Message-ID:
From: "sehrope (@sehrope)"
To: "pgjdbc/pgjdbc"
Date: Wed, 20 May 2026 11:35:30 +0000
Subject: Re: [pgjdbc/pgjdbc] PR #4079: docs: spell out the proactive-security window in SECURITY.md
In-Reply-To:
References:
List-Id:
X-GitHub-Author-Login: sehrope
X-GitHub-Comment-Id: 4497956773
X-GitHub-Comment-Type: issue_comment
X-GitHub-Issue: 4079
X-GitHub-Repo: pgjdbc/pgjdbc
X-GitHub-Type: comment
X-GitHub-Url: https://github.com/pgjdbc/pgjdbc/pull/4079#issuecomment-4497956773
Content-Type: text/plain; charset=utf-8

If I'm reading this correctly, you're suggesting we publish 10 versions of the driver, continue to support all of them, and every time we release a new version, we commit to supporting it as a release line for 5 years?

That's way too many versions for something that is inherently supposed to be backwards compatible. We go out of our way to avoid breaking changes. And if there are any, unless there is a security reason why we cannot revert them, we consider breaking changes to be bugs that need to be fixed. Users really should be using the latest version of the driver. For the 99.9999999% of people that are on JDK8+, there is no technical reason they cannot. It's purely bureaucratic.

If we are going to have multiple concurrent supported versions, perhaps an "LTS" model is more appropriate (see https://nodejs.org/en/about/previous-releases). We could periodically cut a new release that we would commit to supporting for a known timeframe. Only CVEs would be backpatched and users could choose to use those branches knowing they will never get anything added or improved.

We could have a fixed number of LTS release lines active at any given time (I like just one...). When one ends, we start a new one using the latest non-LTS release. That could be a fixed schedule or whenever we as a group decide to do so. But it'd be well defined with a specific off-ramp.

And regarding the JDK 6/7 versions, I think we just scrap them entirely.