CiviCRM Community Forums (archive)


This forum was archived on 25 November 2017. Learn more.




Author Topic: security updates for 3.4  (Read 1025 times)

jtbayly

  • I post occasionally
  • **
  • Posts: 43
  • Karma: 0
security updates for 3.4
May 02, 2011, 09:41:07 am
What is the policy concerning security updates?

In other words, since 3.4 is the final D6 version, are we going to see security updates to 3.4? And if so, for how long?

Thanks,
-Joseph

Donald Lobo

  • Administrator
  • I’m (like) Lobo ;)
  • *****
  • Posts: 15963
  • Karma: 470
    • CiviCRM site
  • CiviCRM version: 4.2+
  • CMS version: Drupal 7, Joomla 2.5+
  • MySQL version: 5.5.x
  • PHP version: 5.4.x
Re: security updates for 3.4
May 02, 2011, 11:40:25 am


Our current policy is to support the latest release only. This means that 3.4 will not have any critical bugs / security updates once 4.1 is released (Aug/Sept timeframe). However we do recognize that this is a bit different than most point releases, so the following options are in play:

1. There is an existing MIH: http://civicrm.org/mih#35 to continue the 3.x branch. This seems unlikely to be met, so we are considering modifying the MIH to extend support for v3.4 till v4.2 is released (end of 2011/1Q 2012). Security updates and critical bug fixes only, no new features.

2. There has been talk on IRC about a self-organized community group providing support and backports of critical bug fixes once v4.1 is released.

Bottom line is, we strongly encourage folks interested in this to help with either option 1 or option 2.

lobo
A new CiviCRM Q&A resource needs YOUR help to get started. Visit our StackExchange proposed site, sign up and vote on 5 questions

jtbayly

Re: security updates for 3.4
May 02, 2011, 12:02:55 pm
I think the community needs to consider switching to the way that Drupal handles security updates. They are backported to the previous major version. In this case, we really *should* provide security patches for 3.x for much longer than the plan is currently. Maybe instead of providing security updates for the previous major version (which would often be pointless, since people could/should just upgrade), we should provide security updates for the last version that supports the previous version of Drupal or Joomla!.

The reason is simple: Do we really expect all of the non-profits and other organizations who have settled on CiviCRM to suddenly cough up the money to upgrade their site from D6 to D7 (or Joomla! 1.5 to 1.6)? They don't have the money for that. They aren't planning on it. And they don't have a clue that they are about to have an insecure site.

We need to provide security patches for a good long time for those organizations stuck on D6 or J1.5.

Maybe the MIH should be switched to just funding the security updates. But I also think that we should switch the official policy of providing security updates.

I can't tell a client, "Well, there is this ad-hoc group of people that *might* patch security bugs." Nor can I tell them, "As long as you and other organizations keep bribing the developers every 6 months with large sums of money, they will consider helping you by keeping the site you *just* put online last month secure."

I'm not being very nice in my language, I know. But my point is that this is egg on the face of the entire CiviCRM community. Seriously, big projects are just now being deployed on 3.x and will be *after* we have officially stopped providing security patches. That's not good for business. You know what I mean?

Donald Lobo

Re: security updates for 3.4
May 02, 2011, 12:40:12 pm

I don't think there are lots of people who will disagree with you.

Yes, having a group of people who are willing to help with providing security patches for D6/J1.5 for a good long time would be great and beneficial to the project. Would be great if you can get on IRC and ping folks like dharmatech, yjkchicago etc. and help form that group of people.

lobo

This forum was archived on 2017-11-26.