DR-000003 - Morning Glory support period

Submitted Date

 

Approved Date

 

Status: ACCEPTED
Impact: MEDIUM

RFC - n/a

Other Related Resources

LTS Recommendation as of January 2022: https://docs.google.com/document/d/1Un5OlutEh7M2p3AzxE8g20NmdeEhrC0KCNkfd_QLkRw/edit

This ADR was created by the FOLIO security team during the following meetings: 2022-04-21 Meeting notes, 2022-04-28 Meeting notes, 2022-05-05 Meeting notes, 2022-05-12 Meeting notes, 2022-05-19 Meeting notes, 2022-05-26 Meeting notes, 2022-06-02 Meeting notes, 2022-06-09 Meeting notes.

Contributors

  • FOLIO Security Team

Approvers

Background/Context

As a sysop, I need to schedule the migration of my production installation of FOLIO.

As a FOLIO security team member, I have limited time to monitor FOLIO for security issues.

As a FOLIO software developer, I have limited time to fix and back-port security issues.

Therefore, FOLIO

  • should limit the number of flower releases that get security fixes for critical vulnerabilities and
  • should publish the support period in the release notes.

Assumptions

Implementers can upgrade within 8 months after the official Morning Glory release.

Constraints

Resources to maintain old flower releases.

To comply with policies and law, a sysop must upgrade from a version that is no longer supported in order to maintain privacy and security.

To speed up this ADR, support periods of other releases (Nolana, Orchid, ...) are out of scope.

Decision

The TC forwards this decision proposal to the PC:

Morning Glory will receive security fixes for critical issues until Orchid is released (est. Spring 2023).
Detailed information on particular issues will be provided by the security team. With this release, there will be no other security hotfixes on Kiwi.

This is to be published in the Morning Glory release notes.

Implications

  • Pros
    • Approves the "LTS Recommendation as of January 2022" for Morning Glory and for the end-of-life of Kiwi.
  • Cons
    • Tight time frame for sysops.