Officially supported Git versions

Officially supported Git versions

[Patrick Lühne]

[-- Attachment #1.1: Type: text/plain, Size: 981 bytes --]

Hi,

Is there an official list of the Git versions that are still actively
supported? According to hearsay from colleagues, the latest five release
series receive security patches. I can’t find a source for that, but
might that be correct?

There’s also the Wikipedia page on Git [1], but it doesn’t point to a
proper source either.

According to Wikipedia, versions 2.4.x to 2.9.x are still supported.
This surprised me, because the fix for CVE-2017-14867 [2] hasn’t been
backported to versions earlier than 2.10 if I see that correctly.
CVE-2017-14867 was fixed for Git series 2.10.x and newer on September
22, 2017, and publicly disclosed on September 29, 2017. However, the
latest releases for the 2.7.x, 2.8.x, and 2.9.x series date back to July
30, 2017 (and 2.4.x hasn’t been touched since September 4, 2015).

Best wishes,
Patrick




[1] https://en.wikipedia.org/wiki/Git#Releases

[2] https://www.cvedetails.com/cve/CVE-2017-14867/


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: Officially supported Git versions

[Junio C Hamano]

Patrick Lühne <patrick@luehne.de> writes:

> Is there an official list of the Git versions that are still actively
> supported?

Depends on your definition of "official".  Distro with lts may patch
older maintenance tracks longer than the upstream releases do, and
as far as the normal end-users are concerned, Distro packaged
binaries are as "offcial" as they get, probably more "official" than
what comes from the upstream and then built from the source.

I however do not think distro folks advertise which maintenance
tracks they backport the patches here on this mailing list.

As to the "upstream", usually 'maint' track gets all fixes, and
probably one or two older maintenance tracks tend to get security
fixes as well.  Beyond that horizon, it's pretty much "as time
permits" basis.