What is the lifecycle of privacyIDEA?

Hello,

Do you only support the latest version on GitHub?

Regards,

BBA

Hello,

please define “you” (Who are you addressing?) and “support” (What do you understand by “support” by whom?).

Thanks a lot
Cornelius

Hello Cornelius,

Thank you for your response.

To clarify, by “you,” I am referring to the maintainers or developers of the repository on GitHub. By “support,” I mean whether the team provides updates, bug fixes, or assistance for previous versions of the software, or if you only maintain the latest version.

I appreciate your help!

Best regards,
BBA

You can find Development information here:

What is missing: If a new major version is released there are no fixes for older major versions anymore.

Thanks, for the fast response!

If a new major version is released there are no fixes for older major versions anymore.

This is surprising to me. It means users have no grace period where they can plan the upgrade to a new version but always have to upgrade asap to stay on a supported version.

Is this also true for the enterprise edition?

Does the same (patches only for the latest version) also apply for minor versions?

I was looking at the security section on GitHub because it is common that projects publish information about supported versions there. I suggest putting it there to make it easy to find.

I am not sure what you mean by grace period.
If you take a look at the change log, you get an idea about updates in the past.
(Dates and version numbers)

We are doing semantic versioning as mentioned here:

So actually we are not issuing patches on a daily or weekly basis.

Some information from our experiences:

There are companies running privacyIDEA and updating privacyIDEA for nine years.

In our 20 years of experience we see that sometimes it is more necessary to update the Python dependencies. But updating dependencies usually does not work with the same privacyIDEA code. So when updating dependencies, the same privacyIDEA 3.9 will not work. This means we need to change the code and even the functionality, which would result in a major version change with regard to semantic versioning.

From an update perspective it takes 42 seconds to update from 3.9.2 to 3.9.3 but also only 42 seconds to update from 3.9.3 to 3.10.1.

What problem do you want to solve?

PS: Again you have a different definition of “support” than me. If there is no need to do a patch for 3.9.3 when 3.10.1 is out, is 3.9.3 not supported anymore?
The privacyIDEA open source project does not support anything. You are right, there will be no patches for 3.9.3 when 3.10 is out.
In most cases it is not necessary or (as mentioned above) possible to provide patches for the 3.9 line if 3.10 is available.

PPS: Would you be more comfortable if we handled releases like other open source projects and just used natural numbers? Giving you no idea if this is a patch or a feature release? Making the update process from version 28 to 29 a manual pain? :wink:

Thank you for your detailed reply.

What problem do you want to solve?

I want to use versions that are “recommended” by the project. That means:

  • public commitment by the project so I can be reasonably sure that I’m not the only one using that version
  • ideally the version is tested with new releases of DBMSes, python, pi-credential-provider, keycloak-provider,…
  • the project accepts vulnerability reports for that version

If there is no need to do a patch for 3.9.3 when 3.10.1 is out, is 3.9.3 not supported anymore?

That means as soon as 3.10.1 is out (with a relevant bug or vuln fixed) I have to do the feature update ASAP. But that feature update may deprecate/break things that our setup depends upon.

“Grace period” was referring to a time when multiple releases are supported and users can plan (and test) the upgrade.

If a user would tell you that they run privacyIDEA 2.11 (released 2016-03-29) in production you would probably tell them that it would be a good idea to upgrade? So maybe my question is: which versions do you suggest users should run? (taking into account that they have to plan their work and test feature-upgrades)

you have a different definition of “support” than me.

Clarifying what “support” means would be one of the things that should be part of the lifecycle policy.

This is open source and it comes with absolutely no warranty!

yes

No. (But wait, this is open source and comes with absolutely no warranty)
So you do not test or plan patch updates?

I am not sure, if I should respond here.

Thanks for your input anyways - it will make me think.

Note: This is supposed to be a forum where users can talk to each other.
This is not meant to be a support channel by the privacyIDEA project or any associated company.

Personal human beings are writing text here out of the goodness of their hearts.
Please read this:

Thanks.