Release cycles and security policies for Packagist packages


Travis Carden

Jan 13, 2020, 4:01:04 PM
to PHP Framework Interoperability Group
Hi, all. Drupal core is adding the psr/http-factory and psr/http-message packages, and I need to document their release cycles and security policies (including issue reporting) and contacts. See https://www.drupal.org/core/dependencies. I didn't find any of this information in the repo or on the website. Can anyone help me out? Thanks!

Larry Garfield

Jan 14, 2020, 12:58:14 PM
to PHP-FIG
PSR specs basically don't change at all. Sometimes we release a .z release to fix a comment typo or something like that, but that's about it.

We just recently approved a new process to release BC or almost entirely BC versions of an interface. So far it's not been used, although I am trying it out with PSR-13. Any new releases there would follow semver very conservatively.

We don't really have a security release process for them, as they're just interfaces.

The util packages might. For those... we don't really have a formal process right now. We might want to look into that at some point, but as the code is generally just the boring mundane stuff, the odds of there being a security issue in one of those are slim.

--Larry Garfield

Travis Carden

Jan 14, 2020, 5:02:24 PM
to php...@googlegroups.com
Thanks, Larry. That's exactly what I needed. (Also, "Oh, hi, Larry!"* 😄)

*Lest you wonder, I don't believe we've met personally. I just know your name from years in the Drupal community.

I'll be unsubscribing from this list now that I have my answer. Thanks, everybody!


