Channel: Piwik Forums - Support & Bugs

Release management: security fixes need their own revision release (no replies)

With all due respect to the developers and maintainers of Piwik, I want to put forward a point that I think is very important.

Piwik has been on a wonderful streak, with a number of releases following each other in quick succession. We got new functionality, fixes and speed-ups. Great!

Releases 2.2.0, 2.4.0 and now 2.8.0 are rated critical because they offer a security fix. However, these releases do not only contain a security fix, but also additional changes and in the case of 2.8.0 also API changes. Because of the security fix, which by fixing it, is now out in the wild, end users are practically forced to upgrade.

I believe it is best practice to release security fixes separately and indicate the version by bumping the revision number. The security fixes mentioned before could have been released as versions 2.1.1, 2.3.1 and 2.7.1.

This allows end users to quickly and safely update and fix security issues, without having to rush a complete test and validation cycle on the application as a whole.

I think that releasing security fixes separately will make Piwik an even more awesome product, so I'd love to hear if this opinion is shared and whether there are any substantial downsides to this proposal. Thanks!
