Mitre tried to assign us two separate CVEs for the fix for https://bugzilla.redhat.com/show_bug.cgi?id=1047577, on the grounds that the fixes were separated by more than an hour and thus triggered different hourly snapshots. But we explicitly do NOT want to treat transient security bugs as CVEs if they can only be triggered by patches in libvirt.git but where the problem is cleaned up before a formal release. Meanwhile, I noticed that while our wiki mentioned maintenance branches and releases, our formal documentation did not. * docs/downloads.html.in: Contrast hourly snapshots with maintenance branches. Signed-off-by: Eric Blake <eblake@xxxxxxxxxx> --- Doc only, so suitable for 1.2.1 if it gets reviewed in time. docs/downloads.html.in | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/docs/downloads.html.in b/docs/downloads.html.in index 83b8751..ef03567 100644 --- a/docs/downloads.html.in +++ b/docs/downloads.html.in @@ -22,7 +22,9 @@ <p> Once an hour, an automated snapshot is made from the git server source tree. These snapshots should be usable, but we make no guarantees - about their stability: + about their stability; furthermore, they should NOT be + considered formal releases, and they may have transient security + problems that will not be assigned a CVE: </p> <ul> @@ -30,6 +32,27 @@ <li><a href="http://libvirt.org/sources/libvirt-git-snapshot.tar.gz">libvirt.org HTTP server</a></li> </ul> + <h2><a name="maintenance">Maintenance releases</a></h2> + <p> + In the git repository are several stable maintenance branches, + matching the + pattern <code>v<i>major</i>.<i>minor</i>.<i>micro</i>-maint</code>; + these branches are forked off the corresponding + <code>v<i>major</i>.<i>minor</i>.<i>micro</i></code> formal + release, and may have further releases of the + form <code>v<i>major</i>.<i>minor</i>.<i>micro</i>.<i>rel</i></code>. + These maintenance branches should only contain bug fixes, and no + new features, backported from the master branch, and are + supported. These maintenance branches are considered during + CVE analysis. + </p> + + <p> + For more details about contents of maintenance releases, see + <a href="http://wiki.libvirt.org/page/Maintenance_Releases">the + wiki page</a>. + </p> + <h2><a name="git">GIT source repository</a></h2> <p> -- 1.8.4.2 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list