dbus 1.12.x: end-of-life plans

Simon McVittie smcv at collabora.com
Mon Jul 22 18:26:59 UTC 2024


dbus is the reference implementation of D-Bus, a message bus for
communication between applications and system services.

I am currently maintaining dbus 1.12.x security releases for the benefit
of Debian 11. After the end of mainstream security support for Debian 11
(mid August 2024[1]), I am no longer intending to make these releases.

If you are a dbus downstream maintainer in a long-lived OS distribution
and you want to use the upstream dbus-1.12 git branch as a place to share
backported security fixes with other distributions, please contact the
dbus maintainers via the dbus-security at lists.freedesktop.org list.

As a reminder, odd-numbered development branches of dbus (1.1.x, 1.3.x,
etc.) do not have any security support. Security fixes applicable to
the current development branch (at the time of writing this is 1.15.x)
are released as part of normal development releases, which typically
also include feature work that might be destabilizing.

Older development branches are considered to have been superseded by the
stable-branch that followed them (for example 1.14.x replaces 1.13.x)
and will not receive any more releases at all. OS distributors should not
use a development branch unless they can promise that they will upgrade
to the stable-branch that follows it, for example moving from 1.15.x to
1.16.x when 1.16.0 becomes available.

A summary of the security status of dbus branches:

* 1.15.x: development branch, no stable releases until 1.16.0
* 1.14.x: stable branch, supported until at least Debian 12 EOL (mid 2026)
* 1.13.x: unsupported
* 1.12.x: reaches end-of-life soon
* all older branches: unsupported

    smcv

[1] The Debian security team aims to support each release for about
    3 years, and Debian 11 was released on 2021-08-14, which would put
    its EOL date around 2024-08-14.

-- 
Simon McVittie, Collabora Ltd.
on behalf of the dbus maintainers

