Hey folks,
This is to start a discussion around how to properly represent an ecosystem that is end-of-life (or even if we would want that at all) in OSV records.
Currently for Ubuntu we had two Ubuntu Releases (Ecosystems) that went to EOL and the way we did it was:
- We stop loading information about that specific release, therefore the OSV records that had entries of it will suddenly not have that entry anymore. The exception would be an OSV record that only affects the EOL ecosystem; in that case the OSV record wouldn't disappear but instead we would add the withdrawn field to it. This creates a bit of a "leftover" if anyone is looking for info for that release.
The other thing about end-of-life is usually when it happens, and for us that can be as soon as the next day that the release went EOL, meaning from one day to the other, scanners would completely not know anymore about such EOL release.
We've been getting more and more questions about having data in OSV for EOL releases, even though we wouldn't add new entries for it or anything else.
Therefore the question is really how should we treat EOL in OSV.
Talking to @another-rex, he mentioned that for Debian (and Alpine) it has been pretty similar: the entries go away when those ecosystems go EOL. Not sure if anyone has asked questions or seen issues with it.
@DmitriyLewen that might interest you as well and perhaps you have more comments from the users requests/POV.
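The two behaviours the post describes (drop the EOL release's `affected` entries, or keep the record and mark it `withdrawn` when that release was the only one affected) as an added example, not code from the OSV project or from the post's author. The record IDs, package names, version strings and the `Ubuntu:18.04:LTS` ecosystem name are constructed placeholders; the record shape follows the public OSV schema (`affected[].package.ecosystem`, `withdrawn`, `modified`). The `scanner_view` helper shows what a consumer querying the EOL ecosystem sees before and after the data is re-exported, which is the "leftover" versus "silently gone" distinction raised above.

```python
"""Apply the EOL handling described in the post to a set of OSV records.

Added example, not OSV project code. Policy as described in the post:
  * entries whose package.ecosystem is the EOL release are no longer exported;
  * a record whose only affected entries were for the EOL release is kept,
    but gets a `withdrawn` timestamp instead of being deleted.
"""
import copy
import json
from datetime import datetime, timezone

# Assumed name of the release that went EOL (constructed, not a real export).
EOL_ECOSYSTEM = "Ubuntu:18.04:LTS"


def _affected(ecosystem, name, fixed):
    """Build one minimal OSV `affected` entry with an ECOSYSTEM range."""
    return {
        "package": {"ecosystem": ecosystem, "name": name},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "0"}, {"fixed": fixed}]}],
    }


# Constructed sample records: IDs and versions are placeholders.
SAMPLE_RECORDS = [
    # Affects a current release and the EOL one: EOL entry dropped, record stays.
    {"id": "EXAMPLE-2024-0001", "modified": "2024-01-01T00:00:00Z",
     "affected": [_affected("Ubuntu:22.04:LTS", "pkg-a", "2.0-1"),
                  _affected(EOL_ECOSYSTEM, "pkg-a", "1.0-1")]},
    # Affects only the EOL release: record kept but marked withdrawn.
    {"id": "EXAMPLE-2024-0002", "modified": "2024-01-01T00:00:00Z",
     "affected": [_affected(EOL_ECOSYSTEM, "pkg-b", "1.5-2")]},
    # Never mentioned the EOL release: untouched.
    {"id": "EXAMPLE-2024-0003", "modified": "2024-01-01T00:00:00Z",
     "affected": [_affected("Ubuntu:22.04:LTS", "pkg-b", "3.1-1")]},
]


def apply_eol(record, eol_ecosystem, now):
    """Return (new_record, outcome) where outcome is one of
    'unchanged', 'pruned' (EOL entries removed) or 'withdrawn'.
    The input record is not mutated."""
    rec = copy.deepcopy(record)
    original = rec.get("affected", [])
    kept = [a for a in original
            if a.get("package", {}).get("ecosystem") != eol_ecosystem]
    if len(kept) == len(original):
        return rec, "unchanged"
    if kept:
        rec["affected"] = kept
        rec["modified"] = now
        return rec, "pruned"
    # Only the EOL release was affected: keep the entry so the record is
    # still self-describing, and mark the whole record withdrawn.
    rec["withdrawn"] = now
    rec["modified"] = now
    return rec, "withdrawn"


def process_all(records, eol_ecosystem, now):
    """Apply apply_eol to every record; return (records, outcome counts)."""
    counts = {"unchanged": 0, "pruned": 0, "withdrawn": 0}
    out = []
    for rec in records:
        new_rec, outcome = apply_eol(rec, eol_ecosystem, now)
        counts[outcome] += 1
        out.append(new_rec)
    return out, counts


def scanner_view(records, ecosystem):
    """What a scanner asking about ECOSYSTEM can learn: {id: 'affected' |
    'withdrawn'}. Records that no longer mention the ecosystem are absent,
    which is the 'suddenly not know anymore' case from the post."""
    view = {}
    for rec in records:
        mentions = any(a.get("package", {}).get("ecosystem") == ecosystem
                       for a in rec.get("affected", []))
        if mentions:
            view[rec["id"]] = "withdrawn" if "withdrawn" in rec else "affected"
    return view


if __name__ == "__main__":
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    exported, stats = process_all(SAMPLE_RECORDS, EOL_ECOSYSTEM, now)
    print("outcomes:", stats)
    print("before:", scanner_view(SAMPLE_RECORDS, EOL_ECOSYSTEM))
    print("after: ", scanner_view(exported, EOL_ECOSYSTEM))
    print(json.dumps(exported, indent=2))
```

Running it shows the asymmetry the post is about: after the re-export a scanner querying the EOL release still finds EXAMPLE-2024-0002 (as a withdrawn leftover) but finds nothing at all for EXAMPLE-2024-0001, even though that release was affected.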