TL;DR. On the stable branch, there has been an unreleased security fix for two weeks. I'm not gonna install it unreleased, because it's not "absolutely obviously safe" (see below for what I mean). Should I worry?
Two weeks ago, @sam added a security patch on the stable branch:
Then bugfixes came. But no release. This happens sometimes, but this time it's taking longer.
So my Discourse production instance says it's up-to-date, but I can still upgrade from the Docker Manager page (/admin/upgrade). Should I?
Pros:
- there have been commits on stable for days
Cons:
- judging from the later bugfixes on the patch, and assuming that some tests caught the bugfix, it's possible to commit directly to stable (rather than through feature branches) commits that don't pass testing.
- since integration testing is not integrated with GitHub's status API, I don't immediately know if stable passed tests.
Summing up:
- delaying the update is probably paranoia in this case, but IIUC some paranoia is generally required for running production systems.
- while this is nitpicking, maybe the branching model for stable branches could be improved.
UPDATE: In fact, I just learned that Discourse uses Travis, and the stable branch stopped having green builds ages ago. I guess I'm sticking to paranoia and not upgrading for now.
https://travis-ci.org/discourse/discourse/branches