Relax scs-0210-v2: extend update time for patch versions#1153
Signed-off-by: Matthias Büchse <matthias.buechse@alasca.cloud>
janiskemper
left a comment
LGTM (of course let's wait for feedback from others)
depressiveRobot
left a comment
Fixes #1098.
The requirement has been relaxed, so a new version of the standard is not necessary.
Looks good.
garloff
left a comment
Please consider my comment for a followup discussion and potential improvement.
This is not meant to block this agreed change, so I approve.
| - The latest minor version MUST be provided no later than 4 months after release. | ||
| - The latest patch version MUST be provided no later than 2 weeks after release. | ||
| - The latest patch version MUST be provided no later than 1 month after release. | ||
| - This time period MUST be even shorter for patches that fix critical CVEs. |
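Review bot: the line "This time period MUST be even shorter for patches that fix critical CVEs" is only relative to the baseline, so relaxing the baseline from 2 weeks to 1 month also widens the worst-case window for critical CVE fixes, and "critical" is not defined anywhere in the hunk. Consider pairing this change with an explicit bound and threshold taken from the discussion, e.g. "Patches that fix CVEs with CVSS >= 8 MUST be provided no later than 2 weeks after release", which keeps the previous hard requirement for the critical case and would not be a tightening that needs a new version.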
We are not precise here (how much shorter), as we just have a RECOMMENDATION to provide this within 2 days. This lack of precision is not new, it just got a bit more relevant by extending the time period. I suggest we address this in a followup discussion in the future.
Maybe it's <= 1 month for normal patch versions, a REQUIREMENT of <= 2 weeks for CVSS>=8 issues and a RECOMMENDATION for <= 2 days for CVSS>8 then. (I feel like 1 week would be more appropriate as a hard requirement, but 2 weeks would have the advantage of matching our previous hard requirement.)
If we want to implement something like this, we should do it now, because once the standard is relaxed, we would need to introduce a new version to make it more strict again.
Wouldn't it be a relaxation anyway for the general patch release, and a stricter version for CVEs, @mbuechse?
In which way would we NOT have to add a new version of this based on what Kurt proposes?
Right now, any patch must be provided no later than 2 weeks. In the future, this holds only for those patches with CVSS >= 8, whereas patches with CVSS < 8 have 1 month.
If I'm not mistaken, Kurt proposed to do CVEs in one week instead of two. Then I guess we are on the same page that this would be stricter and would require a new version.
If we do it with two weeks, then I agree that it wouldn't be stricter.
@garloff WDYT?
Kurt proposed 2 weeks, and in parentheses he expressed a preference for 1 week, but he seemed to want to spare us the hassle of a new version. And the new version could still be done later anyway, if it finds a majority. Not sure if 1 week is at all realistic (we still have 2 days for CVSS > 8 as a recommendation).
This comes after comprehensive discussion in SIG Std/Cert (of 2026-04-09), as well as research by Syself into industry best practices.