2025-09-17 FOLIO Support Periods Proposal

Date

Sep 17, 2025 

 https://zoom.us/j/935492890  

Attendees 

  • @Jenn Colt

  • @Wayne Schneider

  • @Alexis Manheim

  • @Olamide Kolawole

  • @Bodil Wennerlund

  • @Charlotte Whitt

  • @Christie Thomas

  • @Craig McNally

  • @Kevin Day

  • @Julian Ladisch

  • @Jeff Gerhard

  • @Ingolf Kuss

  • Jesse Randolph

  • @Maccabee Levine

  • @Robert Heaton

  • @VBar

  • @Zak_Burke

  • @Jeremy Huff

  • @Jason Root

  • @Kajsa Bäckius

  • @Mark Veksler

  • @Tod Olson

  • @Florian Gleixner

  • @Andreas Mace

  • @Shelley Doljack

Time

Item

Who

Notes

1 min

Scribe

 

@Wayne Schneider is next, followed by @Jenn Colt

Reminder:  Please copy/paste the Zoom chat into the notes.  If you miss it, this is saved along with the meeting recording, but having it here has benefits.

 

FOLIO Support Periods

ALL

Draft decision record: https://folio-org.atlassian.net/wiki/spaces/TC/pages/1187348628

Previous decision by PC: https://folio-org.atlassian.net/wiki/spaces/PC/pages/4884659

Discussion:

  • Primary issue the proposal is addressing is the end of support for the Spring Boot framework used in Ramsons

  • @Julian Ladisch mentions that there is a proposal forthcoming to support Sunflower on Ramsons

  • @Ingolf Kuss asks why the end of support for Spring Boot should drive the end of all support for Ramsons (e.g. other security fixes)

    • @Julian Ladisch: scope is not just Spring Boot, other libraries may also go out of support

  • @Ingolf Kuss expresses concern, from the implementers' perspective, about changing the terms of support midstream

  • @Kevin Day thought a decision was made to support Ramsons longer due to slow Eureka adoption

    • @Julian Ladisch this was a proposal never accepted

  • @Jeremy Huff FOLIO can choose to continue to support releases even when underlying technologies are out of support. FOLIO’s certification of support is backed by the security team, there is the option for the FOLIO community to evaluate and possibly mitigate security issues

    • @Julian Ladisch security team has discussed this. Security team supports the changed support policy because the risk is too high (unreported security issues, for example)

  • @Ingolf Kuss one effect of this decision would be to force institutions to move to Sunflower on Okapi, which they did not originally intend

    • Prolonging support period could allow institutions to move more at their own pace

  • @VBar significant policy change to move from release-based to calendar-based

    • This also affects addressing functional P1 tickets

    • Effectively narrowing support definition from GA to specific CSP?

      • @Julian Ladisch notes this is the current state and the proposal on the table does not change it

  • @Jenn Colt institutions can choose to run (or have it chosen by their service provider) out-of-support releases. This proposal addresses just what the FOLIO organization will support, not what risk institutions are willing to take on

    • @Maccabee Levine does this proposal also rule out P1 bug fixes that are not related to out-of-support dependencies? Could there be a split of the definition of “support” in some way?

      • @Julian Ladisch there must be a single end of support date. If there are P1 bugs institutions can choose to backport fixes but there should not be further official releases of the Ramsons branches

  • @Jeremy Huff logistics of managing support windows of all dependencies removes too much autonomy from the FOLIO community.

    • @Jenn Colt security promises made by community become meaningless if we say something is “supported” but not “secure”

  • @Tod Olson there is a need for the project to keep some level of support for Ramsons, but there are issues that may arise which may make that support impractical. If there are valid reasons that many institutions cannot migrate to a supported version in the timeframe, the community should make an effort to mitigate that

  • @Jeremy Huff end of support would also mean end of analysis of security issues for unsupported Spring versions, which adds value

    • @Julian Ladisch most security issues affect current and all old versions and so get analyzed anyway; the difference is that old versions are not fixed and so we have no mitigation

  • @Jeremy Huff this is a risk analysis exercise. Some institutions may be willing to accept the risk

  • @Tod Olson responding to security issues isn’t just code fixes, there may also be “compensating controls”

