Introduction

This proposal outlines a policy for the deprecation of FOLIO modules outside of the official supported set (i.e. flower releases) that are identified to have severe security vulnerabilities and have not been updated in the last three months despite being informed by the Security Team. The purpose of this policy is to maintain the overall security and integrity of the FOLIO ecosystem by deprecating and archiving unmaintained/abandoned software.

1. Objectives

Enhance Security: To mitigate risks associated with unaddressed vulnerabilities, ensuring the safety of the FOLIO project.

Encourage Maintenance: To promote regular updates and maintenance of existing modules.

Inform Stakeholders: To provide clear communication regarding the status of FOLIO modules and associated risks.

2. Pre-deprecation steps

To ensure developers have a reasonable amount of time to fix the vulnerability a three month period is started after the developers have been privately notified by the Security Team. If the notification is not acknowledged within one month, the deprecation process starts immediately.

3. Deprecation Steps after the grace time has expired

Notification:

Inform relevant stakeholders (developers, users, libraries, etc.) about the identified vulnerability and the impending deprecation of the affected module. Provide guidance on the risks and advise on possible alternatives.

Deprecation Announcement:

Officially announce the deprecation of the module on the FOLIO community platforms (e.g., comments in README in GitHub). Set a clear timeline for the deprecation phase, providing stakeholders with a timeline for migration. This timeline should usually be one month for modules outside of the official supported set which are not planned for the next release.

Module Removal:

Archive the GitHub repositories and update documentation to reflect the changes and indicate alternative solutions.

4. Exceptions

Modules that are part of a larger, ongoing development project with a clear and communicated timeline for resolution may be exempt from immediate deprecation.

Modules that have an active and engaged community working toward updates or patches may be considered for extended timelines.

5. Conclusion

The deprecation policy aims to create a safer ecosystem for all FOLIO users by addressing severe security vulnerabilities in a timely and organized manner. By implementing this policy, we can ensure that the FOLIO platform remains robust, secure, and adaptable to the evolving security landscape.