Mitre tried to assign us two separate CVEs for the fix for
https://bugzilla.redhat.com/show_bug.cgi?id=1047577, on the
grounds that the fixes were separated by more than an hour
and thus triggered different hourly snapshots. But we
explicitly do NOT want to treat transient security bugs as
CVEs if they can only be triggered by patches in libvirt.git
but where the problem is cleaned up before a formal release.
Meanwhile, I noticed that while our wiki mentioned maintenance
branches and releases, our formal documentation did not.
* docs/downloads.html.in: Contrast hourly snapshots with
maintenance branches.
Signed-off-by: Eric Blake <eblake(a)redhat.com>
---
Doc only, so suitable for 1.2.1 if it gets reviewed in time.
docs/downloads.html.in | 25 ++++++++++++++++++++++++-
1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/docs/downloads.html.in b/docs/downloads.html.in
index 83b8751..ef03567 100644
--- a/docs/downloads.html.in
+++ b/docs/downloads.html.in
@@ -22,7 +22,9 @@
<p>
Once an hour, an automated snapshot is made from the git server
source tree. These snapshots should be usable, but we make no guarantees
- about their stability:
+ about their stability; furthermore, they should NOT be
+ considered formal releases, and they may have transient security
+ problems that will not be assigned a CVE:
</p>
<ul>
@@ -30,6 +32,27 @@
<li><a
href="http://libvirt.org/sources/libvirt-git-snapshot.tar.gz"&g...
HTTP server</a></li>
</ul>
+ <h2><a name="maintenance">Maintenance
releases</a></h2>
+ <p>
+ In the git repository are several stable maintenance branches,
+ matching the
+ pattern
<code>v<i>major</i>.<i>minor</i>.<i>micro</i>-maint</code>;
+ these branches are forked off the corresponding
+
<code>v<i>major</i>.<i>minor</i>.<i>micro</i></code>
formal
+ release, and may have further releases of the
+ form
<code>v<i>major</i>.<i>minor</i>.<i>micro</i>.<i>rel</i></code>.
+ These maintenance branches should only contain bug fixes, and no
+ new features, backported from the master branch, and are
+ supported. These maintenance branches are considered during
+ CVE analysis.
+ </p>
+
+ <p>
+ For more details about contents of maintenance releases, see
+ <a
href="http://wiki.libvirt.org/page/Maintenance_Releases">the
+ wiki page</a>.
+ </p>
+
<h2><a name="git">GIT source repository</a></h2>
<p>
--
1.8.4.2