This repository has been archived by the owner on Apr 1, 2024. It is now read-only.
forked from apache/pulsar
Commit
[SECURITY] Add Security Policy and Supported Versions page to website (apache#10829)

* Add SECURITY.md with explicit dates for version support
* Add Security and Versioning Policy page to website
* Clarify that a version can be supported longer than 12 months
* Clean up; Add announcement section
* Improve title for better clarity
* Add note about upgrade compatibility
* Copy doc to site2/website-next/docs

The original context for this PR is on the dev mailing list here: https://lists.apache.org/thread.html/ra2db06e8da85bff67d8d588dc1e93d965f2e1d70c95bda2f08d14138%40%3Cdev.pulsar.apache.org%3E

### Motivation

The Pulsar project does not explicitly declare version support timelines. By declaring support timelines, we can give our users more confidence that they will receive relevant security fixes before vulnerabilities are announced. Additionally, these timelines will guide the PMC when determining which branches need to receive security fixes.

I decided to start with a 12 month support window instead of 18. If we use 18 months, 2.5.x should still technically be supported. Additionally, PIP-47 indicates that we should be doing 4 minor releases a year. If we tried to support releases for 18 months, that could mean a _lot_ of extra releases if there are security vulnerabilities discovered in all active branches. I am open to debate/feedback on this point.

### Modifications

Add a `SECURITY.md` file and pages on the website.

### Release Process

If this PR is accepted, I'll follow up with a change to the pulsar wiki to update the release process. Each minor and major release will require an update to the table in the `SECURITY.md` file.

### Other Changes

It might be worth adding the content in this PR to a page on the pulsar website. I'm not sure where to add that yet, so I'd like to get feedback on this content before duplicating it to the website.

### Reference

I used the Apache Spark version policy (https://spark.apache.org/versioning-policy.html) as a guide for creating this doc.
1 parent bd15441, commit 8242275
Showing 5 changed files with 139 additions and 0 deletions.
@@ -0,0 +1,3 @@ | ||
# Security Policy | ||
|
||
The security policy and supported versions are outlined on the Pulsar website here: https://pulsar.apache.org/docs/security-policy-and-supported-versions/. |
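Review bot: The link in the new `SECURITY.md` points at https://pulsar.apache.org/docs/security-policy-and-supported-versions/, a path that differs from the `/docs/en/...` form the new page itself uses for the security overview, so it may not resolve until the website build that publishes this doc is live; please verify the final URL. Since GitHub surfaces `SECURITY.md` directly to people looking for where to report, consider also stating the reporting address and the private PMC list inline rather than only behind a link.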
@@ -0,0 +1,67 @@ | ||
--- | ||
id: security-policy-and-supported-versions | ||
title: Security Policy and Supported Versions | ||
sidebar_label: Security Policy and Supported Versions | ||
--- | ||
|
||
## Reporting a Vulnerability | ||
|
||
The current process for reporting vulnerabilities is outlined here: https://www.apache.org/security/. When reporting a | ||
vulnerability to [email protected], you can copy your email to [[email protected]](mailto:[email protected]) | ||
to send your report to the Apache Pulsar Project Management Committee. This is a private mailing list. | ||
|
||
## Using Pulsar's Security Features | ||
|
||
You can find documentation on Pulsar's available security features and how to use them here: | ||
https://pulsar.apache.org/docs/en/security-overview/. | ||
|
||
## Security Vulnerability Announcements | ||
|
||
The Pulsar community will announce security vulnerabilities and how to mitigate them on the [[email protected]](mailto:[email protected]). | ||
For instructions on how to subscribe, please see https://pulsar.apache.org/contact/. | ||
|
||
## Versioning Policy | ||
|
||
The Pulsar project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). Existing releases can expect | ||
patches for bugs and security vulnerabilities. New features will target minor releases. | ||
|
||
When upgrading an existing cluster, it is important to upgrade components linearly through each minor version. For | ||
example, when upgrading from 2.8.x to 2.10.x, it is important to upgrade to 2.9.x before going to 2.10.x. | ||
|
||
## Supported Versions | ||
|
||
Feature release branches will be maintained with security fix and bug fix releases for a period of at least 12 months | ||
after initial release. For example, branch 2.5.x is no longer considered maintained as of January 2021, 12 months after | ||
the release of 2.5.0 in January 2020. No more 2.5.x releases should be expected at this point, even to fix security | ||
vulnerabilities. | ||
|
||
Note that a minor version can be maintained past it's 12 month initial support period. For example, version 2.7 is still | ||
actively maintained. | ||
|
||
Security fixes will be given priority when it comes to back porting fixes to older versions that are within the | ||
supported time window. It is challenging to decide which bug fixes to back port to old versions. As such, the latest | ||
versions will have the most bug fixes. | ||
|
||
When 3.0.0 is released, the community will decide how to continue supporting 2.x. It is possible that the last minor | ||
release within 2.x will be maintained for longer as an “LTS” release, but it has not been officially decided. | ||
|
||
The following table shows version support timelines and will be updated with each release. | ||
|
||
| Version | Supported | Initial Release | At Least Until | | ||
|:-------:|:------------------:|:---------------:|:--------------:| | ||
| 2.9.x | :white_check_mark: | November 2021 | November 2022 | | ||
| 2.8.x | :white_check_mark: | June 2021 | June 2022 | | ||
| 2.7.x | :white_check_mark: | November 2020 | November 2021 | | ||
| 2.6.x | :x: | June 2020 | June 2021 | | ||
| 2.5.x | :x: | January 2020 | January 2021 | | ||
| 2.4.x | :x: | July 2019 | July 2020 | | ||
| < 2.3.x | :x: | - | - | | ||
|
||
If there is ambiguity about which versions of Pulsar are actively supported, please ask on the [[email protected]](mailto:[email protected]) | ||
mailing list. | ||
|
||
## Release Frequency | ||
|
||
With the acceptance of [PIP-47 - A Time Based Release Plan](https://github.com/apache/pulsar/wiki/PIP-47%3A-Time-Based-Release-Plan), | ||
the Pulsar community aims to complete 4 minor releases each year. Patch releases are completed based on demand as well | ||
as need, in the event of security fixes. |
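Review bot: The Supported Versions table carries no "as of" date, so a reader of a cached or forked copy cannot tell whether a :white_check_mark: is still current; since the section says the table "will be updated with each release", consider adding a "last updated" line or naming the release that last touched it. Two smaller points in the same hunk: "past it's 12 month initial support period" should read "past its 12 month initial support period", and "back porting" is written as two words where "backporting" is the usual form.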
@@ -0,0 +1,67 @@ | ||
--- | ||
id: security-policy-and-supported-versions | ||
title: Security Policy and Supported Versions | ||
sidebar_label: Security Policy and Supported Versions | ||
--- | ||
|
||
## Reporting a Vulnerability | ||
|
||
The current process for reporting vulnerabilities is outlined here: https://www.apache.org/security/. When reporting a | ||
vulnerability to [email protected], you can copy your email to [[email protected]](mailto:[email protected]) | ||
to send your report to the Apache Pulsar Project Management Committee. This is a private mailing list. | ||
|
||
## Using Pulsar's Security Features | ||
|
||
You can find documentation on Pulsar's available security features and how to use them here: | ||
https://pulsar.apache.org/docs/en/security-overview/. | ||
|
||
## Security Vulnerability Announcements | ||
|
||
The Pulsar community will announce security vulnerabilities and how to mitigate them on the [[email protected]](mailto:[email protected]). | ||
For instructions on how to subscribe, please see https://pulsar.apache.org/contact/. | ||
|
||
## Versioning Policy | ||
|
||
The Pulsar project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). Existing releases can expect | ||
patches for bugs and security vulnerabilities. New features will target minor releases. | ||
|
||
When upgrading an existing cluster, it is important to upgrade components linearly through each minor version. For | ||
example, when upgrading from 2.8.x to 2.10.x, it is important to upgrade to 2.9.x before going to 2.10.x. | ||
|
||
## Supported Versions | ||
|
||
Feature release branches will be maintained with security fix and bug fix releases for a period of at least 12 months | ||
after initial release. For example, branch 2.5.x is no longer considered maintained as of January 2021, 12 months after | ||
the release of 2.5.0 in January 2020. No more 2.5.x releases should be expected at this point, even to fix security | ||
vulnerabilities. | ||
|
||
Note that a minor version can be maintained past it's 12 month initial support period. For example, version 2.7 is still | ||
actively maintained. | ||
|
||
Security fixes will be given priority when it comes to back porting fixes to older versions that are within the | ||
supported time window. It is challenging to decide which bug fixes to back port to old versions. As such, the latest | ||
versions will have the most bug fixes. | ||
|
||
When 3.0.0 is released, the community will decide how to continue supporting 2.x. It is possible that the last minor | ||
release within 2.x will be maintained for longer as an “LTS” release, but it has not been officially decided. | ||
|
||
The following table shows version support timelines and will be updated with each release. | ||
|
||
| Version | Supported | Initial Release | At Least Until | | ||
|:-------:|:------------------:|:---------------:|:--------------:| | ||
| 2.9.x | :white_check_mark: | November 2021 | November 2022 | | ||
| 2.8.x | :white_check_mark: | June 2021 | June 2022 | | ||
| 2.7.x | :white_check_mark: | November 2020 | November 2021 | | ||
| 2.6.x | :x: | June 2020 | June 2021 | | ||
| 2.5.x | :x: | January 2020 | January 2021 | | ||
| 2.4.x | :x: | July 2019 | July 2020 | | ||
| < 2.3.x | :x: | - | - | | ||
|
||
If there is ambiguity about which versions of Pulsar are actively supported, please ask on the [[email protected]](mailto:[email protected]) | ||
mailing list. | ||
|
||
## Release Frequency | ||
|
||
With the acceptance of [PIP-47 - A Time Based Release Plan](https://github.com/apache/pulsar/wiki/PIP-47%3A-Time-Based-Release-Plan), | ||
the Pulsar community aims to complete 4 minor releases each year. Patch releases are completed based on demand as well | ||
as need, in the event of security fixes. |
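Review bot: Maintaining this file as a second hand-edited copy of the docs page will drift, because the Supported Versions table must change with every release and both copies have to be touched each time; consider generating one copy from the other in the website build, or at minimum recording in the release process that both files are updated together. Any wording fix applied to the other copy (for example "it's" to "its" in the note about maintaining a minor version past 12 months) needs to be applied here as well.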