John Carlissi <johncarlissi@xxxxxxxxx> writes: > I noticed that with 2.16.6 development stopped whereas with the latest > security update, everything 2.17 and newer got the fix. Is there any > formal definition as to when a minor version is EOL and no longer gets > security updates? Nothing formal, but I try not to give a false sense of security by backmerging a fix to maintenance tracks that are too old. Unless a "fix" is quite trivial, it always risks introducing new bugs, given that most developers and testers work on the more modern codebase. A call to a helper that is made to "fix" an issue may be safe in today's codebase, but the same helper in the ancient maintenance track may not have been updated to match what the new callsite expects it to do, for example. Limiting backmerging also is a way to encourage people to update to the latest major releases. I currently aim to limit to at most four or five of maintenance tracks. Each development cycle usually lasts for 8-10 weeks, so that means the shelf life of a major release is about 8 months at the most---but sometimes people get greedy and demand backmerging to way older tracks. The last one for 2.17.x track was an example. Of course, the above does not mean distro packagers and managers of platform specific ports are not allowed to backport the fixes to older codebase than I cut "official" maitenance releases for.
