > whereas users of 1.13 have not. So, should we promise some sort of
> > grace period for users of 1.13.x — i.e., a period following the release
> > of 1.14.0 during which we'll still fix security bugs in 1.13.0?
> >
> Before I can offer an opinion on that, I have to ask: If that scenario
> actually occurs, where a security issue is discovered in a release line very
> soon after it goes EOL, does the fix have to be an actual *release* with all
> the process that implies, or can it just be a (signed) patch?
>
> Nathan