Author Topic: security updates for 3.4 (Read 1025 times)

jtbayly · May 02, 2011, 09:41:07 am

What is the policy concerning security updates?

In other words, since 3.4 is the final D6 version, are we going to see security updates to 3.4? And if so, for how long?

Thanks,
-Joseph

Donald Lobo · May 02, 2011, 11:40:25 am

Our current policy is to support the latest release only. This means that 3.4 will not have any critical bugs / security updates once 4.1 is released (Aug/Sept timeframe). However we do recognize that this is a bit different than most point releases, so the following options are in play:

1. There is an existing MIH: http://civicrm.org/mih#35 to continue the 3.x branch. This seems unlikely to be met, so we are considering modifying the MIH to extend support for v3.4 till v4.2 is released (end of 2011/1Q 2012). security updates and criticial bug fixes only, no new features.

2. There has been talk on IRC about a self organized community group providing support and back ports of critical bug fixes once v4.1 is released.

Bottom line is, we strongly encourage folks interested in this to help with either option 1 or option 2.

lobo

jtbayly · May 02, 2011, 12:02:55 pm

I think the community needs to consider switching to the way that Drupal handles security updates. They are backported to the previous major version. In this case, we really *should* provide security patches for 3.x for much longer than the plan is currently. Maybe instead of providing security updates for the previous major version (which would often be pointless, since people could/should just upgrade), we should provide security updates for the last version that supports the previous version of Drupal or Joomla!.

The reason is simple: Do we really expect all of the non-profits and other organizations who have settled on CiviCRM to suddenly cough up the money to upgrade their site from D6 to D7 (or Joomla! 1.5 to 1.6)? They don't have the money for that. They aren't planning on it. And they don't have a clue that they are about to have an insecure site.

We need to provide security patches for a good long time for those organizations stuck on D6 or J1.5.

Maybe the MIH should be switched to just funding the security updates. But I also think that we should switch the official policy of providing security updates.

I can't tell a client, "Well, there is this ad-hoc group of people that *might* patch security bugs." Nor can I tell them, "As long as you and other organizations keep bribing the developers every 6 months with large sums of money, they will consider helping you by keeping the site you *just* put online last month secure."

I'm not being very nice in my language, I know. But my point is that this is egg on the face of the entire CiviCRM community. Seriously, big projects are just now being deployed on 3.x and will be *after* we have officially stopped providing security patches. That's not good for business. You know what I mean?

Donald Lobo · May 02, 2011, 12:40:12 pm

I dont think there are lots of people who will disagree with you.

yes, having a group of people who are willing to help with providing security patches for D6/J1.5 for a good long time would be great and beneficial to the project. Would be great if you can get on IRC and ping folks like dharmatech, yjkchicago etc and help form that group of people.

lobo

CiviCRM Community Forums (archive)

News:

Author Topic: security updates for 3.4 (Read 1025 times)

jtbayly

security updates for 3.4

Donald Lobo

Re: security updates for 3.4

jtbayly

Re: security updates for 3.4

Donald Lobo

Re: security updates for 3.4