Backporting security fixes onto stable releases

I self-host Discourse. But I do not like to deploy unstable releases (betas or, even worse, from tests-passing). However, it seems that Discourse only includes security fixes in these unstable releases. So server administrators who prefer to deploy only from stable releases miss out on potentially critical security updates.

A recent example of this is 2.7.0.beta5, which includes one security fix. The latest stable release was 29 days ago (v2.6.3), but the release with the security fix was only made available in v2.7.0.beta5 (published 23 days ago). Because of this I get the following warning on my dashboard:

And in order to receive this security fix I have no choice but to update to a beta…

Discourse is an awesome piece of software and I understand that CDCK deploys unstable branches (tests-passing) to their customers. However, I start this thread out of concern that some system administrators will miss out on critical updates…

With this, I would ask the Discourse team to back-port medium/high security updates, issuing a stable version with that security fix ASAP.

Stable builds do receive security fixes as warranted. Not every security fix mentioned in the beta release notes requires backporting, however. Some may be trivial/minor, and not worth the effort/risk to backport. Others may be medium/critical, but are due to a change from an earlier beta such that the security vulnerability doesn’t exist on stable.

In the current example from 2.7.0.beta5, the vulnerability could only be exploited under specific circumstances, on sites that had deviated from default secure site settings. As such, it was decided not to backport it, due to the risk of introducing unexpected bugs/changes, which we try to avoid on the stable branch.

6 Likes

Fair enough. Thanks for the explanation.

I believe if you specified the stable branch then it wouldn’t be recommending the upgrade.

Many more sites run tests-passed than stable or beta (including CDCK hosting), so tests-passed is in some ways safer than stable. Because of that, I think it’s more work to run stable. That said, those who run stable frequently speak well here of how good they are at backporting critical fixes.

1 Like