> On Thu, 1 Nov 2018 at 11:57, Mirko Friedenhagen <[hidden email] <mailto:[hidden email]>>
>> # Meaning of life - for Maven Core
>> * For Maven 2 there is a dedicated page what EOL does mean.
>> * I think maybe we (I am not very active currently, sorry) should at least
>> manifest somewhere the meaning of life of a Maven core release as well.
>> * Some ideas follow, YMMV :-)
>> ## Core gets patched!
>> * Looking at Maven's history page, I found no minor release was ever
>> updated to a new micro version after a new minor was released.
>> * So obviously a core version being not in the EOL state does not mean
>> that anything will be patched in a micro release (Or does it? Would a
>> „blocker" bug found in 3.0.5 lead to a 3.0.6?).
> A critical security issue *might* be assessed by the PMC as warranting an
> update to some of the older release lines, but that would really require
> known compatibility issues that seriously block users upgrading to the
> latest and greatest Maven Core and a very serious security issue.
> Until we hit Maven 4.x and 5.x this should be mostly unlikely to occur...
> but I would not hold my breath
So for the practical issue of Homebrew, I would suggest to drop 3.0 and 3.1 as they are not even tested nowadays for compatibility with current plugins’ masters anyways.
Is the idea of having a page where your statement in regards of patching as decided by a PMC is written down, so people know what to expect (or not) a good one or is this administrative overkill?
At least something like a standard test matrix page could be added to the Maven site, where the matrices are outlined. Anyone looking at the page may then decide how risky using an outdated version is.
On Thu, 01 Nov 2018 12:57:20 +0100, Mirko Friedenhagen
<[hidden email]> wrote:
> # Preambel
> * I just opened a PR at Homebrew, a package manager for macOS, to
> update Maven to 3.6.0.
> * First thing was, the Download page still states 3.5.4 as latest and
> greatest, which is a bit confusing given the change-date tells me it
> changed just changed today.
> * And as Homebrew supports versioned packages, users may easily install
> the latest micro-versions of minors 3.0, 3.1, 3.2, 3.3 and now of course
> I wanted to add 3.5 to the mix.
> * One of the Homebrew maintainers now wants to remove at least one older
> version. I agreed to start a discussion on this list :-)
> * After some searching I found the 3.0.5 EOL discussion, but could
> not get a real conclusion. And today being a public holiday in the
> catholic states of Germany I could not hinder myself to think about the:
> # Meaning of life - for Maven Core
> * For Maven 2 there is a dedicated page what EOL does mean.
IMO we should only talk about EOL for the major versions. Once Maven 3 is
EOL, this maven-2-eol page will be replaced.
I don't intent to do this for every release saying explicitly: with this
release we'll mark the previous as EOL.
Up until now nobody has asked to backport specific issues to a minor
release of Maven3.
> * I think maybe we (I am not very active currently, sorry) should at
> least manifest somewhere the meaning of life of a Maven core release as
> * Some ideas follow, YMMV :-)
> ## Core gets patched!
> * Looking at Maven's history page, I found no minor release was ever
> updated to a new micro version after a new minor was released.
> * So obviously a core version being not in the EOL state does not mean
> that anything will be patched in a micro release (Or does it? Would a
> „blocker" bug found in 3.0.5 lead to a 3.0.6?).
> * After a quick look into Jenkins I only found one job for master but
> not for older „stable“ branches. master itself is built with 3.5.4.
> * Are there jobs which still build the older 3.x releases nowadays? Are
> the old tags buildable?
> ## All Apache plugins and components are working with all cores!
> * Does it mean all Maven plugins and components developed by us are
> tested against 3.0, 3.1, 3.2 and 3.3 and now 3.5 as well as 3.6?
> * Surefire does have an impressing matrix, but I only see 3.5, 3.3
> and 3.2 but not 3.1 or 3.0.
> * asfMavenTlpPlgnBuild does not include 3.0 or 3.1 either.
IIRC 3.1 is not available on the Jenkins of builds.a.o