After the release of IdPv3, the project committed to making a final determination about the term of support for the v2 code base in March and then delayed the decision to April. That discussion took place during the last Consortium Board meeting in April and the developers have finalized a proposed timeline.
Originally the developers proposed a 12 month lifetime for the old code base, ending this year, and the feedback from the Consortium members was that an additional 12 months was preferred. The compromise reached was for a staged EOL process, ending on July 31, 2016.
The full timeline follows:
- All security bugs and severe non-security bugs addressed until Dec 31, 2015.
- Moderate security bugs addressed until Feb 29, 2016.
- Important security bugs addressed until May 31, 2016.
- Critical security bugs addressed until July 31, 2016 (full EOL).
While these are ultimately somewhat subjective criteria, the following are our working definitions:
A "severe" bug, outside of the security domain, would be something that materially affects one's ability to keep running the software on supported platforms and Java releases. For example, a bug preventing use on Java 8 or a supported Tomcat or Jetty container.
Security bugs would be triaged using the usual scale used with CVE advisories and tend to fall into categories such as:
o Critical - remote exploits or data exposure issues
o Important - unauthenticated denial of service issues
o Moderate - authenticated denial of service issues
Particularly for the less critical issues, priority will be given to bugs that have no obvious workaround or mitigation. Issues that can be addressed with configuration changes may not result in patches.
We realize that not everybody will be happy with the final decision, but unlike the V1-V2 transition, compatibility between V2 and V3 is extremely substantial and we believe this warrants a more aggressive timeline than in the past.
I will be updating our web presence with this information over the next day or two.
Note, this announcement has nothing to do with the Service Provider software. V2 remains the latest version.