On 14.01.2014 17:53, Eric Blake wrote: > Mitre tried to assign us two separate CVEs for the fix for > https://bugzilla.redhat.com/show_bug.cgi?id=1047577, on the > grounds that the fixes were separated by more than an hour > and thus triggered different hourly snapshots. But we > explicitly do NOT want to treat transient security bugs as > CVEs if they can only be triggered by patches in libvirt.git > but where the problem is cleaned up before a formal release. > > Meanwhile, I noticed that while our wiki mentioned maintenance > branches and releases, our formal documentation did not. > > * docs/downloads.html.in: Contrast hourly snapshots with > maintenance branches. > > Signed-off-by: Eric Blake <eblake@xxxxxxxxxx> > --- > > Doc only, so suitable for 1.2.1 if it gets reviewed in time. > > docs/downloads.html.in | 25 ++++++++++++++++++++++++- > 1 file changed, 24 insertions(+), 1 deletion(-) > > diff --git a/docs/downloads.html.in b/docs/downloads.html.in > index 83b8751..ef03567 100644 > --- a/docs/downloads.html.in > +++ b/docs/downloads.html.in > @@ -22,7 +22,9 @@ > <p> > Once an hour, an automated snapshot is made from the git server > source tree. These snapshots should be usable, but we make no guarantees > - about their stability: > + about their stability; furthermore, they should NOT be > + considered formal releases, and they may have transient security > + problems that will not be assigned a CVE: > </p> > > <ul> 
> @@ -30,6 +32,27 @@ > <li><a href="http://libvirt.org/sources/libvirt-git-snapshot.tar.gz">libvirt.org HTTP server</a></li> > </ul> > > + <h2><a name="maintenance">Maintenance releases</a></h2> > + <p> > + In the git repository are several stable maintenance branches, > + matching the > + pattern <code>v<i>major</i>.<i>minor</i>.<i>micro</i>-maint</code>; > + these branches are forked off the corresponding > + <code>v<i>major</i>.<i>minor</i>.<i>micro</i></code> formal > + release, and may have further releases of the > + form <code>v<i>major</i>.<i>minor</i>.<i>micro</i>.<i>rel</i></code>. > + These maintenance branches should only contain bug fixes, and no > + new features, backported from the master branch, and are > + supported. These maintenance branches are considered during > + CVE analysis. > + </p> > + > + <p> > + For more details about contents of maintenance releases, see > + <a href="http://wiki.libvirt.org/page/Maintenance_Releases">the > + wiki page</a>. > + </p> > + > <h2><a name="git">GIT source repository</a></h2> > > <p> > ACK & safe for the upcoming release. Michal
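Review bot: in the first hunk (docs/downloads.html.in, @@ -22,7 +22,9 @@), the added clause "they may have transient security problems that will not be assigned a CVE" states the no-CVE rule unconditionally, whereas the commit message limits it to problems that are both introduced and cleaned up between formal releases; suggest carrying that condition into the page, e.g. `+ problems, introduced and fixed between releases, that will not be` / `+ assigned a CVE:`, so a reader does not take it to mean that bugs found in snapshots are never tracked. The sentence also still ends in the colon that introduces the snapshot download list, so the CVE caveat now sits between that list and its lead-in; a separate sentence ahead of the "about their stability:" lead-in would read more clearly.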
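Review bot: in the second hunk (@@ -30,6 +32,27 @@), "and are supported" at the end of the bug-fix sentence is vague (supported by whom, and for how long?), and the paragraph never says that security fixes are among what is backported, which is exactly what a reader checking "considered during CVE analysis" needs to know; suggest something like `+ new features, backported from the master branch; security fixes` / `+ are backported to them, and they are considered during CVE analysis.` and either stating the support period or deferring it explicitly to the linked wiki page. The `<a name="maintenance">` anchor follows the existing `<a name="git">` convention, so the new section is linkable as #maintenance; fine as is.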