From 9312c1807bff4e3e62210dd1f5db9ecedf4a5f45 Mon Sep 17 00:00:00 2001 From: Joe Grandja Date: Mon, 16 Aug 2021 14:32:54 -0400 Subject: [PATCH] Add support policy --- SUPPORT_POLICY.adoc | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 SUPPORT_POLICY.adoc diff --git a/SUPPORT_POLICY.adoc b/SUPPORT_POLICY.adoc new file mode 100644 index 00000000..0925d2dd --- /dev/null +++ b/SUPPORT_POLICY.adoc @@ -0,0 +1,21 @@ += Spring Authorization Server Support Policy + +The Spring Authorization Server support offering provides the following support terms: + +* Releases are currently in the format of 0.x.y, where: +** “x” contains new features and potentially breaking changes. +** “y” contains new features and bug fixes and provides backward compatibility. +* The Spring Authorization Server project will be supported for at least 3 years after the most recent 0.x.0 release is made available for download. +* Security fixes will be provided for at least one year after the 0.x.0 release is made available for download. Security fixes will not be provided for updating versions to third-party libraries. +* Feature support and bug fixes, excluding “Security fixes”, will be provided only for the latest 0.x.y release. +* This support policy starts with version 0.2.0. +* We will switch to the standard https://tanzu.vmware.com/support/oss[Spring OSS support policy] when the Spring Authorization Server project reaches version 1.0.0. + +An example can help us understand all of these points. +Assume that 0.2.0 is released in August of 2021. +This means that the Spring Authorization Server project is supported until at least August of 2024. +If 0.3.0 is then released in May of 2022, the Spring Authorization Server project is supported until at least May of 2025. +The 0.3.0 release may contain breaking changes from 0.2.0. +If a bug is found, only 0.3.0 will be patched in a 0.3.1 release. +If a security vulnerability is found, a 0.2.4 (assume 0.2.3 is latest) and 0.3.1 release will be provided to fix the security vulnerability. +However, a vulnerability found in September of 2022 would be fixed in the 0.3.1 release but not the 0.2.3 release, because the vulnerability was discovered more than a year after the 0.2.0 release date.