Open SSH End-of-Life Schedule?

Jeremy Guthrie Jeremy.Guthrie at cdw.com
Tue Oct 17 01:54:31 AEDT 2023


> On Oct 13, 2023, at 2:55 PM, hvjunk <hvjunk at gmail.com> wrote:
> 
> What I guess the OP "wants" is to say that version 9.5  will be supported for the next 3-5 years, and all the security patches be backported from versions 11,12,13,14,15 to 9.5.3-patch1234 etc. Since OpenSSH/etc. haven't changed the wire protocol in like 20odd years, I don't personally see a reason to require such, given the RFC standards for the protocol, given the number of competitors out there.
> 
> That said,perhaps the OpenSSH devs could state something like this to clear the "EOL" problem easily: the latest version will be the version we'll patch for security, any version before that we deemed EOL and won't support and ask you to first upgrade and test before making the bug submission.
> 

Yes, I would say above is the ballpark I was hoping to get clarification on.  In the end if a security bug came out, having a clear EOL policy lets you clearly tell your user-base when to expect versions will be retired and no longer taken care of.  The longer the tail on software fixes the more effort it will take and technical debt you’re maintaining.  

Swag Example:   We provide fixes only for the latest releases of the last two major versions.  e.g. 8.X, and 9.X.  Once 10.X, comes out, we stop supporting 8.X, etc…  I am not asking for a year commit, just trying to understand what the community feels like would be a good level of backward porting of fixes until some EOL date.  It is okay if people do not have an answer, just wanted to see if this had been discussed before.

Those other examples I had below (sorry about the URL defense links), were just examples of what others have done to manage technical debt.  They were not meant to be 1-to-1s, just ideas.

> 
> 
>> On 13 Oct 2023, at 19:10, Jeremy Guthrie <Jeremy.Guthrie at cdw.com> wrote:
>> 
>> Sorry, I should have been more clear.  Just wondering in general if there is a policy, not as any kind of library.  Below are more examples from that website of tools, servers and services.  It’s possible there still isn’t a timeframe but wondering about general end-of-life expectations even if there have been only cursory discussions.
>> 
>> https://urldefense.com/v3/__https://endoflife.date/ansible-core__;!!HUqgN_M!rCGGnCORBI7CVVWQOSh_jkSqXsP6Y2z3efMdI9pVehBkESh6qzfOCZ4uGlVf0jNtVhV2wg9j1fpbtjvM$
>> https://urldefense.com/v3/__https://endoflife.date/tomcat__;!!HUqgN_M!rCGGnCORBI7CVVWQOSh_jkSqXsP6Y2z3efMdI9pVehBkESh6qzfOCZ4uGlVf0jNtVhV2wg9j1WK8PiiM$
>> https://urldefense.com/v3/__https://endoflife.date/postgresql__;!!HUqgN_M!rCGGnCORBI7CVVWQOSh_jkSqXsP6Y2z3efMdI9pVehBkESh6qzfOCZ4uGlVf0jNtVhV2wg9j1T3JTsIT$
>> 
>> Example PostgreSQL Versioning policy:
>> https://urldefense.com/v3/__https://www.postgresql.org/support/versioning/__;!!HUqgN_M!rCGGnCORBI7CVVWQOSh_jkSqXsP6Y2z3efMdI9pVehBkESh6qzfOCZ4uGlVf0jNtVhV2wg9j1b7EXoJJ$
>> "The PostgreSQL Global Development Group supports a major version for 5 years after its initial release. After its five year anniversary, a major version will have one last minor release containing any fixes and will be considered end-of-life (EOL) and no longer supported."
>> 
> 



More information about the openssh-unix-dev mailing list