  • @Olamide Kolawole the definition of “support” is a wide umbrella that includes more than security issues. If the proposal is rejected, we need to document what our continuing commitment is and how we would manage support for security issues after the dependencies go out of support

  • @Jeremy Huff affirms Olamide and talks about what it might mean to define “degraded” support

    • @VBar documentation of known security issues might be necessary. He suggests refining the policy to acknowledge that 3rd party dependencies are out of our control

  • @Olamide Kolawole for Umbrellaleaf will the support period therefore also match 3rd party dates? Does the support period require decision records for each release or would it be automatically

    • @Julian Ladisch The TC will automatically set the support period based on the OST (officially supported technologies) decisions

  • @Mark Veksler can we create a matrix/table with outcome, impact, cost for a theoretical P1 security issue that is uncovered in an underlying unsupported library?

    • @Jeremy Huff such a matrix would be useful for understanding how the community supports these kinds of emergencies

      • Might also be a good agenda item for Community Council to discuss creating an emergency fund for managing this

  • @Olamide Kolawole will put together a table as suggested by Mark Veksler

  • @Maccabee Levine how is this communicated to RMG group

    • @Julian Ladisch has communicated to RMG

  • TC will discuss what would happen if the proposal is not accepted

  • If this is approved, it would also need to be approved by the Product Council

NA

Zoom Chat

 

10:07:12 From Mark Veksler To Everyone:
does it mean FOLIO will be forked?

10:08:31 From Jenn Colt To Everyone:
@Wayne Schneider are you doing notes?

10:11:10 From Charlotte Whitt To Everyone:
Yes, Wayne wrote that to me, just 5 minutes ago

10:19:48 From Julian Ladisch To Everyone:
For Ramsons all modules support both Eureka and Okapi. Some modules have an environment variable to enable Eureka or Okapi, this is a switch, not a fork.
Charlotte Whitt:💯

10:21:06 From Ingolf Kuss To Everyone:
Yes. And if Ramsons support ends 12/31, implementors will have to move to Sunflower by then (or take the risk to run out of support). If it doesn't end early, they don't.

10:22:21 From Jenn Colt To Everyone:
I don’t see how this proposal does that

10:23:12 From Mark Veksler To Everyone:
Replying to "For Ramsons all modules support both Eureka and Ok...":
I was referring to Sunflower/Okapi

10:24:14 From Julian Ladisch To Everyone:
Replying to "For Ramsons all modules support both Eureka and Ok...":
The same for Sunflower. Modules may have a switch, no need for a fork.
Charlotte Whitt:💯

10:31:58 From Jason Root To Everyone:
It is my firm belief that any software is “run at your own risk”
Ingolf Kuss:👌

10:33:33 From Maccabee Levine To Everyone:
I wonder though if we can separate "supported" and "secure", guaranteeing the former for longer but not the latter.
Ingolf Kuss, Huff, Jeremy T, Olamide Kolawole:👍

10:34:02 From Huff, Jeremy T To Everyone:
I agree, I think a gradation of support could be a possible solution

10:39:50 From Jenn Colt To Everyone:
👻British Library👻 -> what I keep thinking about
Charlotte Whitt, Andreas Mace:👍

10:40:04 From Tod Olson To Everyone:
Replying to "👻British Library👻 -> what I keep thinking about":
Aye

10:40:30 From Shelley Doljack To Everyone:
Replying to "👻British Library👻 -> what I keep thinking about":
I was just thinking about this re: security and risk.

10:41:40 From Mark Veksler To Everyone:
right, Tod — compensating controls.
Maccabee Levine:👍🏻

10:47:20 From Charlotte Whitt To Everyone:
Replying to "👻British Library👻 -> what I keep thinking about":
And the situation here in Europe is that all companies and public institutions and authorities are in high risk of being hacked

10:54:41 From Charlotte Whitt To Everyone:
+100 Jeremy Huff. Like the idea about the emergency fund

10:55:33 From Tod Olson To Everyone:
Similar to a Reserve Fund for a co-op, condo association, or similar.
Charlotte Whitt, Huff, Jeremy T:👍

10:56:56 From Jenn Colt To Everyone:
Shared responsibility needs shared decision making
Mark Veksler:👍

10:59:15 From Shelley Doljack To Everyone:
I haven’t done my homework on this yet so I will try to leave some comments on the wiki page.