docs: mention maintenance branches

Mitre tried to assign us two separate CVEs for the fix for https://bugzilla.redhat.com/show_bug.cgi?id=1047577, on the grounds that the fixes were separated by more than an hour and thus triggered different hourly snapshots. But we explicitly do NOT want to treat transient security bugs as CVEs if they can only be triggered by patches in libvirt.git but where the problem is cleaned up before a formal release. Meanwhile, I noticed that while our wiki mentioned maintenance branches and releases, our formal documentation did not. * docs/downloads.html.in: Contrast hourly snapshots with maintenance branches. Signed-off-by: Eric Blake <eblake@redhat.com>
2024-07-11 12:25:52 +00:00 · 2014-01-14 09:49:50 -07:00 · 2014-01-14 09:49:50 -07:00 · 908903b317
commit 908903b317
parent e8eb8d8497
1 changed files with 25 additions and 1 deletions
--- a/docs/downloads.html.in
+++ b/docs/downloads.html.in
@ -22,7 +22,9 @@
    <p>
      Once an hour, an automated snapshot is made from the git server
      source tree. These snapshots should be usable, but we make no guarantees
-      about their stability:
+      about their stability; furthermore, they should NOT be
+      considered formal releases, and they may have transient security
+      problems that will not be assigned a CVE.
    </p>

    <ul>
@ -30,6 +32,28 @@
      <li><a href="http://libvirt.org/sources/libvirt-git-snapshot.tar.gz">libvirt.org HTTP server</a></li>
    </ul>

+    <h2><a name="maintenance">Maintenance releases</a></h2>
+    <p>
+      In the git repository are several stable maintenance branches,
+      matching the
+      pattern <code>v<i>major</i>.<i>minor</i>.<i>micro</i>-maint</code>;
+      these branches are forked off the corresponding
+      <code>v<i>major</i>.<i>minor</i>.<i>micro</i></code> formal
+      release, and may have further releases of the
+      form <code>v<i>major</i>.<i>minor</i>.<i>micro</i>.<i>rel</i></code>.
+      These maintenance branches should only contain bug fixes, and no
+      new features, backported from the master branch, and are
+      supported as long as at least one downstream distribution
+      expresses interest in a given branch.  These maintenance
+      branches are considered during CVE analysis.
+    </p>
+
+    <p>
+      For more details about contents of maintenance releases, see
+      <a href="http://wiki.libvirt.org/page/Maintenance_Releases">the
+      wiki page</a>.
+    </p>
+
    <h2><a name="git">GIT source repository</a></h2>

    <p>