On 05/22/2012 11:29 AM, Thorsten Glaser wrote:
> How _does_ Mediawiki want to handle this? Personally, if I’m a packager of something, and that something has an identified security issue, I’d be glad if there were some sort of issue tracker with a reference to the CVE number, the commit(s) fixing it, and possible versions affected and commit(s) with a backported fix to versions currently supported by upstream, for adding to the packaged version.
Sam Reed has been supporting versions back to 1.17 lately, but there is no official policy.
I'm looking at what to do going forward. Rob Lanphier, as Platform Director for MediaWiki, has said he thinks WMF shouldn't be in the tarball publishing business.
Since I'm leaving Wikimedia and I've developed some good relationships with WMF's developers as well as the MediaWiki community, I've been talking to Sam and Rob (mostly Sam) about how to handle this *without* forking MediaWiki.
> Is there any interest from MW side to support a specific version (which would have to be released within the next two to three weeks) for a long(er) time?
If I do end up taking over the tarball distribution, I plan on working with a team of volunteers to manage this. This team may include WMF employees like Sam, Chad Horohoe and Tim, to help the transition.
Sam has said that handling multiple versions is problematic and time consuming, but if we have people interested in supporting older versions (like Debian Stable's 1.15), then I think it makes sense to include those in the "official" updates. If we can find someone (you, Thorsten?) to support 1.15 then adding support for 1.16 seems straightforward.
> Of course, if we can do our share to backport fixes, sure, but help from actual developers would be better.
The great thing about the WMF's move to git is that we can easily maintain a branch for 1.15 and 1.16. With Gerrit, you can contribute patches or review other volunteers' patches. As the old adage says: "Many hands make light work."
> Of course pending the mediawiki-math is missing issue
I've seen the discussion, but not followed it closely. I'll try to look in today and figure out what the issues are and if I can help.