28 May
2020
28 May
'20
4:32 p.m.
On 2020-05-28 14:37:00 -0700 (-0700), Michael Johnson wrote:
Considering recent OSSA issues did not release fixes for Ocata[1][2], I think we should really consider making the maintenance status more clear and/or per project. [...]
In some cases this can be because the vulnerability was only introduced after the Ocata release and so the stable/ocata branch was not affected (I don't recall nor can I immediately spot whether that was the scenario with any recent advisories we've issued). In general though, I agree, if nobody steps forward to at least backport security fixes and keep jobs working sufficiently to merge those, then the branch is already in a de facto unmaintained state. -- Jeremy Stanley