RFC - n/a
Other Related Resources
LTS Recommendation as of January 2022: https://docs.google.com/document/d/1Un5OlutEh7M2p3AzxE8g20NmdeEhrC0KCNkfd_QLkRw/edit
This ADR has been created by the FOLIO security team; see the meeting notes of 2022-04-21, 2022-04-28, 2022-05-05, 2022-05-12, 2022-05-19, 2022-05-26, 2022-06-02 and 2022-06-09.
Contributors
- FOLIO Security Team
Approvers
- PC published "Regular release recommendations" at PC Supports long-term release and regular release recommendations on July 5, 2022. This indirectly approves this ADR and makes this ADR obsolete.
Background/Context
As a sysop I need to schedule the migration of my production installation of FOLIO.
As a FOLIO security team member I have limited time to monitor FOLIO for security issues.
As a FOLIO software developer I have limited time to fix and back-port security issues.
Therefore FOLIO
- should limit the number of flower releases that get security fixes for critical vulnerabilities and
- should publish the support period on the release notes.
Assumptions
Implementers can upgrade within 8 months after the official Morning Glory release.
Constraints
Resources to maintain old flower releases.
To comply with policies and law a sysop must upgrade from a version that is no longer supported to maintain privacy and security.
To speed up this ADR, support periods of other releases (Nolana, Orchid, ...) are out of scope.
Decision
The TC forwards this decision proposal to the PC:
Morning Glory will receive security fixes for critical issues until Orchid is released (est. Spring 2023).
Detailed information on particular issues will be provided by the security team. With this release there will be no other security hotfixes on Kiwi. This is to be published on the Morning Glory release notes.
Implications
- Pros
  - Approves the "LTS Recommendation as of January 2022" for Morning Glory and for the end-of-life of Kiwi.
- Cons
  - Tight time frame for sysops.
5 Comments
Marc Johnson
Julian Ladisch
I don't think this is an appropriate topic for an ADR.
As I understand it, the decision about which flower releases are supported has not been made yet. I believe that is a cross council decision (although there was a proposal made by the TC I believe).
How did the security group come to the decision to raise this as an ADR (which is really still a draft process at this stage) rather than as a topic for the Technical (or other) Council to discuss?
Julian Ladisch
This is to formally approve the "LTS Recommendation as of January 2022" for Morning Glory.
Quote from Decision Log: "An architecturally significant requirement is something that has a measurable effect on the application architecture's ilities such as" ... "Maintainability" ... "Supportability" ... "Security".
The FOLIO security team has recently used the https://wiki.folio.org/display/DD for Tenant Id and Module Name but was told to use ADRs instead.
Marc Johnson
Julian Ladisch Thank you for the explanation.
I don't believe the TC can undertake that decision.
I understand that. To me, that is a technical policy decision that affects the behaviour of the system. I personally wouldn't consider how long support is offered to be an architectural decision.
I suspect I have a different understanding of the cross-functional characteristics defined in the ADR documentation to others. I'll let other folks provide their own feedback.
Julian Ladisch
The TC may approve the support period as a suggestion to be forwarded to the PC for the final decision.
The FOLIO security team want this to be decided. The TC may do this with or without the ADR framework.
Marc Johnson
I think it could have been more appropriate for the security group to contact the TC to ask for their thoughts on how to move this forward, prior to raising an ADR.
Anyway. I'm going to leave this up to the TC to decide what to do.