[syslog-ng] Questions regarding support for syslog-ng

Budai, László laszlo.budai at balabit.com
Thu Oct 12 06:26:14 UTC 2017


Hi,

I’m not sure which edition you are using: the Premium Edition (PE) or the
Open Source Edition (OSE).

Releases
In both cases we have a 2-month cadence, which means that every two months
we are releasing a
* OSE (rolling release model)
* PE 7 (rolling release)
* PE 6 maintenance

Security patches

One technical difference between OSE and PE: Dependencies.
In the case of OSE, the vulnerabilities detected in dependencies are not fixed
by us, as in the case of OSE we do not bundle them; they are part of the
environment where syslog-ng is running.

In the case of PE, where we bundle the dependencies, we update and release the
deps. This means that when there is a highly prioritized sec. bug, for
example in OpenSSL, then we release PE ASAP with the updated
OpenSSL (and this may affect the release date).

What do you mean by ‘typically visible to the users’? We don’t currently
have a publicly available sec. issue tracker. The release
changelog/announcement contains information regarding the fixed
issues (including fixed sec. vulnerabilities). In the case of OSE (and partly in
the case of PE 7, as it is based on OSE) all issues are available on GitHub.

If you need more details in the case of PE, please contact Balabit (if you
need assistance, I can help you contact the right person, just drop
me a private mail).

regards,
Laszlo Budai


On Thursday, October 12, 2017, Diana Wiener <diana.wiener at acquia.com> wrote:

>
> Hi
> I'm collecting information on various dependencies within infrastructure
> for internal tracking. I looked on the website and through your
> documentation and cannot locate the answers needed, so I am reaching out to
> the mailing list.
>
> I was wondering if you can give me any sense of what your cadence is for
> releasing updates for syslog-ng.
>
>    - Do you have a routine release cadence for updates?  If so, what is
>    it (e.g. monthly, every third Tuesday, etc.) If there is no set cadence,
>    can you give me a rough sense of how often you release updates?
>
>    - How do you deal with potential security vulnerabilities?  What does
>    your patching procedure look like? Is it typically visible to users?
>
>
> I am sure you can't give me a ton of detail, but we'd like to be able to
> document what our dependencies look like and how often we might be falling
> behind so we can adjust our own roadmaps accordingly.
>
> Thanks in advance for any information you can offer!
>
> Diana
>
>
> --
> Diana Wiener
> Customer Life Cycle Manager, Support
> diana.wiener at acquia.com
>
>