Issue #9216 has been updated by zzak (Zachary Scott).


We have discussed this and decided it's OK to maintain (security fixes only) 1.8.7 and 1.9.2 for at least 6 months. This does allow for some backports that will help with running tests and merger.

We also decided that performing security releases in this time is acceptable.

This will give 1.8.7 and 1.9.2 an EOL of June 2014; at this time the current maintainer is welcome to continue security maintenance of these versions. If a new contributor wants to maintain the security release for this version after 6 months, we can decide using the maintainer appointment process (#9218).
----------------------------------------
misc #9216: Backport Maintenance Policy for 1.8.7, 1.9.2
https://bugs.ruby-lang.org/issues/9216#change-43448

Author: hone (Terence Lee)
Status: Open
Priority: Normal
Assignee: 
Category: Project
Target version: 


TL;DR
Backporting security fixes to 1.8.7, 1.9.2 in increments of 6 month terms with optional continuation upon term expiration.

Context
Many vendors like Linux distros including Red Hat, Debian, Canonical and platforms like Heroku need to maintain support for old Ruby versions past its end-of-life cycle for its customers. In order to stop duplicating our efforts, it'd be great to push these security fixes upstream. This way each vendor can base their changes on this work.

For each security incident that is proposed and considered a threat in the ruby-security mailing list, there can be gatekeepers who can verify that the rubies are vulnerable, test patches, and push code upstream so vendors and users of those products can build rubies that match those released by their vendor.

Since vendors are on the ruby-security mailing list and will already be doing this work, there can be a volunteer service for this gatekeeper work. Volunteers can commit to a reasonable time frame like 6 months. During the last month, another 6 month commitment can be made either by the same volunteers or others looking to take over the maintainership. Even for non end of life Rubies, ruby-core should not be afraid to look to these vendors for help in maintaining current Rubies.

Heroku will be announcing its support plans soon, but we will probably be supporting Ruby 1.8.7 / 1.9.2 for 6 months after this announcement. Sam Kottler and I (Terence Lee) will be happy to play gatekeeper for the first 6 months (until June 2014).

In summary, I think establishing well-defined dates will help Ruby users pick and decide what they can expect to use safely. The coming Ruby 2.1.0 release announcement would be a great time to announce what happened to Ruby 1.9.2 and any of these potential changes.


-- 
http://bugs.ruby-lang.org/