I understand that Rails is still a very young project and hasn't yet
had time to work out these policies, but the issue right now isn't
about the disclosure of the security hole. I've also read that
conversation and like many others think that the poster did everything
reasonable before disclosing the problem publicly. However, in a
situation like this I'd expect that a new branch would be created from
2.3.2 as of 15 March when it was released, and the security patch
applied and 2.3.2.1 released. If the current policy is that security
patches have to wait until the next release is stable, then I think
that policy should be reviewed.
I have no interest in re-litigating all those issues; however, if you'd
read the policy you'd see that we will, and have historically, pushed
releases simultaneously with disclosure.
For this particular case there have actually been 3 subsequent reports
which have been investigated and turned out to not be issues with
Rails or issues at all. Each of those has pushed the release 'just
one more week'.
From the outside this is 5ish weeks of no progress, and people are
understandably annoyed.
If we find ourselves in this position again with a security release
that needs urgent attention and a non-ready stable branch, I think
your idea of a 2.3.2.1 is a good one. We'll do that.
Even now, I would encourage you to release 2.3.2.1. The json issue you
mention could be fixed tomorrow or it could take another fortnight
depending on the availability of the volunteers who maintain this
project.
This has been resolved as a non-issue and David will push the gems
'shortly'. How shortly is another question, and this is a
single point of failure in our release process which we'll have to
resolve before 2.3.4.
Which takes us back to the Lighthouse question I asked. I can't find
this bug against 2.3.3, so I guess the answer is that Lighthouse is
not the definitive place to look for release notes, a list of what was
fixed in each version or what remains for that version. It is a little
hard for users like me to find the time to follow this list in detail
to understand what goes into each release and what is left to do.
I agree, 2.3.3 is a mess but this mess will be over shortly. I
should've reopened the json bug and set its milestone for 2.3.3.
We've done that in the past and will do it in the future.
For 2.3.4, if it's in the milestone list, it's intended to be fixed for
that release. Bugs can and will move in and out of that milestone,
and if you have something you want to block that milestone, you should
raise it on this mailing list.
I find Lighthouse a bit limiting: it would be nice to see release
notes directly there a bit like another project I'm involved in [1].
I'm also finding Lighthouse's limitations quite frustrating. It'd
probably be a good idea to figure out a list of 'missing features' so
we can either ask Rick and co. to fix them, or migrate somewhere else.
Release-notes generation being a big one.
I hope you consider some of the above ideas as constructive rather
than just critical, from someone who spends 95% of their time in the
Java world where many projects have had time to develop clear
processes.
I appreciate the feedback always, especially when it comes with
productive actions to take :).
This is a volunteer project which means some things will get messed
up. It's not deliberate and we're trying to learn, the best way to
help is to provide constructive advice like you've done here.
All the best