I thought this was interesting. The talk is about the Linux kernel, but I think applies more broadly to our ecosystem.
Summary: Only some CVEs are "real" security issues, only some real security issues get CVEs, and many ordinary bug fixes are not recognized as being security related at all (even if they are). Moreover, many patches are only secure or correct when in the presence of other nearby patches. The safe thing for downstreamers to do is to stay fully up to date with LTS releases of software in full (i.e. get all known fixes!), and you should consider "old release + cherry picked patches for CVEs only" to be insecure by definition.
It raises the question about whether we are fooling ourselves by back-porting primarily CVEs to 3 prior years of releases. If you buy into this speaker's thesis, not only would this be a false sense of security by only selectively applying patches, but those releases may be considerably less secure because those patches are "out of context" or lacking other patches that they subtly depend on.
I'm not necessarily proposing this, but merely putting it out as a point of discussion.
Some library releases break backwards compatibility, and thus are very difficult and unwise for a DCC to upgrade for a mid-year patch (concrete example: OpenEXR 2.5 -> 3.0). Other library releases can seamlessly be upgraded with no source code changes to the DCC (concrete example: OpenEXR 2.3 -> 2.4 -> 2.5, and also 3.0 -> 3.1). In fact, the library authors may strongly feel that upgrading Maya+exr2.4.0 to Maya+exr2.5 mid-year should be a snap and on the whole LESS risky for customers than patching only to Maya+exr2.4.1.
So another support approach for libraries that's worth discussing might look like the following:
* Library is really careful about not breaking source compatibility year-to-year, but does so only occasionally, and also ensures that the current release builds and runs correctly against the VFX Platform toolchain and dependencies up to 3 years back (or back to the last compatibility break, whichever is more recent).
* The last release before a break in source back-compatibility is considered a LTS (long term support) release and will get, to the greatest extent possible, all reasonable bug fixes and safe improvements for 3 years. The "current" release also gets full bug fixes, of course.
* Non-LTS releases are "as-is" -- that is, for releases that can be seamlessly upgraded to the next major release with only a recompile and not edits of downstream source code, they will not be routinely maintained after the next release, and instead the advice to downstream consumers is to fully upgrade to the latest maintained source-compatible release.
So just to make this clear, let us consider OpenEXR. The current endorsed practice is: New development happens in future/3.2, full support to 3.1, and fixes that we think are related to CVEs (and sometimes other critical fixes) are backported to 3.0, 2.5, and 2.4 (with rapidly increasing PITA for developers the farther we get down that list).
An alternate approach might be: New dev in future-3.2, "full support" to current release 3.1 and presumed LTS release 2.5, no support to 2.4 and 3.0 (which should be upgraded at earliest opportunity to 2.5 and 3.1, respectively, to pick up comprehensive fixes). In some ways, this is just pushing the peas around the plate -- it demands more thorough support for 2.5 and 3.1, but eliminates support for 2.4 and 3.0. But that might result in the releases that are supported becoming more secure and stable than if we spend the same resources half-assedly patching so many, older, releases.
This might not be the right approach for all libraries. It probably depends on how often they have compatibility-breaking releases. But it may be worth considering as an additional, optional, strategy that is endorsed by VP. So in this alternate universe, VP might recommend that libraries either (a) support up to 3 prior years but impose no limits on year-to-year compatibility, OR (b) only support LTS up to 3 years back, but have strong guarantees for non-LTS releases to be trivially upgradable to either an LTS or the current release.
Something to ponder?
-- lg