[GH-487] Declare past releases as unsupported #650

rettichschnidi
Contributor

Nobody stepped up to assemble a new 1.0 based maintenance/security
release. At the very least our users should know that.

@rettichschnidi
Contributor Author

@qleisan @tuve @sbernard31 any words from you? Would rather not merge something like this without getting your inputs.

@tuve
Contributor

tuve commented Feb 7, 2022

@rettichschnidi I think you should merge this and close #487 since it is the de facto state.

@sbernard31
Contributor

sbernard31 commented Feb 7, 2022

As I said at (https://bugs.eclipse.org/bugs/show_bug.cgi?id=577968#c13):

Generally, I would say that at least the last stable release should get bug fixes / security fixes. But the Wakaama project's situation is a bit different, as the project was abandoned and is in a revival process. So I could understand that the team prefers to focus on getting the project back on track and so doesn't invest much time in a very old release.

You should also consider your perception of current community needs to take this decision. Does the community ask for this kind of 1.x support, or does everybody seem to switch to master?

Note that I feel it's OK to say you don't support the 1.x version, then change your mind later if there is a strong community request for this and if the team is able to support this.

From #487 (comment), nobody seems to react, so I understand your choice 🙂
Note this is only 16 days ago when I write this line, so maybe you should wait a little bit? (except if you already know that you will really not be able to handle this support)

@rettichschnidi
Contributor Author

rettichschnidi commented Feb 8, 2022

> Note this is only 16 days ago when I write this line, so maybe you should wait a little bit? (except if you already know that you will really not be able to handle this support)

While backporting those specific CVE fixes to 1.0 is certainly possible, I cannot justify the time needed to crank out a proper release (tested, all known issues fixed, etc.). I'd rather have no release than one that gives the user a false sense of security.

What bothers me a bit is this prominent display of version 1.0 on the GH landing page:

[image]

I have not read up if and how lightweight a snapshot release could be done within the Eclipse rule set, but such one might make the 1.0 release less prominent.

@sbernard31
Contributor

sbernard31 commented Feb 8, 2022

> I have not read up if and how lightweight a snapshot release could be done within the Eclipse rule set, but such one might make the 1.0 release less prominent.

For milestone releases, AFAIK there is nothing special.
At least for Leshan we just do a release without any Eclipse process.
Indeed, this will allow you to hide the 1.0.0 version.

In Leshan we have this kind of documentation and I add this kind of banner:

❗☠️❗ Affected by security issue❗☠️❗

to all affected milestone or stable releases, e.g.: https://github.com/eclipse/leshan/releases/tag/leshan-2.0.0-M3

@sbernard31
Contributor

Eventually you can also add a big warning about the 1.0.0 version in the README with a link to the reason behind this and what users should do?

@rettichschnidi
Contributor Author

Updated the 1.0 release page, will update the README too.

@rettichschnidi rettichschnidi removed the request for review from qleisan March 6, 2023 08:59
@rettichschnidi rettichschnidi force-pushed the gardena/rs/supported-versions branch 3 times, most recently from 70ee5a5 to 1d752fe Compare March 6, 2023 15:30
@rettichschnidi
Contributor Author

rettichschnidi commented Mar 6, 2023

@sbernard31 I finally updated the readme. What do you think?

Merging now. We can still improve later on.

@rettichschnidi rettichschnidi merged commit 0d04146 into eclipse-wakaama:master Mar 10, 2023